House Passes Bill To Address The Internet Of Broken Things
from the your-fridge-needs-a-better-firewall dept
Though it doesn't grab the same headline attention as the silly and pointless TikTok ban, the lack of security and privacy standards in the internet of things (IOT) is arguably a much bigger problem. TikTok is, after all, just one app, hoovering up consumer data in a way that's not particularly different from the 45,000 other international apps, services, governments, and telecoms doing much the same thing. The IOT, in contrast, involves millions of feebly secured products being attached to home and business networks every day. Many also made in China, but featuring microphones and cameras.
Thanks to a laundry list of lazy companies, everything from your Barbie doll to your tea kettle is now hackable. Worse, these devices are now being quickly incorporated into some of the largest botnets ever built, resulting in devastating and historic DDoS attacks. In short: thanks to "internet of things" companies that prioritized profits over consumer privacy and the safety of the internet, we're now facing a security and privacy dumpster fire that many experts believe will, sooner or later, result in some notably nasty results.
To that end, the House this week finally passed the Internet of Things Cybersecurity Improvement Act, which should finally bring some meaningful privacy and security standards to the internet of things (IOT). Cory Gardner, Mark Warner, and other lawmakers note the bill creates some baseline standards for security and privacy that must be consistently updated (what a novel idea), while prohibiting government agencies from using gear that doesn't pass muster. It also includes some transparency requirements mandating that any vulnerabilities in IOT hardware are disseminated among agencies and the public quickly:
"Securing the Internet of Things is a key vulnerability Congress must address. While IoT devices improve and enhance nearly every aspect of our society, economy and everyday lives, these devices must be secure in order to protect Americans’ personal data. The IoT Cybersecurity Improvement Act would ensure that taxpayers dollars are only being used to purchase IoT devices that meet basic, minimum security requirements. This would ensure that we adequately mitigate vulnerabilities these devices might create on federal networks."
Again, it's not going to get the same attention as the TikTok pearl clutching, but it's arguably more important.
The IOT is a simultaneously a successful sector while at the same time suffering from a form of market failure. I come back a lot to this Bruce Schneier blog post because I think it explains IOT dysfunction rather well:
"The market can’t fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don’t care. Their devices were cheap to buy, they still work, and they don’t know any of the victims of the attacks. The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
One problem is that consumers often don't know what they're buying because sellers aren't transparent, which is why groups like Consumer Reports have been working on an open source standard to include security and privacy issues in product reviews. Another big problem is that these devices are rarely designed with GUIs that provide transparent insight into what these devices are doing online. And unless users have a semi-sophisticated familiarity with monitoring their internet traffic via a router, they likely have no idea that their shiny new internet-connected doo-dad is putting themselves, and others, at risk.
Fixing the IOT requires collaboration between consumers, vendors, governments, and security experts, and so far that coordination has been patchy at best. Instead of developing policies and standards that address an entire sector's worth of security and privacy problems, the U.S. adores hyperventilating about individual threats (see: TikTok) then pushing policies (see: the TikTok ban) that don't actually accomplish that much. U.S. data privacy and security is a problem that requires a much wider view, instead of this bizarre, inconsistent consternation that's more ADHD Whac-a-Mole than serious policy.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, iot, privacy, security
Reader Comments
Subscribe: RSS
View by: Time | Thread
...but only applies to products purchased with taxpayer dollars
Pretty wimpy attempt that doesn't do much and definitely does nothing about the zillions of silly gizmos already in operation. This is similar to grandstanding "gun control" legislation, which does nothing about the hundreds of millions of firearms already resident in the U.S. Perhaps, someday, we'll be able to elect some Congresscritters who aren't both technologically ignorant and beholden to big corporations. (I also believe in Santa Claus!)
[ link to this | view in thread ]
So... is there any chance that this will make it through the Senate and the POTUS? We''ve now had two awesome house bills today that aren't likely to go anywhere in this sitting.
[ link to this | view in thread ]
Re: ...but only applies to products purchased with taxpayer doll
Honestly, how can they? I write a nifty program on a raspberry pi, get a product together, Widget X, and sell it for 6 months as a finished product. After that, the product is decommissioned and a new Widget Xv2 is up for sale while the older product is EOL'd. Seriously, this is the American way, forced obsolescence. It's the same reason for a PS5, Apple Watch 6, et al... 99% of the shit is the same, but we'll force you to purchase a new item because we won't update the older one even it there is nothing physically stopping it from working. You can't force people to purchase new hardware, and you really can't force companies to update software. It's a catch-22 and sadly it's probably the cause of a lot of the malware being generated today. Perhaps we should make a liability law if found, but tracking down the source will be rather difficult to say the least.
[ link to this | view in thread ]
Re: any chance
... Sure -- tons of unconstitutional bills make it through the Senate and POTUS
[ link to this | view in thread ]
This won't work
Since when has having Congress, a group that caters to the highest bidder and has little to no technological knowledge, legislate a solution actually worked?
[ link to this | view in thread ]
Re: This won't work
Enough people in the house aren't bowing to the moneyed interests. The Senate and Prez? Not so much.
[ link to this | view in thread ]
It's a nice gesture but won't go anywhere. All you have to do is look at Graveyard Mitch's performance over the last years of his majority for the head of the senate to know this is just a feel good effort.
It will never come up for a vote in the senate anymore than any of the last 400 bills, not counting resolutions, that have failed to come up for vote.
The only thing that concerns the Republican Senate for action is judges put into place with a Republican bent. The Demacrats don't have enough votes to counter any of that.
[ link to this | view in thread ]
Re: This won't work
Agree.
And Congress is so incompetent overall they are totally unable to even enact a normal fiscal budget each year, their most basic responsibility.
The House was also very confused as to the actual enforcement of this bill. They reluctantly settled on the FTC to do the dirty work, although it is outside FTC authority.
[ link to this | view in thread ]
Re: Re: This won't work
"Enough people in the house aren't bowing to the moneyed interests."
Obviously not "enough people". Or today's US would look a lot different.
[ link to this | view in thread ]
Call me a cynic if you will...
...but isn't this just the perfect entrance to seague into a demand for a suitably government oversight office of some kind to regulate what goes into anything with a processor?
I'd really like to look at this as just another bunch of inept politicians making unenforceable legislation about technology they know nothing about, but I wouldn't be surprised to see a bill demanding anything capable of running computer code being mandatorily "enhanced" with an applet which monitors the device and opens a feed to the FBI - for the consumers safety, naturally.
[ link to this | view in thread ]
no pun intended, honest!
"I had to pay some kid in the Ukraine $750 so I could access my own genitals" is a new wrinkle many hadn't seen coming.
But I'm pretty sure Philip K. Dick wrote a story about that.
[ link to this | view in thread ]