Last week Rep. Lieu (D,CA) introduced HR 4792,
the Cyber Shield Act of 2019. The bill {and its companion bill, S 2664,
introduced by Sen Markey (D,MA)} would require the Department of Commerce
to establish the Cyber Shield Program, a program for the voluntary
certification and labeling of products that meet industry-leading cybersecurity
and data security benchmarks to enhance cybersecurity and protect data.
The products referenced in the bill only apply to ‘consumer
facing objects’ that {§2(3)}:
• Connect to the internet or other network; and
• Collect, send, or receive data; or
• Control the actions of a physical object or system
Commentary
Presumably the ‘consumer facing’ portion of the definition
excludes industrial control systems but may apply to certain medical devices.
Unfortunately, the FDA is not specifically mentioned as one of the federal
agencies to be consulted with on establishing standards in this program. Nor is
the Cybersecurity and Infrastructure Security Agency (CISA) mentioned;
surprising in that they would certainly have an interest in cybersecurity
certifications of consumer products used by federal agencies.
In general, these bills are weak on definitions; there is no
definition of the key term ‘cybersecurity’, for instance. They also fail to
address the issue of coordinated vulnerability reporting, or even to take into
account the fact that independent researchers are the most common source of
vulnerability reports.
The basic premise is helpful, but this implementation is
weak to say the least. This is surprising since Lieu and Markey have both tried
to position themselves as cybersecurity gurus in Congress.