Internet of Things (IoT) proliferation has not slowed down. In 2018, the number of IoT devices is expected to surpass the number of mobile phones.[1] The U.S. government has been playing catch-up with its own increasing rollouts of proposed IoT regulations, all of which attempt to address some aspect of the increased security and safety risks inherent in the rise of IoT adoption.
The most recent government iteration is the Cyber Shield Act of 2017.[2] The Cyber Shield Act is the first congressional bill to focus on the voluntary labeling of IoT devices with a security score. Through these labels, the proposed legislation aims to develop an informed market that it hopes will set an appropriate valuation for device security. One of the co-sponsors of the bill, Senator Edward Markey (D-Mass.), warned that without appropriate safeguards, “IoT will also stand for the Internet of Threats.”[3]
This Client Alert summarizes the proposed legislation, analyzes its potential impact, and addresses the key criticisms lodged against the bill.
The Cyber Shield Act of 2017’s voluntary regulatory framework
The Cyber Shield Act of 2017 aims to incentivize improved IoT device security through a voluntary framework. The bill’s drafters collaborated with the Institute for Critical Infrastructure Technology (ICIT).[4] The legislation seeks to “establish a voluntary program to identify and promote Internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures and processes.”
The bill would identify and certify covered products (defined as connected consumer devices that collect, send, or receive data) with superior cybersecurity and data security through the application of Cyber Shield labels. Evaluators would have multiple labels with different grades at their disposal in order to score a product’s achievement of cybersecurity and data security benchmarks.
Details on the labels and scoring system are deliberately left out of the bill and would be developed through a Cyber Shield Advisory Committee appointed by the Secretary of Commerce. This committee would consist of “individuals who are specially qualified to serve on the Advisory Committee,” including representatives of the covered products industry, cybersecurity experts, public interest advocates, and federal employees with the requisite expertise. The committee would have one year to lay out the format and content of Cyber Shield product labels. The secretary would also be responsible for promoting technologies that comply with chosen benchmarks and enhancing public awareness of the Cyber Shield labels through public outreach, education, research, and development. The secretary would further consult the Secretary of Health and Human Services, the Commissioner of Food and Drugs, the Secretary of Homeland Security, and other federal agencies in carrying out the Cyber Shield program. The Inspector General of the Department of Commerce would then evaluate the program within four years of enactment, and at least every two years thereafter.
The Cyber Shield Act focuses on a free-market approach. Its labeling system aims to bridge the informational void that currently exists between purchasers and device manufacturers. By shining a light on device security through a mandatory and uniform reporting system, the theory goes that demand from informed consumers will incentivize manufacturers and vendors to build better security into their products. Buttressing this theory, a recent international survey by the security firm Irdeto found that more than two-thirds of respondents (69%) were worried about their smart devices being susceptible to hacking, and 90% of respondents thought smart devices should come equipped with built-in security features.[5] The proposed labeling structure attempts to allay those concerns.
Anticipated challenges and criticism
Detractors of the Cyber Shield Act have focused on three themes. First, the chosen standards cannot guarantee safety. The threat landscape of cybersecurity is fluid: a device that seems secure one day could become exceedingly vulnerable overnight. Further, such a device-based rating system focuses too much on the devices themselves and overlooks important factors such as how the device is installed and used. Any realistic security appraisal must account for those aspects, rather than relying simply on a device’s innate security features. For example, even secure devices can be breached laterally by other devices on a shared network. Meanwhile, perhaps ignorant of these combined challenges, consumers may have a misplaced confidence in Cyber Shield ratings and may themselves take fewer security precautions as a result.
At least as to the first issue of static labels in a dynamic threat landscape, a reasonable solution is available. Instead of merely providing a single permanent security score, devices could be labeled with a QR code[6] that corresponds to a dynamic database that updates the score in real time according to the current threat landscape.
A second major criticism is the legislation’s voluntary nature. Proponents believe that the bill can attract a sufficient number of companies to opt into the labeling system that holdout device manufacturers that refuse to participate will be commercially disadvantaged. This may prove overly optimistic. Notably, similar attempts by foreign legislators have proven unsuccessful. For instance, in 2013, the United Kingdom launched a similar rating system, based on the BSI Kitemark.[7] Businesses largely opted out of the voluntary standards, and the legislation languished. In addition, the bill lacks the ability to keep low-scoring participants within the regulatory scheme. A low-scoring device manufacturer can simply end its participation in the labeling program, without any requirement to improve its security framework.
Third, some chief information security officers (CISOs) believe they were not adequately consulted in the development of the proposed legislation. One such critic is Martin Zinaich, the information security officer for the City of Tampa. Mr. Zinaich has argued that the legislation’s goals can only be achieved by CISOs “working in conjunction with government, to put out a standard and keep it up to date.” He believes that CISOs, led by a professional CISO association, should provide the voice of business.
On the other side of this issue, the ICIT expressed concerns that allowing business CISOs too much authority in directing the shape of the legislation could result in a weak framework and meaningless certification, as organizations may “shy away from adhering to best practices because doing so increases their bottom line.” Additionally, large businesses may “economically weaponize the framework as an entry-barrier”[8] to smaller entities. Large businesses may act on their anti-competitive interests by creating a series of onerous standards that have less to do with device security than with adding hurdles for smaller new companies attempting to enter the marketplace. The debate underscores the breadth of IoT proliferation in the marketplace and the wide spectrum of stakeholders.
Connection to the broader legislative landscape
The Cyber Shield Act of 2017 is the latest in a number of federal legislative proposals to promote device security. Cybersecurity experts are watching closely to see how this bill and its voluntary scoring framework will interact with the patchwork of already pending legislation.
Like the Cyber Shield Act of 2017, the Cybersecurity Disclosure Act of 2017[9] also seeks to increase the public availability of device security data. The Cybersecurity Disclosure Act would direct the Securities and Exchange Commission to issue final rules requiring a registered issuer to (1) disclose in its mandatory annual report or annual proxy statement whether any member of its governing body has expertise or experience in cybersecurity, including details necessary to describe fully the nature of that expertise or experience; and (2) if no member has such expertise or experience, describe what other company cybersecurity steps were taken into account by the persons responsible for identifying and evaluating nominees for the governing body.
The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (which we previously reported on)[10] would require that “vendors who supply the US government with IoT devices . . . ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements.”[11]
Specific to the medical device sphere, the Internet of Medical Things Resilience Partnership Act of 2017 (previously reported on here at Med Device Online)[12] is also pending before Congress. It seeks to “establish a working group of public and private entities led by the Food and Drug Administration to recommend voluntary frameworks and guidelines to increase the security and resilience of Internet of Medical Things devices, and for other purposes.”
All these bills are under review in several committees and are a harbinger of more government regulation that is to come.
[1] ericsson.com
[2] congress.gov; congress.gov
[3] The bill was introduced in their respective chambers of Congress by Senator Edward Markey (D-Mass.) and Representative Ted Lieu (D-Calif.) in October 2017
[4] ICIT is a 501(c)(3) organization that describes itself as a non-partisan cybersecurity think tank that aims to protect the nation’s critical infrastructure and private sector industries. It boasts notable industry members such as KPMG, Mastercard, and McAfee
[5] emarketer.com
[6] A QR code is the trademark for a type of matrix barcode (or two-dimensional barcode). Put simply, it is a machine-readable optical label that contains information about the item to which it is attached
[7] The BSI Kitemark™ is a quality mark owned and operated by the British Standards Institution
[8] James Scott, The Cyber Shield Act – Is the Legislative Community Finally Listening to Cybersecurity Experts?, Institute for Critical Infrastructure Technology, April 2017
[9] Cybersecurity Disclosure Act of 2017, S.536, 115th Cong. (1st Sess. 2017) https://www.congress.gov/115/bills/s536/BILLS-115s536is.pdf
[10] Pending Legislation Seeks to Secure Federal Government IoT
[11] warner.senate.gov
[12] meddeviceonline.com
Client Alert 2018-062