Page 30 - SMRH Eye on Privacy 2019 Year in Review Brochure

Feds Want New IoT Guidance to Address Security Vulnerabilities
Posted on May 22, 2019
“Internet of Things” devices are listening. And now the federal government is taking notice. As we reported in our Government Contracts and Investigations blog, to date, federal cybersecurity regulations for government contractors focus on implementing safeguards to protect sensitive government data. A gap has emerged where the federal government purchases IoT devices. Those devices collect and send data online, and are thus susceptible to hacking and listening in. Proposed legislation recently introduced in both the Senate (S.734) and the House (H.R. 1668) calls for new information security standards to manage these cybersecurity risks. This legislation would affect a wide range of IoT devices, i.e., devices connected to the internet that are not a “general purpose computing device.”
This legislation calls on the National Institute of Standards and Technology to take several actions. First is to review how companies can manage IoT cybersecurity risks. The review should be done by September 30, 2019 and cover, at a minimum, several key elements. These include identity management and patching. They also include secure development and configuration management. Second, the legislation calls on NIST to recommend minimum information security requirements for managing IoT cybersecurity risks. The deadline under the legislation for this is March 31, 2020. Third, the new legislation calls on NIST to publish guidance relating to sharing security vulnerabilities relating to devices used by the federal government. Part of this is sharing potential fixes to those security vulnerabilities.
While not directly related to the proposed legislation, NIST has published a preliminary draft practice guide on Securing Small Business and Home Internet of Things Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description. The comment period for this draft guide ends June 24, 2019.
PUTTING IT INTO PRACTICE: While still in the early stages, if the legislation passes, agencies will eventually be prohibited from acquiring or using devices from any contractor or vendor that does not have appropriate safeguards in place. This will likely impact all companies that make IoT devices. The impact may be direct, where an organization provides these devices to the federal government, or indirect, where an organization may use the NIST standards as a baseline for the security of its devices.
Utah Requires Law Enforcement Search Warrants
Posted on May 14, 2019
Effective this week, law enforcement in Utah will need a search warrant to obtain certain electronic records. The new state legislation looks to expand privacy protections for content that consumers store online. Generally, the third-party doctrine limits the protection this type of information receives under Fourth Amendment protections against unreasonable searches and seizures. The rationale is that individuals have already voluntarily disclosed this information to the service provider and, thus, have no reasonable expectation of privacy in that information. This new law seeks to chip away at the third-party doctrine, as consumers are putting more and more of their personal information online in the hands of service providers with the expectation that the information will stay private. What this means in practice is that state and local law enforcement in Utah will need to meet a greater burden of proof to access this content. If you are a service provider, you may want to take another look at any legal process you receive from Utah law enforcement. The legislation does leave several exceptions to the new warrant requirement, including the ability for providers to voluntarily release information to law enforcement in certain circumstances and to allow for subpoena requests from law enforcement for a “subscriber record.”
PUTTING IT INTO PRACTICE: ISPs and those who receive requests from law enforcement for electronic records should keep in mind the new restrictions under this Utah law.