Cyber Commission: Expand Connected Device Security Bill Beyond Federal Procurement Realm  

Legislation requiring manufacturers of connected devices to enable reasonable cybersecurity measures should apply not just to products they sell to the federal government but to all customers, the congressionally established Cyberspace Solarium Commission said in a new white paper.

In releasing the “pandemic annex” Tuesday, the commission is capitalizing on the attention focused on responding to the public health crisis to emphasize and augment its recommendations for digitizing critical services. 

“The proposed Internet of Things Cybersecurity Improvement Act of 2019 provides a viable model for a federal law that mandates that connected devices procured by the federal government have reasonable security measures in place, but should be expanded to cover all devices sold or offered for sale in the United States,” the annex reads.

The legislation, as is, has bipartisan sponsorship in the House and Senate and passed the Senate Homeland Security Committee last September.

Expanding it, as the commission recommends, would be a significant step in the context of efforts to reform the market for cybersecurity as a whole by having federal government procurement set the standard.

Cybersecurity and Infrastructure Security Agency Assistant Director Bryan Ware commented on this during a webcast hosted by NeoSystems today on the future of government cybersecurity, risk and the supply chain. 

“I think we have a lot of work to do to make it an effective idea,” Ware said. “The government is a big buyer but we aren’t the biggest buyer. As compared to the rest of industry or the rest of the world, where most of our security products are targeted, the U.S. government is still just a small drop in the bucket.” He added that the government would need to buy a lot faster if it wants to move the market. 

Mark Montgomery, executive director of the Solarium Commission, also spoke during the NeoSystems webcast and said the group is pushing for its recommendations to be enacted into legislation this summer. 

The Solarium Commission’s white paper also highlighted its original recommendations around modernizing critical services, modifying one to include a call for grants that would allow state, local and tribal governments to procure cloud services to be added to any upcoming COVID-19 stimulus packages.

“Social or physical distancing has forced a new reliance on cloud and other technologies that enable remote work and remote services, further underscoring the importance of secure cloud services and of digitization,” commissioners wrote. “The need for much of the workforce to work from home has underscored the importance of in-home and consumer information technology devices and a secure and reliable cyber ecosystem.”

But security has to be included, they said, recommending that Congress direct the Homeland Security and Commerce departments, in consultation with industry to identify a set of standards “against which the security of cloud services can be measured and which may have to be met to demonstrate eligibility for the grant program.” 

The annex also highlighted the commission’s recommendation that liability be established for “final goods assemblers.” 

“Holding final goods assemblers of information technology equipment liable for damages from incidents that exploit known vulnerabilities for which no patch has been made available will incentivize them to adopt better patching practices,” the commission said.

During the NeoSystems webinar, Ware said CISA’s Information and Communications Technology Supply Chain Risk Management Task Force has worked on creating contract templates. That’s something the White House is focused on as well, toward establishing liability for cloud providers. 

RELATED PODCAST