US Senators To Introduce Bill To Secure 'Internet of Things' (reuters.com)
Dustin Volz, reporting for Reuters: A bipartisan group of U.S. senators on Tuesday plans to introduce legislation seeking to address vulnerabilities in computing devices embedded in everyday objects -- known in the tech industry as the "internet of things" -- which experts have long warned poses a threat to global cyber security. The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon.
It's good they're trying to do something, but the devil is in the details. For example, define "vulnerability". Anyone who's tried to remediate Nessus findings knows what I mean - those Low findings that just. won't. go. away. And do they mean internal or external vulns? etc, etc. And these things won't be determined in the law, they'll be decided by the bureaucrats implementing it. Pray that they're smart.
We'll all get free hammers!
Instead of encouraging robust perimeter security and a well thought out security model, let's just require expensive and ineffective security on every single little thing.
Not requiring standards for the entire industry, but for vendors to the Federal government which, if they work, will then propagate as de facto requirements for the private sector.
Not holding my breath, but hopefully this will result in something resembling sanity. Tired of the pollution of the internet with crap configurations that would have smelled funny even in 1997. In addition to regulations for manufacturers, the end user REALLY needs to become educated about the dangers of connecting stuff all willy-nilly.
...legislators get busy solving technical problems they don't understand. We all know they will direct us toward more superfluous complexity that we need to work around, but at least that produces more job security for me. So, in a way, those popular people are the experts at creating security!
M$FT does not meet the criteria:
- ensure their products are patchable and conform to industry security standards.
- supplying devices that have known security vulnerabilities.
So, will they mandate that there be entry level jobs that require no experience, in CyberSecurity? If not, this bill will do nothing.
People can't switch careers if they are going to get rejected for not having experience in the new career field they are switching to.
He added that the legislation was intended to remedy an "obvious market failure" that has left device manufacturers with little incentive to build with security in mind.
This guy gets it. But I was hoping for a market solution. The government could start by requiring vendors of US government products to meet certain guidelines. States could require that police and government tech meets a standard. That typically makes civilian companies jump on board and require similar guidelines. Then individuals start to say "Oh, I only buy IP cameras that meet FIPS-12345 standards."
This approach is nice because it is flexible, and allows the market to decide what standards to apply. I fear Senators trying to write tech legislation.
Please... please... if some deity is listening, make it so this becomes a law. It's quite sad seeing my perfectly serviceable Nexus 4 and 5 not receive basic security patching, and this has already spread to TVs, and soon vacuum cleaners and smoke detectors are to follow.
We already HAVE the dystopian overreaching legislative bureaucracy to deal with this, there's really no need to reinvent this wheel.. but since you weren't doing anything anyway, carry on?
Most of these devices can be patched. The real issue is that they'll be unsupported a year or two later.
The special interests will gut it and turn it against the public.
It's more important to APPEAR that you're doing something, than it is to ACTUALLY do something.
How exactly do they propose to secure a marketing term? Cause that's all "Internet Of Things" is. It means absolutely nothing. While they're at it, why don't they also try to secure Big Data, The Cloud, and Web 2.0?
If the end game of IoT is to be ubiquitous then there is no way that you can rely on manual intervention to keep things up to date and secure. So how will this all be enforced?
Any device with internet connectivity needs to have a reasonable support window where the manufacturer provides known security updates. The unfortunate side effect is that support has large costs and will either drive down profit, or drive up price. People will care less (and buy less) when the magical IoT keyfob/light controller/toaster oven costs $500 instead of $99.
this bill, as proposed, will not keep up.
$100K year per site + 1K / year per device to HPE to manage it. Labor costs extra
What about us plebes?
Let's also add to the bill a minimum support time for internet connected things. This would protect consumers from buying the latest internet connected coffee pot and having it stop working just because they didn't want to run the servers any more after 6 months.
hammers will be billed at 25K each!
What about redundant systems with rolling updates so you can update a router without taking the site down?
Without laws that actually protect consumer information, privacy, etc. - no law like this will mean anything. First because it doesn't cover all losses, second because if someone has information but wasn't the person that hacked you, then they're not in the "wrong." It must be made illegal to have the information in the first place. Start with something like the EU "right to be forgotten" and go from there.
Auto-drive car: buy a new car every 4-5 years, as updates stop after about 4 years or you need a high-labor-cost (at the dealer) computer swap or upgrade, plus the markup. Think Dell/HP-like 300-400% markup on HDDs and RAM before dealer labor charges.
I have suggested this plan before.
Make the manufacturer (not seller) of an IoT device liable for any actual damages that are caused by their IoT device getting hacked.
That's it. No government standards. No registration. No certification. No mandated testing facilities. (But the market could create certifications and testing facilities on its own.)
What this would do is change the perverse incentives that currently exist to the correct incentives. Suddenly manufacturers would be all about security! It would be Job #1. Manufacturers might standardize and cooperate on secure Linux distributions upon which they base their products. They might cooperate to improve everyone's security.
Suddenly manufacturers might consider whether they should have an update mechanism (or not).
Manufacturers might consider whether certain things should even be connected to the cloud at all! Do we really need a cloud connected toy teddy bear?
Oh, yes. The retail price of some IoT devices might increase due to the manufacturer's cost of security measures. But that is as it should be. Right now the perverse incentive puts the costs on innocent parties that get DDOS'ed (or worse) by hacked IoT devices. This would fix that.
I'll see your senator, and I'll raise you two judges.
-The same people who can't secure the IRS
-The same people who can't secure nuclear power plants
-The same people who can't secure the veteran's administration
-The same people who can't secure the identities of military personnel
While I believe it's well intentioned this has zero chance of effecting any change. So a few in Congress are finally aware but the majority of both houses are clueless when it comes to tech (think: a series of tubes clueless). Either it will fail entirely (highest IMO) or it will be broken re something basic regarding the Constitution. It's almost as if half in Congress have never read the document.
Broken also covers the clear misses that are very likely regarding trying to lock down security for reason X but breaks it for everything else. I have no trust in the Republican controlled Congress and less belief in their ability to do the right thing for any reason at all.
Like home automation equipment isn't expensive enough already. Now we get to add on government red tape and delays to market while some inept bureaucracy looks over a new device. Your $50 light switch just doubled in price.
The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities.
"We can't be bothered to do our own research on what we buy, so you aren't allowed to sell us those. And to make sure you comply, we'll do our own research on what you sell us!"
Why not just mandate that the government can't buy those? That would be a lot simpler and accomplish the exact same thing. Neither addresses the real issue, but that's obviously not what this is about.
There are many IOT companies that market a product, sell it, design it, then die; in that order too.
A light switch can last decades. I'm going to use that as a hypothetical IOT device.
Let's say there is an orphaned brand of light switch that was installed in many places decades ago. It might have been "secure" when it was released, but encryption and systems security are only as good as the next few generations of computers. At some point in the future, everything will need to be patched.
All else being equal, we need to make sure that orphaned devices can be supported in the future via open source or have some form of insurance to replace expensive insecure systems when companies drop the ball.
IMHO it's not much of a problem now, but as IOT matures, there will be many orphaned, and possibly forgotten devices waiting to get breached.
These standards are pretty worthless. Unless you significantly exceed them, your products will suck at security.
lol yeah right. we notice your system sucks here is a little lib from the nsa so we can help you keep it "up to date" looooollllololol noooope
In all the mil tests we found there was always an IoT backdoor.
Always.
Without exception.
It's the nature of forgetfulness. "Honey, did you remember to update the toaster and the fridge?"
Unfortunately the Senate was hacked and the bill deleted.
Things like this always start out as something that SOUNDS like a good idea, but the government always fails. The net result is the government imposes upon us a total disaster that fails to solve the problem and makes things worse for everyone.
Just look at Obamacare. I'm sure those who supported it really thought it was going to make things cheaper and better for everyone but it didn't. This "great idea" made everything worse. Coverage became more expensive for everyone, and Obamacare is slowly changing the USA from a free country into someone's wet dream of a communist utopia. Karl Marx did write the best way to control a people is by controlling their health care. It seems liberal Democrats are following the communist manifesto step by step. How is that congruent with the principles upon which a free country is built?
Just look at the TSA. It started out with the good-sounding idea that we will keep Americans safe. What we ended up with is a fascist police state installed at our nation's airports, courthouses, football stadiums, and baseball fields conducting illegal and unconstitutional searches of every person who comes through. And it's coming soon to every train station and bus depot in the country. Who knows? Maybe they'll expand the police state into the subway stations and your local supermarket, too. Won't it be wonderful to obtain the government's approval for the food and clothes you want to buy? It's a UTOPIA I tell you!
Just look at the U.S. Border Patrol. It started out with the good-sounding idea that we're going to step up our efforts to combat illegal drugs, illegal border crossings, and other crimes. What we got was another fascist police state where they set up Soviet-style checkpoints on our interstates and pull over every car they see. Why? Because you're within 100 miles of a foreign border or an ocean coastline, so you're inside our "Constitution-Free Zone," that's why. These oppressive government thugs actually think you don't have constitutional rights.
There are many more examples of government's constant and ongoing failures, like the fact that Microsoft is still in business, but this post is already too long.
Government legislation should be the very last resort, relied upon only when everything else fails.
Stop, Senators! Stop! (Rolls up newspaper and swats them) Bad Senators! Bad! Would you stop it with this nonsense and just repeal Obamacare already?
Requiring updates is good and all, but for how long?
Even Microsoft was reluctant to patch XP. Someone, somewhere is still running Windows 95. Are they entitled to patches?
Say I buy a $50 IP camera for home security. Do I still demand patches in 2 years? 5 years? 10 years?
This might lead to a "kill switch" for cheap IoT devices once they go EOL. New model next year, no budget to patch both, so let's kill last year's. Otherwise, support costs will bring down any company.
For a car analogy, there's a time limit that manufacturers have to stock parts - Ford doesn't still offer parts for the Model-T. I just don't know what the IoT equivalent should be.
Most FIPS standards are a joke. I've seen where people trying to meet PCI standards actually had to reduce the security of their solution. The auditors just wanted to check a box, not understand why the PCI regs weren't any good.
I want to be able to turn off features to reduce attack vectors.
I want mandatory support periods - 10 yrs for $250+ devices with quarterly patches included for any device that makes more than 20K devices.
I want mandatory labeling on all networked devices:
* which protocols and ports are required or optional
* which IPs/DNS access is required or optional
Mandatory notification of any security related issues, including
* userid loss,
* any personal information, including names, addresses, billing info, device type, firmware version, etc.
* Corporate hacks uncovered must be announced within 48 hours of learning about them.
And as a rider for this law - let's make it illegal for bills to be due on non-work days, especially Sunday. Amex, you guys suck.
Bruce Schneier wrote an article about IoT govt oversight - he was proposing a separate agency, similar to the FCC, since a level of knowledge separate from the FTC and FCC is required.
A handful of morons in DC, whose primary job qualification is flapping their lips while exhaling and whose secondary skill is collecting cash from special interests and claiming it's not bribery, are going to write LAWS that lock in place rules for the fast-moving computer industry. They will then move on to create an agency to write the rules to accompany these laws and then (because they're generally too lazy to actually legislate and usually delegate that task to lobbyists and/or staffers) they will authorize the unelected and unaccountable bureaucrats in the new agency to write as many new rules as they please in the decades to come.
This is how the computer industry gets transformed into the Detroit auto industry or the defense contractor business - a heavily regulated business that slows down and sheds innovation and into which it eventually becomes virtually impossible for nearly any new vendor to enter. It's called "regulatory capture".
Once such an industry gets all gummed-up by big govt, it invests in lots of lobbyists and starts trying to achieve profitability by buying politicians and bribing them to keep any new upstarts from getting into the business.
Will their security rules eventually require the use of certain languages, techniques, "accepted best practices" etc? It might SOUND good... but remember: govt is slow and bloated and corrupt and currently still uses floppy disks and COBOL and FORTRAN. Will vendors of IoT hardware 5 years from now be free to use the by-then newest techniques and tools or will they be locked in to what some relatively stupid government workers approved while under the influence of lobbyists with interests in certain products and services?
Consider the FAA and their rules for avionics: If you even want to see the regulations that apply, you must buy them at a heavy price from the private company that wrote them and owns them... RTCA. They managed to get their specs and standards locked in by the FAA and they make nice money with their govt-mandated locked-in "customers". There are very few avionics vendors, since very few can afford the overhead of getting into that industry and few who can endure the costs (in time and money) of getting a product approved to be released.
On the one hand, sponsored by Ron Wyden. On the other hand, endorsed by somebody from VMWare. I'll withhold judgement until I see the actual bill.
But it's good to hear that somebody in Congress is at least taking the problem seriously, even if it's a couple years later than I would have liked.
They completely destroyed the voting computers and went to paper. Computers are great, but not for voting. https://en.wikipedia.org/wiki/...
Have you read TFS? They don't make it mandatory to make IoT devices patchable or even at least secure the moment they get shipped, all they do is say that if you want to sell your crap to the government it has to be.
So no, the Intelligently Designed Internet Of Things Systems can still be sold to their acronym.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.