Congress and technology companies are evaluating new laws, controls, and preventative measures to improve internet safety in light of recent attacks

In addition to law enforcement, Democratic U.S. Sen. Mark R. Warner wants answers and has issued a statement calling for better protections. Warner is a member of the Senate Select Committee on Intelligence and joined Republican Cory Gardner of Colorado over the summer in forming the bipartisan Senate Cybersecurity Caucus. He called on three federal agencies — the FCC, FTC and Department of Homeland Security’s National Cybersecurity & Communications Integration Center (NCCIC) — to provide information on the tools available and needed to prevent attacks from flaws in consumer devices and IoT components, including IP-based cameras, connected thermostats and other products that have connectivity. An FCC spokesman said the agency is still reviewing Warner’s letter.

In his letter to FCC Chairman Wheeler, he questioned what can be done about the fact that consumers aren’t likely to change passwords in their IoT devices (and if it’s even an option). One implication was perhaps mandating improved software that enables automatic firmware updates. Warner also questioned the feasibility of enabling ISPs “to designate insecure network devices as ‘insecure’ and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses? Would such practices require refactoring of router software, and if so, does this complicate the feasibility of such an approach?”

Morey Haber, VP of Technology at BeyondTrust, in a blog post earlier this week, called on Congress to come up with legislation that would put security requirements on all IoT devices. Haber believes the legislation should put the following requirements and restrictions on all IoT and Internet-connected devices:

*** Internet-connected devices should not ship with common default passwords
*** Default administrative passwords for each device should be randomized and unique per device
*** Changing of the default password is required before the device can be activated
*** The default password can only be restored by physically accessing the device
*** The devices cannot have any administrative backdoors or hidden accounts and passwords
*** The firmware (or the operating system) of the device must allow for updates
*** Critical security vulnerabilities identified on the device for at least three years after the last date of manufacture must be patched within 90 days of public disclosure
*** Devices that represent a security risk that is not mitigated, or that fail to meet the requirements above, can be subject to a recall