On August 1, 2017, US Senators unveiled a bipartisan bill to mandate baseline cybersecurity requirements for internet connected devices purchased by the federal government. Recent attacks demonstrate that connected devices, which make up the Internet of Things (“IoT”), can paralyze websites, networks, and even components of critical infrastructure.
The draft bill, introduced by a bipartisan coalition of Senators, proposes implementation of basic security requirements for interconnected devices purchased by the federal government. Under the proposed law, federal suppliers would be required to monitor and patch cybersecurity vulnerabilities.
The bill would require that suppliers of internet connected devices to the federal government:
- Provide written certification that the product does not contain any known security vulnerabilities.
- Use software and components that can be updated and patched.
- Refrain from using hard-coded credentials or passwords.
- Notify the purchasing agency if any defects are discovered.
- Update software or replace components that create vulnerabilities.
- Repair new security vulnerabilities in a timely manner.
- Continue to support the device or provide the purchasing agency notice when cybersecurity support ends.
Instead of complying with these contract requirements, suppliers will have the option to certify compliance with third party security standards. The National Institute of Standards and Technology (NIST), in coordination with other federal agencies, will have the authority to determine which certifications will be sufficient.
The bill also includes a limitation on liability for cybersecurity researchers engaged in research and acting in good faith. The limitation applies to the the Computer Fraud and Abuse Act (CFAA) and Digital Millennium Copyright Act (DMCA).
Our take
Recent events show that the IoT is an attractive vector for a cyberattack. By mandating that suppliers meet basic security requirements, the federal government is pushing the market to take cybersecurity considerations into account as early as the product and system design phases. Further, by requiring post-sale monitoring of vulnerabilities, the government is requiring entities to monitor and enhance a device’s cybersecurity throughout its life-cycle. Given the federal government’s purchasing power, this bill could move the entire IoT market toward better cybersecurity practices.
—————————————
Norton Rose Fulbright nominated for Cyber Law Firm of the Year
Norton Rose Fulbright has been shortlisted for ‘Cyber law firm of the year’ at the Insurance Insider Cyber Ranking Awards 2017. Voting is now open, and you can show your support for Norton Rose Fulbright by casting your vote ahead of the award ceremony on 29 September 2017.
The category of “Cyber law firm of the year” is a new addition to the Cyber Ranking Awards and provides brokers and underwriters with a chance to vote for the law firm that they believe has contributed the most to bringing innovative solutions to market over the past 12 months. We are honored to be included as a nominee, and believe that it reflects our leading experience within the cyber insurance sector.
Norton Rose Fulbright provides data protection, privacy and incident response services around the globe, and works closely with the insurance industry to address cyber and technology-related risks.
