Last week Rep. Eshoo (D,CA) introduced HR 3010, the Promoting Good Cyber Hygiene Act of 2017. The bill would require the National Institute of Standards and Technology to establish a list of best practices for effective and usable cyber hygiene based upon the Cybersecurity Framework (CSF) established pursuant to EO 13636.
Information System Guidelines
The best practice guidelines would be available to all personnel “utilizing an information system or device”. Adoption of the best practices would be voluntary and should serve as a baseline upon which additional cybersecurity practices are established. NIST would be required to update the guidelines on an annual basis.
The guidelines would {§2(a)}:
• Be a list of simple, basic controls that have the most impact in defending against common cybersecurity threats and risks; and
• Utilize technologies that are commercial off-the-shelf and based on international standards.
IOT Cyber Hygiene
Paragraph 2(h) of the bill would require DHS (in coordination with NIST and the Federal Trade Commission) to conduct a study of “cybersecurity threats relating to the Internet of Things” (IoT) {§2(h)(2)}. The study would {§2(h)(3)}:
• Assess cybersecurity threats relating to the Internet of Things;
• Assess the effect such threats may have on the cybersecurity of the information systems and networks of the Federal Government; and
• Develop recommendations for addressing such threats.
In this paragraph IoT is defined as “the set of physical objects embedded with sensors or actuators and connected to a network” {§2(h)(1)}.
Moving Forward
Neither Eshoo nor her co-sponsor, Rep. Brooks (R,IN), is a member of the House Science, Space, and Technology Committee, the Committee to which this bill was assigned for consideration. This means that it is extremely unlikely that the bill will be considered in that Committee.
There is nothing in this bill that would cause any serious opposition to the bill if it were considered in committee or on the floor of the House or Senate.
Commentary
The lack of a definition of ‘information system or device’ would typically mean that the common usage of that term, the narrow IT-centric definition, applies; that would probably exclude industrial control systems (ICS) from specific inclusion in the cyber hygiene guidelines.
Having said that, the very wide and ICS-inclusive definition of IoT that would support Federal information systems and networks throws the whole meaning of ‘information system’ open to serious interpretive problems.
For the purposes of this bill, however, since neither NIST nor DHS would be provided any funding to establish the guidelines or conduct the study, the two agencies would use the narrowest, IT-centric definition. They would certainly be ignoring the much more complex ICS cybersecurity issues for the NIST guidelines.
This would greatly reduce the scope of any IoT study conducted under provisions of this bill. The only devices that would probably be considered would be devices supporting network communications and server farms. That is a very small part of the IoT cybersecurity problem. Including the IoT study in this bill underlines how poorly congresscritters and their staffs understand the potential scope of IoT cybersecurity issues.