Can US senators secure the Internet of Things?

For once, this isn’t an Internet of Things (IoT) story about an egregious security blunder in a webcam, or a printer, or a light bulb, or a talking doll, or a home router.

Quite the opposite, in fact.

It’s a story about a proposal by the US Congress to introduce a law called The Internet of Things (IoT) Cybersecurity Improvement Act of 2017.

In an intriguing choice of words, the bill aims to specify what the regulators are calling “minimal cybersecurity operational standards” for IoT devices.

We’re not sure if American English uses the words minimal standards where British English would prefer minimum standards (meaning the standards below which you may not go, even if those standards are quite high)…

…or if the US legislators are quite literally admitting that we are living in such an insecure IoT world that mandating even the most modest security standards would be an effective start.

We suspect that both these meanings apply.

We need minimum standards (i.e. ones that everyone is required to meet), but we might as well start with a minimal minimum (i.e. one that, although unimpressive, is unarguably achievable by everyone).

This is an interesting contrast to our law-makers’ story from yesterday in which we reported that UK Home Secretary Amber Rudd wanted to attack encryption in the other direction.

Rudd as good as said that she wants the UK to legislate for minimal maximum standards for cryptographic products (i.e. to weaken them on purpose).

Rudd argued that “real people” don’t care much about security, so it would be acceptable to regulate it away in order to fight terrorism and hate crime.

The US IoT Improvement Act, fortunately, as good as states that whether “real people” care about security or not, the vendors who sell them internet devices jolly well ought to care on their behalf.

Among the proposals in the US bill:

  • Fix firmware vulnerabilities in a reasonable time.
  • Provide a mechanism for authenticated firmware upgrades, so that fixes can actually be deployed.
  • Or, if the firmware can’t be updated, send your customers a replacement device with the new firmware burned in.
  • Don’t use hardcoded passwords or credentials that can’t be changed.
  • Stick to trusted and approved encryption – no outdated or home-made algorithms.
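To make the second and third points concrete, here is an added example (not from the bill, and not code from the article or its author) of the device-side check that "authenticated firmware upgrades" implies: the update is accepted only if its signature verifies under a vendor public key baked into the device, and, going one step beyond the bill's wording, only if its version is strictly newer than the installed one, so that an old vulnerable image cannot be replayed once a fix has shipped. The image layout (a 4-byte version followed by the payload), the use of Ed25519, and the function names are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed (constructed) image layout: a 4-byte big-endian version number
// followed by the firmware payload. The Ed25519 signature covers the whole
// image, so the version field cannot be edited without breaking the signature.
const versionLen = 4

// Update is what the device receives: the image bytes and a detached signature.
type Update struct {
	Image []byte
	Sig   []byte
}

var (
	ErrTooShort     = errors.New("firmware: image shorter than version header")
	ErrBadSignature = errors.New("firmware: signature does not verify under vendor key")
	ErrRollback     = errors.New("firmware: version is not newer than the installed one")
)

// SignImage is the vendor side: build the image and sign it with the vendor's
// private key, which stays in the vendor's build pipeline and never ships.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	img := make([]byte, versionLen+len(payload))
	binary.BigEndian.PutUint32(img[:versionLen], version)
	copy(img[versionLen:], payload)
	return Update{Image: img, Sig: ed25519.Sign(priv, img)}
}

// VerifyUpdate is the device side. It accepts an update only if the signature
// verifies under the vendor public key provisioned on the device and the
// version is strictly newer than what is installed (anti-rollback).
// On success it returns the new version number for the device to record.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, u Update) (uint32, error) {
	if len(u.Image) < versionLen {
		return 0, ErrTooShort
	}
	// Verify before parsing anything else: unauthenticated bytes get no trust.
	if !ed25519.Verify(vendorPub, u.Image, u.Sig) {
		return 0, ErrBadSignature
	}
	v := binary.BigEndian.Uint32(u.Image[:versionLen])
	if v <= installed {
		return 0, ErrRollback
	}
	return v, nil
}

func main() {
	// Constructed demo: one vendor key pair, a device currently on version 1.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	good := SignImage(priv, 2, []byte("fw payload v2"))
	v, err := VerifyUpdate(pub, 1, good)
	fmt.Println("genuine v2 update:", v, err)

	// A single flipped payload byte breaks the signature.
	tampered := Update{Image: append([]byte{}, good.Image...), Sig: good.Sig}
	tampered.Image[len(tampered.Image)-1] ^= 0x01
	_, err = VerifyUpdate(pub, 1, tampered)
	fmt.Println("tampered payload:", err)

	// A genuinely signed but older image is refused once the device is past it.
	old := SignImage(priv, 1, []byte("fw payload v1"))
	_, err = VerifyUpdate(pub, 1, old)
	fmt.Println("replayed old image:", err)
}
```

The ordering inside VerifyUpdate is the point worth noticing: the signature is checked before any field of the image is interpreted, so a malformed or forged image never reaches the parsing or flashing logic, and the version comparison uses a value that is itself covered by the signature.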

Will it work?

Even if you are generally an opponent of government intervention in IT and the internet, on the grounds that the more you meddle, the muddier it all gets, and therefore the less innovation there will be…

…it’s hard to oppose a minimal minimum law of this sort.

After all, we already have billions of IoT devices in use and on sale, and security seems to take second place, tenth place, or even no place at all in many of them.

Sure, vendors with strong technical ability and decent business ethics are already at or above these proposed minimal minima, but an awful lot of vendors aren’t, and don’t have any incentive to change their approach.

If you want to stop a race to the bottom, a good way is to make the ocean shallower, and to put a bunch of spikes on the sea bed to prevent laggards from settling there in comfort.