Cybercriminals are ramping up their efforts to use compromised “Internet of things” devices in botnets that attack other systems, and Congress wants to do something to fix the problem.
Sen. Mark Warner, D-Va., who introduced an Internet of things security bill in mid-2017, is planning to offer new legislation in March, a spokeswoman said. Warner’s office didn’t offer details of the new bill, but she said there will be changes from 2017’s Internet of Things Cybersecurity Improvement Act.
The 2017 bill, which failed to pass, tried to use the U.S. government procurement process to encourage better security for Internet of things devices, which are everyday appliances with Internet connectivity such as smart refrigerators, Amazon’s Alexa, or app-controlled home security systems.
The bill would have required Internet of things vendors doing business with the government to ensure that devices are patchable and free from known security vulnerabilities. It would have also prohibited unchangeable passwords in devices sold to government agencies.
Supporters of government regulations say many Internet of things devices, particularly consumer-grade products like security cameras and connected television sets, are shipped with security holes and easily guessed default passwords. In some cases, the default security settings are difficult for buyers to change.
In February, Internet of things security startup WootCloud noted that three new Internet of things botnets are targeting video conferencing systems. In January, Internet service provider CenturyLink said an Internet of things botnet was driving traffic for a YouTube ad fraud scheme.
Many technology users “are starting to get frustrated” with security vulnerabilities, said James Goepel, CEO and general counsel of Fathom Cyber, a cybersecurity consulting group. “They are seeing companies they trust betray their trust, or at least do things that make it seem like maybe … privacy activists have a point.”
Goepel pointed to Google’s recent disclosure that some of its Nest thermostats had hidden microphones. “People have been warning that devices like personal assistants are listening to everything you do, and here Google embeds a microphone into a product and doesn’t even tell customers that it is there,” he said. “Their reaction? ‘Whoops. We should have told you. But don’t worry, it is off by default.’”
High-profile Internet of things breaches and security vulnerabilities are putting pressure on Congress to take some action, he added. Additional pressure comes from the California Legislature, which passed a bill in 2018 that requires device makers to build in “reasonable” security, although some critics complained that the legislation lacks specifics.
Many other states may follow California’s lead and pass their own cybersecurity bills, Goepel said. “The prospect of having to comply with 50 different laws will stifle innovation and competition in this space,” he added.
Congress may be on a deadline to act this year, he said. It will be difficult to pass substantial bills in the 2020 election year, and if Congress doesn’t pass a bill by then, many states may take action, he predicted. “If Congress doesn’t act this year, their inaction will create problems for years to come,” he said.
Other security experts question whether Congress will pass an Internet of things security bill at all, or one that makes an impact. Congress is unlikely to pass a bill, and if it does, the bill probably won’t be “anything that matters,” said Jamie Cambell, a cybersecurity consultant and founder of security review site GoBestVPN.com.
The recent California bill, for example, is more “reactive than proactive,” Cambell added. “On top of that, it doesn’t address the real issues behind security.”
But the California bill is, at least, a move toward better security regulations, he said. “As data breaches and hacks get bigger and bigger and media outlets cover them more, I believe the members of Congress will also start taking cybersecurity more seriously.”
Congress should pass legislation to regulate the Internet of things, but it’s unclear if it will, added Chris Carter, CEO of Approyo, a cloud and Internet of things consulting firm.
“Unfortunately, the individuals who are in Congress are not educated enough as to why they should be doing this,” he said. “Unless it’s going to bring dollars and cents to their bottom line for their re-election purposes, I don’t know if they understand how much they should really be taking this up.”