Legislative proposal sent to my Congressman

[Stephen Satchell <list () satchell net>]

In thinking over the last DDos involving IoT devices, I think we don't 
have a good technical solution to the problem.  Cutting off people with 
defective devices they they don't understand, and have little control 
over, is an action that makes sense, but hurts the innocent.  "Hey, 
Grandma, did you know your TV set is hurting the Internet?"

It's the people who foist bad stuff on the people who need to take the 
responsibility.  Indeed, with enough moxie, we could avoid the net 
saturation problem in the first place.

My proposal, as I sent it to my US House Representative:

> Fixing the security of the Internet of Things: Now we have had
> several distributed denial of service attacks — generating
> eye-popping amounts of network traffic to bury a web site or gamer —
> arguably traced to botnets-for-sale of "hacked" common devices with
> Internet connectivity. It's time to look at the problem bad product
> design can cause. Not being "computers", many of those devices —
> cameras, televisions, light bulbs, to name a few — don't have
> tough-enough security moxie baked in. And it's not enough to solve
> today's attacks, they have to survive new attacks down the road.
>
> Some of these household items didn't conform to today's Best
> Practices, taught in Security 101, with the rules learned (painfully)
> over the last 30 years. And then there is the question of installing
> security fixes: "Hey, Joe, you have to install an update to your
> thermostat and washing machine." Right.
>
> This is nothing new. What is new is the tsunami of Internet-capable
> devices hitting the market and the Internet...and doing it badly. By
> sheer numbers, the situation rises to a whole new level of risk to the
> nation's communications infrastructure. The magnitude of the problem?
> Think how many light bulbs are in the typical house or apartment, and
> you get the idea.
>
> This note comes a little late to the game, but I thought that one
> wayto stem the flood of garbage from compromised household stuff is to
> treat vulnerabilities that cause spew as design defects, defects as
> serious as the exploding batteries in the Samsung Galaxy Note 7. So,
> looking at the procedures already in place for dealing with merchandise
> that can cause harm, this suggestion.
>
> Proposed: GIVEN
>
>      * any Internet-connected device,
>      * "pwned" by cybercriminals,
>      * that cause significant harm,
>      * the manufacturer received notice of the defect, and
>      * did not, or cannot, provide a timely, zero-cost update
>
> THEREFORE the Consumer Product Safety Commission shall require that
> the manufacturer provide a security update to the device within 30 day
> of first notice; or failing that, to issue a complete recall of the
> defective devices.
>
> I don't care if it's a television, camera, refrigerator, light bulb,
> thermostat, washing machine, wireless access router, smart phone,
> desktop computer, server, you-name-it...if it's broke, and can't (or
> won't) be fixed, it gets recalled.
>
> That's the only way manufacturers will take Internet security
> seriously. If they have to upgrade the stuff they sell, without
> exception, the manufacturers will find a method that will keep their
> expense for upgrades down. Upgrades should not be charged to the
> customer — the manufacturer screwed up, they should fix the problem, at
> their expense. I further suggest that security testing should be
> specifically permitted under law, not be considered part of "reverse
> engineering", or other shrink-wrap or copyright restriction.
>
> The CSPC should develop guidelines for product with embedded computers
> that connect to the Internet at large, either directly or indirectly.
>
> There are a number of things to consider, when building such a
> regulation, that come into play that complicated things
>
>      * orphaned devices,
>      * devices made by companies that have gone out of business,
>      * imported stuff,
>      * methods of notification, and
>      * enforcement
>
> This is an off-the-top-of-my-head idea. I think it's worth
> consideringover other "solutions" I've seen proposed.

There is precedent for this with radio and the FCC.  According to 
current law, the owner/operator of the radio equipment is ultimately 
responsible for non-interference by any transmitter used in the United 
States.  This includes so-called unlicensed transmitters.  To help the 
people who are not radio gurus, the FCC also has a type acceptance 
program, in which radios have to meet certain requirements as built by 
the manufacturer.

There is another possible wrinkle:  if there were legal consequences 
with selling IoT equipment, businesses making the stuff would take out 
insurance against claims against them.  The underwriters would then take 
notice, and require that policyholders meet some minimum standards. 
Remember, we are talking about the "underwriters" who form the first 
part of the name "Underwriters Laboratories".  From UL's web page:

> UL is a global independent safety science company with more than a
> century of expertise innovating safety solutions from the public
> adoption of electricity to new breakthroughs in sustainability,
> renewable energy and nanotechnology. Dedicated to promoting safe
> living and working environments, UL helps safeguard people, products
> and places in important ways, facilitating trade and providing peace
> of mind.

We could build on these existing frameworks to the advantage of the 
Internet by mandating certain minimum requirements for equipment sold to 
the general public.  I would suspect that the IETF would need to become 
involved in this effort, because the standards would have to come from 
SOMEWHERE.  Which is why they are included in the header.  There are 
other people on the Cc: list that might be interested...or might not.

Why not nip the IoT problem in the bud?