US Senators Unveil Their Attempt To Secure The Internet Of Very Broken Things

from the good-luck-with-that dept

Over the last few years we've documented in painstaking detail how the lack of any real security and privacy standards in "internet of things" devices is leading us down a path to some serious trouble. That shouldn't be particularly surprising if you've paid attention to how your refrigerator can now leak your Gmail credentials, your "smart" thermostat is now vulnerable to ransomware attacks, your smart car could be hacked in order to kill you, your power outlets can be hacked and used to launch DDoS attacks, or how your vibrator is now busy collecting data on your daily behavior.

There's one root cause: companies that prioritized making a quick buck over implementing anything resembling sane security or privacy standards.

And despite this dysfunction now being the butt of endless jokes, things really haven't changed all that much, since actually giving a damn about the problem would erode profit margins for WiFi-enabled widget makers. The end result is the daily introduction of millions of new attack vectors for both homes and businesses on a global scale. As such, there are more than a few security experts who, no hyperbole intended, believe it's inevitable that this problem will impact core infrastructure, leading to significant human casualties.

Given that this is a global problem, and many of these companies are Chinese, legislating the problem away via U.S. law is likely going to be a steep uphill climb. That doesn't seem to concern Congress, which this week introduced a new bill it hopes will help secure the internet of very broken things:

"The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon."

While IoT legislation may be well-intentioned, many of these devices (like the security cameras and DVRs that contributed to the historically massive DDoS attack on Dyn last year) are made in China, where manufacturers will laugh off foreign legislative band-aids. And while there are very legitimate concerns that legislation crafted by a Luddite Congress could stifle innovation and experimentation in the space, this particular proposal does at least apply some standards to the IoT devices purchased and used by the federal government, injecting at least a layer of sanity and reflection into the rapid expansion of poorly-secured IoT devices.

Security researcher Brian Krebs highlights another good part of the bill, namely the portion that expands legal protections for cyber researchers working in "good faith" to hack equipment to find vulnerabilities so manufacturers can patch previously unknown flaws:

"Those advocates were no doubt involved in shaping other aspects of this legislation, including one that exempts cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act (CFAA), a dated anti-cybercrime law that many critics say has been abused by government prosecutors and companies to intimidate and silence security researchers. Perhaps the most infamous example of prosecutorial overreach under the CFAA comes in Aaron Swartz, a Harvard research fellow who committed suicide after being hounded by multiple CFAA fraud charges by state and federal prosecutors for downloading a large number of academic journals."

All of that said, the legislation isn't going to do enough to prevent major, looming problems. Between 20 billion and 30 billion "IoT" devices are expected to be connected to the internet by 2020 worldwide. And as Bruce Schneier has noted on occasion, the origins of this market failure begin with an apathetic cycle of dysfunction between hardware vendors and consumers, something that the market alone has shown it's not capable of -- or seriously interested in -- fixing:

"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

So while this law may be a start, it's going to take a lot more than U.S.-specific legislation to fix this particular market failure, assuming such laws don't actually manage to make the problem worse. Smart networks, smarter engineers, better routers, better code, and better communications between companies, governments, activists, and other stakeholders are all essential to get ahead of this particular threat. Fixing the internet of broken things requires a massive, over-arching, holistic effort, one that doesn't exist yet, and unfortunately isn't likely to gain serious momentum until after the internet of broken things check comes due.


Filed Under: cfaa, congress, iot, mandates, researchers, security