New IoT bill is on the table: Here’s what that means for you

You’ve heard horror stories at this point about how devices with online features have been hacked – it seems that we truly have an Internet of Things (IoT).

And as vendors rush to put more and more of these IoT devices on the market, an increasing number of vulnerabilities are making it past quality control.

These vulnerabilities have been found in high-tech sanitizing equipment in hospitals, children’s stuffed teddy bears and even internet-connected hotel room doors.

As we become more connected and data-driven, these vulnerabilities pose a threat to IT systems around the world.

And the U.S. government hasn’t overlooked this threat.

Vulnerabilities haven’t gone ignored

Four senators – Steve Daines (R-MT), Cory Gardner (R-CO), Mark Warner (D-VA) and Ron Wyden (D-OR) – have proposed a bill called the Internet of Things Cybersecurity Improvement Act of 2017.

There are a couple of things it gets right, and a few more that might cause some problems for IT pros if they aren’t addressed by the time the bill is voted on and passed.

On the bright side, the bill calls for two major actions to start taking place in the IoT industry.

Step in the right direction

Whenever the government buys an IoT device for use in a business or office setting, the vendor must either claim there are no known vulnerabilities or apply for a special exemption.

The second stipulation, which has most security researchers cheering, is that, when the purpose is research, the researcher is exempt from the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act.

These acts have come up several times when vendors didn’t want security researchers tampering with devices or software, claiming the researchers were breaking laws in doing so.

If this bill is passed, it would be a boon for U.S. researchers to perhaps find more vulnerabilities in commonly available devices and software.

But here’s where the language of the bill might pose some trouble and ambiguity down the line.

Clearing things up

On the first stipulation, the definition of an IoT device is any physical object “capable of connecting to and … in regular connection with the Internet” that “can collect, send, or receive data.”

Based on that definition of IoT, that means any computer, laptop, tablet or smartphone may be covered by the bill.

While this isn’t necessarily a bad thing, it may cause some issues if the government is intending the IoT bill to be specifically about IoT devices.

Otherwise, it would mean that every single vendor that sells any internet-based system would need to maintain a list of all known vulnerabilities for its products.

The other issues involve the research section.

At the moment, it’s unclear if the protected researchers are freelancers, government contractors or both.

Furthermore, the bill mentions the make and model of the purchased device.

Does this mean that research can only be done on the exact make and model of the device the government bought?

Or will the bill provide broader protection as most hope?

While the bill is still in its fledgling state, it’s being hailed as a step in the right direction to making sure the IoT industry is protecting consumers’ data.
