“Cyber Shield” Legislation: Protecting IoT Users or Stifling Innovation?
On October 27, 2017, Congressman Ted W. Lieu (D-Calif.) and Senator Edward J. Markey (D-Mass.) introduced the Cyber Shield Act of 2017 (the Act). The Act would direct the Department of Commerce to create a voluntary self-certification program that would independently identify, verify, and label compliant Internet-of-Things (IoT) devices with strong cybersecurity standards. Companies that meet the standards could display a compliance label on their products. The labels may be in the form of different “grades” that indicate the extent to which a product meets “industry-leading cybersecurity and data security benchmarks.”
An advisory committee would evaluate connected devices—such as laptops, smartphones, tablets, thermostats, and baby monitors—and provide recommendations to the Secretary of Commerce for establishing compliance benchmarks. The committee would be made up of industry representatives, cybersecurity experts, public interest advocates, and governmental experts in certification and cybersecurity. It would publish and provide an opportunity for comment on the recommendations.
The Act has been proposed in the midst of a still-forming IoT regulatory framework. Because IoT supply chains and distribution models do not lend themselves to prescriptive regulations, the federal government has generally taken a more cautious approach. The government is already engaged in a number of proceedings related to IoT security:
-
The National Institute of Standards and Technology (NIST) recently announced plans to develop guidance on IoT for federal agencies that will address high-level risks regarding cybersecurity and privacy. NIST plans to release the guidance in early 2018.
-
The National Telecommunications and Information Administration (NTIA) is currently engaged in a multistakeholder process on security upgradability and patching.
-
The bipartisan Congressional Internet of Things Caucus formed to discuss the policy implications of enabling ubiquitous connectivity from everyday devices. In March, they introduced the Developing Innovation and Growing the Internet of Things Act (DIGIT Act). The DIGIT Act requires the Department of Commerce to convene a working group made up of federal agencies overseeing the innovative IoT sector. Several other bills are pending or under consideration regarding IoT security issues.
Given these proceedings and the evolving nature of IoT, prescriptive domestic regulations or a detailed, universal certification regime may be premature. Even if it is “voluntary,” it is not clear that codifying a set of standards will help the market mature. It may inhibit, rather than cultivate, further innovation. Prescriptive regulations could also have unintended consequences internationally. The European Union is looking at IoT approaches, including certification regimes, so the U.S. must be cautious in setting a precedent that could encourage premature regulation or balkanization in approaches.
Earlier this year, Wiley Rein and the U.S. Chamber of Commerce released a report on the intersection of IoT and security that addresses many of these pressing issues. As the report notes, governments are in a difficult position given the complexity and rapidly evolving cyber threat landscape. As the government continues to determine the best way to address these new security issues, it should promote and expand current collaborative approaches.