On August 1, a bipartisan group of four senators introduced a bill that would impose specific cybersecurity requirements on providers of Internet of Things (IoT) devices when doing business with the U.S. Government and provide liability protections for security researchers who disclose vulnerabilities affecting these devices. Though the bill’s security requirements would apply only in cases where entities are acting as contractors to the U.S. Government, if enacted, it likely would be influential on IoT vendors operating in the consumer context as well. The bill is largely consistent with an ongoing multistakeholder effort led by the National Telecommunications and Information Administration (NTIA) aimed at developing voluntary security standards for Internet-connected devices.
The IoT Cybersecurity Improvement Act of 2017 was introduced by Sens. Steve Daines (R-MT), Cory Gardner (R-CO), Mark Warner (D-VA) and Ron Wyden (D-OR); Sens. Gardner and Warner co-chair the Senate Cybersecurity Caucus. The legislation was prompted by a series of massive cyberattacks within the past year. Each of the attacks took advantage of security vulnerabilities in Internet-connected devices that enabled them to be co-opted into global networks known as “botnets.” Once created, these botnets harnessed the significant collective computing power of the network for malicious purposes.
The stated purpose of the legislation is to correct a market failure that allows Internet-connected devices to be sold without being designed with minimum security controls. The legislation would require providers of Internet-connected devices to commit to providing the federal government IoT devices that:
- Use software and firmware that is capable of receiving patches and other updates;
- Are free of known security vulnerabilities or defects at the time of proposed sale (or if such vulnerabilities exist, they are clearly disclosed prior to sale);
- Rely on current industry-standard protocols for communications, encryption, and connectivity with other devices; and
- Do not contain hard-coded passwords (i.e., those that are integrated into the source code of a device’s software or firmware).
The bill’s sponsors purport to adopt a “light touch” approach, with a stated goal of influencing the security practices of IoT device manufacturers indirectly through the federal procurement market rather than by directly imposing new legal obligations. There are no enforcement mechanisms aside from the threat of disqualification from federal contracting opportunities. Further, because these requirements are limited to contractors participating in the federal procurement market, consumer devices would be exempt from the requirements except where vendors are selling these devices to the Government as well. But even for consumer devices more broadly, the legislation likely would provide a strong—if non-mandatory—incentive to formally implement the specific security measures outlined in the bill.
The bill also contains liability protections for security researchers who in good faith identify and disclose vulnerabilities in Internet-connected devices. The legislation would exempt these researchers from liability under the Computer Fraud and Abuse Act (CFAA) as well as the Digital Millennium Copyright Act (DMCA), so long as they followed coordinated disclosure guidelines to be developed by the U.S. Department of Homeland Security National Protection and Programs Directorate (NPPD).
These liability protections address a widespread recognition that security researchers can play a crucial role in enabling organizations to address previously undiscovered vulnerabilities before they may be exploited by malicious actors. Although the protections apply only to Internet-connected devices “of the class, model, or type provided by a contractor to a department or agency of the United States,” imposing such protections on a significant proportion of the IoT market likely would encourage non-federal IoT device vendors to provide similar support to security researchers who disclose vulnerabilities in good faith and consistent with developed standards.
The bill was drafted in consultation with the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University, among others, and already has the support of the Center for Democracy and Technology (CDT) and a number of well-known security researchers and organizations.
The proposed legislation marks a shift from an exploratory period in which relevant Senate action had been mostly limited to holding hearings and other informational events to educate Senators and the general public on emerging issues related to IoT. A recurring theme of these hearings, the first of which was held in March 2015, has been a common commitment to the principle that although the U.S. government may have a role to play in addressing risks posed by Internet-connected devices, it should do so in a manner that does not inhibit innovation. This week’s draft legislation reflects an effort by the bill’s co-sponsors to remain faithful to and advance those principles through the power of federal procurement practices.