On August 1, Sens. Mark Warner and Cory Gardner introduced the “Internet of Things Cybersecurity Improvement Act of 2017.” According to its sponsors, the goal of the legislation is to establish “minimum security requirements for federal procurements of connected devices.” Pointing to the growing number of connected devices and their use in prior cyber-attacks, the sponsors aim to provide flexible requirements that limit the vulnerabilities of such networks. Specifically, the bill requires Internet of Things (IoT) devices sold to the federal government to be patchable, to be free of known vulnerabilities, and to rely on standard protocols. Overall, the legislation attempts to raise and standardize the baseline security of connected devices while allowing innovation in the field to remain relatively permissionless. As Ryan Hagemann[1] at the Niskanen Center states, the bill is generally perceived as a step in the right direction: it promotes security while limiting the potential harm of regulation to innovation in the Internet of Things.
The proposed legislation creates such security requirements only for Internet of Things products purchased by the federal government. As a result, it does not directly address the perceived market failure in securing the Internet of Things for state and local governments or for consumers. It is therefore possible that further state or federal legislation will develop different security norms in these areas, or that the market will be left to sort out what level of security such products need. Similarly, innovators might create different versions of products for consumers than for the government if they found the security requirements of the federal procurement rules unnecessary. At the same time, consumers and other levels of government might reject such products if they perceive them as less secure. For example, state and federal governments have independently developed their own protocols and requirements for security in IT and telecommunications services; while all require some level of security, the exact requirements vary. Likewise, while most consumers still expect or opt in to some level of security for their personal computers, expectations for security protocols differ for government and medical computer networks. A similar phenomenon could emerge in the Internet of Things, where the devices procured by the government are more secure than those available to the average consumer.
Defining and quantifying the Internet of Things can be difficult, as new connected devices from toasters to teddy bears continue to arrive seemingly daily. As Ariel Rabkin discusses, the bill defines the scope of covered devices with the broad, ambiguous term “Internet-connected device,” which could cover not only new connected devices but also far more mundane general-purpose items such as laptops and smartphones. This ambiguity is a serious concern with the proposed legislation. Given that the security guidelines are to be issued by the Office of Management and Budget in conjunction with each executive agency, we could see agencies use soft law in an attempt to get Internet of Things entrepreneurs to adopt such standards beyond the items the government procures. Because the set of items covered by the proposed legislation is ambiguous, it also raises the question of what happens to emerging technologies such as connected cars, where agencies are already discussing security standards, and to devices such as laptops and cell phones, where government and agency standards already exist. If not clarified, such a broad definition has the potential to create uncertainty in the agency-based security standards for procurement. While the initial standards are aimed at federal procurement, delegating them to agencies could lead to broader agency influence over the Internet of Things generally, and to the use of government procurement standards as a type of soft law that shapes the pace and course of innovation.
The proposed legislation provides a basic start on limiting liability for Internet of Things researchers and systems security architects, especially when coupled with existing intermediary protections. Unlike the FTC’s strict liability data security rules, the proposed legislation carves out safe harbors for good-faith security research and testing, amending the Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA) so that such research is protected provided the device complied with the guidelines issued under the new legislation. This, however, raises questions of liability for purchasers other than the federal government. First, if devices in the consumer market fail to comply with the proposed standards, could the existence of a more secure government alternative be used to support a design defect claim, on the theory that a reasonable alternative design was available? And if not for an individual consumer, then what about a state or local government? Under the proposed legislation, merely failing to comply with the standards in a consumer-grade product does not seem likely to give rise to a case against an Internet of Things producer. The proposed legislation also does not appear to adequately address a safe harbor for an insufficient fix or a latent defect. While these situations should not immediately render a company negligent, there is a real concern that an ineffective patch might exacerbate rather than solve a problem. Nor does it address the situation where a third party fails to apply security updates, or where the government modifies existing protocols on the device and inadvertently changes its security features.
In general, the Internet of Things Cybersecurity Improvement Act of 2017 provides a base level of security that could lead to greater adoption by government entities without disrupting innovation in the consumer market. At the same time, its broad definition of the Internet of Things risks soft law abuse, and its limitation to government procurement restricts its broader impact on IoT security. If passed, the Act might promote security across devices and encourage broader innovation in security protocols without taking such technology into regulatory captivity.
[1] Ryan provided feedback on an earlier draft of this post.