Cybersecurity Alert: Lawmakers Draft Bi-Partisan Bill to Enhance Internet of Things Security
By Hanne-Lore M. Gambrell & Craig S. Horbus on April 2, 2019
House and Senate lawmakers recently rolled out bipartisan legislation that sets cybersecurity standards for internet-connected devices that are purchased by the government.
The Internet of Things, or IoT, simply put, is the concept of connecting any device, sensor, instrument or control set to each other and to the Internet. This includes everything from lightbulbs and industrial machines to AI interface machines, electronic devices, and wearable devices.
Sens. Mark Warner (D-VA) and Cory Gardner (R-CO), and Reps. Will Hurd (R-TX) and Robin Kelly (D-IL) reintroduced the Internet of Things Cybersecurity Improvement Act. The bill was introduced two years ago, but died in the Senate because of concerns that the legislation cast too broad a net. The group addressed this issue by excluding several categories of devices, including personal computers, from being considered IoT products. The new bill requires the National Institute of Standards and Technology (NIST) to establish guidelines for IoT devices and mandates that vendors selling IoT products to the government adhere to the new rules, including having to create vulnerability disclosure policies so federal officials would learn of security flaws when they are uncovered. It would also create a process for companies to challenge whether their devices are covered, which will provide businesses with more clarity under the law.
“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Warner, who is also the vice chair of the Senate Intelligence Committee. “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”
The proposed bill is supported by many tech industry giants, including trade group BSA: The Software Alliance, which represents Apple Inc., IBM Corp. and Microsoft Corp., among others. A representative from BSA stated, “BSA applauds Senators Warner and Gardner and Representatives Kelly and Hurd for their leadership in securing the IoT, and calls on Congress to act swiftly to advance this important legislation… As IoT devices increasingly bring greater productivity and quality of life to consumers and businesses across sectors, we must be proactive in addressing the unique security considerations they bring.” Cybersecurity giants, such as Mozilla Corp. and Symantec Corp., also support the proposed legislation.
This bill follows a similar law enacted by California, which has been leading the way in the United States on cybersecurity and data privacy laws. California’s law requires makers of televisions, routers, fitness trackers, automobiles, refrigerators and a range of other devices that connect to the internet to equip products with “reasonable security features.”
Despite its limits in scope, the new proposed bill will likely influence changes in how devices are made for the general public as well as industrial applications known as IIoT or Industrial Internet of Things. The bill defines an IoT device as a “physical object” that “is capable of connecting to and is in regular connection with the internet,” “has computer processing capabilities that can collect, send, or receive data,” and, in a nod to industry concerns, “is not a general-purpose computing device, including personal computing systems, smart mobile communications devices, programmable logic controls, and mainframe computing systems.”
As these legislative changes take place, the impact on the development of commercial IoT devices will be high. Assuming there is a standard developed by NIST and required by the bill, IoT industry participants will not want to build devices using different sets of standards. This will require those in the IoT industry, and those planning large capital expenditures in the IoT space in the near future, to watch closely. The new bill, with bipartisan and tech industry support, has a very real chance of passing.