U.S. House Passes SMART IoT Act Without Acknowledging Security Risks Associated with IoT

By B.N. Frank

The Internet of Things (IoT) is used to connect multiple devices to the Internet. According to countless security experts, IoT is vulnerable, dangerous, stupid, and shitty. For example:

ZDNet: “The economic costs of a large cyber-attack could be as large as the impact of a major natural disaster.”

Bruce Schneier: “Today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway. We’re worried about manipulated counts from electronic voting machines, frozen water pipes through hacked thermostats, and remote murder through hacked medical devices. The possibilities are pretty literally endless. The Internet of Things will allow for attacks we can’t even imagine.”

Regardless, the U.S. House passed the Smart IoT Act last week in a unanimous vote:

House passes SMART IoT Act

The House passed the SMART IoT Act on Nov. 28 in a unanimous voice vote, sending the bill to the Senate with just over two weeks until Congress is set to adjourn.

The legislation, introduced by Rep. Robert Latta (R-Ohio), tasks the Department of Commerce with studying the current internet-of-things industry in the United States. The research would look into what companies develop IoT technology, what federal agencies have jurisdiction in overseeing this industry and what regulations have already been developed.

The congressman outlined the motivations behind the bill in Nov. 28 remarks from the House floor: “We must equip ourselves and industry with information about what the landscape for federal, public, private, and self-regulatory efforts are in place or underway.”

Latta’s comments did not touch on security concerns surrounding IoT technology.

The bill — which has 18 cosponsors, including 13 Republicans and five Democrats — defines IoT technology as devices that connect to the internet “either directly or indirectly through a network,” can communicate to an individual and have a computer that can handle data. This is similar to the definitions found in other legislation, including the IoT Cybersecurity Improvement Act of 2017, which sets procurement rules the federal government must follow when buying IoT technology.

If you’re a U.S. resident and haven’t already started preparing for the poop-to-hit-the-fan due to the reckless installation of vulnerable, dangerous, stupid, and shitty IoT, now might be a good time to start.