Friday, March 25, 2022

Review - HR 7138 Introduced – IoT Supply Chain Security

Last week, Rep Obernolte (R,CA) introduced HR 7138, the Protecting Against Compromised Internet of Things Technology Act. The bill would require the DOC’s Bureau of Industry and Security to submit (and periodically update) to the End-User Review Committee a list of foreign persons that “pose a threat to the security of supply chains of Internet of Things devices”.

Moving Forward

While Obernolte is not a member of either the House Foreign Affairs or Oversight and Reform Committee, the two committees to which this bill was assigned for consideration, his sole cosponsor {Rep Jacobs (D,CA)} is a member of the Foreign Affairs Committee. This means that there may be enough influence to see the bill considered in Committee. I see nothing in the bill that would engender any organized opposition. If the bill were introduced in Committee, I would expect that there would be significant revisions made to make the bill more effective (see ‘Commentary’), which could change the potential for support.

Commentary

This bill does not actually appear to accomplish anything. The definition of the term ‘covered foreign person’ limits the people who could be affected by a listing suggested by BIS to overseas vendors of IoT devices. These are not typically the people that we are concerned with when it comes to endangering the security of IoT supply chains. If, for some reason, they do endanger that supply chain security, we prohibit people in this country from selling items to the affected vendors. This means that the federal government is adversely impacting the supply chain of those IoT vendors, which further threatens the supply chain that set the whole thing in motion.

I do not see any simple fix for this problem without defining ‘security of supply chains’ and then describing what actions might endanger that security. I would like to suggest that the definition should specifically address software security requirements.

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis (subscription required).
