Cyber Shield Act IoT security labeling proposed by Dems

A scheme to label Internet of Things devices that meet more stringent security standards has been proposed by the US Democrats, responding to mounting concerns about the safety of connected gadgets. The idea, dubbed the Cyber Shield Act of 2017, was put forward by Congressman Ted W. Lieu (D-Los Angeles County) and Senator Edward J. Markey (D-Mass.) today. In addition to creating a label that compliant IoT devices would bear, the bill, if passed, would establish a best-practices advisory committee.

The Internet of Things is one of the predicted growth segments of the tech space, as connectivity gets cheaper and more frugal in terms of power and data, and wireless networks become more widespread. At the same time, however, there are mounting concerns that the lack of regulatory security demands could lead to increasing numbers of hacks, breaches, and privacy exploits.

It's not a baseless concern. The Mirai botnet in 2016, for example, took advantage of middling security in out-of-date versions of Linux installed on connected cameras and old routers, among other things, which had been released with a default username and password still set. Hackers took advantage of that to install rogue code onto thousands of such devices, and then targeted Netflix, Spotify, and others.

While many companies – predominantly those making chipsets for IoT devices – have released new products with more stringent security, the segment as a whole, and the risks it brings, are still poorly understood by consumers. The Cyber Shield Act would go some way to address that, creating a number of so-called "cybersecurity benchmarks" across categories including connected cameras, baby monitors, and cellphones.

"The IoT will also stand for the Internet of Threats unless we put in place appropriate cybersecurity safeguards," Senator Markey said today. "With as many as 50 billion IoT devices projected to be in our pockets and homes by 2020, cybersecurity will continue to pose a direct threat to economic prosperity, privacy, and our nation's security."

Use of the standards would be voluntary, not mandatory, so it would be up to individual manufacturers to decide whether to participate in the scheme. According to the bill, there's the potential for several "grades" of compliance, which could mean different types of badge or label depending on how closely the product meets security benchmarks. Criteria for each category would be reviewed at least every two years, in an attempt to keep the scheme relevant in the evolving IoT landscape.

Whether the bill goes ahead and the Cyber Shield program is enacted is now down to lawmakers to decide. If approved, finalizing the recommendations for security criteria would be required within two years.
