We have to start somewhere. There are two parts to this legislation that I like; the first is to set a purchasing standard for government agencies. This is really important—and it’s what we advocate to customers already: to purchase smart and do their due diligence before they buy and deploy any new technology. This legislation would set a purchasing standard for IoT devices for the federal government. The hope is that if the legislation passes, manufacturers will start to become more responsible and build security into their devices, because they want to sell products, not just to government entities but to commercial businesses as well.
Even with good legislation, however, you still have the “retroactive” problem, which is how to deal with the billions of devices already in use that don’t meet those standards. Those devices won’t magically disappear. It’s great to see legislation that tries to address the problem and deal with it in better ways moving forward, but new legislation can never really fix the existing problem.
The second part of this legislation is the provision to protect researchers who are identifying vulnerabilities in these devices. This is really, really, really needed! Researchers are testing these devices because the manufacturers are not, and somebody needs to be doing it.