Draft Cybersecurity Legislation Would Impose Substantial New Obligations on Vendors Selling Interconnected Devices to the U.S. Government
By Christopher W. Savage and Lisa M. Marchese
08.02.17
On Tuesday, August 1, 2017, a bipartisan group of four Senators from the Senate Cybersecurity Caucus introduced legislation designed to improve the cybersecurity of devices purchased by the U.S. government and – albeit indirectly – sold anywhere in the U.S. or the world.
The legislation – the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” – would require government contracts for the purchase of Internet-connected devices to include clauses that impose significant new cybersecurity obligations on suppliers. Among other provisions, suppliers would be required to certify that their devices: (a) do not contain any known security vulnerabilities or defects; (b) can be patched; (c) use industry-standard protocols for communications and encryption; and (d) do not include any hard-coded credentials for receiving updates. Suppliers would be obliged to notify the government of any later-discovered security vulnerabilities, and to either update/patch or replace devices that are found to have such vulnerabilities. Waivers on a case-by-case basis would be permitted for “devices with severely limited functionality” if it is uneconomical to require compliance with the requirements of the bill.
In addition, the bill would require the National Protection and Programs Directorate within the Department of Homeland Security to issue guidelines for each executive branch agency for “coordinated disclosure” by contractors of security vulnerabilities.
The bill would also require each covered agency to develop a database of that agency’s internet-connected devices.
Finally, the bill would create explicit exemptions from liability under the Computer Fraud and Abuse Act (18 U.S.C. § 1030) and the Digital Millennium Copyright Act (17 U.S.C. §§ 1201 et seq.) for “good faith” research into cybersecurity vulnerabilities of devices of the types sold to the United States government.
The title of the legislation suggests that it might apply only to “IoT” devices – networked cameras, appliances, etc. But the definition of “Internet-connected devices” under the bill includes any “physical object” that (a) is regularly connected to the internet and (b) has computer processing capabilities. So, the new requirements would apply to all PCs, laptops, tablets, smartphones, routers, servers, mainframes, and more – that is, to essentially any modern computing device.
On the surface, this legislation would not directly impose any cybersecurity obligations on any company. However, given the range of entities that supply computing/network gear to the government, wide swaths of the technology industry would be required to conduct detailed cybersecurity reviews of their products (and agree to the new provisions outlined above), on pain of losing the government’s business. In practical terms, if passed, this legislation could significantly restructure industry’s approach to cybersecurity. Moreover, by expressly exempting good-faith research into vulnerabilities from liability under either the CFAA or the DMCA, the bill would strongly encourage efforts by outsiders to identify and report vulnerabilities – which would then have to be reported to the government.
In short, if adopted, this bill would amount to a form of “soft” regulation of cybersecurity, leveraging the government’s purchasing power to require industry to substantially modify its approach. Long-time industry players will see a parallel between this effort and the effort in the late 1980s/early 1990s by the Department of Defense to require email systems used by its contractors and subcontractors to be interoperable. While not “regulation” in any formal legal sense, in practical terms leveraging the government’s purchasing power drove the interoperability of email systems. This bill attempts to adopt the same approach for cybersecurity.
In summary, this legislation only underscores the Government’s growing and heightened focus on cybersecurity and the expanding compliance requirements for federal contractors. For example, the newly enacted FAR and DFAR Cybersecurity clauses impose a myriad of compliance obligations aimed at safeguarding information and data in contractor information systems. Cybersecurity requirements will soon be included in virtually all federal procurement contracts. The government’s approach has been to place the burden of cybersecurity upon contractors. Thus, contractors should make cybersecurity compliance a priority to ensure they stay ahead of the proverbial power curve in this ever-evolving legislative and regulatory landscape.
By avoiding directly imposing security obligations on device manufacturers, and instead leveraging the government’s purchasing power to “nudge” the market, this bill takes a different approach from the currently pending California IoT bill (SB 327). In its current form, that bill would require interconnected devices sold to consumers in California to have “reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit [and] that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” See here.
We will monitor the progress of this proposed legislation and provide additional updates as warranted.