back to article Hard to believe but Congress just approved an IoT security law and it doesn't totally suck

Every now and again the US Congress manages to do its job and yesterday was one of those days: the Senate passed a new IoT cybersecurity piece of legislation that the House also approved, and it will now move to the President’s desk. As we noted back in March when the IoT Cybersecurity Improvement Act was introduced, the law …

  1. Little Mouse

    This article is the last thing I read before going to bed.

    I'll probably wake up tomorrow and realise it was all just a dream.

  2. alain williams Silver badge

    Support lifetime & abandonment

    Many of these things only get updates until the next model comes out; the rest do not get updates at all.

    Then there are those that need a fixed server - when that is shut the kit becomes a brick.

    These problems must be addressed - probably the best way is by allowing third party firmware -- but that will not happen as the vendors want to keep you locked in and then have you buy new kit.

    This is kind of related to what the right to repair people (rightly) want.

    1. Blackjack Silver badge

      Re: Support lifetime & abandonment

      The best way is to not use so called Smart Devices.

  3. DJV Silver badge

    It looked good until...

    ...I saw the bit that said " it will now move to the President’s desk".

    What's he going to do with it? Eat it? Turn it into a paper airplane? Scribble across it in crayon?

    Or can we live in hope that he won't notice it until Biden takes over?

    1. RM Myers

      Or can we live in hope that he won't notice it until Biden takes over?

      Well according to the constitution, if he doesn't notice the bill it will become law before Biden takes over.

      If any Bill shall not be returned by the President within ten Days (Sundays excepted) after it shall have been presented to him, the Same shall be a Law, in like Manner as if he had signed it, unless the Congress by their Adjournment prevent its Return, in which Case it shall not be a Law.

      1. EnviableOne

        Re: Or can we live in hope that he won't notice it until Biden takes over?

        I Believe, as it was passsed unanimously, even if The Petulant one vetos it, it will pass into law.

    2. diodesign (Written by Reg staff) Silver badge

      Re: It looked good until...

      Congress can force a bill into law if there's a great enough majority supporting it.

      C.

      1. This post has been deleted by its author

      2. This post has been deleted by its author

      3. RM Myers
        Happy

        Re: It looked good until...

        Which is actually described in the same paragraph of the constitution as the lines I quoted.

        1. W.S.Gosset Silver badge
          Happy

          Re: It looked good until...

          You are clearly not American.

          No American on this website seems to know how their (multiple layers of) government operates, let alone their Constitution.

          Let alone be able to nominate a relevant section!

          It is extraordinarily refreshing. But are you a space alien?

          1. W.S.Gosset Silver badge
            Alien

            Re: It looked good until...

            icon ===========>

  4. Doctor Syntax Silver badge

    When the standards are written perhaps UL will certify products meeting them in the same way as they do for electrical standards. That would provide even more arm-twisting.

    1. FILE_ID.DIZ
      FAIL

      Your title here.

      That's OK... there will always be bottom feeders like Intertek.

  5. ThatOne Silver badge
    Devil

    > Companies will still be able to produce products that don’t meet the new standards [...] And the law hasn’t taken on the fundamental issue of how and when devices are updated to deal with emerging security holes.

    In short it's just a big feel-good paper, describing some perfect yet unreachable world...

    Step 0: Wish for a better world. Step 1: Make it mandatory. Step 2: Prove you mean it (by hitting hard). At this point the more timid and impressionable companies might consider starting to follow (to some extent) (the letter of) the law. So we're still at step 0, and while it is indeed a step forward, it's still a long way to make IoT safe(ish).

  6. Anonymous Coward
    Thumb Up

    Better than nothing

    But without enforcement mechanisms it won't do much.

    Perhaps a new administration could force all government purchases to be compliant kit.

    1. Anonymous Coward
      Anonymous Coward

      Re: Better than nothing

      IIRC, the US government previously mandated OSI networking in its own procurement, and later, IPv6.

      Neither appears to have had a huge impact on commercial networking.

    2. Anonymous Coward
      Anonymous Coward

      Re: Better than nothing

      "But without enforcement mechanisms it won't do much."

      It's a start. Surely, it won't be stellar after this.

      But surely next time some bozos will ship widgets with hard coded weak password or other non-sense, the "secure coding" aspect of it, whatever it really means, will be harder to defend.

      And more will come for sure, they're only showing the direction.

    3. Silverburn

      Re: Better than nothing

      "But without enforcement mechanisms it won't do much."

      It's the perfect congressional bill then!

      1. W.S.Gosset Silver badge

        Re: Better than nothing

        Yeah, the US President and even Congress has startlingly little domestic power.

  7. Silverburn

    Utter lack of knowledge

    Proof - if any were needed - that Congress has literally no clue about tech. They probably have no idea what they signed. The Democrats had no idea what IoT or any of the buzzwords are in their bill (which was probably written by a lobbyist), but because the Republicans don't have a clue either and none of their trigger words (immigrants, guns, abortion, global warming etc) were in the bill, it passed.

  8. Mike 16

    Updates?

    "... how and when devices are updated to deal with emerging security holes. "

    I'm more concerned about the standards governing how and when devices are updated to _insert_ security holes.

    Plus the charming belief that some of these agencies will disclose the security holes they use.

    As for UL stickers, I can imagine that the folks currently producing counterfeit UL stickers are preparing to add counterfeit "Secure IoT" stickers to their offerings.

    And as usual, when the federal government moves to cover some problem that states have already started on, it is very rare that the purpose is anything other than to preempt and nullify that state legislation. Thus are the issues mentioned above enabled.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like