July 7, 2021
In December 2020, news broke that Russian state-backed hackers had gained access to the computer systems of several US government agencies, including the Treasury and Commerce Departments, by compromising the build process of a third-party network monitoring vendor (SolarWinds) and shipping a trojanized update to its customers through the vendor's normal, signed update channel. The attack sent shockwaves through the federal government, culminating in an emergency meeting of the U.S. National Security Council, and highlighted the massive threat that compromised third-party software poses to otherwise secure systems: a single trusted update can carry an attacker past every perimeter defense a customer has built. In response, in May 2021 President Biden issued Executive Order 14028, "Improving the Nation's Cybersecurity," a set of directives that, among other measures, aims to establish minimum labeling and evaluation criteria for software purchased by the federal government.
However, the order's relevance extends far beyond the federal government. Many of the largest government software contracts go to companies like Amazon, Google, Microsoft, and IBM for cloud solutions, analytics, and even communications platforms, and these companies provide many similar or identical services to private firms and consumers, so a standard imposed through government purchasing tends to reach the commercial versions of the same products. As critical infrastructure, both federal and commercial, becomes a frequent ransomware target of criminal groups and international adversaries, the federal government has turned its attention back to debates over private sector cybersecurity standards.
With this executive order, President Biden has acknowledged the need for standardized regulation, information, oversight, and consumer protections created by the rapid proliferation of commercially available IoT technology and software. The evolution of this market, and the security vulnerabilities its products pose to private individuals, corporations, and U.S. national security, necessitate the creation of some regulatory framework. In response, the order seeks to push IoT device makers and software providers to adopt security standards and labeling requirements. The intent of these requirements is to better inform consumers and better protect devices throughout the private market.
The Biden administration intends for the requirements included in the order to force companies interested in securing lucrative government contracts to conform to a general set of standards. Many of the same products used by the federal government, including appliances, cameras, smart devices, storage, and televisions, are available directly to consumers. Increasingly, commercially available technology and software products are tasked with safeguarding the personal information and commercial interests of American citizens. Over 65% of American homes have at least one IoT device, frequently a smart TV, streaming device, or wearable. Federal employees are also consumers outside of their government work, and many of the same IoT products are used privately by elected and appointed US officials, so a weak consumer device can become a path into a sensitive environment.
The prevalence of these devices and the amount of data they collect on users present a tempting target to cyber adversaries. Medical IoT is a massive industry tasked with maintaining individual vital data, remote patient monitoring, and telehealth services; in the financial industry, telematics and smart-home sensors feed insurers and lenders detailed data about homes and vehicles; and the Internet of Payments allows IoT devices to store and communicate financial information. Ultimately, IoT networks are both a vulnerability and a target. Not only do they present numerous third-party entry points into critical systems, they also offer a trove of personal data that hackers can sell, profit from, or use to gain intelligence about individual or group behavior. The administration hopes that labeling will help consumers identify and choose secure devices, rewarding companies that comply with higher cybersecurity standards, encouraging wide adoption of those standards across the private market, and better protecting business networks and consumer privacy.
Using the incentive of government contracts to galvanize improvements in private sector cybersecurity standards is hardly a novel concept. In 2013, President Obama issued Executive Order 13636, which tasked the National Institute of Standards and Technology (NIST) with developing a set of cybersecurity best practices, published in 2014 as the NIST Cybersecurity Framework, to protect critical infrastructure sectors such as communications, energy, and information technology. Like President Biden's recent executive order, the measure had no binding authority on private companies. However, government agencies adopted policies requiring contractors that would handle sensitive information to meet minimum NIST cybersecurity standards; the Department of Defense, for example, wrote a contract clause requiring contractors that handle controlled unclassified information to implement the controls in NIST SP 800-171. This gradually pushed companies seeking federal contracts in certain sectors, particularly defense, to adopt better security practices.
In his order, President Biden attempts two major updates to federal cybersecurity standards and regulations. In Section 4, which addresses software supply chain security, he tasks the Secretary of Commerce, acting through NIST, with identifying security criteria for a consumer IoT labeling program and for a software labeling program. These criteria are to include a baseline level of security practices together with an indication of the increasingly rigorous levels of testing and assessment a product has undergone. In Section 5, the President establishes the Cyber Safety Review Board, housed in the Department of Homeland Security, to bring together representatives from relevant agencies and the private sector to review significant cyber incidents and issue recommendations for improving cybersecurity. As the board was not established by Congressional action, it lacks the subpoena, regulatory, and oversight powers of a true industry board. However, this innovative step acknowledges the growing importance of cyber and technology as a segment of the U.S. consumer economy. This differentiates it from previous public-private cybersecurity partnerships, which tended to focus reactively on information sharing and response for major cyber incidents at the federal level rather than addressing the security of products on the market.
In light of Congress's general hesitancy to fast track legislation on technology regulation during recent sessions, an executive order provided the Biden administration with a way to quickly address the largest gaps in IoT and software security, albeit with a very broad brush. However, executive action alone is not enough. Executive orders have extremely limited authority beyond the operations of the federal government, and, while financial incentives are a powerful motivator, not every third-party software company will feel the need to compete for government business or to meet any NIST labeling criteria. As a result, only a fraction of software companies in the consumer space are likely to adhere to labeling recommendations. In order to fully enact consumer protections, Congress must use its regulatory authority over the private sector to pass a broad set of binding cybersecurity standards.
The prospects of comprehensive legislative action are mixed. Cybersecurity bills have received varied receptions in Congress. Despite a general spirit of bipartisanship on most cyber policy, passing a broad bill on cybersecurity standards in the private sector has proven incredibly difficult over the past two decades. In recent years, hundreds of cybersecurity bills have been introduced or reintroduced in Congress, with a significant uptick in the latest session. Many of these high-profile bills have fallen short of becoming law: notably, the Cybersecurity Act of 2012 and the Compliance with Court Orders Act of 2016 (a draft bill that would have compelled companies to decrypt data on court order) stalled amid intense debate. Even the benchmark success, an IoT security bill that cleared both chambers in November 2020, took three years and several iterations to satisfy lawmakers and private interests.
The IoT Cybersecurity Improvement Act, first introduced in 2017 by Senators Mark Warner (D-Va.) and Cory Gardner (R-Colo.) and signed into law in December 2020, was the most notable attempt in recent years to extend federal tech standards to the private sector. The law directed NIST to develop standards and guidelines for the federal government's use of IoT devices, covering secure development, identity management, patching, and configuration management, and barred agencies from procuring devices that do not meet them. Proponents saw it as a way to use government contracts and the power of the federal purse to incentivize the private sector to adopt consumer-friendly standards and baseline security practices. However, in the same vein as President Biden's executive order, the law does nothing to compel the swathe of private firms with no interest in pursuing government contracts, and is likely to cause only a relatively minor shift in the consumer market.
While neither the IoT Cybersecurity Act nor President Biden’s executive order have any binding authority over the consumer market, the bipartisan success of Senator Warner’s bill and the recent high-profile cybersecurity incidents affecting Colonial Pipeline and JBS indicate that now may be the time for Congress to take the next step in cyber regulation.
The extent to which consumers must place their trust in IoT products and software developers requires a regulatory standard to relay the level of protection customers can expect and oversight to ensure this trust is not abused. President Biden took as proactive a step towards this reality as executive powers permit—the ball is now firmly in Congress’s court to finish the job.