Bill sponsor Sen. Mark Warner (D-Va.) introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 in the Senate on August 1, 2017.1 The bill’s stated purpose is “To provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies.”2 The bill defines IoT expansively to include any device that connects to and uses the internet, and its fact sheet anticipates more than 20 billion IoT devices by 2020.3 The proposed bill’s scope therefore reaches well beyond core connected devices such as smartphones and computers, implicating manufacturers, distributors and resellers in every sector whose products are ultimately acquired by the federal government (collectively, “government contractors”).4
Requirements
The legislation seeks to achieve these minimal cybersecurity operational standards by leveraging the federal government’s purchasing power: it sets guidelines for security representations and certifications that agencies must include in government solicitations for the acquisition of IoT devices. A government contractor making these representations and certifications would be attesting that its devices:
- Are patchable
- Do not contain known vulnerabilities, as listed in the National Institute of Standards and Technology’s (NIST) National Vulnerability Database or a similar database.5 If the government contractor identifies such vulnerabilities, it must disclose them to the acquiring agency along with an explanation of why the device is nonetheless secure; if the agency is satisfied, it may still acquire the device.
- Rely on industry-standard protocols for communication, encryption and interconnection
- Do not contain hard-coded passwords for updates or remote access
The Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD) would work with industry to develop coordinated vulnerability disclosure guidelines for government contractors, including requirements for security research and testing. The guidelines would also cover disclosure of vulnerabilities that become known after sale: a government contractor that sold an IoT device to an agency would be required to notify that agency of any “known security vulnerabilities or defects subsequently disclosed to the government contractor by a security researcher,” or of any vulnerability of which the contractor otherwise becomes aware, as soon as it does so.
In an acknowledgement of the value of good-faith security research, the Act would allow researchers to study and report on the security of covered devices without facing potential liability under the Digital Millennium Copyright Act or the Computer Fraud and Abuse Act. This provision seeks to ameliorate the rocky relationship between the Department of Justice and much of the cybersecurity industry, in which good-faith security research has unwittingly exposed cyber experts to liability. That relationship worsened earlier this year when law enforcement officials arrested Marcus Hutchins, a prominent figure in the cybersecurity world and discoverer of the "kill switch" that halted the WannaCry attack.6
In addition to regulating government contractors that sell IoT devices, the legislation would require each executive agency to inventory all Internet-connected devices it uses within 180 days of the legislation’s passage.
Exceptions
The Office of Management and Budget (OMB) would have authority to grant case-by-case exceptions to the legislation’s requirements, and after five years could waive any of its provisions in whole or in part. Additionally, because the legislation sets a floor rather than a ceiling, individual agencies may apply their own standards so long as those standards are equivalent to or more rigorous than the standards proposed.
Criticism
The legislation faces criticism for its ambiguity, especially regarding the definition of IoT devices and the scope of the research exemption.7 The bill defines “Internet-connected device” as any physical object “capable of connecting to and . . . in regular connection with the Internet” that “can collect, send, or receive data.” Because this definition is potentially sweeping in its breadth, critics argue that Congress should state more definitely which devices will and will not be covered.8
The scope of the research exemption is similarly vague as to which researchers are covered. The bill purports to amend both the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act with exculpatory language; the amendments would waive liability for researchers acting “in good faith, engaged in researching the cybersecurity of an Internet-connected device of the class, model, or type provided by a government contractor to a department or agency of the United States,” so long as the researchers “acted in compliance with the guidelines [involving responsible disclosure] required to be issued by the National Protection and Programs Directorate” of the Department of Homeland Security (DHS). These guidelines are intended for government contractors, raising the question of whether the provisions protect independent commercial researchers or only those collaborating with government contractors.9
The research exemption is also vague as to what qualifies as a “class, model, or type” of device.10 “Suppose the government buys a smartphone. Does the research exemption cover only that exact model number? Does it include other devices in the same product family? All smartphones?”11 The legislative intent is to facilitate partnerships in which independent researchers conduct good-faith research and report the results to government contractors (anywhere in the distribution chain) and to the government. Vagueness as to liability may discourage researchers from entering into those very partnerships.
Proponents of IoT security have also expressed concern that the legislation does not go far enough. It applies only to government contractors, excluding the private market altogether, and, notably, fails to specify to which tier of government contractor (prime contractor, subcontractor or sub-subcontractor) it applies.12 Allowing each executive agency to seek waivers, and specifying no liability for violations or criminal penalties, further weakens the legislation.13
A related, unanswered question is precisely how the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would supplement security requirements already in place, such as the federal Risk Management Framework (RMF) developed by NIST. The RMF rests on “three basic aspects of data security: confidentiality, integrity, and availability.”14 These three properties ensure that data cannot be shared or accessed without authorization, cannot be accidentally or maliciously changed, and is available to authorized personnel when and where they need it.15 Like the proposed legislation, the RMF applies broadly to all connected devices acquired by the federal government, applies NIST security standards and is arguably vague. For these reasons, it is difficult to say precisely how much the proposed legislation would expand cybersecurity beyond what is already in place.
Conclusion
Sen. Warner noted that while he recognizes the “innovation and productivity” of IoT, he does not want security to be overlooked.16 The senator believes that regulators have thus far failed to incentivize the market to tackle security, and that this legislation “will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”17 The bill remains at an early stage: there has been no further documented activity since it was referred to the Committee on Homeland Security and Governmental Affairs on the day of its introduction, and it has an estimated 13 percent chance of passage.18
A brief “Fact Sheet” for the bill is available here.
1. congress.gov
2. Id.
3. scribd.com
4. See also internetofthingsagenda.techtarget.com (As such, it seemingly applies not only to core devices such as computers and smartphones, but also to everyday items such as door locks that incorporate internet-connected technology).
5. nvd.nist.gov
6. thehill.com
7. aei.org
8. Id.
9. Id.
10. Id.
11. Id.
12. The legislation neglects to specify whether it will implicate only entities in privity of contract with the government, presumably with the expectation that these entities will then require their subcontractors and the ultimate manufacturers to adhere to the same standards, or apply directly to all entities in the distribution chain. Realistically, government contractors will be reluctant to offer broad security certifications without similar certifications from their lower-tier subcontractors in the distribution chain, including the device manufacturer.
13. internetofthingsagenda.techtarget.com
14. meddeviceonline.com
15. Id.
16. warner.senate.gov
17. Id.
18. govtrack.us
Client Alert 2017-297