Earlier this month Sen. Fischer (R,NE) introduced S 88, the Developing
Innovation and Growing the Internet of Things Act or “DIGIT Act”. The bill
would establish a working group within the Executive Branch to provide
recommendations to Congress on how to plan and encourage the growth of IoT. The
bill was adopted without amendment in a markup hearing before the Senate Commerce,
Science and Transportation Committee this week.
This bill is very similar to S 2607, introduced in the 114th Congress and adopted
by the same Committee. That bill never made it to the floor of the Senate.
Working Group
The bill would establish a working group of Federal
stakeholders to advise Congress on the internet of things (IOT). The working
group would {§4(b)}:
• Identify any Federal regulations,
statutes, grant practices, budgetary or jurisdictional challenges, and other
sector-specific policies that are inhibiting or could inhibit the development
of the Internet of Things;
• Consider policies or programs
that encourage and improve coordination among Federal agencies with
jurisdiction over the Internet of Things; and
• Consider any findings or recommendations made by
the steering committee and, where appropriate, act to implement those
recommendations.
The working group would also specifically look at how the
Federal agencies will be affected by IOT. Included in that review is a requirement
to look at security measures those agencies may need to take to {§4(b)(4)(D)}:
• Safely and securely use the Internet
of Things; and
• Enhance the resiliency of Federal
systems against cyber threats to the internet of things.
The working group would be advised by a steering committee
established within the Department of Commerce. The steering committee would
consist of personnel from outside of the government including experts from both
the tech sector and other industrial sectors that could benefit from the use of
IOT. The steering committee is tasked with looking at (among other things) three
security-related issues relating to IOT {§4(e)(2)(C)}:
• Promote or are related to the privacy
of individuals who use or are affected by IOT;
• May enhance the security of IOT; and
• May protect users of IOT.
Moving Forward
Early action on S 88 in committee would seem to indicate
that Fischer has the support of the Chair in proceeding with moving S 88 to the
floor of the Senate. Whether or not that support will be enough to actually get
the bill to the floor remains to be seen. With no funding or new regulations
being authorized by the bill, there should be no impediment to this bill being
passed in either house if it is actually considered. In the Senate, this bill
would probably be considered under the unanimous consent provisions.
Commentary
There have been subtle changes in the wording of this bill
with respect to the cybersecurity challenges associated with IOT. Whether or
not those changes have any real effect on the recommendations that are made to
Congress as a result of the studies required in this bill remains to be seen.
I am still concerned that the relatively minor mentions of
IOT security in this bill reflect a gross misapprehension of the problems that
we have already seen with IOT security issues. There is no mention, for
example, in the rather extensive findings section of the bill about how some
recent denial of service attacks have utilized botnets that consist mainly of
inadequately secured IOT devices.
I am also concerned that ICS-CERT is not specifically
mentioned in the list of agencies to be represented in the working group. While
DHS is listed, ICS-CERT (the only agency specifically working on security
issues for IOT type devices) is not listed. The Department of Commerce listing,
on the other hand, specifically includes three technical agencies (NTIA, NIST,
and NOAA) from the Department.
The lack of funding also concerns me. The committee report on
S 2607 (S Rept 114-364) last session contained the mandatory report from the
Congressional Budget Office on the cost of the legislation. The CBO estimated
that the working group and steering group would incur administrative costs of
about $3 million (pg 5). That money would come from the budgets of the agencies
involved in the activity. While $3 million is chump change in the federal
government, it does have to come from somewhere and failing to account for that
spending in bills like this is political sleight-of-hand at best and dishonest
accounting in practice.