Last week Rep. McNerney (D,CA) introduced HR 1324,
the Securing the Internet of Things (IOT) Act of 2017. The bill would
require the Federal Communications Commission (FCC) to establish cybersecurity
standards for radio frequency equipment regulated by the FCC.
Cybersecurity Standards
Section 2 of the bill would amend 47
USC 303, adding a new paragraph (cc). It would require the FCC to establish
cybersecurity standards for radio frequency equipment regulated under 47
CFR Part 2, Subpart J. Those standards would apply “throughout the
lifecycle of the equipment, including design, installation, and retirement”.
The bill would require the FCC to establish the regulations
implementing these cybersecurity requirements within 180 days of the adoption
of the bill. The standards would apply “to radio frequency equipment for which
an application for certification is submitted after the date that is 1 year
after the date of the enactment of this Act” {§2(c)}.
Moving Forward
McNerney is a member of the House Energy and Commerce
Committee, to which this bill was referred. He is a relatively low-ranking
Democrat on the Committee, so it is possible that he may have enough influence
to have the bill considered by the Committee.
The bill is likely to engender a great deal of opposition
from a wide variety of manufacturers. This would ensure that there was
extensive Republican (and at least some Democratic) opposition to the bill.
This bill is unlikely to be considered in the 115th Congress.
Commentary
While the title of the bill would seem to indicate that
McNerney intended this to address IOT security issues, it is written with a
much larger brush. Any piece of equipment that has radio frequency emissions
would be subject to the cybersecurity standards required by this bill.
The lack of any definitions in the bill and the short
rulemaking deadline make establishing any effective cybersecurity standards
extremely unlikely. Without limiting definitions, the FCC would be required
either to come up with some very generic standards that apply to all RF-emitting
equipment, or to attempt to establish workable subcategories of cyber-vulnerable
equipment for which reasonable standards could be written. The first option
would be totally ineffective, but would still require costly compliance
activities. The second option would be very time consuming for the FCC (completely
missing the 180-day deadline) and would require a very large expansion of
cybersecurity engineering professionals to meet the compliance requirements.
The most interesting portion of the legislation is the
requirement to include cybersecurity requirements through the retirement of
devices. I would assume that this is an attempt to ensure the privacy
protection of information stored on a device after it is retired from service.
While trying to define ‘retirement’ could prove problematic, the process
standard could be something as simple as providing an effective erase mechanism
for any information storage device. How that final erasure would be initiated
(and protected from inadvertent activation) could prove to be an expensive
engineering problem.