Bipartisan legislation to improve the cybersecurity of Internet-connected devices was introduced March 11 in both the Senate and the House of Representatives. The legislation — The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 — would require that devices purchased by the U.S. government meet minimum security requirements.
The legislation was introduced in the Senate by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT), while Reps. Robin Kelly (D-IL) and Will Hurd (R-TX) introduced companion legislation in the House of Representatives.
“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Warner, a former technology entrepreneur and executive and Vice Chairman of the Senate Select Committee on Intelligence. “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”
“The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years,” Sen. Gardner said. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks. Agencies like the National Institute of Standards and Technology (NIST) … are key players in helping establish guidelines for improved IoT security and our bill builds on those efforts.”
“As the Internet of Things landscape grows – we must ensure that … information is safe and the security of our critical infrastructure is protected,” said Sen. Daines. “This bill helps establish proper safeguards that balance the need to protect … privacy and our national security with the growing tech economy and high-paying jobs it provides.”
Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would:
1. Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
2. Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
3. Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
4. Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
What’s Antitrust Have to Do With It?
If, as a Pew Research survey revealed, 91% of adults agree or strongly agree that consumers have lost control of how personal information is collected and used by companies, the risk of losing even more control over data with devices running in the intimacy of our homes or running critical infrastructure that keeps our homes and our national security running, what role does antitrust play in all of this?
“It appears the Internet of Things has reached the tipping point at which most middle and upper class U.S. households have at least one enabled device, whether a single Amazon Alexa or fully connected suite of home security and automation products,” said MoginRubin attorney Jennifer M. Oliver.
“These devices, which often include cameras and microphones, should certainly be at the forefront of public privacy and cybersecurity enforcement. Google’s recent disclosure that certain of its Nest products contained undisclosed microphones is a perfect example of the need for regulation,” said Oliver, who is both an attorney and a CIPP/US certified privacy professional.
“While the IoT Cybersecurity Improvement Act may address some privacy issues,” she continued, “the IoT presents several antitrust hallmark concerns as well. For example, IoT product manufacturers depend on interoperability standards and are prone to monopolist and tying behaviors, and IoT platforms may present both direct and indirect network effects. Addressing both the antitrust and privacy concerns in this space is key to fully protecting consumers, and it is up to private and public enforcers to do so.”