The Internet of Things (IoT) Cybersecurity Improvement Act

Posted by John Slye on September 27, 2017

Capital Building

Four U.S. Senators have introduced legislation seeking to improve the cybersecurity of internet-connected devices, a.k.a. the Internet of Things, or IoT.

Earlier this month, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 was introduced by Sens. Cory Gardner (R-CO) and Mark Warner (D-VA), co-chairs of the Senate Cybersecurity Caucus, and Sens. Steve Daines (R-MT) and Ron Wyden (D-OR), and reported on by The Hill.

As noted in a press release announcing its introduction, the bill was drafted in consultation with technology and security experts from institutions such as the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University.

According to the senators, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would do the following (emphasis added):

  • Require vendors of Internet-connected devices purchased by the federal government ensure their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.
  • Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
  • Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.
  • Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when in engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.
  • Require each executive agency to inventory all Internet-connected devices in use by the agency.

The bill also seeks to promote cybersecurity research by encouraging the adoption of coordinated vulnerability disclosure policies by federal contractors and providing legal protections to security researchers abiding by those policies.

Implications

At first glance, the provisions of the bill focus largely on security standards and IT policy, and a fact sheet posted by Sen. Warner emphasizes some flexibility that federal agencies will have in addressing some of the provisions. But several vendor or contractor implications also seem evident.

Vendors will need to ensure that the devices they sell to the government do not contain any known security vulnerabilities and are patchable if new vulnerabilities are discovered. That seems to suggest that ongoing support is expected and could mean additional operating costs that may not be recoverable. It is unclear whether such costs will translate into higher prices or other contract terms.

The OMB “alternative network-level security requirements” for devices that pull down data that’s processed remotely, i.e. “the cloud,” could add some momentum behind cloud security policy efforts, but that will take time for OMB to work out those standards and to ensure standards already in place at various agencies are in sync. Until then, the acceptable functionality (e.g. processing and storage capabilities) of some IoT devices may be a moving target at federal agencies and there may be some devices and applications that are permitted in some contexts but not in others, much the way it is now.

Vulnerability information sharing, limited liability, and agency device inventories are all aspects of federal IT and cybersecurity that Congress and federal tech leaders have been wrestling with for many years – both legislatively as well as programmatically (e.g. inventories in preparation for continuous monitoring under the CDM program.) The tricky balance between disclosure and liability continues to evolve and the inclusion of all internet-connected devices sold to the government could broaden the scope to include areas that have not yet been considered.

Categories