Three Reactions to the “Internet of Things Cybersecurity Improvement Act of 2017”

Note: This article was written in 2017 for a class assignment and does not represent the views of any person or group.

Abstract— This paper offers three perspectives on the “Internet of Things Cybersecurity Improvement Act of 2017,” a recently proposed legislation on cybersecurity in the Internet of Things (IoT), which requires that devices purchased by the U.S. government meet minimum cybersecurity requirements. We first describe the viewpoint of the IoT Security Foundation (IoTSF), before moving onto the Office of Senator Warner, one of the Senators sponsoring the bill. The views of the author are considered in the final section.

Index Terms— cybersecurity, devices, Internet of Things, legislation, networks, security requirements, U.S. Government

I. IOTSF’S VIEW

As a non-profit organization dedicated to driving security excellence, we believe that the proposed “Internet of Things Cybersecurity Improvement Act of 2017” is a commendable effort to secure IoT devices.[1] However, we must emphasize that this bill is clearly insufficient and ineffective at achieving the goal of securing the increasing number of Internet of Things devices.

The requirements of this bill only apply to vendors who sell devices to the Federal Government, and only with respect to those devices that are sold to the government. The title of the bill purports to improve the cybersecurity of the Internet-of-Things devices in general, yet in fact most IoT devices are not covered as they are not used by the government. These devices, used by consumers across the United States and around the world, will continue to be insecure.

The security and reliability of the Internet is threatened by vulnerable and compromised Internet-of-Things devices regardless of whether they are owned by the government or the private sector. Compromised IoT devices, whether used in the Federal Government or elsewhere, can be used to create botnets that can attack any target on the Internet, including valuable assets such as the government, critical infrastructure, and the financial sector. Incidents like the 2016 Dyn cyberattack, where attackers leveraged compromised IoT devices to attack and cause service disruptions on multiple major Internet platforms, will become more common as the irresponsible sale of vulnerable devices continues.[2]

Even within the scope of the Federal Government, the bill provides for broad exceptions and allows executive agencies the discretion to waive critical security requirements and essentially bypass the law. It is possible for executive agencies to grant exceptions under different justifications simply for the sake of convenience, at the expense of nullifying any benefits of the original security requirements.

The exceptions provision of the bill needs to be more specific and limited. For example, company applications for waivers should be denied as a matter of law if a secure and compliant alternative exists. Furthermore, exceptions granted by the Office of Management and Budget for feasibility or economic practicality reasons should be restricted to rare circumstances and should require compensating security controls.

While the exceptions for the government are overly broad, the limited protection for security researchers from legal liability is too narrowly defined despite being a step in the right direction. Specifically, the bill in its current form only protects research on specific device models used by the Federal Government. So long as security researchers continue to be threatened with criminal prosecution and civil lawsuits for their legitimate efforts to improve systems and devices, the security of IoT devices will remain under-examined and under-researched.

II. SENATOR WARNER’S VIEW

Since our introduction of the “Internet of Things Cybersecurity Improvement Act of 2017,” which establishes minimum security requirements for Internet-connected devices purchased by the U.S. government, our office has received numerous comments from across the United States. While there is certainly more that can be done to improve our nation’s cybersecurity readiness, it is important to note that we must take one step at a time to ensure the efficacy and efficiency of our legislation.[3]

This proposed bill represents the first step that we as a nation can take to improve the cybersecurity of Internet-of-Things (IoT) devices. By only purchasing secure devices from vendors that meet the baseline security requirements, the Federal Government can incentivize the industry to develop IoT devices that are more secure and resilient against cyberattacks.

The approach taken by this bill encourages device manufacturers to be more secure while avoiding the direct regulation of the IoT marketplace, as regulation has the risk of becoming burdensome, stifling innovation, and halting technological progress. Vendors need freedom to innovate and create products that can benefit and improve our society.

The exceptions provision ensures that the guidelines are flexible and do not impede the efficiency and effectiveness of government operations. Not all executive agencies are alike; each agency has unique needs and its own threat model. The mechanism for exceptions allows each agency to procure devices that satisfy its demands, while ensuring that agency heads are aware of the relevant security risks. The Director of the Office of Management and Budget is the most capable of taking into consideration the security requirements and demands of each agency and accepting risk when appropriate.

The limitation of liability provisions in this bill are intended to protect security researchers, but only when they conduct research in accordance with official guidelines. When combined with the mandated public database of IoT devices used by the Federal Government, this limitation of liability allows researchers to independently verify that IoT devices used by the government are in fact secure. To not create loopholes that facilitate unlawful access to protected computers, the bill limits legal protection to researchers who act in accordance with the designated guidelines.

III. THE AUTHOR’S VIEW

My own views lie in between that of the IoT Security Foundation (IoTSF) and that of Senator Warner.

I agree with Senator Warner that the proposed “Internet of Things Cybersecurity Improvement Act of 2017” is a step in the right direction for our nation’s cybersecurity. Upon passage, the legislation would immediately begin a process that will improve the security of government systems and networks. Furthermore, these requirements will give device vendors an economic incentive to improve security across the board, as a vendor’s eligibility to compete for government contracts is contingent upon its compliance with the security rules.

However, I share several of the concerns raised by the IoTSF that the legislation may be inadequate for improving IoT cybersecurity. It is accurate to say that this bill does not directly improve the security of consumer IoT devices, and further legislation will be required to address the market failure that arises when both sellers and buyers act solely upon their own desire to reduce costs and fail to consider the fact that their devices may become a threat to the Internet security of the entire nation and beyond.

There are a few possibilities for future legislation that may address these devices. For example, we may hold companies liable for the behavior of their products, particularly if they were compromised by a third-party, if they do not comply with a prescribed set of security standards. We may also introduce security certifications, like those currently issued by the Underwriter’s Laboratory for electrical appliances; security information labels, like the “Nutrition Facts” we currently see on food products; and security warning labels that can help consumers make informed choices when they shop for IoT products.

I also share IoTSF’s concern that the provisions protecting security research in the bill are too narrowly constructed. The Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) have long been abused by companies to threaten legitimate security researchers and impede independent security audits.[4][5] Instead of attacking researchers who contribute to the public good by finding vulnerabilities in products and reporting them, companies should address and fix the vulnerabilities disclosed to them in a timely manner. Further legal protections for security research are necessary to protect legitimate security researchers from inappropriate prosecutions and frivolous lawsuits.

Despite its inadequacy, the limitation of researcher liability provision specifically states that it shall not be “construed to establish additional obligations or criminal penalties for” security researchers.[6] Hence, the provision strictly improves the status quo.

IV. REFERENCES
[1] "Our Mission - IoT Security Foundation", Iotsecurityfoundation.org, 2017. [Online]. Available: https://www.iotsecurityfoundation.org/about-us/. [Accessed: 04-Oct-2017].

[2] N. Lanxon, J. Kahn and J. Brustein, "The Possible Vendetta Behind the East Coast Web Slowdown", Bloomberg.com, 2016. [Online]. Available: https://www.bloomberg.com/news/articles/2016-10-21/internet-service-disrupted-in-large-parts-of-eastern-u-s. [Accessed: 04-Oct-2017].

[3] "Senators Introduce Bipartisan Legislation to Improve Cybersecurity of “Internet-of-Things” (IoT) Devices", Mark R. Warner, 2017. [Online]. Available: https://www.warner.senate.gov/public/index.cfm/pressreleases?id=06A5E941-FBC3-4A63-B9B4-523E18DADB36. [Accessed: 04-Oct-2017].

[4] "CFAA and Security Researchers", Electronic Frontier Foundation, 2017. [Online]. Available: https://www.eff.org/document/cfaa-and-security-researchers. [Accessed: 04-Oct-2017].

[5] E. Felten, "How Terrible Copyright Law Hurts Security Research", Slate Magazine, 2013. [Online]. Available: http://www.slate.com/articles/technology/future_tense/2013/03/dmca_chilling_effects_how_copyright_law_hurts_security_research.html. [Accessed: 04-Oct-2017].

[6] M. Warner, C. Gardner, R. Wyden and S. Daines, "Internet of Things Cybersecurity Improvement Act of 2017", U.S. Senate, 2017. [Online]. Available: https://www.congress.gov/115/bills/s1691/BILLS-115s1691is.pdf. [Accessed: 04-Oct-2017].

[7] "Senators Introduce Bipartisan Legislation to Improve Cybersecurity of “Internet-of-Things” (IoT) Devices | U.S. Senator Cory Gardner of Colorado", Gardner.senate.gov, 2017. [Online]. Available: https://www.gardner.senate.gov/newsroom/press-releases/senators-introduce-bipartisan-legislation-to-improve-cybersecurity-of-internet-of-things-iot-devices. [Accessed: 04-Oct-2017].

[8] "Explaining the Internet of Things (IoT) Cybersecurity Improvement Act of 2017", Independent Security Evaluators, 2017. [Online]. Available: https://blog.securityevaluators.com/explaining-the-internet-of-things-iot-cybersecurity-improvement-act-of-2017-912954d5c6e9. [Accessed: 04-Oct-2017].