Expanding the Research Exemptions Provided by the Internet of Things Cybersecurity Improvement Act
By: James H. Loving
Earlier this month, Senators Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-OR) and Steve Daines (R-MT) introduced the Internet of Things Cybersecurity Improvement Act of 2017, which is intended to bolster the security of Internet-connected devices acquired by the US Government. This bill adds several sensible requirements for these devices. The device must be certified as free of known vulnerabilities, it must accept authenticated updates from the manufacturer, and its network traffic must be encrypted. These requirements have been generally well received.
This bill also adds security research exemptions to both the Computer Fraud and Abuse Act (18 U.S. Code § 1030) and the Digital Millennium Copyright Act (17 U.S. Code § 1203-1204), which currently stymie security research. The CFAA forbids “exceed[ing] authorized access,” a phrase whose interpretation has criminalized many forms of security research. The DMCA, by penalizing the mitigation of copyright protection mechanisms (e.g., encryption), similarly prevents many forms of security research. While the DMCA has an established process for exemptions through the Library of Congress, such exemptions are limited and temporary.
However, the bill’s exemptions are limited to penetration testing of devices purchased by the US Government. As excerpted below, the bill’s exemptions have two requirements:
(1) in good faith, engaged in researching the cybersecurity of an Internet-connected device of the class, model, or type provided by a contractor to a department or agency of the United States; and
(2) acted in compliance with the guidelines required to be issued by the National Protection and Programs Directorate, and adopted by the contractor described in paragraph (1), under section 3(b) of the Internet of Things (IoT) Cybersecurity Improvement Act of 2017.
This first requirement is unduly focused. First, by applying this bill only to “physical object[s],” it disfavors much of the federal information infrastructure. For example, a database software suite – which might later contain the personal information of millions of US citizens – would not be covered, despite the fact that the sensors and other devices feeding into that database would be. Second, by requiring that the devices be “in regular connection with the Internet,” the bill may fail to cover, e.g., electronic voting machines; these machines could never, or only rarely, connect to the Internet, and thus security research may not be exempted. (Voting machines are currently under a two-year exemption to the DMCA, but CFAA barriers remain.) Third, it doesn’t cover employees’ personally-owned devices, as pointed out by Nicholas Weaver. Exploiting these devices is potentially as harmful as compromising official systems, as high-profile incidents over the past few years have demonstrated.
Moreover, these exemptions miss an opportunity to improve overall Internet security. The majority of Internet infrastructure is commercial, neither purchased nor administered by the US Government. Similarly, the Internet of Things is generally private – industrial sensors, home automation, etc. By focusing exclusively on federal acquisitions, this bill does little to improve the security of the Internet or even Internet of Things devices. More general research exemptions will improve security, as demonstrated by the recent surge in research into automobile, medical device, and voting machine security – all of which are currently, and temporarily, excluded from the DMCA for security research purposes.
By expanding the security research exemptions to cover all responsible, good faith research of Internet-connected devices and software, the Internet of Things Cybersecurity Improvement Act of 2017 would improve the long-term security of the Internet and better accomplish its goal of securing federal acquisitions.
James Loving is a public sector security engineer and a research affiliate with the Massachusetts Institute of Technology (MIT) Internet Policy Research Initiative. His research interests include security and privacy in the Internet of Things and the intersection of Internet and international security. He holds M.S.’s from MIT in Computer Science and the Technology and Policy Program and B.S.’s from Florida State University in Computer Criminology and International Affairs with Honors. He currently serves as a Signal Officer in the Army National Guard. His views are his own.