Congress last week did something that it rarely does: It passed a meaningful cybersecurity bill.
The legislation is aimed at enhancing the safeguards of internet-connected devices — also known as the internet of things (IoT) — such as smart sensors that monitor water quality or control ships in waterway locks.
The bill is also a major step toward the federal government encouraging vulnerability disclosure policies that implement programs for organizations to work with security researchers to fix software flaws.
“It is arguably the most significant U.S. IoT-specific cybersecurity law to date, as well as the most significant law promoting coordinated vulnerability disclosure in the private sector to date,” said Harley Geiger, director of public policy at Rapid7, a cybersecurity company.
All it took to get across the finish line was more than three years of bipartisan work, encroaching state and foreign government IoT rules, a ticking legislative clock, goodwill toward a departing senator and convincing business groups not to hate the bill. Now, all it might take to convince the president to let it become law is the memory of the gift of popcorn.
The popcorn part goes back to when then-Rep. Mark Meadows, now President Donald Trump’s chief of staff, once was a co-sponsor of the IoT Cybersecurity Improvement Act.
“Maybe my secret sauce is his chief of staff,” said Rep. Robin Kelly, the Illinois Democrat who sponsored the bill in the House. “We worked very closely together and I used to bring him popcorn from Chicago, so I’m hoping he remembers all that.”
Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., first introduced the legislation in August of 2017. Kelly followed with her own draft a few months afterward and later picked up co-sponsor Will Hurd, a Texas Republican.
What It Does
The measure would direct the Commerce Department’s National Institute of Standards and Technology to establish baseline security requirements for any IoT manufacturer that wishes to contract with the federal government, in areas such as patching or identity management. The bill also would require contractors to implement vulnerability disclosure policies.
At its core, the idea is to protect federal agencies and use the purchasing power of the federal government to push manufacturers toward adopting the same standards, whether they seek to contract with the federal government or not.
“Our hope has always been that – like the EnergyStar rating, first established to promote use of more energy efficient IT by the federal government – our effort to establish a federal baseline would have wider impact in the broader enterprise and consumer market for IoT devices,” Warner said via email.
Said Kelly: “Of course it depends on the business and how much business they think they can get from the federal government. I think it will sway some. I’m not gonna say it will sway all.”
Absent government action, some researchers and consumer advocates had already experimented with security labeling for IoT devices.
The federal government doesn’t break out its spending on IoT devices, but outside assessments estimate that it spends billions each year, with more to come. But its purchasing influence is only part of the potential leverage the bill brings to bear.
“There will still be IoT manufacturers who don’t sell to the government that may be able to continue to ignore some of these baseline practices,” said Tommy Ross, director of public policy for The Software Alliance, a technology industry group. “I think they will come under increasing scrutiny given that the U.S. government will now be saying these are the baseline practices we expect for any IoT device.”
How It Passed
The Democratic-controlled House passed the legislation by voice vote in September, followed by the Republican-controlled Senate clearing it by unanimous consent on Nov. 17. But it took a lot of effort to get through.
The U.S. Chamber of Commerce initially opposed the bill, considering it too burdensome on industry. Sponsors worked to ease the group’s concerns. “We got them to neutral,” said a Democratic Hill aide.
The version the Senate Homeland Security and Governmental Affairs Committee approved in 2019 had more waivers on when the standards would apply to contractors, including one that said the standards wouldn’t apply if the IoT device was used in a way that was “appropriate to the function of the covered device.” That version of the legislation never advanced to the Senate floor.
“The way we interpreted that is if you use smart light bulbs as smart light bulbs, the security requirements don’t apply,” said Geiger. “It just seemed like it blew a giant loophole into the bill.”
Instead, last week, the Senate took the House-passed version of the legislation and approved it unanimously.
The Hill aide said lawmakers used the looming end of 2020 to their advantage, putting the Senate in a position to accept the House bill, or nothing. Senators also wanted to give Gardner, who was defeated in his reelection campaign, a win in the chamber before he left, the aide said. Gardner, co-chairman of the Senate Cybersecurity Caucus, has long prioritized cybersecurity.
Warner said growing awareness of the threat played a role, too.
“In the nearly four years since this bill was first introduced, we’ve seen considerable strides from industry in acknowledging the risks of these devices — whether that’s as part of enormous DDoS attacks as we saw in Mirai, as the entry point into home and enterprise networks, or efforts by bad actors to brick these devices,” he said.
Lawmakers might also have felt pressure from states such as California and Oregon passing IoT security bills, as well as other nations doing so, Geiger said.
Kelly said the White House hasn’t given any indication to her about whether it will oppose the bill becoming law, but supporters point out its bipartisan support as a reason to believe Trump won’t stand in the way. And the lack of a single vote against the legislation would make a veto difficult to sustain, since the chambers could then overturn it. Unless there’s a veto, Trump can either sign it, or after 10 days it simply becomes law.
Overall, supporters of the legislation were happy with the final version.
“If in the process of being introduced and enacted some compromises were made, it may not be everything we would like to see,” said Suzanne Spaulding, a senior adviser for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies. “I think it’s a really good step forward.”
Congress has passed major cybersecurity bills before, such as in 2015, when it got through a measure that sought to enhance threat information sharing between government and industry, and in 2018, when it passed legislation establishing the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
More awaits in the annual defense policy bill, which aides and other sources say is likely to include many recommendations from the Cyberspace Solarium Commission.
But the bipartisan, bicameral effort on the IoT bill bodes well for future cybersecurity legislation to address other topics like industrial control systems, said James Hayes, vice president of global government affairs at cybersecurity company Tenable.
Geiger added that it was all the more impressive that the bill passed during a pandemic and an election year. But he said there’s still work to do should the IoT legislation become law.
“The passage of the law is not the end of the story,” Geiger said. “The implementation phase is also going to be really important.”
But for Kelly, “happy” wasn’t the best description of seeing the bill across the finish line after years of pushing.
“Actually, to be honest with you, I’m relieved,” Kelly said. “That word covers it more.”