Security among Internet of Things devices is bad enough at home, but it’s downright scary in government, where a vulnerable security camera could lead to hackers stealing vital secrets. A bipartisan team of US senators wants to reduce the chances of that ever happening. They’re introducing a bill, the Internet of Things Cybersecurity Improvement Act, that mandates a base level of security standards for any IoT gadgets used in government. The would-be law is there mostly to ensure that vendors don’t get away with rookie mistakes that leave their devices wide open to attack.
The legislation would require that devices support patches and password changes, and are free of known exploits. To that end, security researchers would have greater legal protection when they’re hacking devices to find those exploits. The government would be allowed to ask for permission to buy devices that don’t meet all the requirements, but only if they’re fenced in through network isolation, operating system containers or other tricks that prevent attackers from doing much damage.
There’s no guarantee that the measure will become law. There’s a corresponding House bill already in the works, however, and Senator Mark Warner stresses that they’re aiming for the “lightest touch” possible. This is more about raising the bar for IoT gear than imposing a narrow set of expectations. If it does take effect, though, it could have an impact well beyond government. Some companies are likely to sell their connected devices to both home and government users, and scoring a lucrative government contract could require that they improve the baseline security for everyone.