US senators plan IoT legislation requiring vendors to secure their products
New legislation to be introduced in the US Senate next week would impose minimum security standards on IoT devices and protect 'good faith' hackers
US lawmakers in the Senate, America's upper house, are planning to introduce draft legislation next week that would require makers of Internet of Things and other connected devices to ensure that their products are patchable and conform to industry standards for security.
The legislation is a bi-partisan effort led by Democratic Party senators Mark Warner and Ron Wyden, and Republicans Steve Daines and Cory Gardner.
Although relatively modest in scope, the legislation represents a first step towards requiring device makers to start taking responsibility for the security of products connected to the internet. "We're trying to take the lightest touch possible," Warner told Reuters.
He added that the legislation was intended to remedy an "obvious market failure" that has left device manufacturers with little incentive to build with security in mind.
It echoes thinking from security specialists such as Bruce Schneier, who have suggested that sensible - rather than heavy-handed - legislation is required to push device makers to improve the security of their products.
In November last year, following the Mirai malware attacks that compromised chronically insecure internet-connected CCTV systems, Schneier wrote: "The technical reason these devices are insecure is complicated, but there is a market failure at work…
"The teams building these devices don't have the security expertise we've come to expect from the major computer and smartphone manufacturers, simply because the market won't stand for the additional costs that would require.
"These devices don't get security updates like our more expensive computers, and many don't even have a way to be patched. And, unlike our computers and phones, they stay around for years and decades… Like pollution, the only solution is to regulate," wrote Schneier.
The draft legislation was put together with help from IT specialists from the Atlantic Council and Harvard University. It would also expand protection for security researchers who hack equipment for the purpose of finding vulnerabilities.