While at one time the very idea seemed to promise the possibility of a digitally connected utopia, these days the Internet of Things is mostly notable for simultaneously being both a punchline and a threat to the very core of the internet. However, at least part of that may change — maybe — if two U.S. Congressmen have their way.
On Friday, Senator Ed Markey (D-MA) and Representative Ted Lieu (D-CA) proposed a bill that aims to establish a standardized system for evaluating and certifying the security of IoT products. With so many manufacturers of internet-connected cameras and toasters ignoring basic best practices, this measure would allow a concerned customer to sort the wheat from the botnet-infected chaff.
Think something along the lines of a “certified organic” sticker, but instead of telling you pesticides weren’t used on your carrots, you get to see that your smart fridge is less likely to be taken over by the Mirai botnet or its kin.
“The Secretary shall establish a voluntary program to identify and certify covered products with superior cybersecurity and data security through voluntary certification and labeling of, and other forms of communication about, covered products and subsets of covered products that meet industry-leading cybersecurity and data security benchmarks to enhance cybersecurity and protect data,” reads the bill. “[The Secretary] shall permit a manufacturer or distributor of a covered product to display a Cyber Shield label reflecting the extent to which the product meets the industry-leading cybersecurity and data security benchmarks established under paragraph.”
“The IoT will also stand for the Internet of Threats unless we put in place appropriate cybersecurity safeguards,” explained Senator Markey in a press release. “With as many as 50 billion IoT devices projected to be in our pockets and homes by 2020, cybersecurity will continue to pose a direct threat to economic prosperity, privacy, and our nation’s security. By creating a cybersecurity certification program, the Cyber Shield Act will help ensure consumers can reliably identify more secure products and rewards manufacturers that adopt the best cybersecurity practices.”
That someone in the government is even thinking about this problem represents a positive change. However, a voluntary labeling program is not the same thing as mandating that manufacturers of internet-connected devices stop, among other things, using default admin passwords for their gadgets.
Until that day comes, IoT devices will always be a risk to the online ecosystem. But hey, you have to start somewhere.