Pending Legislation In U.S. Congress, Part V

Congress may well pass IoT legislation this year, and the two bills under consideration take different approaches.

Continuing our look at bills Congress may pass this year leads us to an issue area that has received attention but no legislative action; the Internet of Things (IoT). Many Members are aware and concerned about the lax or nonexistent security standards for many such devices, which leaves them open to attack or being used as part of a larger bot network to attack other internet connected devices. There are two bills with significant odds of being enacted, one better than the other, for it is a more modest bill and it is attached to the Senate’s FY 2021 National Defense Authorization Act. However, the other bill is finally coming to the House floor today, which may shake loose its companion bill in the Senate.

As the United States (U.S.) Departments of Commerce and Homeland Security explained in “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats, insecure IoT poses huge threats to the rest of the connected world:

The Distributed Denial of Service (DDoS) attacks launched from the Mirai botnet in the fall of 2016, for example, reached a level of sustained traffic that overwhelmed many common DDoS mitigation tools and services, and even disrupted a Domain Name System (DNS) service that was a commonly used component in many DDoS mitigation strategies. This attack also highlighted the growing insecurities in—and threats from—consumer-grade IoT devices. As a new technology, IoT devices are often built and deployed without important security features and practices in place. While the original Mirai variant was relatively simple, exploiting weak device passwords, more sophisticated botnets have followed; for example, the Reaper botnet uses known code vulnerabilities to exploit a long list of devices, and one of the largest DDoS attacks seen to date recently exploited a newly discovered vulnerability in the relatively obscure MemCacheD software.

Later in the report, as part of one of the proposed goals, the departments asserted:

When market incentives encourage manufacturers to feature security innovations as a balanced complement to functionality and performance, it increases adoption of tools and processes that result in more secure products. As these security features become more popular, increased demand will drive further research.

However, I would argue there are no such market incentives at this point, for most people looking to buy and use IoT are not even thinking about security except in the most superficial ways. Moreover, manufacturers and developers of IoT have not experienced the sort of financial liability or regulatory action that might change the incentive structure. In May, the Federal Trade Commission (FTC) reached “a settlement with a Canadian company related to allegations it falsely claimed that its Internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data it collected from users.”

As mentioned, one of the two major IoT bills stands a better chance of enactment. The “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S. 1611) would establish the beginnings of a statutory regime for the regulation of IoT at the federal level. The bill is sponsored by Senators Deb Fischer (R-NE), Cory Gardner (R-CO), Brian Schatz (D-HI), and Cory Booker (D-NJ) and is substantially similar to legislation (S. 88) the Senate passed unanimously in the last Congress the House never took up. In January, the Senate passed the bill by unanimous consent but the House has yet to take up the bill. S.1611was then added as an amendment to the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) in July. Its inclusion in an NDAA passed by a chamber of Congress dramatically increases the chances of enactment. However, it is possible the stakeholders in the House that have stopped this bill from advancing may yet succeed in stripping it out of a final NDAA.

Under this bill, the Secretary of Commerce must “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things, including”

identify any Federal regulations, statutes, grant practices, budgetary or jurisdictional challenges, and other sector-specific policies that are inhibiting, or could inhibit, the development or deployment of the Internet of Things;

  • consider policies or programs that encourage and improve coordination among Federal agencies that have responsibilities that are relevant to the objectives of this Act;
  • consider any findings or recommendations made by the steering committee and, where appropriate, act to implement those recommendations;
  • examine—
    • how Federal agencies can benefit from utilizing the Internet of Things;
    • the use of Internet of Things technology by Federal agencies as of the date on which the working group performs the examination;
    • the preparedness and ability of Federal agencies to adopt Internet of Things technology as of the date on which the working group performs the examination and in the future; and
    • any additional security measures that Federal agencies may need to take to—
      • safely and securely use the Internet of Things, including measures that ensure the security of critical infrastructure; and
      • enhance the resiliency of Federal systems against cyber threats to the Internet of Things

S.1611 requires this working group to have representatives from specified agencies such as the National Telecommunications and Information Administration, the National Institute of Standards and Technology, the Department of Homeland Security, the Office of Management and Budget, the Federal Trade Commission, and others. Nongovernmental stakeholders would also be represented on this body. Moreover, a steering committee would be established inside the Department of Commerce to advise this working group on a range of legal, policy, and technical issues. Within 18 months of enactment of S.1611, the working group would need to submit its recommendations to Congress that would then presumably inform additional legislation regulating IoT.  Finally, the Federal Communications Commission (FCC) would report to Congress on “future spectrum needs to enable better connectivity relating to the Internet of Things” after soliciting input from interested parties.

As noted, there is another IoT bill in Congress that may make it to the White House. In June 2019 the Senate and House committees of jurisdictions marked up their versions of the “Internet of Things (IoT) Cybersecurity Improvement Act of 2019” (H.R. 1668/S. 734), legislation that would tighten the federal government’s standards with respect to buying and using IoT. In what may augur enactment of this legislation, the House will take up its version today. However, new language in the amended bill coming to the floor making clear that the IoT standards for the federal government would not apply to “national security systems” (i.e. most of the Department of Defense, Intelligence Community, and other systems) suggests the roadblock that may have stalled this legislation for 15 months. It is reasonable to deduce that the aforementioned agencies made their case to the bill’s sponsors or allies in Congress that these IoT standards would somehow harm national security if made applicable to the defense IoT.

The bill text as released in March for both bills was identical signaling agreement between the two chambers’ sponsors, but the process of marking up the bills has resulted in different versions, requiring negotiation on a final bill. The House Oversight and Reform Committee marked up and reported out H.R. 1668 after adopting an amendment in the nature of a substitute that narrowed the scope of the bill and is more directive than the bill initially introduced in March. The Senate Homeland Security and Governmental Affairs Committee marked up S. 734 a week later, making their own changes from the March bill. The March version of the legislation unified two similar bills from the 115th Congress of the same title: the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” (S. 1691) and the “Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018” (H.R. 7283).

Per the Committee Report for S. 734, the purpose of bill

is to proactively mitigate the risks posed by inadequately-secured IoT devices through the establishment of minimum security standards for IoT devices purchased by the Federal Government. The bill codifies the ongoing work of the National Institute of Standards and Technology (NIST) to develop standards and guidelines, including minimum-security requirements, for the use of IoT devices by Federal agencies. The bill also directs the Office of Management and Budget (OMB), in consultation with the Department of Homeland Security (DHS), to issue the necessary policies and principles to implement the NIST standards and guidelines on IoT security and management. Additionally, the bill requires NIST, in consultation with cybersecurity researchers and industry experts, to publish guidelines for the reporting, coordinating, publishing, and receiving of information about Federal agencies’ security vulnerabilities and the coordinate resolutions of the reported vulnerabilities. OMB will provide the policies and principles and DHS will develop and issue the procedures necessary to implement NIST’s guidelines on coordinated vulnerability disclosure for Federal agencies. The bill includes a provision allowing Federal agency heads to waive the IoT use and management requirements issued by OMB for national security, functionality, alternative means, or economic reasons.

In general, this bill seeks to leverage the federal government’s ability to set standards through acquisition processes to ideally drive the development of more secure IoT across the U.S. The legislation would require the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to work together to institute standards for IoT owned or controlled by most federal agencies. As mentioned, the latest version of this bill explicitly exclude “national security systems.” These standards would need to focus on secure development, identity management, patching, and configuration management and would be made part of Federal Acquisition Regulations (FAR), making them part of the federal government’s approach to buying and utilizing IoT. Thereafter, civilian federal agencies and contractors would need to use and buy IoT that meets the new security standards. Moreover, NIST would need to create and implement a process for the reporting of vulnerabilities in information systems owned or operated by agencies, including IoT naturally. However, the bill would seem to make contractors and subcontractors providing IoT responsible for sharing vulnerabilities upon discovery and then sending around fixes and patches when developed. And yet, this would seem to overlap with the recently announced Trump Administration vulnerabilities disclosure process (see here for more analysis) and language in the bill could be read as enshrining in statute the basis for the recently launched initiative even though future Administrations would have flexibility to modify or revamp as necessary.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by lea hope bonzer from Pixabay

Congressional Cybersecurity Commission Releases Annex To Final Report

A Congressional cyber panel is adding four recommendations to its comprehensive March report.  

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On 2 June, the Cyberspace Solarium Commission (CSC) released an annex to its final report. The CSC was created by the National Defense Authorization Act for Fiscal Year 2019 (P.L. 115-232) to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” In mid-March, the CSC released its final report and made a range of recommendations, some of which were paired with legislative language the CSC has still not yet made available. However, Members of Congress who served on the CSC are working with the Armed Services Committees to get some of this language added to the FY 2021 National Defense Authorization Act (NDAA). See this issue of the Technology Policy Update for more detail on the CSC’s final report.

Per its grant of statutory authority, the CSC is set to terminate 120 days after the release of its final report, which will be next month. Nonetheless, the CSC has been holding a series of webinars to elucidate or explain various components of the final report, and the Commission began to consider cybersecurity through the lens of the current pandemic for parallels and practical effects. Consequently, the CSC added four new recommendations and renewed its call that recommendations in its final report related to the pandemic – in the view of the Commission – receive renewed attention and ideally action by Congress and the Executive Branch.

The CSC again called for the types of resources and reforms most policymakers have either not shown an appetite for or believe are a few bridges too far. Even though the CSC stated its intention to a “9/11 Commission without the 9/11 event,” it is unlikely such sweeping policy changes will be made in the absence of a crisis or event that fundamentally changes this status quo. Nevertheless, the CSC’s new recommendations are targeted and modest, one of which call for funneling more funds through an existing grant program to bolster private sector/non-profit efforts and another for a government agency to exercise previously granted authority. What’s more, the CSC could add the new recommendations to those shared in the form of legislative language with the Armed Services Committees in the hopes they are included in this year’s NDAA. Given that CSC co-chairs Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) serve on their chambers’ Armed Services Committees as do the other two Members of Congress on the CSC, Senator Ben Sasse (R-NE) and Representative James Langevin (D-RI), the chances of some of the recommendations making it into statute are higher than they may be otherwise.

In its “White Paper #1: Cybersecurity Lessons from the Pandemic,” the CSC asserted:

The COVID-19 pandemic illustrates the challenge of ensuring resilience and continuity in a connected world. Many of the effects of this new breed of crisis can be significantly ameliorated through advance preparations that yield resilience, coherence, and focus as it spreads rapidly through the entire system, stressing everything from emergency services and supply chains to basic human needs and mental health. e pandemic produces cascading effects and high levels of uncertainty. It has undermined normal policymaking processes and, in the absence of the requisite preparedness, has forced decision makers to craft hasty and ad hoc emergency responses. Unless a new approach is devised, crises like COVID-19 will continue to challenge the modern American way of life each time they emerge. This annex collects observations from the pandemic as they relate to the security of cyberspace, in terms of both the cybersecurity challenges it creates and what it can teach the United States about how to prepare for a major cyber disruption. These insights and the accompanying recommendations, some of which are new and some of which appear in the original March 2020 report, are now more urgent than ever.

The CSC conceded that “[t]he lessons the country is learning from the ongoing pandemic are not perfectly analogous to a significant cyberattack, but they offer many illuminating parallels.

  • First, both the pandemic and a significant cyberattack can be global in nature, requiring that nations simultaneously look inward to manage a crisis and work across borders to contain its spread.
  • Second, both the COVID-19 pandemic and a significant cyberattack require a whole-of-nation response effort and are likely to challenge existing incident management doctrine and coordination mechanisms.
  • Third, when no immediate therapies or vaccines are available, testing and treatments emerge slowly; such circumstances place a premium on building systems that are agile, are resilient, and enable coordination across the government and private sector, much as is necessary in the cyber realm.
  • Finally, and perhaps most importantly, prevention is far cheaper and preestablished relationships far more effective than a strategy based solely on detection and response.

The CSC continued:

The COVID-19 pandemic is a call to action to ensure that the United States is better prepared to withstand shocks and crises of all varieties, especially those like cyber events that we can reasonably predict will occur, even if we do not know when. We, as a nation, must internalize the lessons learned from this emergency and move forward to strengthen U.S. national preparedness.  This means building structures in government now to ensure strategic leadership and coordination through a cyber crisis. It means driving down the vulnerability of the nation’s networks and technologies. And finally, it means investing in rigorously building greater resiliency in the government, in critical infrastructure, and in our citizenry. In the past several years, experts have sounded the alarm, ranking cyberattacks as one of the most likely causes of a crisis. As the COVID-19 crisis has unfolded, the United States has experienced a wake-up call, prompting a national conversation about disaster prevention, crisis preparedness, and incident response. While COVID-19 is the root cause of today’s crisis, a significant cyberattack could be the cause of the next. If that proves to be the case, history will surely note that the time to prepare was now.

The CSC offered these four new recommendations:

  • Pass an Internet of Things Security Law: With a significant portion of the workforce working from home during the COVID-19 disruption, household internet of things (IoT) devices, particularly household routers, have become vulnerable but important pieces of our national cyber ecosystem and our adversary’s attack surface. To ensure that the manufacturers of IoT devices build basic security measures into the products they sell, Congress should pass an IoT security law. The law should focus on known challenges, like insecurity in Wi-Fi routers, and mandate that these devices have reasonable security measures, such as those outlined under the National Institute of Standards and Technology’s “Recommendations for IoT Device Manufacturers.” But it should be only modestly prescriptive, relying more heavily on outcome-based standards, because security standards change with technology over time. Nonetheless, the law should stress enduring standards both for authentication, such as requiring unique default passwords that a user must change to their own authentication mechanism upon first use, and for patching, such as ensuring that a device is capable of receiving a remote update. Congress should consider explicitly tasking the Federal Trade Commission with enforcement of the law on the basis of existing authorities under Section 5 of the Federal Trade Commission Act.
    • In a footnote, the CSC asserted “[t]he proposed Internet of Things (IoT) Cybersecurity Improvement Act of 2019 provides a viable model for a federal law that mandates that connected devices procured by the federal government have reasonable security measures in place, but should be expanded to cover all devices sold or offered for sale in the United States.
    • The initial draft of the “Internet of Things Cybersecurity Improvement Act of 2019” (H.R. 1668/S. 734) was a revised, unified version of two similar bills from the 115th Congress of the same title: the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” (S. 1691) and the “Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018” (H.R. 7283). However, during the process of consideration in both chambers, differences emerged that as of yet have not been reconciled. However, it is possible that a final version of this bill gets folded into the FY 2021 NDAA or is passed as standalone legislation in the waning days of this Congress.
    • However, the FTC already uses its Section 5 authorities to bring actions against IoT manufacturers. For example, last month, the agency announced a settlement with Tapplock regarding “allegations that it deceived consumers by falsely claiming that its Internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data it collected from users.”
  • Support Nonprofits that Assist Law Enforcement’s Cybercrime and Victim Support Efforts: Cyber-specific nonprofit organizations regularly collaborate with law enforcement in writing cybercrime reports, carrying out enforcement operations, and providing victim support services. As the COVID-19 pandemic has proven, trusted nonprofit organizations serve as critical law enforcement partners that can quickly mobilize to help identify and dismantle major online schemes. Such nonprofits have the expertise and flexibility to help and reinforce law enforcement efforts to disrupt cybercrime and assist victims. However, they often face financial challenges. Therefore, the Commission recommends that Congress provide grants through the Department of Justice’s Office of Justice Programs to help fund these essential efforts.
    • The portion of the Department of Justice’s Office of Justice Programs that makes grants was provided $1.892 billion in FY 2020, with large chunks being earmarked for state and local law enforcement agencies like the Edward Byrne Memorial Justice Assistance Grant program. Therefore, there would likely need to be additional funding provided for this program if there will be additional eligible recipients and additional purposes.
  • Establish the Social Media Data and Threat Analysis Center: Because major social media platforms are owned by private companies, developing a robust public-private partnership is essential to effectively combat disinformation. To this end, the Commission supports the provision in the FY2020 National Defense Authorization Act that authorizes the Office of the Director of National Intelligence to establish and fund a Social Media Data and Threat Analysis Center (DTAC), which would take the form of an independent, nonprofit organization intended to encourage public-private cooperation to detect and counter foreign influence operations against the United States. The center would serve as a public-private facilitator, developing information-sharing procedures and establishing—jointly with social media—the threat indicators that the center will be able to access and analyze. In addition, the DTAC would be tasked with informing the public about the criteria and standards for analyzing, investigating, and determining threats from malign influence operations. Finally, in order to strengthen a collective understanding of the threats, the center would host a searchable archive of aggregated information related to foreign influence and disinformation operations.
    • This is, obviously, not really a new recommendation, but rather a call for already granted authority to be used. The Director of National Intelligence was provided discretionary authority to establish the DTAC in P.L. 116-92 and has not chosen to do so yet. There are a number of existing entities that may qualify as the Atlantic Council’s Digital Forensics Research Lab or the Alliance for Securing Democracy. However, the issue may be resources in that the DNI was not provided any additional funding to stand up the DTAC.
  • Increase Nongovernmental Capacity to Identify and Counter Foreign Disinformation and Influence Campaigns: Congress should fund the Department of Justice to provide grants, in consultation with the Department of Homeland Security and the National Science Foundation, to nonprofit centers seeking to identify, expose, and explain malign foreign influence campaigns to the American public while putting those campaigns in context to avoid amplifying them. Such malign foreign influence campaigns can include covert foreign state and non-state propaganda, disinformation, or other inauthentic activity across online platforms, social networks, or other communities. These centers should analyze and monitor foreign influence operations, identify trends, put those trends into context, and create a robust, credible source of information for the American public. To ensure success, these centers should be well-resourced and coordinated with ongoing government efforts and international partners’ efforts.
    • It is not clear whether this program would be conducted through an existing DOJ program or a new one would be created. As with the DOJ’s Office of Justice Programs, funding may be an issue, and while the Armed Services Committees may be able to fold this into the FY 2021 (notwithstanding jurisdictional issues considering the DOJ is part of the Judiciary Committees’ purviews), but the Appropriations Committees would ultimately decide whether this would be funded.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.