By Dustin Volz
SAN FRANCISCO (Reuters) – A bipartisan group of U.S. senators on Tuesday plans to introduce legislation seeking to address vulnerabilities in computing devices embedded in everyday objects – known in the tech industry as the “internet of things” – which experts have long warned poses a threat to global cyber security.
The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities.
Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon.
“We’re trying to take the lightest touch possible,” Warner told Reuters in an interview. He added that the legislation was intended to remedy an “obvious market failure” that has left device manufacturers with little incentive to build with security in mind.
The legislation would allow federal agencies to ask the U.S. Office of Management and Budget for permission to buy some non-compliant devices if other controls, such as network segmentation, are in place.
It would also expand legal protections for cyber researchers working in “good faith” to hack equipment to find vulnerabilities so manufacturers can patch previously unknown flaws.
Security researchers have long said that the ballooning array of online devices including cars, household appliances, speakers and medical equipment are not adequately protected from hackers who might attempt to steal personal information or launch sophisticated cyber attacks.
Between 20 billion and 30 billion devices are expected to be connected to the internet by 2020, researchers estimate, with a large percentage of them insecure.
Though security for the internet of things has been a known problem for years, some manufacturers say they are not well equipped to produce cyber secure devices.
Hundreds of thousands of insecure webcams, digital records and other everyday devices were hijacked last October to support a major attack on internet infrastructure that temporarily knocked some web services offline, including Twitter, PayPal and Spotify.
The new legislation includes “reasonable security recommendations” that would be important to improve protection of federal government networks, said Ray O’Farrell, chief technology officer at cloud computing firm VMware.
(Reporting by Dustin Volz; Editing by Bill Rigby)