Evolution of the Law
In response to the Mirai botnet, three different groups moved to regulate IoT security in a completely uncoordinated manner. Several states, a federal executive agency, and Congress all moved to establish some standard. Pressures placed on these groups led to a set of broadly similar rules for IoT devices.
The 2017 IoT Bill was both very broad and very prescriptive. It attempted to regulate “internet-connected devices”, which was basically everything with a network address and a processor. The law itself required an ability to accept authenticated updates from manufacturers, review of the National Vulnerability Database, and limited the permissible types of authentication for devices.
The law was problematic because many items that fell under “internet-connected devices” already had cybersecurity standards, established through regulation, private entities, or a combination. Layering more standards on top of these, especially standards as linked to technology as the 2017 IoT Bill was (e.g., it defined firmware), was problematic.
The state-level bills—at least the ones that passed—narrowed the definition of device somewhat, and were more general in their requirements. While both laws did have some terms directed specifically at the causes of the Mirai botnet, they both required manufacturers to implement reasonable security features, the definition of which they generally left in the hands of the manufacturers. These laws also excluded private claims, which would allow the states to maintain control of enforcement. In other words, attorneys general would decide what was sufficiently unreasonable as to warrant enforcement actions. Still, the language of the laws caused concern among many of those in industry responsible for implementation.
Meanwhile, the FTC was focused on manufacturers’ security programs. In the D-Link settlement, the FTC required a “comprehensive software security program.” It imposed some specific controls, but focused mainly on the development of an auditable secure development process. Such a process would arguably be part of determining what security features are reasonable under the state IoT laws. Although the FTC and the states address IoT devices in different ways, the rules they imposed are roughly similar.
When initially introduced, the 2019 IoT Bill excluded general purpose computing devices, narrowing its scope considerably. It also did away with specific technical controls, instead directing the National Institute of Standards and Technology (NIST) to complete ongoing efforts related to the management of IoT risks, and to use the resulting standards to assist in the development of controls for the federal government.
The 2019 IoT Bill changed while it worked its way through Congress to become the version that passed. First, it dramatically tightened the definition of IoT device. Now, the regulated category is limited to devices that have a transducer for interacting with the physical world, and it excludes “conventional Information Technology devices.” In keeping with the 2019 bill, most of the actual work has moved to NIST, and to a lesser extent, the Office of Management and Budget (OMB). NIST is responsible for establishing security standards, guidelines on vulnerability disclosure, and standards for the resolution of vulnerabilities. OMB is responsible for ensuring that agencies comply with NIST guidance. Congress recognized that there need to be cybersecurity standards, but more importantly, recognized that Congress is poorly placed to define those standards.
Congress also recognized that devices will continue to converge. It tasked the Comptroller General to brief it on “convergence of information technology, internet of things, and operational technology devices, networks, and systems.” As these devices converge, Congress will likely attempt to pass a more generic cybersecurity law.