PIT +1 412-566-1212
HAR +1 717 234-4121
info@tuckerlaw.com
Home
Attorneys
Capabilities

Capabilities

Services

Alcoholic Beverages/Liquor Licensing Arbitration, Mediation and Alternative Dispute Resolution Bankruptcy & Restructuring Business & Finance Business Succession Planning Commercial Litigation Compliance & Risk Management Criminal Defense Education Law Elder Law Employee Benefit Plans/ERISA Environmental ERISA Litigation Estates & Trusts Family Law Fiduciary Services & Risk Management Finance Franchise Government Relations Import/Export Control & Compliance Insurance Disputes Intellectual Property Labor & Employment Medical Marijuana Mergers & Acquisitions Personal Injury Privacy, Data Security & Technology Products Liability Real Estate Real Estate Transactions and Title Insurance Securities Special Needs Planning Taxation Toxic Tort and Asbestos Litigation Defense White-Collar Criminal Defense Women‘s Business Enterprise (W.B.E.) Workers’ Compensation Zoning & Land Use

Industries

Construction Energy Finance Healthcare Higher Education Hospitality Long-Term Care Manufacturing Municipal & School Non-Profit Organizations Privacy, Data Security & Technology Utilities Law Veterinary Services

Departments

Business and Finance
Business & Finance Business Succession Planning Elder Law Employee Benefit Plans/ERISA Estates & Trusts Fiduciary Services & Risk Management Finance Franchise Hospitality Intellectual Property Labor & Employment Manufacturing Mergers & Acquisitions Non-Profit Organizations Privacy, Data Security & Technology Real Estate Real Estate Transactions and Title Insurance Securities Special Needs Planning Taxation Veterinary Services
Litigation
Arbitration, Mediation and Alternative Dispute Resolution Bankruptcy & Restructuring Commercial Litigation Compliance & Risk Management Construction Criminal Defense Environmental ERISA Litigation Family Law Insurance Disputes Labor & Employment Personal Injury Products Liability Toxic Tort and Asbestos Litigation Defense White-Collar Criminal Defense Workers’ Compensation
Government and Regulatory
Alcoholic Beverages/Liquor Licensing Education Law Energy Government Relations Import/Export Control & Compliance Medical Marijuana Municipal & School Utilities Law Zoning & Land Use
Bankruptcy & Restructuring Business & Finance Commercial Litigation
News & Insights
About Us
About Our Firm
Awards
Firm Structure & Management
Historical Legacy
Law Firm Alliance Affiliation
Join Us
Associate Life
Summer Associate Program
Career Opportunities
Diversity & Inclusion
Women@Tucker
Pro Bono & Community
Diversity & Inclusion
Contact Us
Blog Logo
Blog Logo

Tucker Arensberg

Contact information

Email Address
    BOOKMARK SHARE
    View All News & Insights
    BACK TO Tucker’S PROFILE

    Senators Introduce Legislation to Improve Cybersecurity of Internet-Connected Devices

    It is estimated that the number of devices connected to the internet could reach 30 billion by 2020[1]. These connected devices include mobile phones, household appliances, smart watches, and even vehicles.

    Despite our increasing reliance on connected devices, and the fact that they are ubiquitous in the consumer market, these devices pose significant cybersecurity risks.  Often, connected devices are configured with factory-set passwords which cannot be changed and can be difficult or impossible to update or patch in the event of a virus or other security issue.

    In an effort to address these risks, Senators recently introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, legislation designed to reduce cybersecurity risks in connected devices purchased by the United States government.

    The requirements of the bill target specific vulnerabilities currently found in connected devices.  For example, the bill requires contractors to verify that a certain connected device: (1) does not contain hardware, software, or firmware with any known vulnerability set forth by the National Institute of Standards and Technology (“NIST”); (2) relies on software components that are capable of accepting updates from a vendor; (3) uses only non-deprecated industry-standard protocols for certain functions; and (4) does not include hard-coded or fixed credentials for the delivery of communications or updates or for remote administration.

    Perhaps most importantly, the bill requires prospective planning for security vulnerabilities related to connected devices.  Contractors must promptly repair any new security vulnerability that is detected and provide the government with a timeline for ending security support associated with the connected device.  These requirements are consistent with best practices in the IoT[2] space which require vendors to plan for security vulnerabilities throughout the entire lifecycle of a product.

    In lieu of complying with the requirements of the bill, contactors may demonstrate that they comply with a third party security certification standard provided that standard imposes security obligations that are at least as restrictive as those of the bill.  NIST would be responsible for developing accreditation standards for these third party certifiers.

    The bill does include a waiver process in which the government can accept the risks associated with any connected device provided the contractor: (1) identifies the specific known vulnerability; (2) identifies any mechanisms for limiting or eliminating the possibility that the vulnerability will be exploited; and (3) provides a justification for secure use of the connected device in light of the identified vulnerability.

    The bill is limited in scope in that it would only apply to those connected devices purchased by the United States government.  Connected devices made generally available to the average consumer would not be subject to these requirements.  However, the bill would require the government to maintain a publically accessible database of connected devices and manufacturers for which the government has received notice that security support will terminate.  At a minimum, this database could provide consumers with information related to connected devices they own that may no longer be supported by the manufacturer.

    The bill provides a baseline of minimum requirements government contractors must comply with in order to win government business.  More generally, the bill serves as a good reminder to all vendors of connected devices to review current security controls and ensure these controls are in compliance with best practices set forth by NIST.

    Previous blog posts that provide additional insight and guidance related to IoT security issues include Food and Drug Administration Issues Draft Guidance on Cybersecurity in Medical Devices (https://www.tuckerlaw.com/2016/02/02/food-and-drug-administration-issues-draft-guidance-on-cybersecurity-in-medical-devices/and Best Practices For Implementing Internal Security Controls (https://www.tuckerlaw.com/2016/06/29/best-practices-implementing-internal-security-controls/).

    For additional information contact Kristin Biedinger.

    [1] http://www.mckinsey.com/industries/semiconductors/our-insights/the-internet-of-things-sizing-up-the-opportunity

    [2] The Internet of Things or “IoT” is a term used to describe a network of interrelated devices.  These devices rely on a combination of internet connectivity, sensors, and communication protocols to interact with each other.

    August 14, 2017

    Contact Now

    Get support from our trusted attorneys.

      Serving our clients successfully since 1900

      The same attributes that have anchored over a century of success are still our guiding principles today.

      Capabilities Find an Attorney

      Stay up-to-date on the latest News & Insights by subscribing to our alerts

      Enter your email address below and be notified when we post new information.