We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
17 May 2019
Members of Congress recently introduced a bipartisan proposal to enhance cybersecurity for the network of Internet-connected devices, commonly known as the Internet of Things (IoT).
Senators Mark Warner (D-VA) and Cory Gardner (R-CO) and Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) introduced the IoT Cybersecurity Improvement Act of 2019 and hope to establish baseline cybersecurity standards for IoT devices. Senators Maggie Hassan (D-NH) and Steve Daines (R-MT) co-sponsored the Senate bill, and there are twelve other co-sponsors in the House of Representatives.
Growth in the IoT device market has exploded, and some stakeholders have expressed concern that the industry has prioritized time-to-market over adopting meaningful cybersecurity protections. The new bill would require minimum security standards for any devices integrated into government networks. The sponsors say they hope clear federal standards encourage the industry to adopt better security standards and integrate security into the design process.
The IoT Cybersecurity Act would also impose limits on the types of IoT devices the U.S. government could purchase. The bill would:
In addition to the earlier versions of this bill introduced in the 115th Congress, Senator Warner wrote multiple letters to the Federal Trade Commission, Federal Communications Commission, and Department of Homeland Security in 2016 and 2017 raising concerns about "smart toys," ransomware, and the risks that IoT devices were likely to pose. In a May 2018 report, the Departments of Commerce and Homeland Security recommended that the Federal government should "lead by example" and require the IoT products it purchases to be more secure and resilient.
Senator Warner said "the legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices." Representative Hurd said "this bipartisan legislation will make [IoT] devices more secure and help prevent future attacks on critical technology infrastructure." The other co-sponsors echoed the importance of ensuring the safety of information and infrastructure as the IoT landscape expands.
Several industry leaders and civil society organizations have expressed support for the IoT Cybersecurity Act. For example, Symantec, Mozilla, and CTIA applauded the bill for setting up a coordinated approach for helping secure IoT devices and the sensitive data they hold.
Separately, CTIA announced that the trade association's IoT Cybersecurity Certification program had certified its first device: the HARMAN Spark, an aftermarket connected car device offered by AT&T. According to CTIA, the IoT Cybersecurity Certification Program helps device suppliers, enterprises, and government organizations ensure that cellular-connected devices have appropriate security capabilities. The CTIA certification verifies devices' security features against a set of best practices on everything from the storage of consumers' information and password and security management, to "standards and the availability of an over-the-air mechanism for security software."
The introduction of the IoT Cybersecurity Act—and parallel industry efforts to boost IoT security— represent two of the most recent efforts to anticipate and prevent IoT cybersecurity risks. They won't be the last.
For further information on this topic please contact Trey Hanbury or Sarah K Leggin at Hogan Lovells by telephone (+1 202 637 5600) or email (firstname.lastname@example.org or email@example.com). The Hogan Lovells website can be accessed at www.hoganlovells.com.
This article has been reproduced in its original format from Lexology – www.Lexology.com.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.