Experts to Congress: You must act on IoT security. Congress: Encourage industry to develop best practices, you say?

Congress provided a masterclass in selective hearing Wednesday when urged by experts to do something about the increasing risk posed by poor IoT security. At a session of the House's Energy and Commerce Committee into last month's attack on DNS provider Dyn that caused widespread disruption to online services, several security …

  1. Tomato42
    Flame

    > to develop best practices that would "not hinder innovation."

    aren't business process patents already valid in the US of A?

    1. Destroy All Monsters Silver badge

      No farting in church!

  2. ratfox
    Devil

    The S in IoT is for security

    There's many years of wild West to come.

  3. Anonymous Coward
    Anonymous Coward

    Some hope...

    We still haven't killed Flash, Silverlight or Java.

    What chance of jumping on this steaming pile of ever growing turd-fest?

    1. Anonymous Coward
      Anonymous Coward

      Re: Some hope...

      Corrections

      > Cheap and cheerful, negative externality-exporting ActiveX is dead (is it? is it? at least in the browser, then?) Combined with cheap and cheerful, negative externality-exporting Internet Explorer and cheap and cheerful, negative externality-exporting Windows it was the cancer-creating Cannibal Nonhumanoid Internet Dweller.

      > Flash is being "killed" by being replaced by HTML5 gimmicks and none too fast. We need a postmortem analysis paper on what went wrong. Will the new gimmick implementations be more secure? Time will tell.

      > Silverlight is still being pushed by Microsoft in spite of the dev team having been gassed (AFAIK). No-one is convinced, luckily. The last time I encountered it was for streaming a 2016 mathematics conference in Potsdam. Good work, Microsoft salesdroid - your next target will be children with disabilities, here is a jar of candies.

      > Java Applets are rare, rare, rare. Good. But Java itself is alive and well, as it should be. Hapless civilians who can't distinguish between the two are unfortunately plentiful. I still don't know why the "Applets" turned out to be so hackable, the sandbox idea was absolutely the right thing to do. Even more so as the idea was from 1995 (good times, anyone remember Inferno/Limbo?)! The goal initially was to shift code over the Internet to the computing nodes (why anyone would do that outside of the context of HPC where it is easier to move the program to the data than the reverse will remain a mystery). Additionally you can have jar signing. And you are running the code on a VM, not the bare metal. You can't do much better, the next step in security is a complete virtual machine. Breakouts may have been possible because of bad API choices and cross-abstraction attacks on the JVM (aka "optimizing the byte code verifications"), and likely because a lot of changes occurred between simple Java 1.1 and Java 8. Need another postmortem paper.

      > JavaScript. Oh boy, oh boy. A dynamically typed, global-variable demanding language originally meant to write quick 10-line hacks running unprotected code that comes from $deity knows where in complexified browsers using code-optimizing engines underneath? NoScript and at least TypeScript, please! And probably QubesOS, too. The people interested in IoT also happen to often be the people interested in JavaScript. We are looking at a combination from hell.

      > Native code in the browser: Get off my lawn!!

      1. This post has been deleted by its author

  4. Anonymous Coward
    Trollface

    You see, these IT security experts approached this testimony in the wrong way...

    Now, if before testifying Schneier and Co. had hired DDoS R' Us to take down U.S. political fundraising websites, THAT would have engendered a sufficient sense of urgency.

    1. ecofeco Silver badge

      Re: You see, these IT security experts approached this testimony in the wrong way...

      Sad but true.

    2. You aint sin me, roit

      Re: You see, these IT security experts approached this testimony in the wrong way...

      John Hinckley Jr.'s attempted assassination of Reagan did nothing for gun control...

      In this new Trump world they should have stressed American jobs for Americans...

      "Them Chinese don't know security, we do... make good security a legal requirement and they can't sell into the US market. We can. Even when they catch up and can add security they will become less competitive. In the meantime we establish US brands and sell to those liberal Europeans who will be demanding security regulation!"

      Doesn't matter if it's true or not, it plays on their fears and aspirations. Isn't that what Trump taught us?

      1. Destroy All Monsters Silver badge
        Holmes

        Re: You see, these IT security experts approached this testimony in the wrong way...

        John Hinckley Jr.'s attempted assassination of Reagan did nothing for gun control...

        Well, there is "gun control" at various levels in the various states (and this was more about a nutcase doing his nutty stuff), but apart from that:

        Panicky law reaction for cheap virtue signalling in response to child-killer-maim-rapist-horror-show: BAD

        Panicky law reaction for cheap virtue signalling in response to attempted Reagan assassination: GOOD

        You can't have it both ways.

    3. Pascal Monett Silver badge

      Re: You see, these IT security experts approached this testimony in the wrong way...

      Absolutely. Congress has a deaf ear because no Congresscritter has been negatively impacted by the problem.

      Just wait for one of them to have their IoT fridge order 5 tons of milk and have the driveway blocked due to the 10 delivery trucks, plus the bill.

      THEN legislation will get pushed through faster than the result of a Taco Bell lunch two hours later.

      1. Anonymous Coward
        Anonymous Coward

        Re: You see, these IT security experts approached this testimony in the wrong way...

        Or, better, when their fridge will give someone access to their "intimate photos" they "inadvertently" send to fifteen-year-olds...

      2. tom dial Silver badge

        Re: You see, these IT security experts approached this testimony in the wrong way...

        Have an upvote for the probable accuracy of the claim, but the implied reason is a bad motivation for legislation.

    4. Captain DaFt

      Re: You see, these IT security experts approached this testimony in the wrong way...

      "Now, if before testifying Schneier and Co. had hired DDoS R' Us to take down U.S. political fundraising websites, THAT would have engendered a sufficient sense of urgency."

      True, a similar campaign worked before, even if it wasn't the intended effect.

  5. Palpy
    Devil

    Well, if these fine legislators have their way --

    -- there will soon be a booming market for non-smart tech. The unconnected and unchipped can't be remotely hacked. And so much for innovation.

    1. Charles 9

      Re: Well, if these fine legislators have their way --

      Oh? People have been hacked since before the word "hacked" ever existed. Ever heard of the Confidence Game? That's Social Engineering at its most direct.

      1. Destroy All Monsters Silver badge

        Re: Well, if these fine legislators have their way --

        But now you can harvest 100K people from the safety of your office.

        "Slack Hacks", innit?

        Just re-reading Neal Stephenson's "Diamond Age". Luckily, we will have to survive the "consumer IoT" age before stepping into the nanotech age. Or so we hope.

      2. veti Silver badge

        Re: Well, if these fine legislators have their way --

        There's a difference in kind between script-kiddie 'hacking' and social engineering.

        One requires someone - an actual, living person - to be aware of your existence. To take an interest in you. To contact you in some way.

        The other - doesn't.

        That's an important difference, because it affects how they scale. Face to face, you can con one person, or a hundred, or a thousand, within a given year. But to hit 100,000 you need to automate it. And that's what the IoT makes possible.

        And that works both ways. Face to face, you probably don't get conned more than once or twice a year. Online, it could be once or twice per hour - and you wouldn't even know.

        1. Charles 9

          Re: Well, if these fine legislators have their way --

          You can con by mail. That doesn't require a face-to-face presence and is just a bit of a slower version of a 419.

  6. Anonymous Coward
    Anonymous Coward

    There needs to be some serious suing of any IoT company that ignores security.

    Why doesn't EU quickly whip up some laws that would be useful for IoT?

    It's tragic when any half decent techie knows, as soon as he hears about something called "IoT" for the first time, that it will be a security disaster. Even before it has taken off.

    1. Charles 9

      But then, as Washington pointed out, how do you deal with China, who's both sovereign and militarily powerful enough to be a legitimate threat if pushed?

      1. Ken Hagan Gold badge

        Re: How do you deal with China?

        The same way you deal with "Germany", or rather Volkswagen. You publish standards that manufacturers have to meet and then let someone else sue their arses off if they don't meet them.

        Lax security is very much like pollution. For any polluting device, the seller gains because they've cut a corner and the buyer wins because that makes it cheaper and the pollution of one single device is far outweighed by the benefit of possessing it. The cost is borne by the rest of society. Markets will not fix that and anyone who actually *understands* the trendy free-market mantras rather than merely being able to *spout* them will see why that is the case.

        Sadly, we've bred a generation of politicians who know that the market is better than government, but haven't a clue why. Even sadder, those politicians are frequently the same ones who will argue at length that market forces do not act on genetic variation. Maybe they're just fucking stupid.

        1. Charles 9

          Re: How do you deal with China?

          Volkswagen has an American presence. They have specialized dealers and a branch they can target.

          Most of the Chinese tat is sold direct from China, usually through the gray markets. I doubt customs even knows when they pass through.

          1. Doctor Syntax Silver badge

            Re: How do you deal with China?

            "Most of the Chinese tat is sold direct from China, usually through the gray markets."

            You keep rabbiting on about gray markets. What do you mean by them? Presumably you don't mean someone sidling up to folk in the street saying "If you want to buy some IoTat stuff I can order it from China for you."

            Gray markets have to advertise, otherwise customers couldn't find them. And the big advertising routes such as eBay do usually have legal presences in the US, EU etc, where they can be leaned on.

            1. Charles 9

              Re: How do you deal with China?

              But eBay and the like are multi-national. They're like gel. If one country applies pressure, it'll just ooze to another. That's why ships rarely flag in US or European countries. Plus some of the sellers like Alibaba are already based in China and the like and out of western regulatory reach.

              1. Mark 85

                Re: How do you deal with China?

                That's why ships rarely flag in US or European countries.

                Ships are rarely US or European flagged because of profit. Being flagged as such means high pay, more crew, and more stringent safety requirements. So yes, they end up being gel-like but....

        2. John H Woods Silver badge

          Re: How do you deal with China?

          "Sadly, we've bred a generation of politicians who know that the market is better than government, but haven't a clue why." -- Ken Hagan

          Fun activity is quoting their hero Adam Smith at them --- often results in them telling you to stop quoting Marx.

  7. Queeg
    Coat

    We're talking politicians here...

    They are literally paid to spout bullshit and do as little as possible to rock the boat.

    Until someone causes a Senator to drop dead on national TV by screwing with the firmware of their pacemaker they will do nothing.

    * for those who didn't vote for Donnie T Rump that was NOT a suggestion.

    although "those 2nd Amendment people could do something"

    Getting my coat, that'll be the one with the tin foil lining.

  8. Youngone Silver badge

    No surprises there then

    The Senate are largely idiots. I despise them all, the difference between R and D is just the things they misunderstand.

    Also, I am not surprised Homeland Security are keen on taking over IoT security. They will be well aware that as soon as someone decides to have a good look at what they really do for a living they are very vulnerable.

  9. Mark 85

    Lame Duck Congress

    That's a killer for anything right there, and then there's a new group coming. Hitting Congress to do something at this time is just plain stupid as it would take more than a couple of months to set this up.

    Then there's the new group coming in. For all we know, they'll end up banning everything on the internet except for the Jesus sites and the sites that have well-heeled lobbyists.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lame Duck Congress

      And if a Jew sues on First Amendment grounds?

      1. Anonymous Coward
        Anonymous Coward

        Re: Lame Duck Congress

        The first amendment currently only applies to Christian fundamentalists. Everyone else is a third class citizen.

        1. Destroy All Monsters Silver badge

          Re: Lame Duck Congress

          The first amendment currently only applies to Christian fundamentalists. Everyone else is a third class citizen.

          Stop reading left-wing fanzines, you!

    2. Destroy All Monsters Silver badge
      Holmes

      Re: Lame Duck Congress

      For all we know, they'll end up banning everything on the internet except for the Jesus sites and the sites that have well-heeled lobbyists.

      I really want to know at what place this kind of bullshit is being injected into the memosphere.

      Maybe the explanation lies in the fact that journalists are writing hysterical pandering stuff. Here's Jared Taylor of "American Renaissance" (of all things!) on this: Trump: The Media’s Frankenstein Monster

      1. Mark 85

        Re: Lame Duck Congress

        I made that statement simply because many Repubs pander to the Religious Right and some to the extreme. There's been more than one stating that NASA is a waste of money as the Bible says the universe is only 6000 years old. There's others that would like to see any religious site (other than their own) taken down as they "promote terrorism" or untruths in their eyes. Of course, Christianity is perfect in this regard.

        There was some facetiousness to my statement but for the NASA example, look to the head of the Science Committee... former doctor but hardcore Religious Right. However, in the end, the lobbyists will rule all....

        Should I add that for the most part, CongressCritters are a joke at this point in time? Holding their breath until they turn blue or having a sit-in on the House/Senate floor because they aren't getting their way? There's no thought, no compromise, no critical thinking. Only reaction and deadlock when they don't agree.

        1. allthecoolshortnamesweretaken

  10. Kent Brockman

    DHS

    Haven't DHS just published some 'principles'... coincidence?

    https://www.us-cert.gov/ncas/current-activity/2016/11/15/Strategic-Principles-Securing-IoT

  11. bazza Silver badge

    Be Careful What You Wish For...

    Calling for regulated security on IoT devices is, well, likely to have consequences more far reaching than anticipated.

    For a start, when is a CPU + memory + NIC + software an IoT device, and when is it just a computer or smartphone? They're all potentially involved in home automation, especially if you consider the app as being part of the IoT system.

    To illustrate the difficulties of trying to make a legal differentiation between IoT and non-IoT, consider the Raspberry Pi. IoT device? Yes. Computer? Yes. Router? Yes. Server? Yes.

    So you cannot reasonably apply a bunch of regulations to an IoT device that then don't also apply to smartphones, computers, home routers, smart TVs, back end services, the entire Internet. Thus if the law required IoT devices to meet minimum security requirements, receive regular updates, etc., they'd have to apply to everything else too, otherwise there'd be no point.

    That would be a problem for Android in particular.

    1. Ken Hagan Gold badge

      Re: Be Careful What You Wish For...

      Sounds great! Where do I sign up?

    2. anonymous boring coward Silver badge

      Re: Be Careful What You Wish For...

      IoT: Appliance that can be connected to the internet without any security whatsoever.

      So, connects without user intervention and setting up security measures.

      If sold as "just hook up", it better be secure.

      Simples

    3. PrivateCitizen

      Re: Be Careful What You Wish For...

      So you cannot reasonably apply a bunch of regulations to an IoT device that then don't also apply to smartphones, computers, home routers, smart TVs, back end services, the entire Internet,

      Isn't this sort of the point? The Dyn attack was supposedly driven by generic "IoT" devices like fridges which are internet connected without any security but the problem is anything internet connected without security is creating a risk.

      Smart TVs without security are just as much of a problem.

      The problem, as Schneier has said, is that the manufacturers don't care and the purchasers of each item don't care but the attacks affect everyone. This means that deep down the manufacturers & customers are actually paying a bit more for everything else as the security controls have to be implemented in more expensive areas.

    4. veti Silver badge

      Re: Be Careful What You Wish For...

      And that right there is why I can't watch Youtube on my TV.

      It comes with that option. All I have to do is hook it up to the home wifi network, and we could use it to browse and watch on demand, like - well, like we once imagined we could.

      But then I looked for documentation on "how to change the root password". No mention of it. No mention of there even being such a thing.

      And so, that device is not getting the password to my home wifi network. We'll watch TV the old fashioned way, use computers for the internet, and never the two shall meet.

      Shame there's no standard that it could comply to that would give me confidence in it.

    5. bombastic bob Silver badge
      Big Brother

      Re: Be Careful What You Wish For...

      a gummint "solution" is likely to breed PROBLEMS that require MORE "solutions" from gummint, yotta yotta. It's like an INFECTION with cyclic mutations.

      Instead, do this: pass laws that put the BLAME for 'lack of security' on the producers of insecure hardware and software, making them responsible for ANY liabilities caused by NEGLIGENCE when it comes to security. This would include DDoS attacks, mass infection/intrusion on IoT devices [requiring expensive 'fixes' on the part of end-users], and so on. Then, let the class action lawsuits fix it. I know, it's like calling down a napalm strike on your own head. Just make sure you duck for cover.

      And simple fixes by IoT vendors might include simple things like holding a button while changing settings or flashing new firmware.

      1. Charles 9

        Re: Be Careful What You Wish For...

        So what do you do when the manufacturers are outside the country, being protected by that country's sovereignty, and that country refuses to cooperate?

  12. Dan 55 Silver badge
    Facepalm

    "I don't think I want my refrigerator talking to some food police."

    Oh God, it's an unstoppable force... it's the rise of the stupid.

    1. Destroy All Monsters Silver badge

      Re: "I don't think I want my refrigerator talking to some food police."

      Actually, it will probably come.

    2. Anonymous Coward
      Anonymous Coward

      Re: "I don't think I want my refrigerator talking to some food police."

      Food police, maybe not. But food advertiser, lots of them.... and diet/health/etc....

      Unless his fridge isn't participating in a DDoS attack, of course.... gullible senators are the perfect customers for some stupid IoT stuff to show off (paying with taxpayers' money, of course).

      1. Anonymous Coward
        Anonymous Coward

        Re: "I don't think I want my refrigerator talking to some food police."

        Lipidleggin' (contains link to full text) is a Good Read.

    3. bell

      Re: "I don't think I want my refrigerator talking to some food police."

      The food police - otherwise known as SWMBO.

  13. Anonymous Coward
    Anonymous Coward

    As always with IT security..

    .. there's no hoping legislation or even law enforcement will be of any help at all. You're on your own.

    That's your reality, that's your fact. Starting from any other position is deluding yourself.

  14. Milton

    Value for Money: The Sequel

    I promise I won't keep saying 'I told you so', but I did point out in comments on the laughable Adobe fine (http://forums.theregister.co.uk/forum/1/2016/11/16/adobe_breach_settlement/) that corporations get best value for money by purchasing politicians:

    "A well-fattened pol is a wonderful asset to the enterprise. Whether you need a quick under-handed favour to make an investigation go away, or some cover for dodgy foreign dealings, or just a nice new law with some small print relaxing environmental protection or your customers' rights, it's all available in one plump, sweaty package."

    It's actually possible that some of the politicians present are not quite as stupid and ignorant as they seem, but if you're being paid to obstruct something irrefutably sensible, you're pretty much forced into fibbing, bullshitting, changing the subject, delaying and introducing irrelevancies and distractions. So you end up with grown men looking and sounding like idiots or liars or usually both. Welcome to Congress.

    When a politician says "We've had enough of experts" (like that little moron Gove, before Brexit) what he's really saying is, "I lost the argument to people who know more than I do, so now I'm gonna stick my fingers in my ears and cry."

    To grown, rational adults, they're a pathetic sight and they would be quite funny—if they weren't so damned dangerous.

  15. Anonymous Coward
    Anonymous Coward

    Tell senators they should shutdown the NTSB...

    ... and let the airplane industry self-regulate. Then tell them they need to fly around more often.... or shut down the FDA, and let the pharmaceutical industry self-regulate (oh well, it probably already does...).

    Yes, I'm afraid we need casualties before they act. Then you will see one of them swearing "I was saying it since 2016!!!!!"

  16. Anonymous Coward
    Anonymous Coward

    That's it exactly, view it as pollution....

    "But it fell to security guru Bruce Schneier to argue outright [PDF] for legislation. "Like pollution, the only solution is to regulate," he stressed. "The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don't care.""

  17. Anonymous Coward
    Anonymous Coward

    Could the US legislate to block sites that cause IoT re-infection at least?

    "The Mirai malware which is used to create the botnet can be cleared by simply restarting affected devices. But there are so many hacked devices on the internet that a vulnerable system will likely be reinfected within five minutes of restarting, unless some other protection is put in place."

    https://www.theguardian.com/technology/2016/oct/24/chinese-webcam-maker-recalls-devices-cyberattack-ddos-internet-of-things-xiongmai

    1. Anonymous Coward
      Devil

      Re: Could the US legislate to block sites that cause IoT re-infection at least?

      Yes, just like they effectively shut down spam after the CAN-SPAM act... it is true that state regulation may be not too effective - probably it would just require you to opt out from IoT attacks...

  18. Anonymous Coward
    Anonymous Coward

    No More Regulation... More do nothing Congress...

    ~ We get it, the Reds and Trump are in charge now..

    ~ But how about legislating fines against any US corp that imports and sells IoT shit which is known to cause DDOS chaos on US soil?

    ~ If Amazon knows they'll be fined for selling Xiongmai, maybe they'll stop selling it. Same goes for sales of vulnerable routers by Asus etc which can easily be hacked.

    ~ Also why doesn't Congress fund research to explore ways of blocking DDOS at a country / continent / continental fiber link level? If they can put NSA sniffers on these lines, how about adding filters that detect / filter net-traffic-pollution...???

    1. Anonymous Coward
      Anonymous Coward

      Re: No More Regulation... More do nothing Congress...

      Sniffing data (copying it for out-of-band processing) is a little easier than processing data in real time and deciding whether it has to be blocked or not (especially at fiber link bandwidth and speed). Moreover, DDoS attacks are often based on traffic that looks legitimate and, being spread over many connections, it is not so easy to identify. It's when it "aggregates" at the endpoint that it shows its malignity. Even pushing down and processing filters to cut off thousands of endpoints after the attack has been identified is not so easy - especially since, remember, the Internet is designed to use multiple routes to a destination... Something can be done, but it would be like increasing car safety by putting big cushions around. Or countering electrical hazards by letting companies include a pair of rubber gloves in the box of dangerous devices.

      Devices must be made safer, and those that don't implement a given baseline must be banned.

      Even blocking traffic or banning unsafe devices would need a legal framework - ISPs won't take the risk of being sued for banning traffic or devices without a law allowing them to do so and protecting them. That's also a reason why industry self-regulation is impossible.

    2. Anonymous Coward
      Anonymous Coward

      "remember the Internet is designed to use multiple routes to destination"

      ~ Granted, but when I mentioned an NSA like tap-in before, I was hinting at past Reg articles that demonstrated a break down in this 'internet redundancy'. An obvious example is the severing of an underwater cable, but there are other examples. Want me to hunt around?

      ~ Plus once reports come in, based on the above limitation, shouldn't it be possible to block certain traffic spreading to all regions. The mother of all corporate firewalls etc. One area might get hit badly, but not everywhere.

      1. Anonymous Coward
        Anonymous Coward

        Re: "One area might get hit badly, but not everywhere"

        A DDoS attack is designed to hit a single endpoint (or a few), but an important one. It's not something that spreads around. One way to minimize the effects of a DDoS is exactly a redundant infrastructure where even if some nodes are flooded others will keep on working - but that's not always feasible; moreover, some redundant architectures are also designed for load balancing, therefore a number of users can still be affected until they are redirected to other nodes (but the DDoS attack too may be redirected).

        Internet routing tables can be modified (without severing cables...), and sometimes that has happened for strange reasons (IIRC there were routes announced which made traffic go through Pakistan and China....), but it could also worsen the situation, when a surge of traffic is routed through a single link.

        IMHO trying to stop DDoS attacks only at the backbone tier is very difficult, and the spread of unsafe IoT devices will also make it less relevant - the possible sources will be many, many more, scattered around many, many connections.

        1. Charles 9

          Re: "One area might get hit badly, but not everywhere"

          DDoS's are getting SO bad that they can hit even redundant infrastructure. It's not that effective having four servers at different locations if the enemy's so massive they can split into four and STILL effectively attack you.

  19. KalaDude

    And now for something slightly different

    $50 K just to solve this one riddle:

    https://www.mitre.org/research/mitre-challenge/mitre-challenge-iot

    1. anonymous boring coward Silver badge

      Re: And now for something slightly different

      "$50 K just to solve this one riddle"

      If you come up with it you might want to ask for a bit more than that!

      Friggin rip-off if they get it for that.

      Patent it and wait for millions to roll in.

  20. Doctor Syntax Silver badge

    At some point a DDoS attack will hit something politicians care about. Then they'll start insisting on action.

    1. Dan 55 Silver badge

      So that'll be Mossack Fonseca et al.

    2. anonymous boring coward Silver badge

      "At some point a DDoS attack will hit something politicians care about. Then they'll start insisting on action."

      Yes. Presumably you mean it will hit themselves. What else would they care about?

      1. Bronek Kozicki

        Their lawyers, bankers, lobbyists and all other "contributors". That's where all politicians have a weak spot. Well, except the fabled honest ones.

  21. AbeSapian

    Starting with the fact ...

    that the IoT is the solution to the problem nobody had. It was then followed by "Oops, we forgot to consider security." It's like bolting a birdcage onto a Chevy and then being surprised that the budgie was a little strained on arrival.

  22. Anonymous Coward
    Anonymous Coward

    IoT

    Internet Of Trump, it stinks!

    Without

    http://www.atmel.com/products/security-ics/cryptoauthentication/ecc-256.aspx

    LoRaWAN can be hacked & cloned.

    Don't trust it for security requirements EVER.

  23. doke

    Standards in the US would also affect china, due to dev costs

    It's expensive to make multiple versions of code for an IoT device. So imposing security standards for selling into the US will cause the IoT developers to improve their code in products released worldwide.

    The same thing happened when Europe legislated Reduction of Hazardous Substances. It took a few years, but now virtually all consumer electronics meet RoHS, regardless of the country they're sold into.

    1. Charles 9

      Re: Standards in the US would also affect china, due to dev costs

      So what happens when two regions give conflicting mandates, meaning you have no choice but to create two versions since one version WILL violate the other and vice versa?

      Like, for example, radio equipment where frequency allocations differ from region to region and different bands are off-limits for security reasons?

      1. GloomyTrousers

        Re: Standards in the US would also affect china, due to dev costs

        > So what happens when two regions give conflicting mandates

        Bit of a straw man here. It *could* happen, occasionally - but do you really think it'll be the norm?

        1. Charles 9

          Re: Standards in the US would also affect china, due to dev costs

          Why do you think the US can't use LTE Band III? Because it's already in use. That's an example right there.
