Smart Devices May Be Governed by Laws

John Lister

Politicians on both sides of the Atlantic are considering laws to tighten cyber security for the so-called Internet of Things (IoT). The rules would cover devices that aren't traditional computers or phones but still connect to the Internet.

The United States Congress is considering the Internet of Things Cyber Security Improvement Act. It has been examined by a Senate committee and is currently awaiting a date to be examined by the Senate as a whole. However, there's no guarantee it will be heard before the end of the year, when newly elected or re-elected Senators take their seats.

Agency To Set Standards

It's the third such attempted law in the US, all of which have tried to leverage the government's buying power as an incentive rather than affecting sales to private citizens. The first arguably failed because manufacturers objected to specific requirements. Contrastingly, the second was considered too vague by those arguing for tighter security measures.

The current attempt doesn't set out any specific measures that manufacturers must follow. Instead, it says the National Institute of Standards and Technology should set out standards and guidelines that apply to any devices the federal government uses or controls. (Source: congress.gov)

Meanwhile, the United Kingdom's government has published proposals for a law that would set out three specific requirements for any "smart" products sold in the country, whether to government or consumers.

No Dumb Passwords

The first is that the default password on any device must be unique to that device and avoid generic terms such as "admin".

The second is that all manufacturers must provide a way for users to report security flaws.

The third is that buyers must know at the time of purchase how long the product will continue to receive updates including security patches.

How the law will be enforced is still under discussion. Suggestions include bans on selling products that don't follow these guidelines, mandatory recalls, confiscation and destruction of stocks, and fines for offenders. (Source: which.co.uk)

What's Your Opinion?

Do you support either of these proposals? Should smart device security be a legal issue or should it be left to market forces? What product features would make you confident about the security of gadgets?


Comments

davolente_10330

I'm looking at this from the other side of the pond and have seen numerous articles about items classed as IOT being hacked and generally abused. I'm all for some sort of legislation to force manufacturers of these god-forsaken things (why "smart" and why connect mundane items like light bulbs to the net?) to make them more secure and also make it illegal to sell off or pass on any customers' data arising from use of said items. Are you listening, Amazon and Ring doorbell? It's high time that something concrete was instigated before it all gets completely out of hand.

ronangel1

Ring doorbell, I will not use as cannot connect directly to my wi-fi system locally or server.
Wants me to register, have limited recording space and charge me for it!
Once a third party has my details and location the system is no longer secure.
I want to record 24 hours if needed via camera if I want it to go to my cell phone, done via my server not third party (no matter how "secure"). No tech details like IP address or instructions supplied with these devices, just an app which I can do with like an extra hole in the head! Bring one out like this and you will sell many more, but lose after-sales revenue.

jamies

YES - Items have to have password protected access and controls -
YES - Many ship with simple codes for the control access -
YES - Many users (owners) do not change those access controls
Major FBI case many years ago - 'Hackers' accessed Government security database systems using the access and passwords "System" and "Test" as written in the installers guide where it stated they should be changed by the installer - The accessors were imprisoned - the Government management team (Unnamed) probably got bonuses and promotion.

So - if the laws are to be effective then they need to REQUIRE people set proper security
And how is that "Requirement" to be enforced -
Don't let those offenders have access to IT devices, imprison them for the offence, incarcerate them for not being mentally capable of following the law

Well, maybe consider the other links in the email from infopackets

Android Hit By New Banking Malware (published 20200721)
Windows 10 May Get Key Security Boost (published 20200715)
'Winky Face' Email Takes Control of PCs (published 20200714)
Zoom Video Conferencing a Major Risk on Windows 7 (published 20200713)

So - what is the point of users setting unique access control IDs and passwords
when the devices as shipped are so insecure that the intrusions can bypass the need for all the user-set codes!

Maybe the law should be along the lines of the supplier of insecure facilities should be required to pay on a monthly basis, an amount equivalent to (say 10 cents USD) in the recipient's local currency for every identified failure in the security of the software sold or licenced.
And that to be by posted cheque to avoid access of users bank account details.
That would
1) reduce unemployment with the number of postal workers needed to handle the mail
2) make the shipment of inadequately secure systems a more costly action than properly testing and coding of secure systems.

Note that it would be appropriate and legally acceptable that the costs could be charged to a 3rd party supplier where it can be shown that the facility at fault was obtained from that supplier in the faulty condition.
Not relieving the End-product/retail ? supplier of the liability and recompense requirement
Just allowing the cost to be passed on up the supply chain to the actual problem source.

Add to that -
Professional indemnity insurance to be required to cover any claims made in the 10 years following the payment of the premium.

As in not allowing insurers to only cover claims made during the period of cover - and allowing them to cease providing cover as soon as there are a couple of claims.
So the "trader" needs to get cover for the appropriate period BEFORE they start trading in IT or other products such as selling or advising on investments and purchases.

Hey - how about making "Management" responsible for their actions and failure to take appropriate action.
Avoids them ducking responsibility for actions taken in directing corporate and government organisations.
OK - responsibility can be legally avoided by showing that subordinates withheld information despite formal instructions not to.
So - yes a Manager should not be considered responsible for subordinates actions if they can show the subordinate deliberately failed to inform them of something of which they should have informed their manager, and that they were capable of understanding that the manager should be informed.