On August 1, 2017, the Senate introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”, which aims to bolster the security of government-acquired IoT devices.  Sponsored by Sens. Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-OR), and Steve Daines (R-MT), the bill would require connected devices purchased by the government agencies to be patchable, rely on industry standard protocols, not use hard-coded passwords, and not contain any known security vulnerabilities.

The bill would also require each executive level agency head to inventory all connected devices used by the agency.  OMB and DHS would establish guidelines for the agencies based on DHS’s Continuous Diagnostics and Mitigation (CDM) program.  Specifically, the bill directs OMB to develop alternative network-level security requirements for devise within limited data process and software functionality.  It also directs DHS to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.  Finally, researchers would be exempted from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaging in good-faith research pursuant to adopted coordinated vulnerability disclosure guidelines.

This legislation follows calls for more security and standards addressing IoT devices to further safeguard information from potential attacks. For example, the Government Accountability Office (GAO) recently recommended that the Department of Defense update its policies to address IoT risks that leave them vulnerable to attacks.  In addition, Trump’s executive order on cybersecurity called for reports with recommendations to reduce the threat of botnets and other automated distributed attacks.

In a press release, Senator Warner, co-chair of the Senate Cybersecurity Caucus (SCC), states that the bill would provide “thorough, yet flexible guidelines for Federal Government procurements of connected devices.”  In the same statement, the SCC’s co-chair, Sen. Garner, states the bill would “ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems.”

To view the introduced legislation, click here.

To view the public statement, click here.

To view the fact sheet summary, click here.

Today, on June 1, 2017, China’s new cybersecurity law, entitled the “Network Security Law”, goes into effect.  The law was passed in November 2016.  It now becomes legally mandatory for “network operators” and “providers of network products and services” to: (a) follow certain personal information protection obligations, including notice and consent requirements; (b) for network operators to implement certain cybersecurity practices, such as designating personnel to be responsible for cybersecurity, and adopting contingency plans for cybersecurity incidents; and (c) for providers of networks.

The law focuses on protecting personal information and individual privacy, and standardizes the collection and usage of personal information. Companies will now be required to introduce data protection measures, and sensitive data (e.g., information on Chinese citizens or relating to national security) must be stored on domestic servers.  Users now have the right to ask service providers to delete their information if such information is abused.  In some cases, firms will need to undergo a security review before moving data out of China. One of the challenges is that the government has been unclear on what would be considered “important or sensitive data”, and which products may fall under the “national security” definition.

Penalties vary, but can include (1) a warning, injunction order to correct the violation, confiscation of proceeds and/or a fine (typically ranging up to $1 million Chinese yuan (~$147,000); (2) personal fines for directly responsible persons up to $100,000 Chinese yuan (~$14,700); and (3) under some circumstances, suspensions or shutdowns of offending websites and businesses and revocations of operating permits and business licenses. Such sanctions would take into account the degree of harm and the amount of illegal gains. (Fines could include up to five times the amount of those ill-gotten gains).

While draft implementing regulations and a draft technical guidance document have been circulated by the Cyber Administration (China’s internet regulator) the final versions of these documents are still forthcoming.  These documents are expected to clarify obligations regarding restrictions on cross-border transfers of “personal information” and “important information”, including a notice and consent obligation. They may also include procedures and standards for “security assessments”, which are necessary to continue cross-border transfers of personal information and “important information”.  Under the draft regulation, “network operators” would not be required to comply with the cross-border transfer requirements until December 31, 2018.  It is expected that the final draft will contain a similar grace period.

Although large multinational corporations are typically accustomed to adapting to new laws and regulations in various countries and are already accustomed to tight internet and content controls in China, there remains concern about the potential cost impacts as well as the enforcement risk of the ambiguous language.  It is also unclear on whether the new law may alienate small or medium sized businesses otherwise looking to enter the Chinese market.  While Beijing is touting the law as a welcome milestone in data privacy, companies both large and small are concerned that the law is both vague and exceptionally broad, thus potentially putting companies at undue risk of regulatory enforcement unrelated to cybersecurity.

For an official press release from the state run website, China Daily, on May 31, 2017, click here.