Congress to smart device makers: Your security sucks

Four senators propose the "Internet of Things Cybersecurity Improvement Act," calling for minimum security standards for connected devices.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

Congress proposed a bill to up the security on IoT devices.

James Martin/CNET

Congress wants to fix the notorious security problems associated with the internet of things -- at least for themselves.

On Tuesday, Sens. Mark Warner, Cory Gardner, Ron Wyden and Steve Daines introduced the "Internet of Things Cybersecurity Improvement Act," (PDF) a bill that would force tech companies to ramp up security if they want to sell connected devices to the federal government.

Security on internet-connected devices hasn't kept pace with a market that is expected to grow to 20.4 billion IoT devices globally by 2020. Gadget designers tend to make IoT devices as simple as possible, which often means sacrificing security.

The trade-off has meant that thousands of IoT devices -- everything from connected security cameras to sex toys to baby monitors -- can easily be hacked. The senators' proposed bill aims to ensure vulnerable devices aren't used by the federal government.

The bill would require that IoT devices sold to the federal government have the ability to be patched and don't use hard-coded passwords. The last part is important because connected devices often come with passwords like "admin," which are easy for hackers to guess but can't be changed. Thanks to thousands of cameras and DVRs with hard-coded passwords, a massive distributed denial of service attack, or DDoS, was able to take down a major portion of the internet last October.

"My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products," Warner said.

The bill would block any IoT devices with known security issues from government use and require device makers to patch any new flaws. Security researchers who hack IoT devices used by the federal government in order to find new flaws would be exempt from the Computer Fraud and Abuse Act, which has been used to charge hackers.

The proposed bill only meets the "bare minimum standard" for IoT security, said Tyler Shields, the vice president of strategy at security company Signal Sciences, adding that it's better than nothing.

Being able to patch a device isn't exactly advanced security, Shields pointed out. In the long term, no bare-minimum legislation has ever been able to solve all security issues, he said.

The federal government primarily uses IoT devices to cut costs, according to the Center for Data Innovation. The General Services Administration's buildings saved $15 million in 2016 because of sensors that collect data on energy use.

The federal government also uses IoT devices for scientific research. For example, the Centers for Disease Control and Protection uses connected devices to monitor mining environments, and the National Oceanic and Atmospheric Administration has sensors for studying whale migrations and underwater volcanoes.

"Will this make IoT secure as a final point? Absolutely not, in no way," Shields said. "What it will do, is set a bare minimum for the government. Hopefully it sets a standard for the commercial sectors too."
