Senate Cybersecurity Caucus Introduces Bill To Secure Federal Agencies’ Connected Devices

King & Spalding
Contact

On August 1, 2017, the Senate introduced the proposed “Internet of Things (‘IoT’) Cybersecurity Improvement Act of 2017” (the “Act”) to establish, among other things, minimum cybersecurity standards for contractors who provide an array of connected devices to the federal government.

Introduced by Senators Mark Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Senators Ron Wyden (D-OR) and Steve Daines (R-MT), the core provisions of the Act would require the inclusion of specific clauses in procurement contracts with federal agencies for Internet-connected devices (e.g., smart phones and laptops), including a certification that the devices do not contain known security vulnerabilities or defects, are capable of being updated with new security patches, meet certain industry security standards, and do not contain any fixed or hard-coded credentials allowing remote access.  To facilitate implementation and allow discretion to federal agencies, the Act provides for waiver of the minimum security requirements under certain circumstances, as well as recognition of alternative third-party security standards.

Senator Warner previously called for changes to connected device security in October 2016, when he wrote the FTC, FCC, and DHS in response to the Mirai botnet, a large-scale cyber-attack carried out by hackers who scanned the Internet for connected devices—such as routers and cameras—protected only by minimal factory-default passwords.  With the IoT universe expected to include over 20 billion devices by 2020, Senator Warner expressed hope this week that the proposed legislation “will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”  While the Act would only apply to devices purchased by federal agencies, commentators such as Jonathan Zittrain of Harvard’s Berkman Klein Center for Internet & Society have applauded the Act’s use of “the power of the Federal procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ some basic security measures in their products.”

In addition to the minimum out-of-the-box security requirements for connected devices, the Act would also mandate that government procurement contracts include provisions requiring (1) the seller-contractor to notify the purchasing agency of subsequently discovered security vulnerabilities or defects; (2) the updating of software to address future vulnerabilities; and (3) in the event a software update cannot sufficiently remediate a vulnerability, the repair or replacement of the device.

Finally, a separate component of the Act would provide carve-outs to liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act for persons engaged in “good faith” research of the cybersecurity of an Internet-connected device provided by a contractor to a federal agency.  These protections would allow independent researchers to conduct systems penetration testing and other research on the types of devices used by federal agencies to identify potential security vulnerabilities without running afoul of federal law.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:

King & Spalding
Contact
more
less

King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.