A cross-party group of US Senators have this week introduced the Internet of Things Cybersecurity Improvement Act, which would ensure that companies selling IoT devices to the Federal Government met a minimum security threshold. The minimum threshold loosely revolves around ensuring that products are patchable and prohibiting vendors from supplying devices that have unchangeable passwords.
Federal agencies would have the ability to enforce higher security measures and also petition for exceptions to the ruling if it were impractical or uneconomic to have the additional functionality. The Act also seeks to attempt to protect security researchers who exposed flaws in IoT devices used by the Government from prosecution.
Whilst the Act is limited to technology being sold to the Government the intention is that there will be substantial overspill into the wider IoT market. The development follows on from the publication of Strategic Principles for Securing the IoT from the Department of Homeland Security (DHS) in January.
The conversation in the UK and EU is currently focused on consumer devices with discussion ongoing about a potential trust or secure label. The Department for Digital, Culture, Media and Sport (DCMS) are also looking at potential interventions in this area. techUK is on the external advisory group for this project and will be holding a call between the IoT and Cyber Security Councils – if you are interested; http://www.techuk.org/events/meeting/item/11152-joint-iot-and-cyber-security-council-working-group