Showing posts with label IOT.

Friday, August 25, 2023

Review - FCC Publishes IoT Device Labeling NPRM

Today the Federal Communications Commission published a notice of proposed rulemaking (NPRM) in the Federal Register (88 FR 58211-58229) for “Cybersecurity Labeling for Internet of Things”. Today’s NPRM notice is a summary of the Commission's Notice of Proposed Rulemaking (NPRM), FCC 23–65, adopted August 6, 2023, and released August 10, 2023.

Public Comments

The FCC is soliciting public comments on this proposed rulemaking. Comments may be submitted via the Commission’s website (https://www.apps.fcc.gov/ecfs/; PS Docket No. 23-239). Comments should be submitted by September 25th, 2023, with replies to comments submitted by October 24th, 2023.

Commentary

The FCC rulemaking process is slightly different than what is normally covered in this blog. Today’s NPRM sounds more like what other agencies call an advanced notice of proposed rulemaking, with the FCC outlining the scope of a potential rule and providing an outline of the information that the Commission is looking to receive from the public and regulated community.

 

For more details about the NPRM, including additional commentary on the limited focus, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/fcc-publishes-iot-device-labeling - subscription required.

Thursday, August 24, 2023

Review - NIST Publishes Update from IoT Federal Working Group – 8-24-23

Today, DOC’s National Institute of Standards and Technology (NIST) published a notice in the Federal Register (88 FR 57937-57938) on “A Preliminary Update From the Internet of Things Federal Working Group”. The Preliminary Update is available on the NIST website. A final report to Congress is expected to be submitted in June 2024.

Public Comments

NIST is soliciting public comments on the Preliminary Update. Comments should be emailed to NIST (iotfwg@nist.gov). Comments should be submitted by September 25th, 2023.

Commentary

A decent, non-technical summary of the work to date, which is mainly just a definition of the problem space. I hope the working group fleshes this document out before preparing their report to Congress, soliciting additional public input.

 

For more details about the Working Group and its Preliminary Update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/nist-publishes-update-from-iot-federal - subscription required.

Tuesday, April 11, 2023

Review - HR 1648 Introduced – Smart Airports

Last month, Rep Nehls (R,TX) introduced HR 1648, the Airport Technology and Efficiency Improvement Act of 2023. The bill would require the DOT’s Federal Aviation Administration (FAA) to establish a new pilot grant program “to support the acquisition and installation of ‘internet of things’ technologies by airports to create a more consumer-friendly and digitally connected airport experience.” The bill would authorize $5 million per year through 2029 to support the program.

Moving Forward

Nehls is a member of the House Transportation and Infrastructure Committee to which this bill was assigned for consideration. This means that there could be sufficient influence to see this bill considered in Committee. Other than the new spending authorized by the bill (which is generally going to be problematic in the 118th Congress), I see nothing in this bill that would engender any organized opposition. I suspect that the bill would pass with some level of bipartisan support (with most of the opposition coming from Nehls’ fellow Republicans) in committee and on the floor of the House if it made it that far.

Commentary

It is disappointing to see a bill at this late date that encourages (funds) the use of IoT devices in the public transportation sector without including at least a mention of the need for basic cybersecurity protections for those devices. Nehls’ staff even included a privacy hat-tip in the subsection (d) prioritization of grants to “projects that do not collect facial and biometric data of passengers not identified as a security threat”, but they forgot the larger issue of general cybersecurity protections that would help guarantee those privacy concerns.

At a minimum, I would have changed the wording of subsection (b) to read:

“(b) Eligible Projects.—The Administrator may make a grant under the Program only for a project that facilitates the acquisition and installation by an airport of sensor systems, software, passenger signals, or other technologies, including cybersecurity protections for those systems, consistent with the purposes of the Program, including projects that facilitate”


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-1648-introduced - subscription required.

Friday, February 12, 2021

Bills Introduced – 2-11-21

Yesterday, with the Senate still sitting as jury in the Trump Impeachment Trial and the House meeting in pro forma session, there were 89 bills introduced. One of those bills will receive additional coverage in this blog:

HR 981 To direct the Federal Communications Commission to collect and maintain data on the growth in the use of Internet of Things devices and devices that use 5G mobile networks in order to determine the amount of electromagnetic spectrum required to meet the demand created by such use, and for other purposes. Rep. DelBene, Suzan K. [D-WA-1]

DelBene provided a link to a copy of the bill in a press release yesterday. With the GPO taking so long to publish official copies of legislation (they are still working on bills introduced on 1-21-21), a congresscritter wanting their bill to be seen by the public needs to take this sort of action.

In any case, while a more detailed review of the bill will be coming in a future blog post, I did want to mention the definition of ‘internet of things device’ that DelBene uses in this bill:

“The term ‘‘Internet of Things device’’ means a device that uses a network to communicate and share data with other devices.” {§4(2)}

You cannot find a more inclusive definition of ‘IoT device’ than that.


Thursday, September 17, 2020

HR 1668 – Review of Text Passed in House

As I noted Tuesday night, the House passed a version of HR 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, that was different from both the introduced and reported versions of the bill. Yesterday the GPO printed the version of the bill that was passed by the House. In this post I will look at the differences between the version reported out of the House Oversight and Reform Committee and the version passed in the House.

Sense of Congress

The passed bill inserted a new §2, Sense of Congress, in the bill. That new section lays responsibility for cybersecurity of the executive branch with the President working through the Director of the OMB and the Secretary of Homeland Security. It further makes the claim that “the strength of the cybersecurity of the Federal Government and the positive benefits of digital technology transformation depend on proactively addressing cybersecurity throughout the acquisition and operation of Internet of Things devices by the Federal Government” {§2(3)}.

Finally, it provides a description of ‘Internet of Things devices’ taken from the January 7th, 2020 draft of the National Institute of Standards and Technology (NIST) draft internal report 8259. The description in that report states:

“The IoT devices in scope for this publication [emphasis added] have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth, Long-Term Evolution [LTE], Zigbee, Ultra-Wideband [UWB]) for interfacing with the digital world. The IoT devices in scope for this publication [emphasis added] can function on their own and are not only able to function when acting as a component of another device, such as a processor.”

Note: the text emphasized above was not included in the description provided in §2(4).

Definitions

Section 2 of the reported bill included definitions of the following terms:

• Agency,
• Covered device,
• Director of OMB,
• Director of the Institute [National Institute of Standards and Technology (NIST)], and
• Security vulnerability.

Section 3 of the passed bill does not include a definition of ‘covered device’. It adds definitions for the following terms:

• Information system [IT-limited definition from 44 USC 3502],
• National security system,
• Operational technology, and
• Secretary [of Homeland Security].

Ongoing NIST Activities

The reported bill contained a §3, Completion of Ongoing Efforts Relating to Considerations for Managing Internet of Things Cybersecurity Risks. This section included a requirement for NIST to publish a report on “the following considerations for covered devices”:

• Secure development,
• Identity management,
• Patching, and
• Configuration management.

This section was not included in the passed version of the bill.

Security Standards

Section 4(a) of the reported bill required NIST (within 6 months) to publish guidelines under 15 USC 278g-3 on {§4(a)}:

• The appropriate use and management by the agencies of covered devices owned or controlled by the agencies, and
• Minimum information security requirements for managing security vulnerabilities associated with such devices.

Section 4(b) then went on to require the Cybersecurity and Infrastructure Security Agency (CISA) to establish standards based upon those guidelines for “covered devices owned or controlled by agencies, except those considered national security systems” {§4(b)(1)(A)}.

In the passed version of the bill, NIST is required (within 90 days) to develop and publish (again under §278g-3) “standards and [emphasis added] guidelines for the Federal Government on the appropriate use and management by agencies of Internet of Things devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices” {§4(a)(1)}.

The OMB is then (within 180 days of the establishment of the ‘standards and guidelines’) required to review “agency information security policies and principles” for IoT based upon the NIST-developed standards and guidelines, again with an exception for ‘national security systems’.

Petition to Exclude Devices

Section 5 of the reported bill would have required the OMB to establish a process by which agencies could petition to have devices excluded from designation as ‘covered devices’ subject to the guidelines established by NIST or the standards established by CISA.

There are no comparable requirements in the passed version of the bill.

Coordinated Disclosure

Section 6 of the reported bill would have required NIST to develop guidelines “for the reporting, coordinating, publishing, and receiving of information about” {§6(a)(1)} security vulnerabilities for a covered device owned, or controlled, by an agency (or a contractor providing a covered device to an agency) and the resolution of such vulnerabilities. The developed guidelines should align with ISO 29147 and ISO 30111 {§6(b)(2)}. The guidelines for contractors would include information “on the type of information about security vulnerabilities that should be reported to the Federal Government, including examples thereof” {§6(a)(3)}.

Section 5 of the passed bill includes similar language except that, instead of ‘covered device’, the section refers to “information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency)”. In addition to the requirement that the guidelines align with the two ISO documents mentioned in the reported bill, §5 requires that the guidelines be “consistent with the policies and procedures produced” {§5(b)(3)} under the coordinated disclosure requirements of 6 USC 659(m). The requirement for contractor reporting was not included. Finally, §5 concludes by establishing that DHS will be responsible for “the implementation of the guidelines published” under this section.

The passed version of the bill includes an additional section (§6) addressing the implementation of the coordinated disclosure guidelines. Section 6(a) requires the OMB (within 2 years) to “develop and oversee the implementation of policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities of information systems (including Internet of Things devices).” Section 6(b) requires DHS to “provide operational and technical assistance to agencies on reporting, coordinating, publishing, and receiving information about security vulnerabilities of information systems (including Internet of Things devices).”

Operational Technology

Section 8 of the passed bill has no counterpart in the reported bill. It requires GAO (within one year) to brief Congress “on broader Internet of Things efforts, including projects designed to assist in managing potential security vulnerabilities associated with the use of traditional information technology devices, networks, and systems” {§8(a)} with IoT devices and operational technology devices, networks, and systems.

Moving Forward

The passage of this bill by a voice vote indicates that there is some level of bipartisan support for this bill. This is important because a bill of this sort is not ‘important’ enough to be considered under the normal debate and amendment process in the Senate. This late in the session the only way that this bill would be considered in the Senate is under the unanimous consent process. Unfortunately, the only way that a bill makes it through that process is for not one single Senator to voice opposition to the bill. I suspect that this bill could make it through such a process, but it could be blocked by a Senator making a point about, or needing support for, something completely unrelated to this bill.

Commentary

First, let me address the unusual way this was brought to the floor in the House. Rep Maloney (D,NY) was the one who actually brought the bill to the floor for consideration. She began the consideration process by saying: “Mr. Speaker, I move to suspend the rules and pass the bill (H.R. 1668) to leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes, as amended.”

That phrase ‘as amended’ can be used to cover a wide variety of situations. Typically, it is used to describe a bill that has been amended in the Committee process. It is used from time to time to include a bill that has been amended outside of the process by committee leadership when new information has become available, when changes are necessary to get some additional floor support for the bill, or to better reflect the intent of the leadership. I suspect that in this case the final reason was the primary driver of the changes being made to the bill. Maloney is the Chair of the House Oversight and Government Reform Committee.

Looking at the bill as passed, it is clear that Maloney is not really interested in IoT cybersecurity. The lack of a definition of the term ‘Internet of Things device’, the discussion in §2 notwithstanding, indicates how little Maloney cares about IoT. The changes to the bill, while still including multiple references to ‘IoT devices’, make this a bill about information system cybersecurity. It provides a small incremental increase in the authority of OMB and DHS to address information system cybersecurity and expands the authority for DHS to continue its recent mandate for government agencies to implement vulnerability disclosure programs.

The addition of §8 of the bill reflects Maloney’s future commitment to the authors and supporters of the bill that passed in Committee that the Committee will continue to look at IoT cybersecurity and actually adds the expanded topic of control system security to that future consideration.

Wednesday, August 26, 2020

Bills Introduced – 8-25-20


Yesterday with both the House and Senate meeting in pro forma session there were 22 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 8103 To amend section 3553 of title 44, United States Code, to strengthen Federal networks, and for other purposes. Rep. Green, Mark E. [R-TN-7] 

HR 8115 To ensure appropriate prioritization, spectrum planning, and interagency coordination to support the Internet of Things. Rep. Welch, Peter [D-VT-At Large] 

HR 8103 will almost certainly be an IT-centric piece of legislation, but I will be watching it for language that may include ICS security impacts.

I will be watching HR 8115 for cybersecurity language and definitions.

Friday, July 3, 2020

S 4049 Amendments Adopted – 7-3-20


Yesterday during consideration of S 4049, the FY 2021 National Defense Authorization Act, the Senate adopted by unanimous consent 62 amendments in an en bloc consideration. Four amendments were included that are of interest here. They include:

SA 2178 – Sen Wicker (R,MS) - to improve the cyber workforce and establish cyber challenges [pg S 3569],
SA 2215 – Sen King (I,ME) - to strengthen the Cybersecurity and Infrastructure Security Agency [pg S 3660],
SA 2231 – Sen Fischer (R,NE) - to ensure appropriate prioritization, spectrum planning, and interagency coordination to support the Internet of Things [pg S 3688], and
SA 2275 – Sen Peters (D,MI) - to require a plan for the continuity of the economy [pg S 3719]

Cyber Workforce


SA 2178 would add a new Title, Cyber Workforce Matters, to the bill. It includes sections on:

• Improving national initiative for cybersecurity education,
• Development of standards and guidelines for improving cybersecurity workforce of federal agencies,
• Modifications to federal cyber scholarship-for-service program,
• Cybersecurity in programs of the national science foundation,
• Cybersecurity in stem programs of the national aeronautics and space administration,
• Cybersecurity in department of transportation programs, and
• National cybersecurity challenges [Similar to S 3712].

The first section of the bill would amend 15 USC 7451(a), National cybersecurity awareness and education program. Part of that amendment would be to add a new subparagraph:

“(8) in coordination with the Department of Defense and the Department of Homeland Security, considering any specific needs of the cybersecurity workforce of critical infrastructure, to include cyber physical systems and control systems;”

The section on DOT programs makes two changes to 49 USC. The first would amend 49 USC 5505, University transportation centers program. The amendment would add to the focused research grant program description found in §5505(c)(3)(E):

“, including the cybersecurity implications of technologies relating to connected vehicles, connected infrastructure, and autonomous vehicles”


Strengthening CISA


SA 2215 would move the Cybersecurity and Infrastructure Security Agency (CISA) Director from Level III to Level II of the Executive Schedule, increasing the importance of the Agency. The second section of the amendment would require DHS to conduct a comprehensive review of the ability of CISA to:

• Fulfill the missions of CISA and
• Fulfill the recommendations detailed in the report issued by the Cyberspace Solarium Commission under section 1652(k) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115–232).

The third section would require a similar review by the Government Services Administration.

Internet of Things


SA 2231 is very similar to S 1611, the Developing Innovation and Growing the Internet of Things Act, that Fischer introduced in 2019 (and earlier versions of the same bill in 2017 and 2016). The bill was passed in the Senate in January under the unanimous consent process. It has not been taken up in the House.

Continuity of the Economy


SA 2275 would require the President to “develop and maintain a plan to maintain and restore the economy of the United States in response to a significant event.” {§XXX(a)(1)}. The term significant event is defined as an event that causes severe degradation to economic activity in the United States due to a cyberattack; or another significant event that is natural or human-caused.

Additional Amendments to be Considered


The Senate reached an agreement to resume consideration of the bill after the July 4th recess (on July 20th) by taking up six specific amendments with 2 hours of debate on each amendment. Once those amendments are dealt with, the Senate will vote on the substitute language. One of the listed amendments addresses issues that I will cover in this blog.

There still remains a possibility that another batch of en bloc amendments will be considered before the listed amendments are brought up.

Sunday, March 8, 2020

S 2657 Considered in Senate – Comprehensive Energy Bill


On Thursday the Senate began consideration of S 2657, the Advanced Geothermal Innovation Leadership Act. This bill is being used as a vehicle for Sen Murkowski (R,AK) to bring to the floor of the Senate a comprehensive energy bill. On Tuesday she offered SA 1407 (pg S1351 or pg 49 of document), the amendment that would serve as substitute language for S 2657. Then on Thursday she offered a modified version of that language that will be considered as SA 1407. The Senate is currently scheduled to vote on SA 1407 on Monday at 5:00 pm EDT.

Cybersecurity


There are a number of cybersecurity provisions included in the bill and most of them have come from previously introduced legislation. The list below shows the ones that I have identified (pg numbers are for Thursday’s Congressional Record pages):

§1005. Smart Building Acceleration. (S 2447) pg S 1526
§1808. ARPA–E reauthorization. (S 2714) pg S 1564
§2201. Incentives for advanced cybersecurity technology investment. (S 2256) pg S 1570
§2202. Rural and municipal utility advanced cybersecurity grant and technical assistance program. (S 2256) pg S 1570
§2203. State energy security plans. pg S 1571
§2204. Enhancing grid security through public-private partnerships. (S 2095) pg S 1571
§2205. Enhanced grid security. (S 1241) pg S 1527

I have not had a chance to review these sections in detail to see if any changes had been made to the original language.

Amendments


As with any major piece of legislation being considered by the Senate, a large number of amendments have been offered over the last three legislative days and more are expected on Monday. Only a very small number of these amendments will be considered on the floor. A complete list of the offered amendments can be found here, here and here. Amendments that may be of interest include:

SA 1428 Whistleblower protection for employees responsible for ensuring the reliability, resilience, and security of the electric grid – pg S 1413;
SA 1455 Cyber Sense Program – pg S 1426;
SA 1480 Internet of Things (DIGIT Act) – pg S 1480;

Moving Forward


S 2657 will probably pass with bipartisan support this coming week. What is not clear is how many Democrats will find enough ‘objectionable’ content to require a vote against the bill. If there is a large enough Nay vote the bill will not be taken up by the House. A strong bipartisan vote will ensure early consideration by the House. There is a good chance that if the Senate outcome falls somewhere in between the House will take up the bill and amend it into passable form.

Thursday, November 29, 2018

HR 6032 Passes in House – Internet Connected Devices


Yesterday the House passed HR 6032, the State of Modern Application, Research, and Trends of (SMART) IoT Act, by a voice vote. The ‘debate’ lasted just over 8 minutes and consisted mainly of praising committee leadership for their bipartisan support for crafting this bill.

In my earlier post on this bill I had serious reservations about the definition of ‘internet connected devices’ used instead of trying to define IoT. That concern is further aggravated by the discussion of the IoT problem found in the House Energy and Commerce Committee report on the bill. In both the sections describing the purpose of the bill and the need for the legislation, the term ‘internet connected devices’ is never used; all references are to the undefined acronym ‘IoT’.

Those discussions in the report clearly (but certainly not concisely) indicate that the Committee is concerned about a wide variety of devices that are connected to the internet but may communicate over the internet without the specific control of the owner over the data that is being shared or with whom the data is being shared. But that concern is specifically ignored by the inclusion of the requirement in the definition of ‘internet connected devices’ that the physical object connected to the internet would “communicate information at the direction of an individual” {§2(c)(2)(A)}. One of the big problems with so many IoT devices is their capability to communicate information without the direction of the individual owner/operator of the device.

This bill obviously has bipartisan support and more importantly the lack of any significant opposition, so it could be passed in the Senate under their unanimous consent process. If there were a single Senator, however, that objected to this bill, the bill would languish in that body in the limited number of floor hours available for consideration of bills under regular order. I do not expect to see this bill reach the President’s desk.

Sunday, June 17, 2018

Congressional IoT Definition


Earlier this week I took exception to the inability of congressional staffers to come up with a workable definition of ‘internet of things’ (IOT or IoT if you prefer). Well, I finally found a reasonably workable definition in a proposed amendment to HR 5515, so I feel honor bound to mention it.

On Tuesday Sen. Gardner (R,CO) proposed SA 2825 (pg S3849). It would add a new subtitle to HR 5515, Subtitle G—Internet of Things Cybersecurity Improvement Act. In the proposed §1072(a) it defines ‘a covered [IoT] device’ as a physical object that:

• Is capable of connecting to and is in regular connection with the Internet or internal networks of the Department [DOD] that are connected to the Internet;
• Has computer processing capabilities that can collect, send, or receive data; and
• Does not include advanced or general purpose computing devices, including personal computing systems, smart mobile communications devices, programmable logic controls, mainframe computing systems, and motor vehicles.

Depending on the type of IoT that we are discussing, we can argue about what should or should not be included in the exclusion portion of the definition. It is clear, however, that the exclusion subparagraph is necessary to make the definition of IoT device workable.

Kudos to Sen. Gardner’s staff.

Thursday, June 14, 2018

HR 6032 Introduced – Internet Connected Devices


Last week Rep. Latta (R,OH) introduced HR 6032, the State of Modern Application, Research, and Trends of (SMART) IoT Act. The bill would require the Commerce Department to conduct a study of the internet-connected devices industry.

Study


Section 2 of the bill requires Commerce to conduct a two-part study. The first is a survey of the internet-connected devices industry and the second is a review of Federal government agencies that have jurisdiction over the industries identified in the first survey.

The bill relies on a very broad definition of ‘internet-connected devices’ which it specifically conflates with the term ‘Internet of Things’. Section 2(c)(2) defines internet-connected devices as a physical object that both:

• Is capable of connecting to the internet, either directly or indirectly through a network, to communicate information at the direction of an individual; and
• Has computer processing capabilities for collecting, sending, receiving, or analyzing data.

The inevitable report to Congress is required.

Moving Forward


Latta is the Chair of the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee. He used his influence there to hold a markup hearing on this bill yesterday. The bill was adopted without amendment by a voice vote.

This bill is likely to move forward to the full Committee and then the full House without much in the way of opposition. It does not authorize any regulation or expenditure of funds, so there is little here to attract concern.

Commentary


The major problem with this bill is two-fold. First, it uses an overly broad definition which includes practically anything that can connect to the internet. Secondly, it provides no funds for the required study which limits the ability of the Department of Commerce to complete an effective study.

The definition problem is one common with any discussion of IoT. A reasonably good definition of IoT can be found on Wikipedia:

The Internet of Things (IoT) is the network of physical devices, vehicles, home appliances and other items embedded with electronics, software, sensors, actuators, and connectivity which enables these things to connect and exchange data, creating opportunities for more direct integration of the physical world into computer-based systems, resulting in efficiency improvements, economic benefits and reduced human intervention.

Unfortunately, even that definition has problems because its explication of the types of ‘physical devices’ included in the definition is incomplete. It does not include, for example, control systems, building environment and access systems, and … well, we could just keep adding things.

This bill (and others, see S 1691 for example), instead of trying to define ‘IoT’ directly, relies on the definition of ‘internet connected devices’. Unfortunately, that forces the inclusion of just about any electronic device, including phones, personal computers, mainframes and even supercomputers. This goes well beyond the IoT problem that Latta is trying to address.

Now, this could result in one of two things. DoC could attempt to complete the survey and report using the definition provided in the bill, but the lack of specific funding would make that difficult and would result in an incomplete study. Or it could attempt to divine Latta’s actual intent and limit the study to the ‘smart devices’ (another poorly defined term) that are increasingly being connected to the internet with securityless (made up word) abandon.

Oh yes; security. That is something else that is curiously missing from specific mention in the bill. Well, that is not entirely true: the paragraph on the report to Congress requires that the report include “recommendations of the Secretary for growth of the United States economy through the secure [emphasis added] advancement of internet-connected devices” {§2(b)(2)}. Of course, no definition is provided, so we could be talking about cybersecurity, supply chain security, or even (a stretch to be sure) physical security.

Okay, one last problem (really, I am stopping here): there is no mention of the bandwidth issue that is associated with these internet-connected devices. And that would include radio frequency bandwidth for the wireless connections nearly universally used by these devices as well as the amount of information clogging the information highway.

Monday, September 25, 2017

Committee Hearings – Week of 9-24-17

The House is coming back to Washington after a week working in their districts and the Senate is coming back from a really-long weekend. The big news this week will once again be the healthcare ‘debate’ in the Senate, but there will be two hearings of interest, both touching on cybersecurity.

IoT Cybersecurity


On Wednesday the Information Technology Subcommittee of the House Oversight and Government Reform Committee will hold a hearing on the “Cybersecurity of the Internet of Things”. No witness list has been provided.

According to the Library of Congress there are currently three House bills (HR 686, HR 1324, and HR 3010) that contain references to “Internet of Things” and none of them have been referred to the Oversight Committee for consideration. It looks like the leadership just wants to get into the IOT political game.

Homeland Threats


On Wednesday the Senate Homeland Security and Governmental Affairs Committee will be holding a hearing on “Threats to the Homeland”; which will almost certainly at least touch on a number of cybersecurity topics. The current witness list includes:

• Elaine C. Duke, DHS;
• Christopher A. Wray, FBI; and
• Nicholas J. Rasmussen, National Counterterrorism Center


Considering the breadth of the topic I think we can only expect to see broad highlights in the prepared testimony. It will be interesting, however, to watch the focus of the questions tossed at the panel.

Friday, August 4, 2017

Senate Passes S 88 – DIGIT Act

Yesterday the Senate amended S 88, the Developing Innovation and Growing the Internet of Things (DIGIT) Act, and passed the bill under the unanimous consent process. There was no debate and only the one amendment (S 769, pgs S4889-90), substitute language offered by Sen. Wicker (R,MS). That amendment was also adopted under the unanimous consent process.

Changes in the Bill


The substitute language made three changes to the bill:

• In §3, removed the definition of ‘appropriate committees of Congress’ as the term was not used in the bill;
• In §4(c), added the Federal Energy Regulatory Commission to the list of federal agencies to be represented on the Federal Working Group; and
• In §4(f)(2), added a specific list of congressional committees to which the final report by the working group would be submitted.

Moving Forward


The bill now moves to the House for consideration. There is a companion bill in the House, HR 686. No action has been taken on that bill beyond referral to the House Energy and Commerce Committee for consideration. Unless someone with more influence in that Committee than Rep. Welch (D,VT) becomes a sponsor of the bill, it is very likely that both bills will languish in Committee in the House.

Commentary


There is another problem with this bill that I had not mentioned in my post about the introduction of the bill or in the post on HR 686. There is no definition of ‘Internet of Things’ in the bill. The problem here is that a working definition is going to have a major impact on the scope of the report required in this bill.

On one hand if we use the IoT definition found in HR 3010 [“the set of physical objects embedded with sensors or actuators and connected to a network” {§2(h)(1)}], we would almost certainly have to include most of the realm of industrial control system components in the Working Group’s study.


A more limited definition, “the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data”, would still have a rather broad impact, but would rule out control system components and medical devices, for instance. That would make this a much more manageable study.

Monday, June 12, 2017

Committee Hearings – Week of 06-11-17

This week with both the House and Senate in session the FY 2018 budget is still the big deal in congressional hearings. There are also three other hearings that may be of specific interest to readers of this blog: one on DHS authorization and two on cybersecurity.

Budget


Because of having to deal with the FY 2017 spending bill earlier this year, Congress is behind in the budgeting/spending process. Hearings this week will be looking at the department budgets. These are high-level discussions of the President’s spending plan; don’t expect much in the way of details.

Hearings of potential interest to readers of this blog include:

• Monday, House, DOD, Armed Services Committee;
• Tuesday, Senate, DOD, Armed Services Committee;
• Wednesday, House, DOT, Appropriations Committee – Subcommittee;
• Wednesday, Senate, DOD, Appropriations Committee – Subcommittee;
• Thursday, House, DOD, Appropriations Committee – Subcommittee;
• Thursday, House, DOT, Appropriations Committee – Subcommittee; and
• Thursday, House, EPA, Appropriations Committee – Subcommittee.

DHS Authorization


As I mentioned earlier today, the House Homeland Security Committee will be holding a markup hearing Wednesday on HR 2825, the FY 2018 DHS Authorization Act. There is already a link to the substitute language that the Committee will markup. I expect that we will see additional amendments posted to the site tomorrow afternoon.

Cybersecurity


There will be two cybersecurity related hearings this week. One will look at IOT opportunities and challenges and the other will look at WannaCry.

Tuesday the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee will hold a hearing looking at “Disrupter Series: Update on IOT Opportunities and Challenges”. The witness list includes:

• Mark Bachman, Integra Devices
• Gary D. Butler, Camgian Microsystems Corporation
• Cameron Javdani, Louroe Electronics
• Peter B. Kosak, General Motors North America
• Bill Kuhns, Vermont Energy Control Systems LLC
• William S. Marras, the Spine Research Institute

On Thursday the Oversight Subcommittee and the Research and Technology Subcommittee of the House Science, Space, and Technology Committee will hold a joint hearing on “Bolstering the Government’s Cybersecurity: Lessons Learned from WannaCry”. The witness list includes:

• Salim Neino, Kryptos Logic
• Charles H. Romine, National Institute of Standards and Technology
• Hugh Thompson, Symantec
• Gregory J. Touhill, Carnegie Mellon University

Saturday, April 22, 2017

NIST Announces CSF 1.1 Workshop – May 16th, 2017

NIST has announced another in a series of workshops concerning the proposed new version of their Cybersecurity Framework (CSF 1.1). The 2-day workshop will be held in Gaithersburg, Maryland on May 16th, 2017. The draft agenda for the workshop was made available this week on their CSF website.

I have not covered CSF 1.1 because the CSF is not operationally an industrial control system (ICS) security program. There are ICS components, but this is a cybersecurity management tool, not actually a cybersecurity tool. I have not seen anything in CSF 1.1 that would change that assessment.

Having said that, I am mentioning this workshop because it contains an internet of things (IOT) breakout session on the second day of the CSF 1.1 workshop. The agenda describes it this way:

“Cyber Meets the Physical World: The diverse use and rapid proliferation of connected devices – typically captured by the “Internet of Things (IoT)” – creates enormous value for industry, consumers, and broader society. At the same time, emerging threats, such as last year’s Mirai DDoS attacks, highlight the critical need to develop and apply guidance to maintain the cybersecurity of devices and the ecosystems into which they are deployed. NIST is seeking feedback on how the Framework may be applied to the IoT, both in terms of the devices themselves, as well as their integration into broader enterprise and network environments. Topics in this breakout may include: existing IoT definitions and taxonomies and their consistency with the Framework; IoT specific threats and constraints; sector-specific considerations for IoT security; and the integration of IoT-specific threats into the Framework model.”

Even this description of ‘Cyber Meets the Physical World’ contains no specific reference to industrial control systems, or even really hints at their existence. This is the thing that continues to concern me about the CSF. I hope that I am reading too much into this brief description and I hope that we hear from some attendees with an ICS cybersecurity background that there was some specific and realistic discussion of ICS specific security concerns with IOT and how that might be dealt with in the CSF environment.


Early registration is recommended by NIST due to the limited seating available. Registration closes on May 9th, 2017.

Friday, January 27, 2017

S 88 Introduced – IOT Support

Earlier this month Sen. Fischer (R,NE) introduced S 88, the Developing Innovation and Growing the Internet of Things Act or “DIGIT Act”. The bill would establish a working group within the Executive Branch to provide recommendations to Congress on how to plan and encourage the growth of IoT. The bill was adopted without amendment in a markup hearing before the Senate Commerce, Science and Transportation Committee this week.

This bill is very similar to S 2607 introduced in the 114th Congress and adopted by the same Committee. That bill never made it to the floor of the Senate.

Working Group


The bill would establish a working group of Federal stakeholders to advise Congress on the internet of things (IOT). The working group would {§4(b)}:

• Identify any Federal regulations, statutes, grant practices, budgetary or jurisdictional challenges, and other sector-specific policies that are inhibiting or could inhibit the development of the Internet of Things;
• Consider policies or programs that encourage and improve coordination among Federal agencies with jurisdiction over the Internet of Things; and
• Consider any findings or recommendations made by the steering committee and, where appropriate, act to implement those recommendations.

The working group would also specifically look at how the Federal agencies will be affected by IOT. Included in that review is a requirement to look at security measures those agencies may need to take to {§4(b)(4)(D)}:

• Safely and securely use the Internet of Things; and
• Enhance the resiliency of Federal systems against cyber threats to the internet of things.

The working group would be advised by a steering committee established within the Department of Commerce. The steering committee would consist of personnel from outside of the government, including experts from both the tech sector and other industrial sectors that could benefit from the use of IOT. The steering committee is tasked with looking at (among other things) three security related issues relating to IOT {§4(e)(2)(C)}:

• Promote or are related to the privacy of individuals who use or are affected by IOT;
• May enhance the security of IOT; and
• May protect users of IOT.

Moving Forward


Early action on S 88 in committee would seem to indicate that Fischer has the support of the Chair in proceeding with moving S 88 to the floor of the Senate. Whether or not that support will be enough to actually get the bill to the floor remains to be seen. With no funding or new regulations being authorized by the bill, there should be no impediment to this bill being passed in either house if it is actually considered. In the Senate, this bill would probably be considered under the unanimous consent provisions.

Commentary


There have been subtle changes in the wording of this bill with respect to the cybersecurity challenges associated with IOT. Whether or not those changes have any real effect on the recommendations that are made to Congress as a result of the studies required in this bill remains to be seen.

I am still concerned that the relatively minor mentions of IOT security in this bill reflect a gross misapprehension of the problems that we have already seen with IOT security issues. There is no mention, for example, in the rather extensive findings section of the bill about how some recent denial of service attacks have utilized botnets that consist mainly of inadequately secured IOT devices.

I am also concerned that ICS-CERT is not specifically mentioned in the list of agencies to be represented in the working group. While DHS is listed, ICS-CERT (the only agency specifically working on security issues for IOT type devices) is not listed. The Department of Commerce listing, on the other hand, specifically includes three technical agencies (NTIA, NIST, and NOAA) from the Department.


The lack of funding also concerns me. The committee report on S 2607 (S Rept 114-364) last session contained the mandatory report from the Congressional Budget Office on the cost of the legislation. The CBO estimated that the working group and steering group would incur administrative costs of about $3 million (pg 5). That money would come from the budgets of the agencies involved in the activity. While $3 million is chump change in the federal government, it does have to come from somewhere, and failing to account for that spending in bills like this is political sleight-of-hand at best and dishonest accounting in practice.

Monday, January 23, 2017

Committee Hearings – Week of 1-22-17

This will be a very short (two-day) week for both the House and Senate and there will be relatively few congressional hearings as a result. Most of the scheduled hearings in the House will be organizational in nature and will include the Appropriations Committee and the Energy and Commerce Committee. Most of the scheduled hearings in the Senate will be confirmation hearings. There is one markup hearing scheduled in the Senate that may be of specific interest to readers of this blog.

The Senate Commerce, Science and Technology Committee will hold a markup hearing tomorrow. In addition to voting on the nomination of Elaine Chao to be the Secretary for the Department of Transportation, the Committee will markup a number of bills, including S 88, the Developing Innovation and Growing the Internet of Things Act or “DIGIT Act”.

The GPO has not yet published an official copy of this bill (probably today or tomorrow) so I have not yet posted my review of the bill. The Committee web site does include a link to the Committee draft of the bill. As expected, it is quite similar to the version of S 2607 that was reported out of the same Committee last session. That bill never made it to the floor for a vote.

A quick review of the Committee draft does show that there has been a minor cybersecurity provision added to the bill, but it is only found in the portion of the bill that deals with Federal agency use of IOT devices. More on that when I see the official version of the bill.

Monday, September 12, 2016

Congressional Hearings – Week of 9-11-16

This week with both the House and Senate in town there will be two cybersecurity related hearings that may be of specific interest to readers of this blog. Those two hearings address information sharing and encryption.

Cybersecurity Markup


On Tuesday the House Homeland Security Committee will be holding a markup hearing that will cover a number of bills. Of specific interest will be HR 5459, the Cyber Preparedness Act of 2016. Substitute language for that bill will be considered. That substitute does include the ‘missing’ definition of ‘cybersecurity risk’, taking it from 6 USC 148(a)(1). Unfortunately, that definition still uses the limited definition of ‘information system’ from 44 USC 3502(8). Thus there is still no authority provided for sharing information about control system security issues.

Encryption


The Senate Armed Services Committee will be holding a hearing on Tuesday looking at Encryption and Cyber Matters. There may be a closed session at the end of the public portion of the hearing. The witness list includes:

• Marcell J. Lettre II, Under Secretary Of Defense For Intelligence; and
• Michael S. Rogers, United States Cyber Command

On the Floor

There is one cyber related bill that will be taken up in the House today under their suspension of the rules process. House Resolution 847 addresses the perceived need for a national strategy for the Internet of Things to promote economic growth and consumer empowerment. This resolution was introduced last week, but I have not posted a review because it does not include a single mention of cybersecurity concerns. Since today’s consideration will not include an amendment process, the resolution will be published without this critical area being considered. Fortunately, nothing more will come from this action, this being only a symbolic resolution.


There are news reports (for example) that we could see a continuing resolution coming out of the Senate this week. There will be lots of political gaming going on in the lead up to the Senate vote and the subsequent House vote (if it passes in the Senate).

Thursday, September 8, 2016

Bills Introduced – 09-07-16

Yesterday with both the House and Senate in session, 20 bills were introduced. Of those, four may be of specific interest to readers of this blog:

HR 5943 To amend the Implementing Recommendations of the 9/11 Commission Act of 2007 to clarify certain allowable uses of funds for public transportation security assistance grants and establish periods of performance for such grants, and for other purposes. Rep. Donovan, Daniel M., Jr. [R-NY-11] 

HR 5944 To amend title 49, United States Code, with respect to certain grant assurances, and for other purposes. Rep. Upton, Fred [R-MI-6]

H Res 847 Expressing the sense of the House of Representatives about a national strategy for the Internet of Things to promote economic growth and consumer empowerment. Rep. Lance, Leonard [R-NJ-7]

S 3295 A bill to authorize the Secretary of Homeland Security to work with cybersecurity consortia for training, and for other purposes. Sen. Cornyn, John [R-TX] 

The first two House bills will be of interest here only if they deal with chemical transportation safety or security issues.

H Res 847 may be a companion resolution to S Res 110 introduced last March by Sen. Fischer.


S 3295 may be a companion bill to HR 4743 that was passed in the House with only three dissenting votes.

Tuesday, June 28, 2016

Committee Hearings – Week of 6-26-16

This week only the Senate is in Washington; the House has already started their long 4th of July weekend. There are two hearings of potential interest to readers of this blog; both dealing with cybersecurity issues.

IOT and Transportation


The first hearing will be conducted this morning by the Senate Commerce, Science and Transportation Committee on “How the Internet of Things (IoT) Can Bring U.S. Transportation and Infrastructure into the 21st Century”. The witness list includes:

• Carlos Monje, DOT
• Seleta Reynolds, Los Angeles Department of Transportation
• Jordan Kass, C.H. Robinson
• Doug Davis, Intel Corporation
• Robert Edelstein, AECOM

Cybersecurity issues may be (hopefully) raised during this hearing.

DOD – Cybersecurity and Encryption
The Senate Armed Services Committee will be holding a hearing on Thursday on “National Security Cyber and Encryption Challenges”. This is a closed hearing so we will probably hear nothing about the actual discussion here. Admiral Rogers is currently the only scheduled witness for this hearing.