New IoT legislation to be introduced in U.S.
Thu 3 Aug 2017

A group of U.S. senators plans to introduce legislation seeking to prevent vulnerabilities in IoT, according to a Reuters report.
The new bill, due to be announced next week, would require vendors that provide web-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. The bill would also forbid vendors from supplying devices that have unchangeable passwords or known security vulnerabilities.
The legislation is sponsored by Democrats Mark Warner and Ron Wyden, and Republicans Steve Daines and Cory Gardner. The bill was drafted with input from IT experts from the Atlantic Council and Harvard University.
A Senate aide who helped write the bill said that companion legislation in the House was expected soon. ‘We’re trying to take the lightest touch possible,’ said Warner.
The legislation was intended to remedy an ‘obvious market failure’ that has left device manufacturers with almost no incentive to build with security in mind. The bill would allow federal agencies to ask the U.S. Office of Management and Budget for permission to buy non-compliant devices if other controls, such as network segmentation, are present.
The bill would also expand legal protections for cyber researchers who hack equipment to find vulnerabilities, so that manufacturers can patch previously unknown flaws.
Though security for IoT has been a known problem for years, some manufacturers say they are not well equipped to produce cyber-secure devices.
Chief technology officer at cloud computing firm VMware, Ray O’Farrell, said the new legislation includes ‘reasonable security recommendations’ that would be critical to improving protection of federal government networks.
In July, Amazon Web Services and VMware started negotiating a partnership on data centre software. The two companies are considering jointly developing a software product for use in the data centre.