Does IoT stand for “internet of threats”? One senator says it might soon, and warned that the internet of things could “pose a direct threat to economic prosperity, privacy and our nation’s security.”

Indeed, security issues plaguing IoT devices have long been a concern, and last week congressional Democrats introduced a bill designed to help mitigate what are seen as widespread vulnerabilities. But while the effort is noble and may help raise awareness of the issues, there are lots of reasons why the Cyber Shield Act of 2017 won’t end up doing much to actually solve the problem.

What’s in the Cyber Shield Act of 2017

The bill, in the works for months and introduced by Sen. Edward J. Markey of Massachusetts (who made the “internet of threats” quip in a statement) and Rep. Ted W. Lieu from Los Angeles, calls for a voluntary scheme to evaluate, certify and label IoT devices that meet certain benchmarks for internet and data security. The idea is to create a Cyber Shield Advisory Committee made up of industry representatives, cybersecurity experts, public interest advocates and government wonks. Reporting to the secretary of commerce (currently Wilbur Ross), the committee would have a year to establish the content and format of the proposed IoT device labels.

It’s a good idea, really. After all, the best time to secure an IoT device is before it gets deployed, and a cybersecurity seal of approval could theoretically help warn consumers away from the most vulnerable choices.

Why it probably won’t work

But even assuming the bill were to be enacted — which hardly seems likely for a consumer-oriented Democratic bill floated during the Trump administration — it’s difficult to see how it would make a real difference.

First, despite all those “experts” populating the committee, it could be very difficult for everyone to agree on exactly what constitutes better IoT security. That means they will likely end up with only the most obvious and generic recommendations—which could be woefully inadequate to protect against determined attacks. And it seems clear that cybersecurity threats develop much faster than Congress can move (the bill suggests updating the criteria every two years), making many of the benchmarks obsolete even before they’re established.

Perhaps most importantly, though, the program would be completely voluntary. Vendors could choose whether or not to participate, and it’s not clear who would vet the vendors’ claims of compliance. Similarly, consumers could very well choose to buy devices with bad ratings — or no certification at all — that offer low prices or compelling features. More to the point, would such a label bring value to enterprise IoT buyers?

A better bet might be the bipartisan IoT Cybersecurity Improvement Act of 2017, introduced earlier in October, which would require IoT vendors selling into the government market to state that their products employ user-configurable passwords, can be patched when necessary and don’t include known vulnerabilities. While the government market isn’t critical to many IoT vendors, it could help spur the whole market to take security more seriously. And as a more limited bipartisan measure, it actually stands a snowball’s chance of making it into law.