Covington IoT Update: U.S. Legislative Roundup on IoT
As policymakers weigh the many policy implications associated with the Internet of Things (“IoT”), U.S. lawmakers have put forward a variety of proposals for studying—and regulating—IoT devices. Although the likelihood of current proposals becoming law this term remains uncertain at best, existing legislative proposals provide important context and insight into the ways that lawmakers view IoT and the government’s role in fostering and regulating the technology.
Below, we summarize five draft bills in the U.S. that approach IoT from different perspectives—including seeking to develop IoT technologies, imposing contractual requirements on companies that provide IoT devices to the government, regulating specific security standards, and creating new resources for consumers to better understand the security and reliability of their IoT devices.
Developing Innovation and Growing the Internet of Things (“DIGIT”) Act
The DIGIT Act was introduced in the Senate (S. 88) and the House (H.R. 686) in January 2017 to foster the development of IoT technologies. The Act was passed by the Senate in August 2017 on a voice vote, but has stalled in the House. The measure would direct the Secretary of Commerce to convene a “working group of Federal stakeholders” to create recommendations and a report to Congress on IoT. The working group would:
- Identify any federal regulations, statutes, grant practices, budgetary or jurisdiction challenges, and other sector-specific policies that are inhibiting or could inhibit the development of IoT;
- Consider policies or programs to improve federal agency coordination on IoT;
- Consider any findings or recommendations made by a new steering committee (described below) and act to implement those recommendations where appropriate; and
- Examine how federal agencies can benefit from, currently use, and are prepared to adopt IoT, including any additional security measures that may be needed for IoT adoption by the federal government.
- The Act would also create a new steering committee of non-federal-government representatives, tasked with advising the working group about issues including the availability of adequate spectrum, international proceedings relating to IoT, and policies and programs affecting individual privacy and critical infrastructure protection.
The DIGIT Act also would require the Federal Communications Commission (“FCC”), in consultation with the National Telecommunications and Information Administration (“NTIA”), to issue a notice of inquiry seeking public comment on current and future spectrum needs relating to the IoT, including regulatory barriers to necessary spectrum, the role of licensed and unlicensed spectrum in the IoT, and whether adequate spectrum is currently available.
Internet of Things Cybersecurity Improvement Act of 2017
This bill focuses on IoT devices purchased by the U.S. Government—and mandates specific contractual provisions agencies are to include in any contract for such devices. It was introduced in the Senate (S. 1691) in August 2017.
The measure requires the Director of the Office of Management and Budget (“OMB”) to issue guidelines with specific contractual clauses for each executive agency to require in contracts for the acquisition of internet-connected devices. These contractual provisions would require:
- Written certification by the contractor that the device:
- does not contain any known security vulnerability or defect;
- relies on software capable of being updated by the vendor;
- uses only non-deprecated industry standard protocols for communication, encryption, and internet connection; and
- does not contain fixed or hard-coded credentials used for remote administration.
- Notification by the contractor to the purchasing agency of any known vulnerabilities or defects subsequently disclosed or discovered;
- The device to be updated or replaced to allow for patches or repair;
- The provision of repair or a replacement device in a timely manner with respect to any new vulnerability discovered (if it cannot be patched or remediated); and
- The provision of information about how the device receives security updates, the timeline for ending security support, formal notice when security support has ceased, and other information recommended by the NTIA.
The bill provides exceptions for devices with limited data processing and functionality where security would be “unfeasible” or “economically impractical.” In certain cases, it also allows agencies to rely on compliance with existing third-party or agency security standards in lieu of these requirements, when the other standards provide an equivalent level of security.
Securing the IoT Act of 2017
This measure, introduced in the House in March 2017 (H.R. 1324), is a targeted bill that would require the FCC to establish cybersecurity standards that radio frequency equipment must meet throughout its lifecycle (design, installation, and retirement) in order to be certified under the FCC’s technical standards for equipment authorization.
Cyber Shield Act of 2017
This consumer-focused bill, introduced in the House (H.R. 4163) and Senate (S. 2020) in October 2017, would create a voluntary labeling and “grading” system for IoT devices. Specifically, it directs the Secretary of Commerce to establish a voluntary program to “identify and certify covered products with superior cybersecurity and data security through voluntary certification and labeling.” Under this program, products may be given grades that “display the extent to which a product meets the industry-leading cybersecurity and data security benchmarks.”
As part of the program, the Secretary of Commerce is also directed to establish and maintain cybersecurity and data security benchmarks, by convening and consulting interested parties and federal agencies.
The IOT Consumer Tips to Improve Personal Security Act of 2017
This consumer-focused measure, introduced in the Senate in December 2017 (S. 2234) would require the Federal Trade Commission to develop cybersecurity resources for consumer education and awareness regarding the purchase and use of IoT devices. These resources are to be technology-neutral and are to include guidance, best practices, and advice for consumers to protect against, mitigate, and recover from cybersecurity threats or security vulnerabilities.