Billions of internet-connected things like smart light bulbs are expected to pop up in our homes and businesses in the coming years. And a group of senators wants to help make them more secure.
The bipartisan group introduced a bill on Tuesday to address some concerns regarding the so-called Internet of Things (IoT). It would require any companies that provide the federal government with internet-enabled devices to meet basic security requirements.
Devices must be able to receive software updates, have login credentials that can be changed by the user, and not have any known vulnerabilities. The bill, introduced by Democrats Mark Warner and Ron Wyden and Republicans Cory Gardner and Steve Daines, also requires devices to use standard technology protocols.
Government agencies could ask to use devices that don’t meet these requirements, but only if other security measures are in place.
The proposed bill addresses the concern that devices connected to the internet — like cameras, coffee makers, and door locks — can be insecure gateways into home or business networks. Vulnerable devices can also be hijacked to create an army of zombie computers called a botnet.
Last year, a big cyberattack turned vulnerable security cameras into a botnet that took down major websites including Netflix and Twitter. The so-called Mirai attack motivated the drafting of Tuesday’s bill because it revealed how insecure smart devices can cause real harm, said Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council.
Senators consulted with Corman while drafting the bill.
“Every Christmas when we have more and more IoT devices like Hello Barbie and Amazon Echoes, there’s more fertile soil for these attackers to launch bigger attacks,” Corman told CNN Tech.
The number of Internet of Things devices is expected to top 20 billion by 2020.
Also included in the bill is a provision that some security researchers should be able to look for vulnerabilities in smart devices without the threat of a lawsuit. Currently, researchers are hamstrung by certain laws.
“It’s an important step in vindicating the principle that one of the best ways to understand the vulnerabilities of something is to be able to tinker with it,” said Jonathan Zittrain, a Harvard Law professor.
While the bill targets companies that want to supply the government with smart devices, it will have a trickle-down effect on consumers.
The government wants to protect itself and national security interests. But consumers buy smart devices, too. And tech companies won’t make different versions depending on the customer.
“Any industry that can affect public safety and human life eventually gets some minimum hygiene standards,” Corman said. “And software now can affect public safety and human life.”