Lawmakers in the U.S. Senate today introduced a bill that would set baseline security standards for the government’s purchase and use of a broad range of Internet-connected devices, including computers, routers and security cameras. The legislation, which also seeks to remedy some widely-perceived shortcomings in existing cybercrime law, was developed in direct response to a series of massive cyber attacks in 2016 that were fueled for the most part by poorly-secured “Internet of Things” (IoT) devices.

Mostly, I don't think that there should be new laws for almost anything. But readers know that I've been ranting about the lousy security of the Internet of Things for a long time (I see you roll your eyes at me).
The IoT Cybersecurity Improvement Act of 2017 seeks to use the government’s buying power to signal the basic level of security that IoT devices sold to Uncle Sam will need to have. For example, the bill would require vendors of Internet-connected devices purchased by the federal government to make sure the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that vendors ensure the devices are free from known vulnerabilities when sold.

This seems to me to be exactly the way to approach this. The Fed.Gov buys a bunch of stuff, so much that they can (and often do - see FIPS 140) get companies to add security to their products. After all, the Fed.Gov doesn't have to buy anyone's products if they don't think they're fit for purpose. Since a lot of IoT products are based on the same software stack, there's a good chance that a lot of consumer products would pick these up, since it's cheaper for the companies to support a single stack for everything rather than a government one and a consumer one.
And then IoT companies will start competing with pure consumer competitors based on security.
All in all, this seems like a reasonable approach. It's a carrot, not a stick. Hard to see how it would make things worse.