New Federal IoT Security Bill Has Narrower Scope, But Big Impact

This week, U.S. Sens. Mark Warner, D-Virginia, Cory Gardner, R-Colorado, Maggie Hassan, D-New Hampshire, and Steve Daines, R-Montana, introduced the Internet of Things Cybersecurity Improvement Act of 2019. It’s the second attempt by federal lawmakers to impose a cybersecurity standard for IoT devices purchased by the federal government.

In 2017, Warner, Gardner, Daines and Sen. Ron Wyden, D-Oregon, had introduced a similar, but not identical, IoT measure. While the 2017 bill focused on IoT devices’ passwords and software updates, the leaner 2019 measure doesn’t make specific requirements, but instead requests cybersecurity recommendations from the National Institute of Standards and Technology (NIST).
But despite its limited scope, some lawyers argue that if the measure does pass, it could affect the cybersecurity standards of all IoT devices, not just those used by the federal government.

“Prior government bills on internet of things were about fostering the growth of IoT,” said James Koenig, privacy and cybersecurity practice group co-chairman at Fenwick & West. “This bill is important and interesting because it seeks to have the standards reviewed for IoT cybersecurity vulnerabilities for [the] government and the devices used and integrated.”
The 2019 bill covers devices that are capable of connecting to the internet and collect, send or receive data. However, the proposed law may not cover smartphones, mainframe computers and “programmable logic controls,” which Koenig said is an interesting omission.

“As the bill goes a long way in helping to develop an approach for common industry and technical standards for IoT in government internet accessible devices, it largely covers IoT devices that can access or manage or process information,” he noted. “There is a possibility that the scope of the bill in the definition of covered devices doesn’t cover general-purpose computing devices [and] programmable logic controls, and that is critically important as logic controllers are the things that manage and govern autonomous machinery and robots.”

Koenig cited the 2010 Stuxnet computer virus, which attacked Iran’s nuclear facility through its programmable logic controllers, as an example of the havoc a cyberattack against such a computer could cause. “That’s the first thing that jumped out to me that they were excluding those things.”
Despite its omissions, if the measure is passed as is, the standard for IoT devices could trickle to private consumers.

“Depending on the device and its use, then the desire for higher security may drive the commercial sector to use devices [meeting federal IoT guidelines],” Koenig added.

However, for the bill to gain traction, Ice Miller Strategies co-founder and principal Clayton Heil said the bill will need stakeholders’ expertise. Heil said the 2017 bill failed because it didn’t have enough input from those in the cybersecurity community. For the new bill not to meet the same fate, Heil predicted the legislation “may drift more toward great NIST involvement and create an involvement of voluntary standards globally accepted as a benchmark of how IoT will work.”

Heil called NIST’s announcement of its Cybersecurity for the Internet of Things Program, which brings together stakeholders to discuss IoT cybersecurity, as the best approach to grow and create the law’s baseline standard.

Fenwick & West’s Koenig agreed, adding, “This bill is potentially easier to digest and since NIST is viewed as impartial—for government standards, not commercially—it has a better chance at passing.”

To be sure , a federal IoT cybersecurity regulation may be a low priority, as the possibility of a national data privacy law grabs federal lawmakers’ attention.

“While the proposed bill is promising, one of the obstacles to its enactment is Congress’ consideration of a national data privacy law,” wrote Kirkland & Ellis partner Sunil Shenoi in an email. “With the latter garnering House and Senate hearings, substantial lobbying efforts, and widespread media attention, Congress may put the Internet of Things Cybersecurity Improvement Act of 2019 on the back burner until after it resolves proposals regarding a national data privacy law.”

What’s more, a companion nationwide consumer-side IoT regulation is doubtful. Indeed, Ice Miller’s Heil said it was unlikely Congress would enact a nationwide private-sector IoT law because a federal IoT regulation covering government devices would become the “de facto standard.” Economically, it would be more expensive for device makers to make two versions of the same product—one that meets federal government regulations and one that does not, he said.

Heil cited the California Consumer Privacy Act, which includes measures regarding data collected by IoT devices, as an example of manufacturers selecting that law as a cybersecurity standard for all devices. “For them, that becomes the floor, because they don’t want to make different devices for California and the rest of the country,” he said.