US law makers to introduce IoT security legislation next week

New legislation would impose minimum security standards on IoT devices - and also encourage 'good faith' hackers to test them

US senators are planning to introduce draft legislation next week that would, for the first time, obligate makers of Internet of Things (IoT) devices to to ensure that their products can be patched and meet minimum security standards.

The legislation is a bi-partisan effort led by Democratic Party senators Mark Warner and Ron Wyden, and Republicans Steve Daines and Cory Gardner.

Although relatively modest in scope, the legislation represents a first step to requiring device makers to start taking responsibility for the security of products connected to the internet. "We're trying to take the lightest touch possible," Warner told Reuters.

He added that the legislation was intended to remedy an "obvious market failure" that has left device manufacturers with little incentive to build with security in mind.

It echoes thinking from security specialists such as Bruce Schneier, who have suggested that sensible - rather than heavy-handed - legislation is required to push device makers to improve the security of their products.

In November last year, following the Mirai malware attacks that compromised chronically insecure internet-connected CCTV systems, Schneier wrote: "The technical reason these devices are insecure is complicated, but there is a market failure at work…

"The teams building these devices don't have the security expertise we've come to expect from the major computer and smartphone manufacturers, simply because the market won't stand for the additional costs that would require.

"These devices don't get security updates like our more expensive computers, and many don't even have a way to be patched. And, unlike our computers and phones, they stay around for years and decades… Like pollution, the only solution is to regulate," wrote Schneier.

The draft legislation was put together with help from IT specialists from the Atlantic Council and Harvard University. It would also expand protection for security researchers to hack equipment with the purpose of finding vulnerabilities.

Computing's DevOps Summit returns on 19 September. Attendance is free to qualifying IT leaders and other senior IT professionals, but places will go fast, so secure yours now.