Will warning labels shield users against insecure IoT?

A pair of Democratic lawmakers is backing new cybersecurity standards for the internet of things, including a framework to identify and label products.

Rep. Ted Lieu (D-Calif.) and Sen. Ed Markey (D-Mass.) introduced the Cyber Shield Act of 2017 on Oct. 27, which would empower the secretary of the Department of Commerce to create a program to grade and certify industry products that connect to the internet for cybersecurity and data security. It would also establish an advisory committee composed of industry representatives, cybersecurity experts and federal employees to recommend new standards and guidelines for internet of things security to the secretary of Commerce.

"The government and tech companies share an obligation to develop more transparency around the security of our favorite devices," Lieu said in a statement.

According to IT research firm Gartner, by 2020 there will be more than 20 billion devices, products and other "things" connected to the internet worldwide.  That potential reality has policymakers scrambling to determine how best to regulate IoT devices while also deterring hackers who may attempt to leverage their collective computing power to wreak havoc on public and private networks.

In 2016, the Mirai botnet was able to successfully block and slow access to large portions of the internet by taking over and leveraging the collective computing power of thousands of connected devices and executing a distributed denial of service attack on a major internet infrastructure company.

Lieu and Markey's bill is one of several that have been introduced in recent months to bolster the security standards around connected devices. In August 2017, Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) introduced the Internet of Things Cybersecurity Improvement Act, which would put strictures around government acquisition of devices, banning the purchase of unpatchable gear and devices with hard-coded passwords.

Warner and Gardner had investigated and ultimately rejected the warning label approach.

"We were increasingly convinced by talking to industry experts that there is no single static approach," said Rafi Martina, a policy aide to Warner, at an Oct. 25 meeting of the National Institute of Standards and Technology's Information Security and Privacy Advisory Board. A warning label "conveys a false sense of security," Martina explained, especially if "the vendor doesn't commit to patching to maintain the out-of-the-box level of security."

By focusing on the government market, Martina explained, they could commit to avoiding the presence of "smaller fly-by-night" devices -- the "stocking stuffers from the TJ Maxx checkout line" -- while at the same time respecting and encouraging more mature and serious market entrants.

"We need to ensure that the bar is set in line with that level of maturity," Martina said.  

The question remains whether government's purchasing power in the connected devices space will be big enough to contribute to security in the overall ecosystem. Martina said that it would be nice if it did, but what's important is making sure only secure devices ride on federal networks.

"That second-order effect is welcome," Martina said, "but the first order effect -- the higher level security in the government" -- is the main goal of the legislation.

FCW Executive Editor Adam Mazmanian contributed to this story.