That Didn’t Take Long – Calls for Expedited and New Regulation of Tech from the Solarium Commission
As we covered at Wiley Connect and in Bloomberg, the Cyberspace Solarium Commission (CSC) Report offers dozens of legislative and regulatory recommendations, many focused on the private sector and technology. Today the CSC released a White Paper, Cybersecurity Lessons From the Pandemic, adding an entirely new call for legislation and urging passage of some of the more regulatory proposals in its original report as part of any additional COVID-19 recovery money, including for the Internet of Things (IoT).
It makes a bold new recommendation for Congress to “Pass an Internet of Things Security Law.” Reasoning that “a significant portion of the workforce is working from home during the COVID-19 disruption,” it asserts that home routers are vulnerable, so IoT devices need to be regulated in a “modestly prescriptive” way. Congress, the CSC reasons, should “mandate that these devices have reasonable security measures, such as those outlined under the National Institute of Standards and Technology’s ‘Recommendations for IoT Device Manufacturers.’” Putting aside that the NIST documents are just that, recommendations, this approach may overlook private innovation and encourage Congress to oversimplify the diversity of IoT devices. (Notably, this comes just as NIST releases NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, and NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline, which identify best practices and note the diversity of IoT use cases and the importance of flexibility.)
For example, the CSC White Paper says that a Congressional mandate should “ensur[e] that a device is capable of receiving a remote update.” But some IoT sensors may not need to be capable of a remote update. The Council to Secure the Digital Economy’s C2 Consensus on IoT Device Security Baseline Capabilities set out a major baseline of security capabilities. As that effort explained, “some IoT devices are designed to be useful for very short periods of time, after which their purpose is complete and they are removed from service. Examples of such throw-away devices might include disposable smart shipping labels and disposable smart medical bandages.” Such devices may not need patches, but their security can and should be managed by the device “provider” with “a mechanism to identify vulnerable devices, disable vulnerable devices, and communicate the need for replacement of vulnerable devices to end-users.” CTIA’s IoT Certification program certainly expects patchability for certified products, but the industry recognizes that patching is complex and that a single requirement does not fit every device.
The CSC White Paper also urges Congress to “explicitly task” the Federal Trade Commission (FTC) to enforce the law “on the basis of existing authorities under Section 5 of the Federal Trade Commission Act.” The FTC already has a robust history of bringing enforcement actions under Section 5 against unfair and deceptive practices, including unreasonable data security, involving IoT devices; an explicit tasking would add little to that existing authority.
The CSC cites the pandemic as a reason to reiterate its calls for a National Cybersecurity Certification and Labeling Authority and to have Congress “Establish Liability for Final Goods Assemblers” on the theory that making them “liable for damages from incidents that exploit known vulnerabilities for which no patch has been made available will incentivize them to adopt better patching practices.”
This may vastly oversimplify the process of creating and pushing patches. As the FTC mobile device security report noted, “a host of players – system-on-a-chip manufacturers, operating system developers, application (“app”) developers, other third-party software developers, carriers, and security researchers – may be involved in pinpointing security vulnerabilities, developing patches, customizing those patches for particular devices and carriers, testing the patches, deploying the updates, and notifying consumers.”
And it may overlook the role that end users play. As the FTC observed in the smartphone context, “uptake depends on consumer deferrals and rejections.” The FTC also noted that “42% of Americans only update their phones when it is convenient, and 14% say they never update their phones. Consumers ages 65 and older are especially likely to ignore an update; nearly a quarter of these consumers report that they never update their phone’s operating system.” Extrapolate this to all connected devices, and the imposition of liability for patching seems complex at best.
Such liability invites a slew of lawsuits over, for example, how quickly patches are deployed, or over products for which no patch should or can be developed but whose security can be managed in other ways. We have seen such lawsuits already, and they do not bode well for security, though they may line lawyers’ pockets. As we explained in this amicus brief for several associations, “a wave of litigation founded on speculative harm from claimed vulnerabilities” will harm “the security of emerging technologies and government efforts to encourage information sharing.” That brief quotes plaintiffs’ attorneys who said “as there are more suits, plaintiff lawyers are going to be more knowledgeable and you’ll end up with a snowball effect that takes off quickly. The plaintiffs’ bar is talking about this. They’re salivating over this. It’s going to be a feeding frenzy.”
This liability could lead to imprudent “forced” updates. “Forcing a device to update immediately, or after a certain number of deferrals, improves the uptake rate but may bother users” and it may interfere with desired or needed functionality. Indeed, the FTC noted that many enterprise and managed systems are configured to control updates and not permit over-the-air updates. Several best practices and standards encourage updating and patchability but recognize that updates need to themselves be secure and that use cases vary. Hence the truism: there is not a “one size fits all” solution.
Legislation that could affect billions of consumer devices across the economy – from smartwatches to printers to cars to industrial sensors to connected dog collars – deserves careful and thoughtful scrutiny. If it is put into a COVID-19 stimulus bill or the National Defense Authorization Act, stakeholders may not have time to weigh in.