[Senate Hearing 116-356]
[From the U.S. Government Publishing Office]








                                                        S. Hrg. 116-356

                    STRENGTHENING THE CYBERSECURITY 
                       OF THE INTERNET OF THINGS

=======================================================================

                                HEARING

                               before the

                        SUBCOMMITTEE ON SECURITY

                                 of the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 30, 2019

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation
                             
                             
                             
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                             
                             
                             
                             
                             
                             

                Available online: http://www.govinfo.gov 
                             _________
                              
                 U.S. GOVERNMENT PUBLISHING OFFICE
                 
42-448 PDF               WASHINGTON : 2023 
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                  ROGER WICKER, Mississippi, Chairman
JOHN THUNE, South Dakota             MARIA CANTWELL, Washington, 
ROY BLUNT, Missouri                      Ranking
TED CRUZ, Texas                      AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska                RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas                  BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska                 EDWARD MARKEY, Massachusetts
CORY GARDNER, Colorado               TOM UDALL, New Mexico
MARSHA BLACKBURN, Tennessee          GARY PETERS, Michigan
SHELLEY MOORE CAPITO, West Virginia  TAMMY BALDWIN, Wisconsin
MIKE LEE, Utah                       TAMMY DUCKWORTH, Illinois
RON JOHNSON, Wisconsin               JON TESTER, Montana
TODD YOUNG, Indiana                  KYRSTEN SINEMA, Arizona
RICK SCOTT, Florida                  JACKY ROSEN, Nevada
                       John Keast, Staff Director
                  Crystal Tully, Deputy Staff Director
                      Steven Wall, General Counsel
                 Kim Lipsky, Democratic Staff Director
              Chris Day, Democratic Deputy Staff Director
                      Renae Black, Senior Counsel
                                 ------                                

                        SUBCOMMITTEE ON SECURITY

DAN SULLIVAN, Alaska, Chairman       EDWARD MARKEY, Massachusetts, 
ROY BLUNT, Missouri                      Ranking
TED CRUZ, Texas,                     AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska                RICHARD BLUMENTHAL, Connecticut
MARSHA BLACKBURN, Tennessee          BRIAN SCHATZ, Hawaii
MIKE LEE, Utah                       TOM UDALL, New Mexico
RON JOHNSON, Wisconsin               TAMMY DUCKWORTH, Illinois
TODD YOUNG, Indiana                  KYRSTEN SINEMA, Arizona
RICK SCOTT, Florida                  JACKY ROSEN, Nevada   






















                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on April 30, 2019...................................     1
Statement of Senator Sullivan....................................     1
Statement of Senator Markey......................................     2
Statement of Senator Scott.......................................    82
Statement of Senator Sinema......................................    84
Statement of Senator Fischer.....................................    86
Statement of Senator Blumenthal..................................    91
Statement of Senator Klobuchar...................................    93
Statement of Senator Cantwell....................................    95
Statement of Senator Moran.......................................    97

                               Witnesses

Charles H. Romine, Ph.D., Director, Information Technology 
  Laboratory, National Institute of Standards and Technology, 
  United States Department of Commerce...........................     4
    Prepared statement...........................................     6
Matthew J. Eggers, Vice President, Cybersecurity Policy, U.S. 
  Chamber of Commerce............................................    11
    Prepared statement...........................................    12
Robert Mayer, Senior Vice President for Cybersecurity, 
  USTelecom--The Broadband Association...........................    16
    Prepared statement...........................................    18
Michael Bergman, Vice President, Technology and Standards, 
  Consumer Technology Association................................    67
    Prepared statement...........................................    68
Harley Geiger, Director of Public Policy, Rapid7.................    71
    Prepared statement...........................................    73

                                Appendix

Response to written questions submitted to Charles H. Romine, 
  Ph.D. by:
    Hon. Roger Wicker............................................   109
    Hon. Jerry Moran.............................................   109
    Hon. Todd Young..............................................   110
    Hon. Amy Klobuchar...........................................   111
Response to written questions submitted to Matthew Eggers by:
    Hon. Roger Wicker............................................   111
Response to written question submitted to Robert Mayer by:
    Hon. Roger Wicker............................................   112
    Hon. Todd Young..............................................   113
    Hon. Amy Klobuchar...........................................   113
Response to written questions submitted to Michael Bergman by:
    Hon. Roger Wicker............................................   114
    Hon. Jerry Moran.............................................   116
    Hon. Todd Young..............................................   117
Response to written questions submitted to Harley Geiger by:
    Hon. Roger Wicker............................................   118
    Hon. Jerry Moran.............................................   118

 
                    STRENGTHENING THE CYBERSECURITY 
                       OF THE INTERNET OF THINGS

                              ----------                              


                        TUESDAY, APRIL 30, 2019

                               U.S. Senate,
                          Subcommittee on Security,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:30 p.m., in 
room SD-562, Dirksen Senate Office Building, Hon. Dan Sullivan, 
Chairman of the Subcommittee, presiding.
    Present: Senators Sullivan [presiding], Fischer, Moran, 
Young, Scott, Markey, Cantwell, Klobuchar, Blumenthal, Sinema, 
and Rosen.

            OPENING STATEMENT OF HON. DAN SULLIVAN, 
                    U.S. SENATOR FROM ALASKA

    Senator Sullivan. The Subcommittee on Security will now 
come to order.
    In our increasingly interconnected world, the devices and 
systems that make up the Internet of Things deliver substantial 
benefit to end users. By the year 2020, the number of connected 
devices may exceed 50 billion, offering a wide range of new 
capabilities for consumer products, including everything from 
home appliances to medical devices to industrial control 
systems. However, these new technologies are susceptible to 
unprecedented security challenges that are becoming apparent, 
increasingly, day by day.
    Cybercrime and cyber espionage have serious impacts on 
consumers and companies, including damage to company 
performance, trade, competitiveness, and innovation for our 
country, writ large. In recent years, cybercrime has been 
estimated to cost the global economy anywhere from $375 to $575 
billion annually. As we discussed in the Subcommittee's 
inaugural hearing, China is a major player in cyber espionage, 
and this activity continues against U.S. companies, going 
largely unabated, despite Chinese government-level assurances 
that they are going to discontinue these kind of activities, 
another area of what I refer to as ``promise fatigue,'' where 
we get commitments from China, year after year, decade after 
decade, and they don't follow through on any of them. ``Promise 
fatigue.'' These state-driven cyberattacks give Chinese 
enterprises an edge in international deals, specifically to 
obtain information related to bid prices, contracts, and 
mergers and acquisitions, let alone the damage this does to our 
own national security. It has been estimated that China was the 
number-one source for Internet of Things attacks in 2018, 
responsible for 24 percent of the average 5,200 monthly attacks 
on U.S. cybersecurity firm Symantec's IoT honeypot. Last year 
alone, U.S. authorities issued 19 indictments related to 
Chinese cyber espionage in the most recent year.
    One of the largest Internet of Things cyberattacks was 
recently prosecuted in my home State of Alaska. In October 
2016, the Mirai botnet was used in a large-scale attack by 
enslaving poorly secured IoT devices, like wireless routers and 
security cameras, including devices in Alaska, and using the 
devices to bombard the servers of target companies, preventing 
many users from accessing major websites, including Amazon, 
Spotify, Reddit, and Twitter. While the authors and 
perpetrators of the attack have been identified and prosecuted, 
it was not before the release of the source code online 
spawning dozens of copycat and potential causes to Internet 
outages through manipulation of unsecured Internet of Things 
devices. Sound security practices must keep pace with the 
expansion of the Internet of Things in order to mitigate these 
threats.
    Over the last few years, the Commerce Committee has 
supported the public/private partnership approach to 
cybersecurity, including the enactment of the Cybersecurity 
Enhancement Act, to provide for the development of voluntary--
of a voluntary framework to reduce cyber risk to critical 
infrastructure, as well as Senate passage of the DIGIT Act to 
establish a working group to focus on how to plan for and 
encourage the growth of Internet of Things.
    This hearing, as part of an oversight hearing, will serve 
to emphasize the value in continued public/private partnership 
collaboration to advance our shared interests in strengthening 
cybersecurity as well as the value in fostering cybersecurity 
standards that are voluntary, flexible, performance-based, and 
cost-effective. We'll be hearing from both government and 
industry stakeholders to examine the security threats and 
challenges and ways to incentivize building more cybersecurity 
by design into connected devices and the networks that support 
them.
    With that, I want to thank our witnesses for being here 
today. I look forward to hearing their thoughts on these 
important issues.
    And I now recognize Ranking Member Markey for any opening 
statements he may have.

               STATEMENT OF HON. EDWARD MARKEY, 
                U.S. SENATOR FROM MASSACHUSETTS

    Senator Markey. Yes. And again, thank you, Mr. Chairman. 
Thank you for this very important hearing and phenomenal panel 
which you have put together, and the subject matter that we are 
going to consider.
    Cybersecurity has become one of the most critical security, 
economic, and privacy issues facing our Nation, but it's 
certainly not a new threat. As the Chairman of the House 
Subcommittee on Telecommunications back in 1993, I convened two 
hearings to explore what I called at the time ``the sinister 
side of cyberspace.'' Cybersecurity was then an issue which was 
of great concern. At those hearings, we saw how an ordinary 
cellular telephone could be reprogrammed to become a scanner 
capable of eavesdropping on other people's phone calls by just 
turning it over and switching a few wires and then listening to 
the cellphone calls of Congressmen in the Rayburn Building in 
1993. We saw a videotape of how Dutch hackers broke into the 
Pacific Fleet Command and the Kennedy Space Center from a 
computer terminal in Amsterdam in 1993.
    But, that was back in the old days. That was before 
Facebook and WikiLeaks, when only birds tweeted. That was the 
BF era, the Before Facebook era. We're now in an era which is 
so much more dangerous than that now seemingly prosaic era that 
I am referring to as dangerous, as it was at that time, even 
when it was clear that developing a national policy for 
cybersecurity was of fundamental importance for the future of 
our national networks, our competitiveness internationally, and 
our constituents' safety and security at home. So, it's not a 
new issue.
    Now, is the opportunity to develop that national policy. 
And I thank you, Mr. Chairman, because, as this committee 
begins shaping a national privacy law, we must include a robust 
cybersecurity regime that truly protects the American public, 
our industries, and government institutions from ``the sinister 
side of cyberspace.'' We can, and we should, give people a 
privacy bill of rights, providing people the right to tell 
companies that they cannot share or sell their personal 
information without consent.
    But, you can't truly have privacy without ensuring your 
personal information is protected from hackers. And there is no 
better place to begin exploring what the cybersecurity regime 
should look like than discussing cybersecurity protections for 
the Internet of Things, or IoT. Because we know that North 
Korean, Russian, Chinese hackers want to infiltrate our 
networks and our own devices, so we need to know how we can 
stop it. But, we also need to know how we stop domestic hackers 
from compromising the information of Americans, as well. 
Because there's no question that, while IoT holds the promise 
of revolutionizing the way we live and we work, that we should 
also be wary, because IoT also stands for the Internet of 
Threats, which operates simultaneously. With as many as, as the 
Chairman said, tens of billions of IoT devices--Internet-
connected thermostats, refrigerators, baby monitors, to name a 
few--projected to be in our pockets, cars, homes by 2020, cyber 
vulnerabilities will continue to pose a direct threat to 
economic prosperity, privacy, and our Nation's security.
    In 2016, for example, hostile actors launched a massive 
denial-of-service attack, where hundreds of thousands of hacked 
IoT devices--cameras, baby monitors, and home routers--were 
commandeered and used to send overwhelming streams of Internet 
traffic to core parts of the Internet's infrastructure. 
Ultimately, several major websites were disrupted, including 
Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, and the New 
York Times. Recently, the Washington Post reported on a 
troubling case, where hackers accessed an Internet-connected 
baby monitor and used the device's speaker to beam pornographic 
audio into a 3-year-old's bedroom. Cyber criminals were even 
able to access a casino's high-roller database by hacking an 
Internet-connected thermometer in a fish tank, granting them 
access to the casino's network. There is clearly a Dickensian 
quality to the Internet.
    And IoT devices--and it's the best of Wi-Fi and the worst 
of Wi-Fi simultaneously--it can enable, it can ennoble, it can 
degrade, it can debase. We're here today to find out how we 
stop the degrading and debasing of this system. And that's why 
I'm so excited, Mr. Chairman, for the opportunity to explore 
these opportunities to enhance our cyber defenses, including 
discussing my Cyber Shield Act, legislation that would create a 
voluntary cybersecurity certification program for IoT devices.
    I want to thank the witnesses for testifying, and you, Mr. 
Chairman, for this very important hearing.
    Senator Sullivan. Great. Well, thank you, Senator Markey.
    And we have votes, here, so we're going to be doing a 
little bit of a dance to make sure we continue the hearing as 
we go to vote.
    But, I do want to welcome our witnesses here. We have a 
great group of witnesses on an issue that I think the entire 
country is focused on and we, in the Congress, need to get our 
arms around: Mr. Charles Romine, Director of Information 
Technology Laboratory, the National Institutes of Standards and 
Technology; Matthew Eggers, the Vice President of Cybersecurity 
Policy at the U.S. Chamber of Commerce; Mr. Robert Mayer, the 
Senior Vice President for Cybersecurity, USTelecom, for The 
Broadband Association; Mr. Michael Bergman, Vice President of 
Technology and Standards for the Consumer Technology 
Association; and Mr. Harley Geiger, Director of Public Policy, 
Rapid7. Is that correct?
    So, thank you. I will ask each of you to present your oral 
testimony in 5 minutes or less. And, of course, a longer 
written statement will be included for the record.
    Mr. Romine, we'll begin with you, sir.

        STATEMENT OF CHARLES H. ROMINE, Ph.D., DIRECTOR,

               INFORMATION TECHNOLOGY LABORATORY,

        NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY,

              UNITED STATES DEPARTMENT OF COMMERCE

    Dr. Romine. Thank you. Chairman Sullivan, Ranking Member 
Markey, and members of the Subcommittee, I'm Charles Romine, 
the Director of the Information Technology Laboratory at the 
Department of Commerce's National Institute of Standards and 
Technology, or NIST. Thank you for the opportunity to testify 
today on strengthening the cybersecurity of the Internet of 
Things. Today, I will discuss NIST's role in cultivating trust 
in the security of the Internet of Things.
    In the area of cybersecurity, NIST has worked with Federal 
agencies, industry, and academia since 1972, when it helped 
develop and publish the data-encryption standard. Today, NIST's 
Cybersecurity for the Internet of Things Program supports the 
development and application of standards, guidelines, and 
related tools to improve the cybersecurity of connected devices 
and the environments in which they're deployed.
    In recognition of a critical cybersecurity gap, NIST 
released Draft NIST Interagency Report 8228, Considerations for 
Managing IoT Cybersecurity and Privacy Risks, in September 
2018. The purpose of this publication is to help organizations 
better understand and manage the cybersecurity and privacy 
risks associated with IoT devices throughout their life cycles. 
The publication provides insights to inform organizations' risk 
management processes.
    NIST also published the NIST Interagency Report 8200, which 
examines the current state of international cybersecurity 
standards development by voluntary consensus standards bodies 
for IoT. The report establishes a common understanding of IoT 
components, systems, and applications for which standards could 
be relevant.
    In May 2018, the Departments of Commerce and Homeland 
Security published the Report to the President on Enhancing the 
Resilience of the Internet and Communications Ecosystem Against 
Botnets and Other Automated Distributed Threats. The report 
called for the Federal Government to clearly delineate 
priorities for action, and a roadmap was later released to 
identify tasks and timelines for completion. The roadmap calls 
on NIST, in collaboration with stakeholders, to identify a core 
set of cybersecurity capabilities which can also be used to 
support sector-specific baselines, as needed, such as the 
Federal Government or home consumers.
    On February 4, 2019, NIST published a discussion draft to 
gather feedback to help identify core IoT cybersecurity 
capabilities that are most vital to IoT devices. NIST 
identified a critical gap area in guidance on baselines for IoT 
device cybersecurity. This paper presents one possible approach 
to developing guidelines--baselines.
    A critical NIST resource is NIST's National Vulnerability 
Data base, or NVD. The NVD is the U.S. Government repository of 
standards-based vulnerability management data. NIST receives 
publicly available vulnerability information, standardizes it 
for use in scanners and vulnerability identification and 
mediation tools, and provides analysis and metrics for 
vulnerability severity. IoT vulnerabilities are one type of 
many items that are collected, scored, and communicated in the 
NVD.
    NIST has initiated a process to solicit, evaluate, and 
standardize lightweight cryptographic algorithms that are 
suitable for use in constrained environments where the 
performance of current NIST cryptographic standards is not 
acceptable. Today, NIST is evaluating 56 potential lightweight 
encryption algorithms for use in these environments, and will 
start down--to down-select this initial set this year.
    NIST's National Cybersecurity Center of Excellence, the 
NCCoE, is a collaborative hub, where industry organizations, 
government agencies, and academic institutions work together to 
address businesses' most pressing cybersecurity issues. This 
public/private partnership enables the creation of practical 
cybersecurity solutions for specific industries as well as for 
broad cross-sector technology challenges. The NCCoE has many 
published practice guides, ongoing projects exploring 
solutions, and upcoming projects exploring new challenges and 
building communities of interest that all directly support the 
cybersecurity of the Internet of Things.
    In the healthcare space, the NCCoE previously published 
practice guides demonstrating an example solution for securing 
wireless infusion pumps that apply security controls to the 
pump's environment to create a defense-in-depth approach for 
protecting infusion pumps and their surrounding systems against 
various risk factors.
    In addition to these published example solutions, the NCCoE 
has three upcoming projects that address cybersecurity 
challenges seen in many IoT devices and environments:
    First, the Securing Picture Archive and Communication 
System Project is currently exploring solutions that allow 
healthcare delivery organizations to apply cybersecurity 
controls to their imaging systems.
    Second, the Securing Telehealth Remote Patient Monitoring 
Ecosystem Project will explore cybersecurity controls to 
protect remote-patient monitoring platforms, which commonly 
incorporate home medical devices that are part of the IoT.
    Third, the Consumer Home IoT Security Project will explore 
how specific devices, platforms, and/or software may provide 
additional cybersecurity to home IoT networks.
    Thank you for the opportunity to present NIST's activities 
on securing the Internet of Things. And I would be pleased to 
answer any questions that you may have.
    [The prepared statement of Dr. Romine follows:]

 Prepared Statement of Charles H. Romine, Ph.D., Director, Information 
Technology Laboratory, National Institute of Standards and Technology, 
                  United States Department of Commerce
    Chairman Sullivan, Ranking Member Markey, and Members of the 
Subcommittee, I am Charles Romine, the Director of the Information 
Technology Laboratory (ITL) at the Department of Commerce's National 
Institute of Standards and Technology (NIST). Thank you for the 
opportunity to testify today on Strengthening the Cybersecurity of the 
Internet of Things (IoT), which is of critical importance to the 
security and economic well-being of America.
    The rapid proliferation of internet-connected devices and rise of 
the IoT come with great anticipation. These newly connected devices 
bring the promise of enhanced business efficiencies and increased 
customer satisfaction. As the landscape of IoT continues to expand, it 
is vital to foster cybersecurity for devices and data in the IoT 
ecosystem, across industry sectors and at scale. Today I will discuss 
NIST's role in cultivating trust in the security of the Internet of 
Things.
NIST's Role in Cybersecurity
    Home to five Nobel Prizes, with programs focused on national 
priorities such as advanced manufacturing, the digital economy, 
precision metrology, quantum science, and biosciences, NIST's mission 
is to promote U.S. innovation and industrial competitiveness by 
advancing measurement science, standards, and technology in ways that 
enhance economic security and improve our quality of life.
    In the area of cybersecurity, NIST has worked with Federal 
agencies, industry, and academia since 1972, when it helped develop and 
published the data encryption standard, which enabled efficiencies like 
electronic banking that we all enjoy today. NIST's role is to provide 
technologies, approved tools, data references and testing methods to 
protect the Federal Government's information systems against threats to 
the confidentiality, integrity, and availability of information and 
services. This role was strengthened through the Computer Security Act 
of 1987 (Public Law 100-235), broadened through the Federal Information 
Security Management Act of 2002 (FISMA) (Public Law 107-347)\1\ and 
reaffirmed in the Federal Information Security Modernization Act of 
2014 (FISMA 2014) (Public Law 113-283). In addition, the Cybersecurity 
Enhancement Act of 2014 (Public Law 113-274) authorizes NIST to 
facilitate and support the development of voluntary, industry-led 
cybersecurity standards and best practices for critical infrastructure.
---------------------------------------------------------------------------
    \1\ FISMA was enacted as Title III of the E-Government Act of 2002 
(Public Law 107-347).
---------------------------------------------------------------------------
    NIST develops guidelines in an open, transparent, and collaborative 
manner that enlists broad expertise from around the world. These 
resources are used by Federal agencies as well as businesses of all 
sizes, educational institutions, and state, local, and tribal 
governments, because NIST's standards and guidelines are effective, 
state-of-art and widely accepted. NIST disseminates its resources 
through a variety of means that encourage the broad sharing of tools, 
security reference data, information security standards, guidelines, 
and practices, along with outreach to stakeholders, participation in 
government and industry events, and online mechanisms.
The Internet of Things (IoT)
    The Internet of Things is a rapidly evolving and expanding 
collection of diverse technologies that interact with the physical 
world. IoT devices are an outcome of combining the worlds of 
information technology (IT) and operational technology (OT). With the 
inexpensive rise of WIFI and other connective technology chip sets and 
wireless technologies, we can connect almost anything to the Internet 
and harness computing power far beyond our traditional personal 
computer and laptop environments. Many IoT devices now take advantage 
of the result of the convergence of cloud computing, mobile computing, 
embedded systems, big data, low-price hardware, and other technological 
advances.
    IoT devices can use computing functionality, data storage, and 
network connectivity for equipment that previously lacked them, 
enabling new efficiencies and technological capabilities for the 
equipment. IoT also adds the ability to analyze data about the physical 
world and use the results to better inform decision making, alter the 
physical environment, and anticipate future events. While the full 
scope of IoT is not precisely defined, it is clearly vast. Every sector 
has its own types of IoT devices, such as specialized hospital 
equipment in the healthcare sector and smart road technologies in the 
transportation sector, and there are many enterprise IoT devices that 
every sector can use.
    Also, versions of nearly every consumer electronics device, many of 
which are also present in organizations' facilities, have become 
connected IoT devices--kitchen appliances, thermostats, home security 
cameras, door locks, light bulbs, and televisions. Many organizations 
are not necessarily aware that they are using a large number of IoT 
devices. It is important that organizations understand their use of IoT 
because many IoT devices affect cybersecurity and privacy risks 
differently than conventional IT devices do.
    Many IoT devices interact with the physical world in ways 
conventional IT devices usually do not. For example, IoT devices with 
actuators have the ability to make changes to physical systems and thus 
affect the physical world. Another important aspect of IoT device 
interactions with the physical world is the operational requirements 
devices must meet in various environments and use cases. Many IoT 
devices must comply with stringent requirements for performance, 
reliability, resilience, safety, and other objectives. These 
requirements may be at odds with common cybersecurity and privacy 
practices for conventional IT.
    Once organizations are aware of their existing IoT usage and 
possible future usage, they need to understand the IoT device risk 
considerations and the challenges they may cause to mitigating 
cybersecurity and privacy risks; adjust organizational policies and 
processes to address the cybersecurity and privacy risk mitigation 
challenges throughout the IoT device lifecycle; and implement updated 
mitigation practices for the organization's IoT devices.
NIST's Cybersecurity for the Internet of Things Program
    The growth of network-connected devices, systems, and services 
comprising the IoT creates immense opportunities and benefits for our 
society. However, to reap the great benefits of IoT and to minimize the 
potentially significant risks, these network-connected devices need to 
be secure and resilient. This depends in large part upon the timely 
availability and widespread adoption of clear and effective 
international cybersecurity standards.
    Securing IoT devices is a major challenge, as manufactures tend to 
focus on functionality, compatibility requirements, customer 
convenience, and time-to-market rather than security. Meanwhile, 
security threats are increasing. For example, Symantec reported a 600 
percent increase in attacks against IoT devices from 2016 to 2017.\2\
---------------------------------------------------------------------------
    \2\ https://www.symantec.com/content/dam/symantec/docs/reports/
istr-23-2018-en.pdf
---------------------------------------------------------------------------
    The IoT ecosystem's nature brings new security considerations. 
These considerations include--but are not limited to--constrained power 
and processing; the ability to manage, update, and patch devices at 
scale; and a diverse set of new applications across consumer and 
industrial sectors.
    NIST's Cybersecurity for the Internet of Things program supports 
the development and application of standards, guidelines, and related 
tools to improve the cybersecurity of connected devices and the 
environments in which they are deployed. By collaborating with 
stakeholders across government, industry, international bodies, and 
academia, the program aims to cultivate trust and foster an environment 
that enables innovation on a global scale.
    Additionally, NIST is studying the usability factors affecting 
cybersecurity and privacy perceptions of consumers of smart home 
devices to understand how these factors influence buying decisions and 
home use.

   Considerations for Managing IoT Cybersecurity and Privacy 
        Risks: NIST Internal Report 8228 (NISTIR 8228)
        In recognition of a critical cybersecurity gap, NIST released 
        draft NIST Internal Report 8228 \3\, Considerations for 
        Managing IoT Cybersecurity and Privacy Risks in September 2018. 
        The purpose of this publication is to help organizations better 
        understand and manage the cybersecurity and privacy risks 
        associated with IoT devices throughout their lifecycles. This 
        publication emphasizes what makes managing these risks 
        different for IoT devices than conventional IT devices, and it 
        omits all aspects of risk management that are largely the same 
        for IoT and conventional IT. The publication provides insights 
        to inform organizations' risk management processes. For some 
        IoT devices, additional types of risks, including safety, 
        reliability, and resiliency, need to be managed simultaneously 
        with cybersecurity and privacy risks because of the effects 
        addressing one type of risk can have on others. Only 
        cybersecurity and privacy risks are in scope for this 
        publication.
---------------------------------------------------------------------------
    \3\ https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8228-
draft.pdf

   Status of International Cybersecurity Standardization for 
        IoT: NIST Internal Report 8200 (NISTIR 8200)
        NIST Interagency Report 8200 \4\, published in November 2018, 
        examines the current state of international cybersecurity 
        standards development by voluntary consensus standards bodies 
        for IoT. NISTIR 8200 is intended for use by the government and 
        the broader public. The report aims to inform and enable 
        policymakers, managers, and standards participants as they seek 
        timely development and use of such standards in IoT components, 
        systems, and related services.
---------------------------------------------------------------------------
    \4\ https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf

        NISTIR 8200 establishes a common understanding of IoT 
        components, systems and applications for which standards could 
        be relevant. Additionally, it provides a functional description 
        of IoT components, which are the basic building blocks of IoT 
        systems. To provide insights into the present state of IoT 
        cybersecurity standardization, the report describes five IoT 
        technology application areas. These areas are certainly not 
        exhaustive, but they are sufficiently representative to use in 
        analyzing the present state of IoT cybersecurity 
---------------------------------------------------------------------------
        standardization:

      --  Connected vehicle IoT enables vehicles, roads, and other 
            infrastructure to communicate and share vital 
            transportation information.

      --  Consumer IoT consists of IoT applications in residences as 
            well as wearable and mobile devices.

      --  Health IoT processes data derived from sources such as 
            electronic health records and patient-generated health 
            data.

      --  Smart building IoT includes energy usage monitoring systems, 
            physical access control security systems and lighting 
            control systems.

      --  Smart manufacturing IoT enables enterprise-wide integration 
            of data, technology, advanced manufacturing capabilities, 
            and cloud and other services.

        IoT cybersecurity objectives, risks, and threats are then 
        analyzed for IoT applications in general and for each of the 
        five illustrative IoT technology application areas. 
        Cybersecurity objectives for traditional IT systems generally 
        prioritize confidentiality, then integrity, and lastly 
        availability. IoT systems cross multiple sectors as well as use 
        cases within those sectors. Accordingly, cybersecurity 
        objectives may be prioritized very differently by various 
        parties, depending on the application. The increased ubiquity 
        of IoT components and systems heighten the risks they present. 
        Standards-based cybersecurity risk management will continue to 
        be a major factor in the trustworthiness of IoT applications. 
        Analysis of the application areas makes it clear that 
        cybersecurity for IoT is unique and requires tailoring existing 
        standards and creating new standards to address challenges, for 
        example: pop-up network connections, shared system components, 
        the ability to change physical aspects of the environment, and 
        related connections to safety.

        NISTIR 8200 describes 12 cybersecurity core areas and provides 
        examples of relevant standards that while not exhaustive, 
        represent an extensive effort to identify presently relevant 
        IoT cybersecurity standards. The report's conclusions focus 
        upon the issue of standards gaps and the effective use of 
        existing standards.

   Report to the President on Enhancing the Resilience of the 
        Internet and Communications Ecosystem Against Botnets and Other 
        Automated, Distributed Threats
        In May 2018, the Departments of Commerce and Homeland Security 
        published the Report to the President on Enhancing the 
        Resilience of the Internet and Communications Ecosystem Against 
        Botnets and Other Automated, Distributed Threats. Known as the 
        Botnet Report, this report was developed in response to the May 
        11, 2018, Executive Order (EO) 13800, ``Strengthening the 
        Cybersecurity of Federal Networks and Critical 
        Infrastructure.'' \5\ As explained in the Botnet Report, 
        resilience against botnets will require a multi-pronged 
        approach, with many of the report's recommended actions being 
        mutually supportive by design. The report called for the 
        Federal Government to clearly delineate priorities for action, 
        and a road map \6\ was later released to identify tasks and 
        timelines for completion. Recognizing that there is no one-
        size-fits-all, each of these recommendations and associated 
        actions and tasks works towards achieving the overall goal of a 
        more secure Internet ecosystem. The road map also helps to 
        sequence actions and tasks to achieve maximum benefit. As 
        explained in the road map, before assessment, labeling, or 
        awareness initiatives for IoT devices can begin, there first 
        needs to be the foundational task of describing a core 
        cybersecurity baseline, which is a set of cybersecurity 
        capabilities that are broadly applicable across many or all IoT 
        devices. The road map calls on NIST, in collaboration with 
        stakeholders, to identify a core set of cybersecurity 
        capabilities, which can also be used to support sector-specific 
        baselines as needed, such as the Federal Government or home 
        consumers. An identified core set of these capabilities would 
        encourage harmonization and indicate the minimum cybersecurity 
        capabilities any IoT device should support. A core baseline can 
        serve as a foundation upon which more detailed and rigorous 
        baselines for individual sectors and verticals can be 
        developed. For example, a connected medical device would likely 
        require more cybersecurity capabilities than an IoT light bulb.
---------------------------------------------------------------------------
    \5\ Exec. Order No. 13800, 82 Fed. Reg. 22391, at 22394 (May 11, 
2017): https://federal
register.gov/d/2017-10004
    \6\ https://www.commerce.gov/sites/default/files/2018-11/
Botnet%20Road%20Map%2011291
8%20for%20posting_0.pdf

   Considerations for a Core IoT Cybersecurity Capabilities 
        Baseline
        On February 4, 2019, NIST published a discussion draft \7\ to 
        gather feedback to help identify core IoT cybersecurity 
        capabilities that are most vital for IoT devices. Through NIST 
        research, related stakeholder engagement, comments received 
        during the NISTIR 8228 public comment period, and, as described 
        above, in the Botnet Report, NIST identified a critical gap 
        area in guidance on baselines for IoT device cybersecurity. In 
        particular, there was interest in baselines focused on the pre-
        market cybersecurity capabilities that could be built into the 
        products, as opposed to the cybersecurity controls that 
        consumers or organizations that use IoT in their enterprise 
        operations, could apply post-market.
---------------------------------------------------------------------------
    \7\ https://www.nist.gov/sites/default/files/documents/2019/02/01/
final_core_iot_cybersecuri
ty_capabilities_baseline_considerations.pdf

        This paper presents one possible approach to developing 
        baselines, which includes initial thoughts about what a core 
        baseline of cybersecurity capabilities that are important for 
        most IoT devices would look like. In this paper, ``baseline'' 
        is used in the generic sense to refer to a set of foundational 
        requirements or recommendations. These could be used by IoT 
        device manufacturers to guide the cybersecurity capabilities 
        they implement in their products, as well as be used as a 
        starting point by communities of interest to develop baselines 
---------------------------------------------------------------------------
        appropriate to their community.

   National Vulnerability Database
        NIST's National Vulnerability Database (NVD)\8\, supported by 
        the Department of Homeland Security's Cybersecurity and 
        Infrastructure Security Agency, is the U.S. government 
        repository of standards-based vulnerability management data. 
        This data enables automation of vulnerability management, 
        security measurement, and compliance. NIST maintains the U.S. 
        National Vulnerability Database, which is the worldwide public 
        repository used to communicate vulnerabilities to the Nation. 
        NIST receives publicly available vulnerability information, 
        standardizes it for use in scanners and vulnerability 
        identification and mediation tools, and provides analysis and 
        metrics for vulnerability severity. IoT vulnerabilities are one 
        type of many items that are collected, scored and communicated 
        in the NVD.
---------------------------------------------------------------------------
    \8\ https://nvd.nist.gov

   Lightweight Cryptography
        There are many IoT areas in which highly-constrained devices 
        are interconnected, typically communicating wirelessly with one 
        another, and working in concert to accomplish some task. 
        Security and privacy can be very important in all of these 
        areas. Because the majority of current cryptographic algorithms 
        were designed for desktop/server environments, many of these 
        algorithms do not fit into the constrained resources. If 
        current algorithms can be made to fit into the limited 
        resources of constrained environments, then their performance 
        may not be acceptable.

        NIST has initiated a process to solicit, evaluate, and 
        standardize lightweight cryptographic algorithms \9\ that are 
        suitable for use in constrained environments where the 
        performance of current NIST cryptographic standards is not 
        acceptable. Today NIST is evaluating 56 potential lightweight 
        encryption algorithms for use in these environments. As part of 
        our plans for identifying the best, NIST will start to down 
        select this initial set this fiscal year.
---------------------------------------------------------------------------
    \9\ https://csrc.nist.gov/Projects/Lightweight-Cryptography
---------------------------------------------------------------------------
National Cybersecurity Center of Excellence (NCCoE)
    Established in 2012, NIST's National Cybersecurity Center of 
Excellence (NCCoE) \10\ is a collaborative hub where industry 
organizations, government agencies, and academic institutions work 
together to address businesses' most pressing cybersecurity issues. 
This public-private partnership enables the creation of practical 
cybersecurity solutions for specific industries, as well as for broad, 
cross-sector technology challenges.
---------------------------------------------------------------------------
    \10\ https://www.nccoe.nist.gov/
---------------------------------------------------------------------------
    Through consortia under Cooperative Research and Development 
Agreements, including private sector collaborators--from Fortune 50 
market leaders to smaller companies specializing in IT security--the 
NCCoE applies standards and best practices to develop modular, easily 
adaptable example cybersecurity solutions using commercially available 
technology. Working with communities of interest, the NCCoE has 
produced practical cybersecurity solutions that benefit large and small 
businesses, and third-party service providers in diverse sectors 
including healthcare, energy, financial services, retail, and 
manufacturing.
    The NCCoE has many published practice guides, on-going projects 
exploring solutions, and upcoming projects exploring new challenges and 
building communities of interest that all directly support the 
cybersecurity of the Internet of Things. Recently, the Mitigating IoT-
Based Distributed Denial of Service (DDoS) project published practice 
guides demonstrating how use of the Manufacturer Usage Description 
specifications could be used to reduce the ability of IoT devices from 
participating in a DDoS attack.
    In the healthcare space, the NCCoE previously published practice 
guides demonstrating an example solution for Securing Wireless Infusion 
Pumps that applies security controls to the pump's environment to 
create a defense-in-depth approach for protecting infusion pumps and 
their surrounding systems against various risk factors. Additionally, 
as many IoT devices rely on cloud services, the example solutions 
identified in the NCCoE's Trusted Cloud practice guides help IoT 
environments by providing assurance that business processes in the 
cloud are running on trusted hardware and in trusted environments while 
also increasing the protection of data as it processed and transmitted.
    In addition to these published example solutions, the NCCoE has 
several upcoming projects and ideas that may address cybersecurity 
challenges seen in many IoT devices and environments. The Securing 
Picture Archiving and Communication System project is currently 
exploring solutions that allow healthcare delivery organizations to 
apply cybersecurity controls to their imaging systems that provide 
significant integrity, availability, and confidentiality assurances 
since this data is about patients and used by doctors for determining 
health condition, follow-on visits, patient care, and other actions. 
Also, in the healthcare space, the Securing Telehealth Remote Patient 
Monitoring Ecosystem will explore cybersecurity controls to protect 
remote patient monitoring platforms, which commonly incorporate home 
medical devices that are part of the IoT. Home use of IoT is not 
limited to medical purposes. The NCCoE has initiated a Consumer Home 
IoT Security project, which will explore how specific devices, 
platforms, and/or software may provide additional cybersecurity to home 
IoT networks.
Conclusion
    Our economy is increasingly global, complex, and interconnected. It 
is characterized by rapid advances in information technology. IT 
products and services need to provide sufficient levels of 
cybersecurity and resilience. The timely availability of international 
cybersecurity standards is a dynamic and critical component for the 
cybersecurity and resilience of all information and communications 
systems and supporting infrastructures.
    The Internet of Things is a rapidly evolving and expanding 
collection of diverse technologies that interact with the physical 
world. Many organizations are not necessarily aware of the large number 
of IoT devices they are already using and how IoT devices may affect 
cybersecurity and privacy risks differently than conventional 
information technology devices do.
    The NIST's Cybersecurity for the Internet of Things program 
supports the development and application of standards, guidelines, and 
related tools to improve the cybersecurity of connected devices and the 
environments in which they are deployed. By collaborating with 
stakeholders across government, industry, international bodies, and 
academia, the program aims to cultivate trust and foster an environment 
that enables innovation on a global scale.
    NIST is proud of its role in establishing and improving the 
comprehensive set of cybersecurity technical solutions, standards, 
guidelines, and best practices, and of the robust collaborations 
enjoyed with its Federal Government partners, private sector 
collaborators, and international colleagues.
    Thank you for the opportunity to present NIST's activities on 
securing Internet of Things. I will be pleased to answer any questions 
you may have.
                                 ______
                                 
                           Charles H. Romine
    Charles Romine is Director of the Information Technology Laboratory 
(ITL). ITL, one of seven research Laboratories within the National 
Institute of Standards and Technology (NIST), has an annual budget of 
$160 million, nearly 400 employees, and approximately 300 guest 
researchers from industry, universities, and foreign laboratories.
    Dr. Romine oversees a research program that cultivates trust in 
information technology and metrology by developing and disseminating 
standards, measurements, and testing for interoperability, security, 
usability, and reliability of information systems, including 
cybersecurity standards and guidelines for Federal agencies and U.S. 
industry, supporting these and measurement science at NIST through 
fundamental and applied research in computer science, mathematics, and 
statistics. Through its efforts, ITL supports NIST's mission, to 
promote U.S. innovation and industrial competitiveness by advancing 
measurement science, standards, and technology in ways that enhance 
economic security and improve our quality of life.
    Within NIST's traditional role as the overseer of the National 
Measurement System, ITL is conducting research addressing measurement 
challenges in information technology as well as issues of information 
and software quality, integrity, and usability. ITL is also charged 
with leading the Nation in using existing and emerging IT to help meet 
national priorities, including developing cybersecurity standards, 
guidelines, and associated methods and techniques, cloud computing, 
electronic voting, smart grid, homeland security applications, and 
health information technology.
Education:
    Ph.D. in Applied Mathematics from the University of Virginia.
    B.A. in Mathematics from the University of Virginia.

    Senator Markey [presiding]. Thank you, sir, very much.
    Next, we're going to hear from Matthew Eggers, Vice 
President of Cybersecurity Policy, United States Chamber of 
Commerce.
    Welcome, sir.

 STATEMENT OF MATTHEW J. EGGERS, VICE PRESIDENT, CYBERSECURITY 
                POLICY, U.S. CHAMBER OF COMMERCE

    Mr. Eggers. Thank you, sir. Good afternoon, Chairman 
Sullivan, Ranking Member Markey, and other distinguished 
members of the Security Subcommittee. My name is Matthew 
Eggers, and I'm the Vice President of Cybersecurity Policy with 
the U.S. Chamber of Commerce. On behalf of the Chamber, I 
welcome the opportunity to testify before the Subcommittee 
regarding enhancing the cybersecurity and resilience of the 
Internet of Things, IoT.
    The Chamber welcomes the Subcommittee's dedication to 
examining pressing cyber matters. The Chamber is optimistic 
about the future of the IoT, including consumer and industrial 
devices. Many observers predict that the connectivity of the 
IoT will bring positive benefits through enhanced efficiency 
and productivity across the economy. Managing cyber risk across 
the Internet and communications ecosystem is central to growing 
the IoT and increasing businesses' gains.
    The business community, NIST, and other stakeholders are 
developing a core cybersecurity capabilities baseline for IoT 
devices. A top Chamber priority for industry is to achieve 
consensus on the technical criteria that support the IoT cyber 
baseline. The Chamber wants device makers, service providers, 
and buyers to win, from the development of state-of-the-art 
components and sound risk-management practices. The Chamber 
believes that IoT cyber efforts will be most effective if they 
reflect global standards and industry-driven practices. A 
fragmented cybersecurity environment, both at home and 
overseas, creates uncertainty for industry and splinters the 
resources that businesses devote to device development, 
production, and assessments. The Chamber and other 
organizations, including NIST, have been actively meeting with 
foreign governments to urge them to embrace a core IoT security 
capabilities baseline.
    It's worth highlighting that, in February, the Chamber and 
some 20 organizations sent a letter to the White House to urge 
the administration and Congress to support NIST's partnership 
with industry to strengthen IoT cybersecurity. The Chamber 
stressed three points to White House officials:
    First, this initiative should advance NIST's ongoing IoT 
cyberwork with industry, in keeping with efforts such as NIST's 
draft considerations for a core IoT cybersecurity capabilities 
baseline and the administration's botnet roadmap.
    Second, the undertaking should be elevated, policywise, to 
better address a number of IoT cyber proposals that are being 
developed at home and abroad. The Chamber wants this effort to 
capture the imagination of public- and private-sector 
stakeholders--in essence, to serve as an IoT cyber rallying 
point comparable to what the popular cybersecurity framework 
does for managing enterprise risk and threats. Congress should 
boost NIST's funding, especially given the array of significant 
tasks that it undertakes with the private sector on 
cybersecurity and resilience.
    Third, the botnet roadmap calls for establishing a robust 
market for consumer and industrial devices. Stakeholders are 
trying to solve a chicken-and-egg-strategy problem.
    Key next steps include advancing a market that generates 
both security and value for buyers and sellers. Market and/or 
policy incentives may be needed to jumpstart this circle.
    Thank you for giving me a chance to convey the Chamber's 
views. I'm happy to answer any questions.
    [The prepared statement of Mr. Eggers follows:]

       Prepared Statement of Matthew J. Eggers, Vice President, 
             Cybersecurity Policy, U.S. Chamber of Commerce
    The U.S. Chamber of Commerce is the world's largest business 
federation representing the interests of more than 3 million businesses 
of all sizes, sectors, and regions, as well as state and local chambers 
and industry associations. The Chamber is dedicated to promoting, 
protecting, and defending America's free enterprise system.
    More than 96 percent of Chamber member companies have fewer than 
100 employees, and many of the Nation's largest companies are active 
members. We are therefore cognizant not only of the challenges facing 
smaller businesses but also those facing the business community at 
large.
    Besides representing a cross-section of the American business 
community with respect to the number of employees, major 
classifications of American business--for example, manufacturing, 
retailing, services, construction, wholesalers, and finance--are 
represented. The Chamber has membership in all 50 states.
    The Chamber's international reach is substantial as well. We 
believe that global interdependence provides opportunities, not 
threats. In addition to the American Chambers of Commerce abroad, an 
increasing number of our members engage in the export and import of 
both goods and services and have ongoing investment activities. The 
Chamber favors strengthened international competitiveness and opposes 
artificial U.S. and foreign barriers to international business.
                                 ______
                                 
                                Summary
   Industry and National Institute of Standards and Technology 
        (NIST) leadership. The business community, NIST, and other 
        stakeholders are developing a core cybersecurity capabilities 
        baseline for Internet of Things (IoT) devices. A top U.S. 
        Chamber of Commerce priority for industry is to achieve 
        consensus on the technical criteria that support the IoT cyber 
        baseline.

   A win-win security cybersecurity market. The Chamber wants 
        device makers, service providers, and buyers to gain from the 
        development of state-of-the-art IoT components and sound risk 
        management practices.

   Global, industry-driven standards and practices. The Chamber 
        believes that IoT cyber efforts will be most effective if they 
        reflect global standards and industry-driven practices. A 
        fragmented global cybersecurity environment creates uncertainty 
        for industry and splinters the resources that businesses devote 
        to device development, production, and assessments.

    Good afternoon, Chairman Sullivan, Ranking Member Markey, and other 
distinguished members of the Security Subcommittee (subcommittee). My 
name is Matthew Eggers, and I am the vice president of cybersecurity 
policy with the U.S. Chamber of Commerce's Cyber, Intelligence, and 
Security Division (CISD). On behalf of the Chamber, I welcome the 
opportunity to testify before the subcommittee regarding enhancing the 
cybersecurity and resilience of the Internet of Things (IoT). The 
Chamber welcomes the subcommittee's dedication to examining pressing 
cyber matters.
    The Chamber's CISD was established in 2003 to develop and implement 
the Chamber's homeland and national security policies. The division's 
Cybersecurity Working Group (CWG), which I lead, identifies current and 
emerging issues, crafts policies and positions, and provides analysis 
and direct advocacy to government and business leaders.
    In addition to the CWG, I want to highlight two other groups within 
the Chamber that address IoT--the Chamber Technology Engagement Center 
(C_TEC) and Project Security, which handles our international cyber 
initiatives. C_TEC is at the forefront of advancing IoT deployment and 
innovation in the digital economy. Its initiatives include working 
groups on autonomous vehicles, 5G, and unmanned aerial vehicles.\1\
---------------------------------------------------------------------------
    \1\ The Chamber Technology Engagement Center (C_TEC).
    https://www.uschamber.com/ctec
---------------------------------------------------------------------------
    Project Security is a partnership between CISD and the Center for 
Global Regulatory Cooperation (GRC), which is housed in the Chamber's 
International Division. Project Security works with foreign governments 
and multilateral forums to promote international alignment to flexible, 
globally accepted risk-based approaches to cybersecurity.
    Project Security has engaged more than 30 foreign governments as 
they create and implement their respective cybersecurity programs. This 
engagement includes the European Commission (EC) and European Union 
(EU) national authorities regarding the Cybersecurity Act. The act 
establishes EU-wide cyber certification schemes for information and 
communications technology (ICT) products, services, and processes, 
including IoT devices.\2\ Project Security leaders meet regularly with 
EU officials to negotiate constructive outcomes on IoT cybersecurity. 
It is also works with other international stakeholders, such as Japan, 
Singapore, Australia, and the U.K., to fashion consensus and industry-
driven policy approaches to IoT security.\3\
---------------------------------------------------------------------------
    \2\ In March 2019, the European Parliament approved a cybersecurity 
regulation commonly known as the Cybersecurity Act, which was initiated 
approximately two years ago.
    http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//
NONSGML+TA+P8-TA-2019-0151+0+DOC+PDF+V0//EN
    In August 2017, the Chamber and six European organizations sent a 
letter to the European Commission regarding ``measures on cybersecurity 
standards, certification and labelling to make ICT-based systems, 
including connected objects.'' The industry groups argued that Europe, 
like the U.S., can expect to benefit from economic growth brought about 
by the expanding IoT as long as policymakers cultivate a digital 
environment that avoids misguided regulations and supports pioneering 
businesses.
    www.uschamber.com/sites/default/files/
iot.cybersecurity.coalition._ec.letter.pdf
    \3\ See Chamber and Wiley Rein LLP paper The IoT Revolution and Our 
Digital Security: Principles for IoT Security, September 2017.
    https://www.uschamber.com/IoT-security
---------------------------------------------------------------------------
    I recognize that the subcommittee is considering legislation that 
addresses IoT cybersecurity. However, I will confine my written 
statement to (1) highlighting some key problems that face the IoT cyber 
market, (2) discussing industry and NIST collaboration toward a core 
IoT cybersecurity baseline, and (3) soliciting the subcommittee's 
assistance and counsel in elevating the fruits of this partnership at 
home and overseas.
Framing Key IoT Cybersecurity Challenges
    It is important to frame some of the central challenges that impact 
the IoT cyber marketplace before discussing solutions.\4\ In speaking 
at length with stakeholders over the last two years, the Chamber has 
identified several challenges associated with IoT cybersecurity:
---------------------------------------------------------------------------
    \4\ Readers of this testimony are encouraged to listen to ``The 
Right Way to Solve Complex Business Problems,'' Harvard Business 
Review's (HBR's) IdeaCast, December 4, 2018.
    https://hbr.org/ideacast/2018/12/the-right-way-to-solve-complex-
business-problems

   Security risk. IoT objects are potentially vulnerable 
        targets for hackers. As the number of IoT devices grows, so 
        will the potential risk of successful intrusions and increases 
        in costs from those incidents.\5\ Strong IoT security should be 
        a win-win proposition for the makers and purchasers of robust 
        devices, as well as U.S. economic and national security.\6\
---------------------------------------------------------------------------
    \5\ Eric A. Fischer, The Internet of Things: Frequently Asked 
Questions, Congressional Research Service (CRS), October 13, 2015, pg. 
14.
    https://fas.org/sgp/crs/misc/R44227.pdf
    \6\ Some 50 billion devices will be connected to the Internet by 
2020. According to the Chamber's estimates, the IoT could add roughly 
$15 trillion to global GDP over the next 20 years. See the Chamber's 
October 3, 2017, testimony before the House Oversight and Government 
Reform Committee Information Technology Subcommittee.
    https://docs.house.gov/meetings/GO/GO25/20171003/106460/HHRG-115-
GO25-Wstate-EggersM-20171003.pdf

   Technical standards. Industry and government share an 
        interest in fostering stronger IoT security and resilience. The 
        business community and NIST are working diligently to deliver a 
        core capabilities baseline for IoT devices that increases 
        security, is dynamic in the face of threats, and is scalable 
        internationally. A top Chamber priority will be for industry to 
        achieve consensus on the technical criteria that support the 
        IoT cyber baseline, including for consumer and industrial 
---------------------------------------------------------------------------
        devices.

   Public policy mandates. The Chamber is concerned about 
        policies at home and abroad that require specific, top-down 
        approaches to security. Such mandates are unlikely to keep up 
        with malicious actors or align with international best 
        practices--outcomes that the Chamber presses the public and 
        private sectors to pursue.\7\
---------------------------------------------------------------------------
    \7\ The Chamber would welcome clear steps by government officials 
to elevate their defense of industry and the IoT ecosystem.

   Buyer decision making. A number of IoT cyber advocates take 
        a ``build it and they will come'' approach to IoT cyber, which 
        tracks with traditional, rational notions of economics. Yet it 
        is unclear if buyers--including individuals, households, 
        businesses, and public institutions--will (1) pay for the cost 
        of additional security features or (2) be able to identify a 
        strong device without a nonregulatory tool to help them make 
        educated choices.\8\
---------------------------------------------------------------------------
    \8\ John Beshears and Francesco Gina, ``Leaders as Decision 
Architects,'' HBR, May 2015.
    https://hbr.org/2015/05/leaders-as-decision-architects

    Most people's intuition is to buy the least expensive device even 
if the device's security is not strong--and possibly contrary to their 
own best interests. The Chamber seeks to better understand how people 
make real-world choices regarding purchasing IoT technology.\9\ The 
Chamber wants to get strong devices into the networks of businesses and 
the hands of consumers. Among other things, strong IoT will yield 
positive externalities.\10\
---------------------------------------------------------------------------
    \9\ Richard H. Thaler, Misbehaving: The Making of Behavioral 
Economics (W.W. Norton and Company: New York, 2015).
    \10\ On positive externalities, see N. Gregory Mankiw, Principles 
of Economics, Third Edition (Thomson: U.S., 2004), pg. 207.
---------------------------------------------------------------------------
Industry and NIST Are Developing a Core IoT Cybersecurity Baseline
    On February 7, 2019, the Chamber and 23 organizations sent a letter 
to the White House to urge the administration and Congress to support 
NIST's partnership with industry to strengthen IoT cybersecurity. The 
letter called on policymakers to support NIST in convening a robust 
effort on IoT security. Such an initiative will help stakeholders 
identify a flexible, performance-based, and cost-effective approach 
that can be voluntarily used by producers, sellers, and users of IoT 
devices to help them manage cyber risk and threats. The Chamber 
stressed three points in communicating with White House officials:

   Complement existing work. This initiative should advance 
        NIST's ongoing IoT cyber work with industry, in keeping with 
        NIST's February 2019 draft Considerations for a Core IoT 
        Cybersecurity Capabilities Baseline; the September 2018 draft 
        NIST Interagency Report (NISTIR) 8228, Considerations for 
        Managing IoT Cybersecurity and Privacy Risks; and the 
        administration's November 2018 Botnet Road Map.\11\
---------------------------------------------------------------------------
    \11\ NIST's Cybersecurity for the Internet of Things (IoT) Program.
    https://www.nist.gov/programs-projects/nist-cybersecurity-iot-
program

    The Council to Secure the Digital Economy (CSDE) and the Consumer 
Technology Association (CTA) are coordinating the development of an 
industry-led consensus--which its participants call the CSDE C2 (short 
for ``convening the conveners'')--regarding cybersecurity capabilities 
that will be common to new IoT devices. The CSDE C2 project will inform 
NIST's work, and vice versa, on identifying a core set of cybersecurity 
capabilities that could be a baseline for IoT devices.

    Katerina Megas, ``Let's talk about IoT device security,'' the 
National Institute of Standards and Technology (NIST), February 4, 
2019.
    https://www.nist.gov/blogs/i-think-therefore-iam/lets-talk-about-
iot-device-security
    https://www.nist.gov/sites/default/files/documents/2019/02/01/
final_core_iot_cybersecurity
_capabilities_baseline_considerations.pdf

    On February 7, 2019, 24 associations sent a letter to the White 
House to urge the administration and Congress to support NIST's efforts 
alongside industry to bolster IoT security.
    https://www.uschamber.com/sites/default/files/2-7-19_multi-
association_wh_letter_iot_cyber
security_final.pdf

    Draft NISTIR 8228, Considerations for Managing Internet of Things 
(IoT) Cybersecurity and Privacy Risks, September 24, 2018. The Chamber 
commented on NISTIR 8228 on October 24, 2018.
    https://www.uschamber.com/sites/default/files/10-24-
18_u.s._chamber_comment_letter_draft
_nistir_8228_final.pdf

    The Department of Commerce and the Department of Homeland Security 
(DHS), Road Map: Building a More Resilient Internet (aka the Botnet 
Road Map), November 29, 2018.
    https://www.ntia.doc.gov/blog/2018/road-map-building-more-
resilient-internet

   Elevate U.S. policy. The undertaking should be elevated 
        policywise to better compete with a number of IoT cyber 
        proposals that are being developed at home and abroad. The 
        Chamber wants this expedited effort to capture the imagination 
        of public-and private-sector stakeholders--in essence, to serve 
        as an IoT cyber rallying point--comparable to what the popular 
        Cybersecurity Framework does for managing enterprise risks. 
        Congress should boost the agency's funding, especially given 
        the array of significant tasks that it undertakes with the 
---------------------------------------------------------------------------
        private sector on cybersecurity and resilience.

   Foster a market. The Botnet Road Map calls for establishing 
        robust markets for consumer and industrial devices. The Chamber 
        wants device makers, service providers, and consumers to profit 
        from the business community leading the development of state-
        of-the-art IoT components and practices. Stakeholders are 
        trying to solve a chicken-and-egg strategy problem. Key next 
        steps include advancing a market that generates both security 
        and value for buyers and sellers. Market and/or policy 
        incentives may be needed to jump-start this circle.\12\
---------------------------------------------------------------------------
    \12\ This graphic was inspired, in part, by the Strategic Toolkits 
webpage, ``Chicken and Egg Strategy Problems.''
    http://strategictoolkits.com/strategic-concepts/chicken-and-egg-
strategy-problems
---------------------------------------------------------------------------
IoT Cybersecurity Needs to Be Rooted in Global, Industry-Driven 
        Standards and Practices
    In 2015, the Chamber supported NISTIR 8074, Report on Strategic 
U.S. Government Engagement in International Standardization to Achieve 
U.S. Objectives for Cybersecurity, which served as a precursor to the 
November 2018 NISTIR 8200, Status of International Cybersecurity 
Standardization for Internet of Things (IoT).<\13\ The Chamber contends 
that IoT cyber efforts will be most effective if they reflect global 
standards and industry-driven practices, including the joint industry-
NIST core IoT security baseline. We urge Congress to leverage the 
following principles when crafting IoT security policy:
---------------------------------------------------------------------------
    \13\ See April 18, 2018, Chamber letter to NIST on draft NISTIR 
8200, Status of International Cybersecurity Standardization for 
Internet of Things (IoT).
    https://www.nist.gov/sites/default/files/documents/2018/04/19/4-18-
18_uscc_letter_nist_
draft_nistir_8200_final.pdf

   Support U.S. leadership in international IoT cyber forums. 
        Standards, guidance, and best practices relevant to 
        cybersecurity are typically led by the private sector and 
        adopted on a voluntary basis; they are optimal when developed 
        and recognized globally. Such approaches avoid burdening 
        multinational enterprises with the requirements of multiple, 
---------------------------------------------------------------------------
        and often conflicting, jurisdictions.

        The Chamber appreciates that NIST has been actively meeting 
        with foreign governments to urge them to embrace a core IoT 
        security capabilities baseline. The Chamber urges the 
        administration to work with international partners and believes 
        that these discussions should be stakeholder driven and occur 
        routinely.

   Reduce regulatory fragmentation. There is market demand for 
        a common IoT cyber security baseline--due to a growing number 
        of often disparate policy proposals and requirements--to chart 
        a path for businesses and standards bodies to follow. A 
        fragmented global cybersecurity environment creates much 
        uncertainty for device makers and buyers and splinters the 
        resources that businesses devote to sound device development, 
        production, and assessments.

   Spotlight global alignment with an industry-led baseline. 
        The Chamber believes that policymakers in the U.S. and abroad 
        should align their IoT security and resilience programs with an 
        industry-led IoT cyber capabilities baseline. Achieving 
        consensus between the business community and NIST will 
        streamline and strengthen government-industry collaboration on 
        IoT security and enable the U.S. to champion more effectively a 
        core IoT cyber baseline worldwide. This method should also 
        ensure stakeholders' cybersecurity concerns are adequately 
        addressed and that IoT security requirements do not become an 
        unnecessary barrier to trade.

    Thank you for giving me a chance to convey the Chamber's views. I 
am happy to answer any questions.

    Senator Markey. Thank you, Mr. Eggers, very much.
    And next we're going to hear from Robert Mayer, Senior Vice 
President for Cybersecurity, USTelecom--The Broadband 
Association

                   STATEMENT OF ROBERT MAYER,

            SENIOR VICE PRESIDENT FOR CYBERSECURITY,

              USTELECOM--THE BROADBAND ASSOCIATION

    Mr. Mayer. Chairman Sullivan, Ranking Member Markey, and 
other distinguished members of the Subcommittee, thank you for 
the opportunity to testify at today's hearing on the 
cybersecurity of the Internet of Things.
    My name is Robert Mayer, and I am the Senior Vice President 
for Cybersecurity at USTelecom--The Broadband Association. Our 
members are committed to safeguarding digital security as an 
essential driver of innovation, economic growth, public safety, 
and our national security. I also have the privilege of serving 
as the Chair of the Communications Sector Coordinating Council, 
which represents the broadcast, cable, satellite, wireless, and 
wireline industries, and coordinates all public/private 
partnerships in the security arena across the government 
landscape. And I was recently appointed to Co-chair the 
Department of Homeland Security's Information, Communication, 
and Technology Supply Chain Task Force.
    There is little doubt that the Internet of Things holds 
tremendous power and promise for our modern connected society. 
We already are seeing those benefits, from energy management to 
manufacturing, healthcare to transportation. But, with 30 
billion connected devices expected within a short--few short 
years, securing IoT is a chief cybersecurity challenge. 
Manufacturers, service providers, and developers are taking 
critical steps to improve the security of their products and 
the infrastructure supporting the digital ecosystem. USTelecom 
members, for example, use botnet detection and filtering 
techniques, provide IoT-managed security services, and 
collaborate with security researchers and law enforcement to 
limit the destructive potential of IoT botnets. AT&T and 
Ericsson, for example, recently launched an IoT security 
testing program aimed at improving device security.
    Acting on our commitment to ecosystem-wide solutions, 
USTelecom established the Council to Secure the Digital Economy 
in 2018, created in partnership with the Information Technology 
Industry Council, CSDE is led by 12 global ICT companies whose 
shared mission is identifying sophisticated and evolving 
cyberthreats and the security practices that, if widely 
adopted, would contribute to the resiliency and sustainability 
of the global digital ecosystem.
    In November 2018, the CSDE and our strategic partner, the 
Consumer Technology Association, published the International 
Anti-Botnet Guide, which is included with this testimony. The 
Guide discusses problems inherent to IoT security and contains 
sets of baseline practices and advanced capabilities that are 
directly relevant to securing connected devices and the 
enabling infrastructure.
    Why are we laser-focused on IoT security vulnerabilities 
and the potential harm to consumers, businesses, and 
government? Because we have seen cameras used to invade their 
owners' privacy, confidential personal and business information 
stolen through seemingly innocuous IoT devices, such as 
thermometers, deeply personal objects, from children's toys to 
baby heart monitors being vulnerable to hackers, and hackers 
manipulating temperature in smart homes and whole buildings 
that have lost heat in the middle of winter. Concerns of this 
kind can have a massive influence on public perception of 
emerging technologies and, if not addressed in a meaningful 
way, threaten digital trust, causing unpredictable levels of 
disruption and economic harm.
    Government has a vital role to play in supporting industry 
initiatives and the evolving standards and practices necessary 
to combat these growing threats. It is our view that voluntary, 
prioritized, flexible, and cost-effective solutions embodied in 
the NIST cybersecurity framework can be effectively applied in 
the IoT space.
    We are also mindful that states are pursuing their own 
versions of cyber legislation. Our concern with this approach 
is that a patchwork of State compliance requirements will add 
complexity, confusion, and cost to an already challenging 
global landscape. The very nature of this challenge requires a 
highly adaptive and evolving response in as close to real time 
as possible. That level of innovation and operational 
implementation can only be realized when policies are carefully 
aligned with market dynamics.
    Thank you. And I look forward to answering your questions.
    [The prepared statement of Mr. Mayer follows:]

       Prepared Statement of Robert Mayer, Senior Vice-President 
                            Cybersecurity, 
             USTelecom--The Broadband AssociationUSTelecom
    Chairman Sullivan, Ranking Member Markey, and other distinguished 
Members of the Subcommittee, thank you for the opportunity to testify 
at today's hearing on the cybersecurity of the Internet of Things. My 
name is Robert Mayer and I am the Senior Vice-President of 
Cybersecurity at USTelecom, the trade association that represents a 
diverse membership that ranges from large publicly traded global 
communications providers to small companies and cooperatives all of 
whom are committed to the security of the digital ecosystem as an 
essential driver of innovation, economic growth, public safety, our 
national security and other societal benefits.
    The Internet of Things (IoT), a broad term referring to many 
categories of devices that connect to the internet, holds the promise 
of great benefits for modern society, both as a consumer-driven 
economic force that improves quality of life and as powerful sets of 
tools designed to increase efficiencies in measurable ways across 
businesses, governments, and non-profits. Today, we already see those 
benefits in diverse areas such as energy management, manufacturing, 
health care, and transportation to name a few. Yet, with 30 billion 
connected devices expected within a few short years and further 
exponential growth a virtual certainty, securing the IoT is among the 
chief cybersecurity challenges we face today.
    There is growing evidence of stakeholders taking actions to improve 
the security of their products and the infrastructure supporting the 
digital ecosystem. For example, USTelecom members use botnet detection 
and filtering techniques; provide IoT managed security services; and 
collaborate with security researchers and law enforcement to limit the 
destructive potential of IoT botnets. AT&T and Ericsson recently 
launched an IoT security testing program aimed at improving device 
security.
    Networks at every level are evolving to accommodate exponential 
growth in traffic associated with billions of new end-point devices. 
The introduction of 5G and the associated architecture will allow 
industry to incorporate security measures into more layers than in 
previous generations. ISPs, security vendors and other infrastructure 
providers are developing improved security offerings, such as firewalls 
that more intelligently identify authorized users and attackers.
    Commitment to ecosystem-wide solutions led to establishment by 
USTelecom in 2018 of the Council to Secure the Digital Economy (CSDE). 
Created in partnership with ITI, CSDE is led by 12 global ICT companies 
whose mission is to identify sophisticated and evolving cyber threats 
and the security practices that, if widely adopted, would materially 
contribute to the resiliency and sustainability of the global digital 
economy.
    In November 2018, the CSDE and our strategic partner the Consumer 
Technology Association published the International Anti-Botnet Guide 
which is included with this testimony. The Guide discusses the problems 
inherent to IoT security and contains sets of baseline practices and 
advanced capabilities that are directly relevant to securing connected 
devices and the enabling infrastructure.
    We are doing all of this because we have seen ample evidence of IoT 
security vulnerabilities and the potential harm to individuals, 
enterprises, government institutions and society writ large. We have 
seen that cameras can be used to invade their owners' 
privacy.i Confidential personal and business information can 
be stolen through seemingly innocuous IoT devices, such as 
thermometers.ii Deeply personal objects, from children's 
toys iii to baby heart monitors iv have been 
shown to be vulnerable to hackers. Vehicles can potentially be 
manipulated to cause deadly traffic accidents.v Hackers can 
manipulate temperature in smart homes,vi and whole buildings 
have lost heat in the middle of winter.vii Concerns of this 
kind can have a massive influence on public perception of technologies, 
and if not addressed in meaningful ways, trust in the digital ecosystem 
will erode, causing unpredictable levels of disruption and economic 
harm.
---------------------------------------------------------------------------
    \i\ Ms. Smith, Hijacked Nest Devices Highlight the Insecurity of 
the IoT, CSO (Feb. 4, 2019), https://www.csoonline.com/article/3338136/
hijacked-nest-devices-highlight-the-insecurity-of-the
-iot.html.
    \ii\ Oscar Williams-Grut, Hackers Once Stole a Casino's High-roller 
Database Through a Thermometer in the Lobby Fish Tank, Business Insider 
(Apr. 15, 2018), https://www.businessinsi
der.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-
lobby-fish-tank-2018-4.
    \iii\ Glenn McDonald, Strange and Scary IoT Hacks: Child's Plays, 
Network World (July 3, 2018), https://www.networkworld.com/article/
3285968/strange-and-scary-iot-hacks.html#slide
3; Glenn McDonald, Strange and Scary IoT Hacks: Toy Stories, Network 
World (July 3, 2018), https://www.networkworld.com/article/3285968/
strange-and-scary-iot-hacks.html#slide4.
    \iv\ Iain Thomson, Wi-Fi Baby Heart Monitor may Have the Worst IoT 
Security of 2016, The Register, (Oct. 13, 2016), https://
www.theregister.co.uk/2016/10/13/possibly_worst_iot_secu
rity_failure_yet.
    \v\ Andrew Meola, Consumers Don't Care if Their Connected Car can 
Get Hacked--Here's Why That's a Problem, Business Insider (Mar. 7, 
2016), https://www.businessinsider.com/smart-car-hacking-major-problem-
for-iot-internet-of-things-2016-3 (``Hackers could potentially crash a 
compromised car, but they are more likely to exploit IoT devices to 
gain entry to corporate and government networks and databases.'').
    \vi\ Luke Denne et al., We Hired Ethical Hackers to Hack a Family's 
Smart Home--Here's How It Turned Out, CBC News (Sept. 28, 2018), 
https://www.cbc.ca/news/technology/smart-home-hack-marketplace-
1.4837963.
    \vii\ Lee Mathews, Hackers Use DDoS Attack To Cut Heat To 
Apartment, Forbes (Nov. 7, 2016), https://www.forbes.com/sites/
leemathews/2016/11/07/ddos-attack-leaves-finnish-apartments-without-
heat/#2b7483fb1a09.
---------------------------------------------------------------------------
    Government has a vital role in supporting industry initiatives and 
the evolving standards and practices that are necessary to combat this 
growing threat. It is our view that voluntary, prioritized, flexible 
and cost-effective solutions embodied in the NIST Cybersecurity 
Framework can be effectively applied in the IoT space. We are also 
mindful that many states are pursuing legislation in this area and we 
are concerned that a patchwork quilt of state compliance requirements 
will add complexity, confusion and costs to an already challenging 
global landscape. In the digital ecosystem, no jurisdiction exists 
totally independent of others. Therefore, recommendations aimed at 
setting standards in one part of the ecosystem, while ignoring the 
others, are misjudging the scope and nature of the IoT security 
challenge.
    In closing, we are strongly supportive of U.S. government and 
industry collaboration on IoT security at the Federal level, through 
the highly successful public-private partnership model. The very nature 
of this challenge requires a highly adaptive and evolving response in 
as close to real-time as possible. That level of innovation and 
operational implementation can only be realized when policies are 
carefully aligned with market dynamics.
    I look forward to answering your questions.    
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Senator Fischer [presiding]. Thank you, Mr. Mayer.
    Next we have Mr. Michael Bergman, Vice President, 
Technology and Standards, Consumer Technology Association.
    Welcome, sir.

         STATEMENT OF MICHAEL BERGMAN, VICE PRESIDENT,

                   TECHNOLOGY AND STANDARDS,

                CONSUMER TECHNOLOGY ASSOCIATION

    Mr. Bergman. Thank you, Senator. Thank you, Chairman 
Sullivan, Ranking Member Markey, and members of the 
Subcommittee, for inviting me to testify today on strengthening 
the security of the Internet of Things. My name is Mike 
Bergman, and I serve as Vice President of Technology and 
Standards for the Consumer Technology Association.
    CTA represents more than 2,200 member companies who 
comprise the $398 billion U.S. consumer technology industry. We 
also own and produce CES, the world's gathering place for all 
who thrive on the business of consumer technologies. CTA also 
has a long history as a technical standards body. Our 
Technology and Standards Program is accredited by ANSI and 
includes more than 70 committees and over 1,000 participants.
    In my role at CTA, I am deeply engaged in collaborative 
efforts with government and industry to advance IoT security. 
These efforts with the government include NTIA's work on 
vulnerability management and softer transparency, NIST's work 
to develop IoT baseline security capabilities, and other 
aspects of the Commerce Department's and DHS's joint Roadmap 
Toward Resilience Against Botnets.
    The proliferation of smart sensors and devices in our homes 
and cities, commonly referred to as the Internet of Things, 
will drive tremendous consumer and public benefits over the 
coming years. It also presents new challenges, including with 
regard to cybersecurity.
    CTA has seen the cybersecurity landscape change over the 
last few years. A critical development is that powerful market 
incentives are emerging. Retailers are increasingly concerned 
about protecting their customer. They know consumers want to 
feel comfortable buying IoT product, and they want a clear and 
uniform way to have the resulting cybersecurity discussion with 
their suppliers.
    In response, CTA has developed a number of consensus-based 
standards and tools which help manufacturers build more secure 
devices. Our tools allow manufacturers to assess their internal 
processes for building security into their products, and they 
help professionals ensure the devices are installed with the 
appropriate security-conscious settings.
    CTA has also formed important partnerships to address IoT 
security. In May 2018, we announced that we were working with 
the Council to Secure the Digital Economy to develop an Anti-
Botnet Guide. We released this guide in November of last year. 
The Guide offers companies across the digital ecosystem a set 
of baseline tools, practices, and processes that they can adopt 
to protect against the threat of botnets and other automated 
distributed attacks that use IoT devices.
    Last month, through the CSDE, CTA also convened 18 major 
cybersecurity and technology organizations, industry 
associations, and standards bodies in a process we call 
``Convene the Conveners,'' or C2, for short. C2 is an 
unprecedented industry effort to identify consensus baseline 
security capabilities for the rapidly growing IoT marketplace. 
It aims to address four challenges:
    First, promoting global harmonization of security 
specifications and requirements in the IoT marketplace to 
prevent fragmentation.
    Second, harnessing market forces that are increasingly 
demanding secure devices and systems.
    Third, developing a coherent common language on these 
issues that is useful to various policy, technical, and retail 
audiences.
    And finally, influencing policy development here and 
abroad.
    Through this effort and other avenues, we and many of our 
member companies are collaborating closely with leaders at 
NIST, NTIA, DHS, and other government agencies.
    CTA believes the U.S. Government should continue to play 
its important and sometimes indispensable role in facilitating 
activities among different ecosystem stakeholders. NIST's work 
related to cybersecurity is an example of the productive role 
government can play in these efforts.
    We commend the Senate Commerce Committee for its 
foundational role in promoting the NIST cybersecurity framework 
and supporting the framework's development, including through 
the Cybersecurity Enhancement Act of 2014.
    CTA believes the Committee should continue to support this 
approach for IoT security. Solutions must be built upon three 
pillars:
    First, technical consensus on IoT security across the 
global ecosystem.
    Second, voluntary standards and best practices.
    And finally, standards that scale.
    Market-driven security solutions promoted by government 
leaders and agencies can best address the global IoT security 
challenge at scale, and it is critical for U.S. industry and 
the U.S. Government to speak with one voice. We hope the 
Committee will continue supporting the groundbreaking efforts 
underway at NIST, NTIA, DHS, and across the industry. These 
efforts are providing formal processes and structures to lead 
the global IoT to a secure future.
    Thank you. And I'm happy to answer any questions you may 
have.
    [The prepared statement of Mr. Bergman follows:]

  Prepared Statement of Mike Bergman, Vice President, Technology and 
               Standards, Consumer Technology Association
I. Introduction
    Thank you Chairman Sullivan, Ranking Member Markey and members of 
the Subcommittee for inviting me to testify today on strengthening the 
security of the Internet of Things (IoT). I am Mike Bergman, Vice 
President of Technology and Standards, of the Consumer Technology 
Association (CTA)TM.\1\
---------------------------------------------------------------------------
    \1\ Consumer Technology Association (CTA) TM is the 
trade association representing the $398 billion U.S. consumer 
technology industry, which supports more than 18 million U.S. jobs. 
More than 2,200 companies--80 percent are small businesses and 
startups; others are among the world's best-known brands--enjoy the 
benefits of CTA membership including policy advocacy, market research, 
technical education, industry promotion, standards development and the 
fostering of business and strategic relationships. CTA also owns and 
produces CES, the world's gathering place for all who thrive on the 
business of consumer technologies. Profits from CES are reinvested into 
CTA's industry services.
---------------------------------------------------------------------------
    CTA represents more than 2,200 member companies--80 percent are 
small businesses and startups; others are among the world's best-known 
brands--who comprise the $398 billion U.S. consumer technology 
industry. We also own and produce CES, the world's gathering place for 
all who thrive on the business of consumer technologies. CTA welcomes 
the opportunity to provide input to the Subcommittee as it considers 
ways to strengthen IoT security. CTA stands for innovators, including 
many companies from large household names to entrepreneurial startups, 
whose products and services largely comprise the IoT.
    Though CTA is the principal trade association representing the 
interests of the consumer technology industry, CTA also has a long 
history as a technical standards body going back to the 1920s. Our 
Technology and Standards program is accredited by ANSI, the American 
National Standards Institute, and includes more than 70 committees and 
over 1,000 participants. As Vice President of Technology and Standards 
at CTA, my work is focused on this program. On a day-to-day basis, I 
work with technical leaders throughout the industry on technology 
standards issues. I also serve as a resource providing technical 
insights both within the association and for regulators and government 
leaders. Before joining CTA, I worked for over thirty years in a 
variety of product development and standards-setting roles across the 
consumer and computer technology industries.
    In my role at CTA, as I will discuss in greater depth, I am deeply 
engaged in collaborative efforts among the technology industry and with 
the government to advance IoT security. These include ecosystem-wide 
industry initiatives, the National Institute of Standards and 
Technology's (NIST's) efforts to develop IoT core baseline security 
capabilities \2\ and, more generally, advancing the Department of 
Commerce (DOC) and Department of Homeland Security's (DHS) ``Road Map 
Toward Resilience Against Botnets'' (DOC-DHS Road Map).\3\
---------------------------------------------------------------------------
    \2\ See NIST, Draft Considerations for a Core IoT Cybersecurity 
Capabilities Baseline (Feb. 2019), https://www.nist.gov/sites/default/
files/documents/2019/02/01/final_core_iot_cybersec
urity_capabilities_baseline_considerations.pdf.
    \3\ A Road Map Toward Resilience Against Botnets (Nov. 29, 2018), 
available at https://www.ntia.doc.gov/blog/2018/road-map-building-more-
resilient-internet.
---------------------------------------------------------------------------
II. Industry, in Close Coordination with Government Leaders, is 
        Proactively Addressing IoT Cybersecurity Challenges
    In recent years, the consumer technology ecosystem has grown ever 
more dynamic and complex. Consumers are increasingly incorporating 
technology in more aspects of their lives, and this consumer demand for 
anytime/anywhere connectivity will continue to drive the development of 
new innovation. The resulting proliferation of smart sensors and 
devices in our homes and cities (commonly referred to as the ``Internet 
of Things'') will enable tremendous consumer and public benefits over 
the coming years. This innovation also presents new challenges, 
especially regarding cybersecurity.
    Industry has been working to address security for years. CTA has 
developed a number of consensus-based standards and tools, including 
helping manufacturers build more secure devices \4\ and assess their 
internal processes for building in security \5\ in addition to helping 
professionals install devices with more appropriate security-conscious 
settings.\6\
---------------------------------------------------------------------------
    \4\ See, e.g., ``Securing Connected Devices for Consumers in the 
Home--A Manufacturer's Guide'' (CTA-TR-12CEB33), https://
members.cta.tech/ctaPublicationDetails/?id=c12ebabe-84cd-e811-b96f-
0003ff52809d
    \5\ BSIMM Assessment Survey, https://www.surveygizmo.com/s3/
2849582/BSIMM6.
    \6\ Connected Home Security System, https://www.cta.tech/
Membership/Member-Groups/Tech
Home-Division/Device-Security-Checklist.aspx
---------------------------------------------------------------------------
    Building on the foundation we developed at CTA, we are working 
intensely with partners across the industry to secure the dynamic IoT 
ecosystem. In May 2018, we announced that we were working with the 
Council to Secure the Digital Economy (CSDE) to develop the 
International Anti-Botnet Guide (Guide). CSDE and CTA's members cover 
the entirety of the complex global Internet and communications 
ecosystem. We released the Guide in November 2018.\7\ The Guide is a 
playbook that offers companies across the digital ecosystem a set of 
baseline tools, practices and processes they can adopt to help protect 
against the threat of botnets and other automated distributed attacks. 
The guide provides a flexible approach for IoT devices of varying 
processing capabilities and data types, providing companies with a 
range of options to appropriately address security risks. We committed 
to promoting implementation of the Guide's recommendations and updating 
it each year, and we are currently working on updates.
---------------------------------------------------------------------------
    \7\ CSDE, International Anti-Botnet Guide 2018, available at 
https://securingdigitalecono
my.org/wp-content/uploads/2018/11/CSDE-Anti-Botnet-Report-final.pdf.
---------------------------------------------------------------------------
    Last month, through the CSDE, we convened 18 major cybersecurity 
and technology organizations, industry associations, consortia and 
standards bodies--all groups that convene their own memberships 
(``Convene the Conveners,'' or C2). This unprecedented industry effort 
to identify baseline security capabilities for the rapidly growing IoT 
marketplace aims to address four challenges:

  1.  Promoting global harmonization vs. fragmentation of security 
        specifications/requirements.

  2.  Working with emerging global market forces that naturally favor 
        secure devices and systems.

  3.  Developing a coherent common language on these issues that is 
        compelling to various policy and technical audiences.

  4.  Influencing policy development in Europe, the U.S. (including at 
        the state level) and elsewhere.

    Through this effort and other avenues, we and many of our member 
companies are collaborating closely with leaders at the National 
Telecommunications and Information Administration (NTIA), NIST, DHS and 
other government agencies.\8\ We believe these agencies play important 
roles in developing trust in emerging technologies, such as the IoT. In 
this regard, we commend the Senate Commerce Committee for its essential 
role in promoting the NIST Cybersecurity Framework (Cybersecurity 
Framework) \9\ and supporting the Framework's development, including 
the support of the Cybersecurity Enhancement Act of 2014.\10\ CTA and 
its members strongly support the collaborative processes through which 
NIST has worked with the industry to develop and update the 
Cybersecurity Framework, as well as the NIST-convened, industry-
supported efforts set forth in the DOC-DHS Road Map.
---------------------------------------------------------------------------
    \8\ For instance, CTA has engaged, and will continue to engage, 
NIST in its important efforts to develop IoT security baseline 
capabilities.
    \9\ See NIST, Cybersecurity Framework, https://www.nist.gov/
cyberframework.
    \10\ Cybersecurity Enhancement Act of 2014, Pub. L. No. 113-274, 
128 Stat. 2971 (2014).
---------------------------------------------------------------------------
III. Market Forces Are Combining With Public-Private Cooperation for 
        Major Gains
    Companies in the retail sector are increasingly concerned about 
protecting their customers. They want customers to feel comfortable 
when they buy products, and they want the market for IoT devices to be 
something where consumers can engage freely. These companies are 
working internally and with CTA to develop ways to promote security 
among their manufacturing suppliers.
    Retailers suggest that retailer-manufacturer conversations--
discussions that ultimately result in supplier agreements--should be 
based in accepted industry standards. The largest retailers are looking 
to industry and government for guidance on standards and best 
practices. Retailers say they need a common, industry-accepted way to 
identify acceptable baseline security with their suppliers. NIST, as 
part of the DOC-DHS Road Map, is developing a list of core baseline 
security capabilities for IoT through a public multi-stakeholder 
process that will advance these market developments.\11\
---------------------------------------------------------------------------
    \11\ See NIST, Draft Considerations for a Core IoT Cybersecurity 
Capabilities Baseline (Feb. 2019), https://www.nist.gov/sites/default/
files/documents/2019/02/01/final_core_iot_cybersec
urity_capabilities_baseline_considerations.pdf.
---------------------------------------------------------------------------
    In turn, our C2 effort with the CSDE is driving industry consensus 
for these security capabilities. Our effort will inform NIST and other 
U.S. Government efforts on IoT security and advance the broader market 
developments that are already underway.
IV. Government and Industry Speaking With One Voice on Consensus-Based 
        Standards Can Best Address Global IoT Cybersecurity Challenges
    CTA believes that the U.S. Government should continue to play its 
critical role in convening activities among different ecosystem 
stakeholders. NIST's work related to cybersecurity is illustrative of 
the productive role government can play in these efforts. The 
Cybersecurity Framework has been an incredibly successful and important 
public-private partnership, and NIST's guidance on IoT security 
baseline capabilities has the potential to have a similar impact. CTA 
believes the Committee should continue to support this approach.
    Ultimately, dynamic solutions driven by powerful market forces are 
the best answer to global, systemic challenges to IoT security. CSDE, 
C2 and other ongoing industry efforts demonstrate that industry is 
committed to these dynamic solutions based on the conviction that these 
solutions can work. Specifically, IoT security solutions must include 
and rely on:

   Ecosystem-wide consensus. We are seeking a baseline security 
        consensus that includes all major stakeholders globally, not 
        just a single industry sector, association, vertical or 
        national/regional jurisdiction. A key pillar of market-driven 
        IoT security is achieving technical consensus on security 
        specifications that, in turn, can be assessed and communicated 
        to buyers and other market participants.

   Voluntary standards and best practices. We are taking on 
        this challenge voluntarily for industry's own interests in a 
        global marketplace. In contrast, prescriptive compliance-based 
        regulations in various jurisdictions would handicap these 
        efforts.

   Standards that scale. We believe that security 
        specifications driven by powerful global market demands and 
        fueled by ever-improving security innovations of technical 
        experts are the best method to advance IoT security. Government 
        policies should be structured to promote this dynamic. In 
        contrast, regulatory requirements that would differ by 
        jurisdiction would inhibit security.

    It is critical to recognize IoT security is not a domestic problem 
in the U.S. that can be solved merely by domestic solutions. The 
October 2016 Mirai botnet attack on Dyn that took down many of the most 
popular websites on the U.S. and UK Internet was global: 89.1 percent 
of the enormous inbound attack traffic came from devices installed 
outside the U.S.\12\ In other words, enhancing the security of devices 
in the U.S. alone would not have prevented the Mirai attack or 
substantially mitigated its impact.
---------------------------------------------------------------------------
    \12\ See Internet Protocol (IP) address analysis by Imperva, 
Breaking Down Mirai: An IoT DDoS Botnet Analysis (Oct. 2016), https://
www.imperva.com/blog/malware-analysis-mirai-ddos-botnet/
---------------------------------------------------------------------------
    IoT security is not merely a U.S. interest. Other government bodies 
around the globe are seeking answers including the European Union 
Agency for Network and Information Security, the United Kingdom's 
Department for Digital, Culture, Media and Sport and Japan's Ministry 
of Economy, Trade and Industry. This international interest in IoT 
security also underscores the importance of a common approach.
    Market-driven security solutions, promoted by government leaders 
and agencies, can best address the global IoT security challenge at 
scale. With cooperation between CDSE, CTA, NIST, NTIA, industry, 
retailers and assessment bodies all moving in the same direction and 
with the same strategy, the message coming from the U.S. in 
international fora is clear, meaningful and impactful. We encourage the 
Committee to continue to champion this approach.
V. Conclusion
    In summary, industry is working with government to make significant 
and rapid progress in navigating the expeditious and effective possible 
path to national and global IoT security. This Subcommittee has and 
will continue to play an important role in building the foundation for 
this progress. We ask that the Subcommittee continue to support and 
promote the groundbreaking efforts underway at NIST, DHS, DOC and other 
agencies, as well as across the industry, that are providing formal 
processes and structures to lead the global IoT to a secure future.

    Senator Sullivan [presiding]. Thank you, Mr. Bergman.
    Mr. Geiger.

                  STATEMENT OF HARLEY GEIGER, 
               DIRECTOR OF PUBLIC POLICY, RAPID7

    Mr. Geiger. Thank you very much for holding this hearing on 
the important issue of IoT security, and for giving me the 
opportunity to testify on behalf of Rapid7.
    Rapid7 is a cybersecurity and data analytics company. We 
have a headcount of about 1,300 people and 7,800 customers 
worldwide, and we partner closely with security and IT firms to 
empower organizations to securely advance and to protect their 
users. We have four recommendations for the Committee:
    First, Congress should pass data security legislation. 
Security of personal information is fundamental to privacy and 
must be included in any privacy legislation. This is distinct 
from breach notification. Legislation that requires reasonable 
risk-based security for personal information will apply to IoT 
devices that collect and process that information. Because the 
requirement for reasonable security would be tied to a 
definition of personal information rather than a definition of 
IoT, it would cut across IoT deployments in various sectors and 
encompass the other technologies that integrate with an IoT 
device. Many IoT vulnerabilities implicate personal 
information, such as credentials, audiovisual recordings, and 
geolocation. And a Federal data security law would require 
better IoT security in sectors that are otherwise not covered 
by the jurisdiction of Federal agencies.
    Second, Congress should support enforceable agency actions 
on IoT security. Federal agencies have domain expertise and 
existing authority to require basic IoT security within their 
areas of jurisdiction, such as the FDA for medical devices, 
NHTSA for cars, CPSC for product safety, FAA for drones, and 
OMB for government procurement. Many agencies, but not all, 
have begun the work of clearly describing their expectations 
for IoT security. Congress should support these efforts and 
exercise its oversight role to ensure that these efforts are 
effective. This should include security-by-design principles 
and industry standards, and not rely solely on voluntary 
guidance. For the most part, basic IoT security precautions are 
already widely recognized. The problem is lack of adoption.
    Third, Congress should facilitate programs to help 
consumers identify secure IoT devices. Consumers purchasing IoT 
devices often have little insight into whether that device is 
secure. Rapid7 recommends that Congress support voluntary 
consumer awareness programs, such as certifications, seals, or 
labels, like ENERGY STAR or the nutrition label, to let 
consumers know whether an IoT device has critical security 
features. Providing consumers with clear information about 
security features in IoT devices will foster market competition 
based on security, build trust in the security of IoT products, 
and help consumers fulfill their role in maintaining security.
    Fourth, and last, Congress should avoid new regulations 
that chill beneficial security research. Any new regulations 
related to IoT should not impose blanket access or use 
restrictions that hinder independent research and repair. Time 
and again, good-faith researchers or white-hat hackers have 
discovered and reported IoT vulnerabilities, often in 
coordination with IoT manufacturers, and these prompt patches 
and other mitigations that ultimately protect consumers. 
Independent researchers will be critical to match the growing 
need for security as IoT devices are more widely deployed.
    Members of the Committee, IoT security, if we're going to 
do it right, will require a societal response. There are many, 
many different types of IoT and IoTs integrated with an 
ecosystem of other technologies. The specific security needs 
for these different IoT deployments and different technologies 
will vary, so there is no single solution, but there are 
important roles for government, for manufacturers and 
operators, as well as for consumers, to play. The Federal 
Government need not accept the premise that its only role on 
IoT security is that of a convener. We can, and we should, 
expect basic protections for IoT devices and for personal 
information. The technical and the policy barriers are not 
insurmountable.
    These digital devices are coming online at an unprecedented 
rate, and failure to integrate reasonable security now will 
result in a wave of cybersecurity risk that will linger in 
enterprises, households, and infrastructure for some time to 
come. Unsecure IoT devices will be like the new asbestos. We 
will build them into our environments, only to have to rip them 
back out, years later, and wonder why our predecessors did not 
have the forethought to ensure basic security from the start.
    Thank you. And I look forward to your questions.
    [The prepared statement of Mr. Geiger follows:]

 Prepared Statement of Harley Geiger, Director of Public Policy, Rapid7
    Chairman Sullivan, Ranking Member Markey, and Members of the 
Subcommittee: Thank you for inviting me to provide testimony on this 
important issue on behalf of Rapid7. Rapid7 is a cybersecurity and data 
analytics firm headquartered in Boston, MA, with offices around the 
world. Rapid7's solutions manage cybersecurity risk and simplify the 
complex, allowing security teams to work more effectively with IT and 
development to reduce vulnerabilities, monitor for malicious behavior, 
investigate and shut down attacks, and automate routine tasks. Over 
7,800 customers worldwide rely on Rapid7 technology, services, and 
research to improve cybersecurity outcomes, protect consumers, and 
securely advance their organizations.
Introduction
    The Internet of Things (IoT) has great potential for technological 
innovation, economic growth, and enhanced quality of life. To reap 
these benefits while safeguarding consumers, businesses, and 
infrastructure, comprehensive cybersecurity protections will be needed. 
Many of the technical and policy issues related to IoT are not unique 
to this field. However, the diversity and quantity of IoT devices apply 
familiar cybersecurity problems to new business sectors at a larger 
scale.
    Broad deployment of IoT will grow the risk of breach of personal 
information and create a much larger attack surface for malicious 
actors. Security vulnerabilities that once affected laptops and 
smartphones can now affect refrigerators, implantable medical devices, 
automobiles, and more. High-profile examples of this concern include 
IoT devices infected by malware and leveraged to launch powerful 
attacks that disrupted Internet service in large swathes of the US.\1\ 
Digital devices are coming online at an unprecedented rate, and a 
failure to integrate reasonable security standards now will create a 
wave of cybersecurity exposure that will linger in enterprises, 
households, and infrastructure for some time.\2\
---------------------------------------------------------------------------
    \1\ Nicole Perlroth, Hackers Used New Weapons to Disrupt Major 
Websites Across U.S., New York Times, Oct. 21, 2016, https://
www.nytimes.com/2016/10/22/business/internet-problems-attack.html.
    \2\ Gartner estimates 25 billion connected devices will be in use 
by 2021. Gartner Identifies Top 10 Strategic IoT Technologies and 
Trends, Gartner, Nov. 7, 2018, https://www.gartner.com/en/newsroom/
press-releases/2018-11-07-gartner-identifies-top-10-strategic-iot-
technologies-and-trends.
---------------------------------------------------------------------------
    There is growing recognition that purely voluntary risk management 
of IoT by the private sector is not adequately effective, and that 
government needs to facilitate or mandate adoption of basic security. 
An endless push for more voluntary guidance or frameworks delays 
meaningful security requirements and enforcement. Policymakers have 
recognized the issue and are starting to take action--at the Federal 
and state level, in the Executive and Legislative Branches, as well as 
internationally. However, the drive for governments to take a more 
active role must also be balanced against the risk of a fragmented or 
overly prescriptive regulatory landscape. The sheer complexity of laws 
can itself be a barrier to security.
    Nonetheless, the Federal Government need not--and should not--
accept the premise that its only role in IoT security is that of a 
convener. Nor would innovation be irreparably stifled by advancing 
security or transparency baselines for devices that collect intimate 
details about consumers and whose collective computing power can form a 
weapon that threatens critical infrastructure.
    Rapid7 has four recommendations for Congress:

  1)  Require reasonable security of personal information. Security of 
        personal information is fundamental to privacy and should be 
        included in any privacy legislation. Legislation that requires 
        risk-based security requirements for personal information will 
        apply to IoT devices collecting and processing that 
        information. This will strengthen some aspects of IoT security 
        in sectors that are otherwise not covered by the jurisdiction 
        of Federal agencies.

  2)  Support coordinated but enforceable agency actions on IoT 
        security based on industry standards. Federal agencies should 
        be empowered to require reasonable security for IoT, including 
        security-by-design principles, within their areas of 
        jurisdiction. To the extent possible, agency requirements 
        should be harmonized by following a consistent baseline 
        supported by industry standards. Voluntary guidance should not 
        replace formal accountability and enforcement mechanisms when 
        baseline security is not met. Congress should exercise its 
        oversight role to ensure agency efforts are effective in 
        strengthening IoT security.

  3)  Facilitate voluntary transparency programs for consumer IoT 
        security. Congress should support voluntary consumer awareness 
        programs to enhance the transparency of critical security 
        features of consumer IoT devices, such as certifications, 
        seals, or labels. Providing consumers with clear information 
        about critical security features in IoT devices will foster 
        market competition based on security, promote innovation in 
        security, and build trust in the security of IoT products.

  4)  Avoid new regulations that chill beneficial security research. 
        Any new regulations related to IoT should not undermine 
        cybersecurity by imposing blanket access and use restrictions 
        that hinder independent research and repair. Independent 
        security researchers, acting in good faith, that identify and 
        disclose vulnerabilities in coordination with IoT manufacturers 
        can advance security by boosting the likelihood of remediating 
        otherwise unaddressed vulnerabilities.
I. IoT Security Challenges
1. ``The Internet of Things'' encompasses many technologies
    The great variety of IoT devices is a key consideration for 
policymaking around security. IoT systems can vary considerably from 
one another, particularly consumer versus industrial applications, and 
so can their security needs. Because of this, there is no one-size-
fits-all solution to IoT security, though some basic security features 
that are based on outcomes and existing standards can apply to many 
devices.
    An ``Internet of Things'' device generally refers to a physical 
object that contains a CPU and memory, runs software, communicates with 
other devices electronically, and typically uses sensors to collect 
data about its status or environment. This concept encompasses a huge 
range of computers--large and expensive objects such as vehicles and 
industrial robots, as well as small and inexpensive objects such as 
light bulbs and baby monitors. The security risks, and the potential 
consequences of security failures, vary across so many different 
deployments.
    It is also critical to recognize that IoT devices typically do not 
stand alone. Instead, IoT devices are often part of a broader ecosystem 
with several components: distributed sensors gathering data for the 
device, the network transmitting data, cloud storage of data gathered 
by the device, a mobile app for external management and control, 
companion devices, etc. These components can have their own security 
issues that implicate the rest of the ecosystem--for example, device 
security features will not necessarily prevent attacks on a weak mobile 
app or sensitive data from leaking from improperly configured cloud 
storage.\3\ In isolation, security features on the device itself will 
have limited effectiveness.
---------------------------------------------------------------------------
    \3\ Tod Beardsley, R7-2018-52: Guardzilla IoT Video Camera Hard-
Coded Credential (CVE-2018-5560), Rapid7, Dec. 27, 2018, https://
blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-
coded-credential-cve-2018-5560.
---------------------------------------------------------------------------
2. Common vulnerabilities and exposures
    Because IoT devices do not normally look or behave like traditional 
computers, they are often marketed and treated as if they are single-
purpose devices, rather than the general-purpose computers they 
actually are. In addition, IoT brings connectivity to more business 
sectors that previously did not provide networked products and have 
less experience with managing cybersecurity risks. As a result, basic 
precautions to thwart casual attackers that manufacturers might take 
with traditional computers can fail to make it into production of IoT 
devices.
    The items below describe some common vulnerabilities and exposures 
for IoT devices we have encountered. Not all IoT devices suffer from 
all of these issues, but in our experience, it is common to find 
consumer-grade IoT devices that exhibit at least one serious failing.

  a)  Lack of security for stored data: IoT devices and related 
        services often fail to store data in industry-standard, 
        encrypted formats--both if data is captured on the device or 
        held in the cloud.\4\ Failure to protect stored data with 
        cryptography risks breach of the data. This feature is 
        particularly important if the stored data is sensitive or 
        personal to the user.
---------------------------------------------------------------------------
    \4\ Daniel Oberhaus, This Hacker Showed How a Smart Lightbulb Could 
Leak Your Wi-Fi Password, Jan. 31, 2019, https://motherboard.vice.com/
en_us/article/kzdwp9/this-hacker-showed-how-a-smart-lightbulb-could-
leak-your-wi-fi-password.

  b)  Lack of security for data in transit: IoT devices often fail to 
        use modern cryptographic standards or fail to authenticate 
        properly, risking exposure of user data in transport over both 
        the public Internet and local area networks.\5\ This puts the 
        device at greater risk of many active and passive network 
        attacks, which could otherwise be defeated with widely used 
        communication encryption protocols like Transport Layer 
        Security (which, among other things, underpins HTTPS).
---------------------------------------------------------------------------
    \5\ Iain Thomson, Wi-Fi baby heart monitor may have the worst IoT 
security of 2016, The Register, Oct. 13, 2016, https://
www.theregister.co.uk/2016/10/13/possibly_worst_iot_security
_failure_yet.

  c)  Weak credentials: IoT manufacturers occasionally include default 
        or service accounts, which are either difficult or impossible 
        to disable under normal usage. These accounts often use default 
        or easily guessable passwords, and tend to share the same 
        password, key, or token across many devices.\6\ Weak 
        credentials raise the risk that the device can be accessed and 
        controlled by unauthorized users.\7\
---------------------------------------------------------------------------
    \6\ ``Based on field experience, passwords for approximately 15 out 
of 100 devices have never been changed from their default values. And 
just the five most popular user name/password pairs are enough to get 
admin access to 1 out of every 10 devices.'' Positive Technologies, 
Practical ways to misuse a router, Jun. 16, 2017, http://
blog.ptsecurity.com/2017/06/practical-ways-to-misuse-router.html.
    \7\ Dan Goodin, Leak of >1,700 valid passwords could make the IoT 
mess much worse, Ars Technica, Aug. 25, 2017, https://arstechnica.com/
information-technology/2017/08/leak-of-1700-valid-passwords-could-make-
the-iot-mes s-much-worse.

  d)  Mobile application access: Many IoT devices include a mobile app 
        for external management and control. Improperly secured mobile 
        applications can be exploited to provide unauthorized users 
        with control of the device.\8\ Some mobile applications are 
        also granted more access rights to a device than what is needed 
        for the application to function properly.\9\
---------------------------------------------------------------------------
    \8\ Andy Greenberg, This Gadget Hacks GM Cars To Locate, Unlock, 
And Start Them, Jul. 30, 2015, https://www.wired.com/2015/07/gadget-
hacks-gm-cars-locate-unlock-start.
    \9\ Dan Goodin, Samsung Smart Home flaws let hackers make keys to 
front door, Ars Technica, May 2, 2016, https://arstechnica.com/
information-technology/2016/05/samsung-smart-home-flaws-lets-hackers-
make-keys-to-front-door.

  e)  Lack of segmentation: When different components of a device share 
        the same memory or circuitry, a flaw in one component can lead 
        to exploitation of another component. For example, an attack on 
        the infotainment system of a vehicle can lead to access of the 
        critical driving functions, such as acceleration or 
        braking.\10\ Non-critical controls should be physically and 
        logically separated from systems implicating safety.
---------------------------------------------------------------------------
    \10\ Andy Greenberg, Hackers Remotely Kill A Jeep On The Highway--
With Me In It, Wired, Jul. 21, 2015, https://www.wired.com/2015/07/
hackers-remotely-kill-jeep-highway.

  f)  UART access: Universal Asynchronous Receiver/Transmitter (UART) 
        interfaces often enable a physically close attacker to access 
        and alter IoT devices in ways that bypass the normal 
        authentication mechanisms via a serial cable connection.\11\ In 
        addition, UART interfaces tend to grant root access, far 
        exceeding the permissions of regular users, which can enable 
        persistent attacks on devices.
---------------------------------------------------------------------------
    \11\ Mark Stanislav and Tod Beardsley, Hacking IoT: A Case Study on 
Baby Monitor Exposures and Vulnerabilities, Rapid7, Sep. 2015, https://
www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-
and-Vulnerabilities.pdf.

  g)  Insufficient update practices: IoT devices, unlike most 
        traditional computers, can lack an effective update and upgrade 
        path once the devices leave the manufacturer's warehouse. In 
        some cases, the manufacturer may no longer provide security 
        support (such as patches) after a device outlives its 
        designated shelf life.\12\ Without a patching capability, it is 
        difficult to correct devices' known security flaws at a large 
        scale, leaving the devices vulnerable to repeated attacks even 
        when a fix is available.\13\ This issue is more prevalent in 
        inexpensive consumer devices that use commodity components, 
        rather than more sophisticated systems.
---------------------------------------------------------------------------
    \12\ See, e.g., Letter from Mary Engle to Richard J. Lutton, Jr. 
re: Nest Labs, Inc., FTC File No. 162-3119, Jul. 7, 2016, https://
www.ftc.gov/system/files/documents/closing_letters/nid/
160707nestrevolvletter.pdf. See also Jessica Rich, What happens when 
the sun sets on a smart product?, Fed. Trade Commission, Jul. 13, 2016, 
https://www.ftc.gov/news-events/blogs/business-blog/2016/07/what-
happens-when-sun-sets-smart-product.
    \13\ Troy Hunt, Data from connected CloudPets teddy bears leaked 
and ransomed, exposing kids' voice messages, Feb. 28, 2017, https://
www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-
ransomed-exposing-kids-voice-messages.

    We do not believe the technical challenges to providing basic 
security for the majority of IoT devices and associated technologies 
are insurmountable at present. We are optimistic that reasonably secure 
IoT deployments will become more common in the future, but we believe 
it is essential that IoT manufacturers be incentivized to incorporate 
widely acknowledged security protections from the design phase forward.
II. Recommendations for Congress
1. Legislation to require reasonable security for personal information
    Rapid7 strongly supports a national framework requiring reasonable 
security for consumers' personal information.\14\ As Congress considers 
privacy legislation, it is critical that security of personal 
information be included, as security is fundamental to privacy.\15\ 
Many of the concerns and events driving the privacy debate, such as 
accidental data breach or malicious hacking, are a result of security 
failures, not failures of notice, choice, transparency, or 
discriminatory use of data.\16\ However, if Federal privacy legislation 
once again fails to move forward, we would urge a standalone 
legislative effort to advance risk-based security for personal 
information.
---------------------------------------------------------------------------
    \14\ Harley Geiger, Updating Data Security Laws--A Starting Point, 
Rapid7, May 4, 2018, https://blog.rapid7.com/2018/05/04/updating-data-
security-laws-a-starting-point.
    \15\ See e.g., background of Fair Information Practice Principles: 
Department of Homeland Security, Privacy Policy Guidance Memorandum, 
Dec. 29, 2008, https://www.dhs.gov/xlibrary/assets/privacy/
privacy_policyguide_2008-01.pdf.
    \16\ See, e.g., The Equifax Data Breach, U.S. House of 
Representatives, Committee on Oversight and Government Reform, Majority 
Staff Report, Dec. 2018, pg. 4, https://republicans-
oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf.
---------------------------------------------------------------------------
    Legislation establishing an affirmative security obligation for 
entities collecting and processing personal information would prompt 
some basic security improvements to IoT devices that collect and 
process such information. Numerous, though not all, IoT security 
vulnerabilities involve unauthorized exposure of data that is typically 
categorized as ``personal information'' in data security laws, such as 
audio and visual recordings, credentials (username and password 
providing access to an online account), and geolocation data. Because 
the requirement of reasonable security would be tied to personal 
information, rather than a definition of IoT, it would cut across IoT 
deployments in disparate sectors and encompass the other technologies 
(such as cloud storage) that integrate with the IoT device.\17\
---------------------------------------------------------------------------
    \17\ Federal Trade Commission Staff Report, Internet of Things--
Privacy & Security in a Connected World, pg. 49, https://www.ftc.gov/
system/files/documents/reports/federal-trade-commission-staff-report-
november-2013-workshop-entitled-internet-things-privacy/
150127iotrpt.pdf.
---------------------------------------------------------------------------
    There is a great deal of precedent available for reasonable 
security requirements. Half of U.S. states have a data security 
requirement for personal information held by the private sector,\18\ as 
does the European Union's (EU) General Data Protection Regulation.\19\ 
Similar requirements are well-established in sectoral privacy 
regulation, such as under COPPA,\20\ GLBA,\21\ and HIPAA.\22\ What is 
missing outside of those sectors is a nationwide affirmative obligation 
for reasonable security of personal information in the US. This would 
provide more consistent expectations for businesses and more consistent 
protection for consumers. However, if the patchwork of current data 
security laws is preempted, a Federal replacement should not establish 
substantially weaker protections than the status quo.\23\
---------------------------------------------------------------------------
    \18\ http://www.ncsl.org/research/telecommunications-and-
information-technology/data-security-laws.aspx
    \19\ Article 32. https://gdpr-info.eu/art-32-gdpr/
    \20\ Children's Online Privacy Protection Act, 16 CFR 312.8.
    \21\ Gramm-Leach-Bliley Act, 16 CFR 314.
    \22\ Health Insurance Portability and Accountability Act, 45 CFR 
164.306.
    \23\ In particular, we urge that a Federal baseline be risk-based, 
not be limited to protecting against economic or physical harm, avoid 
requiring real names to qualify as ``personal information,'' and 
incentivize use of encryption. Harley Geiger, Updating Data Security 
Laws--A Starting Point, Rapid7, May 4, 2018, https://blog.rapid7.com/
2018/05/04/updating-data-security-laws-a-starting-point.
---------------------------------------------------------------------------
    Breach notification requirements only apply after a breach has 
occurred. Data security safeguards are critical to preventing breaches 
before they occur by addressing the root cause of many breaches: 
inadequate security. Too often, breach notification requirements are 
relied on as a substitute for data security--since complying with 
breach notification requirements is expensive and difficult, 
organizations will be inspired to implement strong security safeguards 
to prevent breaches. Yet this approach is not adequate--as demonstrated 
by the continued march of severe data breaches caused by poor security, 
in spite of all enactment of breach notification laws in all 50 states. 
A requirement of reasonable security for personal information is 
distinct from breach notification, and should be considered separately.
    Privacy legislation that fails to integrate security will have 
negative consequences for consumers. Unfortunately, this is occurring 
in several states that are among the half without data security laws--
most notably the Washington Privacy Act,\24\ but also legislation in 
Illinois, Montana, New Jersey, North Dakota, and others.\25\ Some of 
these efforts copycat the California Consumer Privacy Protection Act, 
which did not include data security provisions--but California already 
has a data security law.\26\ This problem will be especially serious if 
a Federal privacy bill excludes security provisions but preempts state 
security laws.
---------------------------------------------------------------------------
    \24\ Washington Privacy Act, SB.5376, Feb. 18, 2019, http://
lawfilesext.leg.wa.gov/biennium/2019-20/Pdf/Bills/Senate 
percent20Bills/5376-S.pdf.
    \25\ Respectively: SB.1502 (IL), HB.457 (MT), S.2834 (NJ), HB.1485 
(ND).
    \26\ CA Civ. Code 1798.81.5(b)
---------------------------------------------------------------------------
2. Support coordinated but enforceable agency actions on IoT security 
        based on industry standards
    Recognizing the differences in IoT systems, we do not recommend 
Congress attempt prescriptive IoT-specific legislation at this time. 
Instead, regulatory efforts should be undertaken by agencies that 
already oversee those sectors and have deep knowledge of their 
practices. Ideally, regulatory bodies would work in a coordinated 
fashion to achieve consistency where possible. Congress should support 
agencies' efforts and exercise its oversight role to ensure their 
activities are effective in appropriately advancing reasonable IoT 
security.
    Several agencies have started the work of articulating how IoT 
security fits within their authorities. Examples include the Food and 
Drug Administration,\27\ the National Highway Transportation 
Administration,\28\ the Consumer Product Safety Commission,\29\ the 
Federal Energy Regulatory Commission,\30\ the Federal Trade 
Commission,\31\ and the Department of Defense.\32\ Many of these 
efforts are voluntary but provide insight into how agencies expect IoT 
manufacturers and operators to mitigate basic security risks.
---------------------------------------------------------------------------
    \27\ FDA, Content of Premarket Submissions for Management of 
Cybersecurity of Medical Devices, Draft Guidance, Oct. 18, 2018, 
https://www.fda.gov/downloads/MedicalDevices/Device
RegulationandGuidance/GuidanceDocuments/UCM623529.pdf. See also, Food 
and Drug Administration, Postmarket Management for Cybersecurity in 
Medical Devices, Dec. 28, 2016, https://www.fda.gov/downloads/
MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/
ucm482022.pdf.
    \28\ NHTSA, Cybersecurity Best Practices for Modern Vehicles, Oct. 
15, 2016, https://www.nhtsa.gov/staticfiles/nvs/pdf/
812333_CybersecurityForModernVehicles.pdf.
    \29\ CPSC, Statement of Commissioner Kaye, Regarding A Framework Of 
Safety For The Internet Of Things, Jan. 31, 2019, https://www.cpsc.gov/
s3fs-public/A_Framework_for_Safety
_Across_the_Internet_of_Things_1-31-2019_0.pdf.
    \30\ 18 CFR 40.
    \31\ Kristin Cohen and Peder Magee, FTC updates COPPA compliance 
plan for business, Federal Trade Commission, Jun. 21, 2017, https://
www.ftc.gov/news-events/blogs/business-blog/2017/06/ftc-updates-coppa-
compliance-plan-business. Federal Trade Commission, Careful 
Connections, Building Security in the Internet of Things, Jan. 2015, 
https://www.ftc.gov/system/files/documents/plain-language/pdf0199-
carefulconnections-buildingsecurityinternetofthings.pdf.
    \32\ DoD CIO, Policy Recommendations for the Internet of Things, 
U.S. Department of Defense, December 2016, pg. 6, https://www.hsdl.org/
?view&did=799676.
---------------------------------------------------------------------------
    Congress should encourage other agencies to provide explicit 
guidance and, where appropriate, enforceable rules regarding the 
security of internet-connected devices under their jurisdiction. For 
example, the Federal Aviation Administration's cybersecurity 
expectations for unmanned aircraft should be clear, as should the 
Office of Management and Budget's security standards for IoT devices 
procured by the Federal Government. If there is a gap in authority, or 
if existing standards are unacceptably weak, Congress should consider 
legislation to prompt agency action without being overly 
prescriptive.\33\
---------------------------------------------------------------------------
    \33\ For example, Rapid7 supports initiating clear standards for 
Federal Government procurement of IoT, which is the aim of S.734, the 
IoT Cybersecurity Improvement Act of 2019. Jen Ellis, The IoT 
Cybersecurity Improvement Act of 2019, Rapid7, Mar. 27, 2019, https://
blog.rapid7.com/2019/03/27/the-iot-cybersecurity-improvement-act-of-
2019.
---------------------------------------------------------------------------
    NIST's work on authoritative, voluntary standards is extremely 
useful. NIST has dozens of initiatives related to IoT security, with 
about a dozen more planned.\34\ NIST's ongoing work to define a ``Core 
Security Capability Baseline'' will help establish minimum security-by-
design practices that should apply to the vast majority of IoT 
devices.\35\ This can further inform expectations in consumer, federal, 
and industrial contexts. Rapid7's suggestions for these baseline 
capabilities have been the following:
---------------------------------------------------------------------------
    \34\ NIST, IoT Cybersecurity-Related Initiatives at NIST, Apr. 11, 
2018, https://www.nist.gov/itl/applied-cybersecurity/nist-initiatives-
iot.
    \35\ Dept. of Commerce, A Road Map Toward Resilience Against 
Botnets, Nov. 29, 2018, https://www.commerce.gov/sites/default/files/
2018-11/Botnet%20Road%20Map%20112918%20
for%20posting_0.pdf.

  1.  Asset identification: The IoT device can be identified on a 
---------------------------------------------------------------------------
        network.

  2.  Update capability: The IoT device's software and firmware can be 
        updated post-market via a secure process.

  3.  Secure sensitive information: The IoT device can use cryptography 
        to secure stored and transmitted personally identifiable 
        information, safety-critical information, credentials, or 
        otherwise sensitive data.

  4.  No shared credentials: The IoT device does not use a default 
        credential that is shared by many other IoT devices or is 
        widely known.\36\
---------------------------------------------------------------------------
    \36\ California passed this requirement into law Sep. 28, 2018. It 
goes into effect in 2020. California SB 327, Sec. 1, https://
leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201
720180SB327.

  5.  Vulnerability handling: The manufacturer should have an 
        administrative process for accepting unsolicited vulnerability 
---------------------------------------------------------------------------
        reports and acting on them.

    However, it is important to point out that the above baseline 
features are already incorporated into many IoT standards and best 
practices documents. Government agencies, trade groups, and standards 
bodies have released a host of guidance and best practices for 
mitigating IoT security risks.\37\ In fact, these are established best 
practices for traditional technologies, not just IoT.\38\ As a result, 
Congress should be skeptical of claims that it is necessary to wait for 
the development of additional standards or best practices in order to 
have an expectation that the vast majority of IoT devices meet these 
basic features.
---------------------------------------------------------------------------
    \37\ In addition to the guidance cited elsewhere in the testimony, 
see also: U.S. Department of Homeland Security, Strategic Principles 
for Securing the Internet of Things (IoT), Nov. 15, 2016, https://
www.dhs.gov/sites/default/files/publications/
Strategic_Principles_for_Securing_the_
Internet_of_Things-2016-1115-FINAL. . . .pdf. United Kingdom Department 
for Digital, Culture Media, & Sport, Code of Practice for Consumer IoT 
Security, Oct. 14, 2018, https://www.gov.uk/government/publications/
code-of-practice-for-consumer-iot-security. Microsoft, Security best 
practices for Internet of Things (IoT), Oct. 8, 2018, https://
docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-
practices. Online Trust Alliance, OTA IoT Trust Framework v2.5, May 22, 
2018, https://www.internetsociety.org/iot/trust-framework.
    \38\ See, e.g., Council to Secure the Digital Economy, 
International Anti-botnet guide, 2018, https://
securingdigitaleconomy.org/wp-content/uploads/2018/11/CSDE-Anti-Botnet-
Report-final.pdf.
---------------------------------------------------------------------------
3. Facilitate voluntary transparency programs for security of consumer 
        IoT
    Rapid7 recommends Congress support voluntary processes that enhance 
the transparency of critical security features of consumer IoT devices. 
Consumer awareness plays an important role in IoT security, and end 
users would ideally evaluate device security as a routine part of 
purchasing. Yet consumers often have little insight into the presence 
of security features in an IoT device prior to purchase, which hinders 
informed buying decisions. Providing consumers with clear information 
about critical security features in IoT devices will foster market 
competition based on security, promote innovation in security, and 
build trust in the security of IoT products.
    To help address this lack of transparency, numerous government and 
private-sector efforts aim to provide an IoT security certification or 
seal--similar to Energy Star, the recycling symbol, or nutrition 
labels. The National Telecommunications and Information Administration 
facilitated the successful completion of a transparency proposal 
focused on IoT security update capability and end-of-life.\39\ 
Recently, the Departments of Commerce and Homeland Security released 
their ``Botnet Roadmap,'' which includes planned projects related to 
labeling and assessment programs for both consumer and industrial 
IoT.\40\ The EU Cybersecurity Act will also establish voluntary 
certification schemes for IoT, as well as other ICT products and 
services. Per the EU Cybersecurity Act, the certification schemes must 
designate basic, substantial, or high levels of security, with 
reference to available standards.\41\ These schemes aim to strengthen 
the overall level of security in the EU and enable consumers to 
accurately gauge the relative security of certified products.\42\
---------------------------------------------------------------------------
    \39\ The document was produced as part of a consensus-based 
multistakeholder process. National Telecommunications and Information 
Administration, Communicating IoT Device Security Update Capability to 
Improve Transparency for Consumers, Jul. 18, 2017, https://www.ntia
.doc.gov/files/ntia/publications/
communicating_iot_security_update_capability_for_consumers
_-_jul_2017.pdf.
    \40\ Completion of this work is not expected until mid-2021. Dept. 
of Commerce, A Road Map Toward Resilience Against Botnets, Nov. 29, 
2018, pgs. 5-8, https://www.commerce.gov/sites/default/files/2018-11/
Botnet%20Road%20Map%20112918%20for%20posting_0.pdf.
    \41\ See Articles 46, 51-54. European Parliament, Cybersecurity 
Act, Adopted Text, Mar. 12, 2019, http://www.europarl.europa.eu/sides/
getDoc.do?pubRef=-//EP//NONSGML+TA+P8-TA-2019-0151+0+DOC+PDF+V0//EN.
    \42\ Id., Recitals 6-10.
---------------------------------------------------------------------------
    In addition to these important efforts, we are encouraged that 
Congress is also exploring market-based means to bring information 
about the security of IoT products to the attention of consumers.\43\ 
Senator Markey's Cyber Shield Act would require the Department of 
Commerce to convene public-and private-sector experts to establish 
security benchmarks for select connected products. The working group 
would be encouraged to incorporate existing standards rather than 
create new ones, and the benchmark would change over time to keep pace 
with evolving threats and expectations. The process, like that which 
produced the NIST Cybersecurity Framework, would be open for public 
review and comment. Manufacturers may voluntarily display ``Cyber 
Shield'' labels on IoT products that meet the security benchmarks (as 
certified by an accredited testing entity).\44\
---------------------------------------------------------------------------
    \43\ Harley Geiger, Legislation to Strengthen IoT Marketplace 
Transparency, Jun. 26, 2017, https://blog.rapid7.com/2017/06/26/
legislation-to-strengthen-iot-marketplace-transparency.
    \44\ Cyber Shield Act of 2017, S.2020, 115th Cong., Oct. 26, 2017.
---------------------------------------------------------------------------
    The approach is not without its challenges. To be effective, the 
security benchmarks must be clear and focused, and consumers should 
recognize the certification or seal does not promise complete security. 
The program would need buy-in from security experts and responsible 
manufacturers. Nonetheless, strengthening the IoT ecosystem will 
require a multi-pronged approach from policymakers, and Rapid7 believes 
initiatives like these can be very useful tools for empowering 
consumers.
4. Avoid chilling independent security research
    IoT security risks can prompt regulatory proposals to block access 
to device software unless authorized by the manufacturer or operator. 
Rapid7 believes this approach would be misguided. While safety and 
crime deterrence is certainly an important consideration for IoT, any 
new regulations related to IoT should not undermine cybersecurity by 
imposing blanket access and use restrictions that chill independent 
research and repair. Independent security researchers will be critical 
to match the greater need for security as IoT devices are more widely 
deployed. Time and again, good-faith researchers or ``white hat 
hackers'' have discovered and reported IoT security vulnerabilities, 
prompting patches and other mitigations that ultimately protect 
consumers.
    Several existing laws chill security research, which can hinder 
independent efforts to assess the security of IoT devices. The Computer 
Fraud and Abuse Act (CFAA), Section 1201 of the Digital Millennium 
Copyright Act (DMCA), and other laws contain broad prohibitions on 
access to computers and software.\45\ Although we recognize the 
beneficial role of these laws in deterring cybercrime, balancing 
greater flexibility for independent research and repair with law 
enforcement needs is increasingly important as IoT proliferates faster 
than the cybersecurity workforce.
---------------------------------------------------------------------------
    \45\ Deirdre Mulligan, Nick Doty, and Jim Dempsey, Cybersecurity 
Research: Addressing the Legal Barriers and Disincentives, Berkeley 
Center for Law and Technology, Sep. 28, 2015, http://ondoc.logand.com/
d/5689/pdf.
---------------------------------------------------------------------------
    As compared to several years ago, policymakers more frequently 
recognize the value of independent security research. For example, in 
2018, the U.S. Copyright Office renewed a temporary exemption to Sec. 
1201 of the DMCA for security research,\46\ and expressed support for 
making the security research protections permanent.\47\ The Department 
of Justice strongly urged renewal and expansion of the DMCA protections 
for researchers.\48\ Another example: In 2016, the state of Washington 
included helpful protections for white hat security researchers in the 
state's cybercrime laws.\49\
---------------------------------------------------------------------------
    \46\ Harley Geiger, Expanded Protections for Security Researchers 
Under DMCA Sec. 1201, Rapid7, Nov. 1, 2018, https://blog.rapid7.com/
2018/11/01/expanded-protections-for-security-researchers-under-dmca-
sec-1201.
    \47\ U.S. Copyright Office, Section 1201 of Title 17, Report of the 
Register of Copyrights, Jun. 2017, pgs. 74-76, https://
www.copyright.gov/policy/1201/section-1201-full-report.pdf.
    \48\ U.S. Dept. of Justice, Letter from John Lynch (CCIPS) to Regan 
Smith (USCO), Jun. 28, 2018, https://www.copyright.gov/1201/2018/USCO-
letters/USDOJ_Letter_to_USCO.pdf.
    \49\ Revised Code of Washington 9A.90.030(10)-(11).
---------------------------------------------------------------------------
    Other Federal and state legislative proposals related to IoT would 
have imposed broad and redundant restrictions on access to connected 
devices. For example, in 2015, a House Energy and Commerce Subcommittee 
released draft legislation that would have levied heavy fines on anyone 
accessing car software without manufacturer authorization for any 
reason--regardless of whether the accessor had purchased the car, or if 
the car was accessed for cybersecurity research purposes.\50\ The 
following year, a similar bill restricting access to vehicle software 
was introduced in the Michigan Senate.\51\ Proposals such as these are 
not just overbroad, but also largely redundant of existing laws 
prohibiting unauthorized access and use of computers.\52\
---------------------------------------------------------------------------
    \50\ Harley Geiger, Draft Car Safety Bill Goes In The Wrong 
Direction, Center for Democracy & Technology, Oct. 20, 2015, https://
cdt.org/blog/draft-car-safety-bill-goes-in-the-wrong-direction.
    \51\ Joint letter to Michigan Senator Mike Kowall ``Re: Car Hacking 
Legislation--S.B. 0927 (2016),'' May 16, 2016, https://www.rapid7.com/
globalassets/_pdfs/policy/letter-re-sb-0927-
from-cybersecurity-researchers-051616.pdf.
    \52\ Id.
---------------------------------------------------------------------------
    Such restrictive proposals would hinder legitimate security 
researchers and repair services that can assess and fix the devices' 
cybersecurity vulnerabilities. Security researchers identify errors and 
vulnerabilities in software, digital devices, and networks, and 
disclose them to prevent their exploitation by criminals. This research 
strengthens cybersecurity because the researchers call attention to 
vulnerabilities that manufacturers may have missed or ignored, which 
encourages manufacturers or other parties to make the appropriate fixes 
or mitigations to keep people safe. As the growth of IoT devices 
creates a larger attack surface for malicious actors, it will be 
crucial to foster an environment where good-faith disclosure of 
security issues in devices or systems is taken seriously and openly, 
rather than with threats or avoidance.\53\
---------------------------------------------------------------------------
    \53\ Cybersecurity Coalition, Policy Priorities for Coordinated 
Vulnerability Disclosure and Handling, Feb. 25, 2019, https://
www.cybersecuritycoalition.org/policy-priorities.
---------------------------------------------------------------------------
    We thank the Committee for holding this hearing and for providing 
us the opportunity to share our views.

    Senator Sullivan. Great.
    Well, thank you, to all the witnesses. Very informative 
testimony.
    Let me begin by talking--when you mention--I'm going to 
open this up for everybody--you know, Mr. Geiger, you just 
talked about government policy. One element that--it's actually 
as much a national security issue, but a number of us on this 
committee actually sit on the Armed Services Committee. Two 
years ago, there was a hearing on this topic, cybersecurity, 
and it became very apparent that the consensus was that the 
United States, when attacked by a state actor--say, Russia, 
China, North Korea, Iran--we had a very, very low level of 
responding, almost zero deterrence. There was a exchange that 
we had--I actually had with the former Chairman Clapper of 
the--Director of National Intelligence. And I asked him 
specifically, in an open hearing, if the United States 
retaliated against China after China hacked into the Office of 
Personnel Management and stole over 22 million SF-86 forms, our 
top-secret national security forms of national security 
intelligence people, including CIA operatives. He said no. He 
said no. So, there was a broadbased consensus coming out of 
that hearing, even among the witnesses--this is the end of the 
Obama administration--that we were viewed kind of as the 
world's cyber punching bag, meaning we got hit and almost 
never--never hit back, and certainly weren't establishing a 
policy of deterrence, meaning, ``If you come after us, we will 
hit you back twice as hard.'' A state actor. Russia, China, 
North Korea. Where do you think we are on that? Where do you 
think the United States is viewed on that? Do you think state 
actors who do cybersecurity--or cyberattacks on the United 
States, whether it's companies or government agencies, worry 
about the costs that could be incurred by a very substantial, 
harmful American retaliation, whether it's overt or covert?
    I'll just open that up to everybody. Because that 
perception, I think, is a very important element to this whole 
problem.
    Go ahead. Mr. Eggers.
    Mr. Eggers. Given that I often convene events and am 
looking for people to respond to questions, I will help jump 
in, here.
    So, if I left the Committee and the folks watching this 
hearing with one thing, it's that the Chamber is trying to 
address, collectively, a challenge that we know we have. And we 
have had some good experiences with working with NIST and other 
parts of government to deal with IoT threats. And we're trying 
to take a problem off the table.
    Senator Sullivan. You don't think it's in the United States 
interest to retaliate, either overtly or covertly, against 
the----
    Mr. Eggers. So, on the----
    Senator Sullivan.--state actor who hacks----
    Mr. Eggers.--on the----
    Senator Sullivan.--into, say, your OPM system, and steals--
--
    Mr. Eggers. On the deterrence piece, the Chamber's been 
very vocal on the need for deterrence and pushback.
    Senator Sullivan. And do you think we are viewed as a 
country that will up the costs of somebody--a state actor--that 
conducts cyberattacks against us?
    Mr. Eggers. I think--and I'll finish one quick point--is, I 
think one of the things that needs to complement the IoT cyber 
baseline is to push back against bad actors who would hack IoT 
devices and then try to get in the networks. The private 
sector, we're going to be doing the defense work. We can't do 
it alone.
    Senator Sullivan. Right.
    Mr. Eggers. One of the things we'd like to see more of is 
deepening collaboration between voluntary industry groups, 
parties, and parts of government that want to facilitate such 
activity.
    Senator Sullivan. Oh, I get it. It's hard for the U.S. 
Chamber to go on offense. It's--but, it's not hard for the U.S. 
Government to go on offense.
    Mr. Mayer. You have a----
    Mr. Mayer. I think----
    Senator Sullivan. You want to----
    Mr. Mayer. I think--sir, I think that's the point. I think 
nobody, whether it's industry or government, wants to see the 
United States as a punching bag in any----
    Senator Sullivan. Do you think that was the view, though, 
over the last couple of years?
    Mr. Mayer. I don't know. We've been, certainly, victimized 
by state aggression. And that's obvious. Whether they did it 
out of fear or, you know, that--to show--you know, they did it 
out of a motivation to obtain information and intellectual 
property and other motivations. But, I think, first of all, 
from a government policy perspective, we know that the mission 
now of U.S. Cyber Command, it goes beyond just defensive. They 
have authorities and capabilities now to move in the offensive 
arena. I think----
    Senator Sullivan. Correct.
    Mr. Mayer. I think----
    Senator Sullivan. And that's important.
    Mr. Mayer. I--right. And I think it's industry's view that 
we encourage the government to do whatever they can, because we 
are often victimized. We're collateral damage in this 
international geopolitical struggle. And anything that the 
government does to help protect industry and support our 
efforts to defend our networks and our customers is helpful.
    Senator Sullivan. Thank you.
    Senator Scott.

                 STATEMENT OF HON. TIM SCOTT, 
                U.S. SENATOR FROM SOUTH CAROLINA

    Senator Scott. Thank you, Mr. Chairman.
    So, China's been a bad actor for a long time. They've 
stolen--they steal our technology, they don't give us the same 
opportunity to compete there as we give them opportunities 
here. Why--I'd like to hear from each of you--why don't we just 
outlaw--why doesn't the government just say, companies like 
Huawei, ``You can't do business in America. We know that you're 
not acting in our best interests. We know you're part of the 
Chinese government. And why would we allow you to not just--not 
do business with the American government, but do business with 
any company in this country?'' I--you know, you take my State, 
utilities are pretty important. I wouldn't want them to do--you 
know, logically, they shouldn't do business with Florida Power 
& Light or any of these other companies. So, why don't we just 
outlaw companies like that, that we know are bad actors?
    Mr. Geiger. I'd say, to--setting aside the potential issues 
with regard to our trade agreements--our existing trade 
agreements, the key features for security don't really matter 
where the device is manufactured and, you know, whether it's in 
China or Vietnam or elsewhere. And if we want to ensure that we 
have a strong baseline for IoT that protects people around the 
world--because the security of IoT outside of the United States 
also has a great effect on the security of the United States--
then I think that, rather than banning companies, we should be 
looking to establish a baseline of security for IoT to have 
access to our market.
    The--one of the botnets that was mentioned earlier, the 
Mirai botnet, many of those devices actually were outside of 
the United States rather than inside. So, we do have an 
interest in seeing security, worldwide, be strengthened. And 
I'm not sure that banning the companies will achieve that as 
effectively as saying--a baseline security requirement for 
access to our market.
    Mr. Bergman. Senator, thank you for the question.
    In a global economy and a global ecosystem of the Internet 
of Things, the intellectual property for the chip may be 
developed in one country, the chip may be fabricated in another 
country, the device built in a third country, then labeled and 
marketed in a fourth country, and sold in a fifth. In this 
merged global ecosystem, CTA's focus is on the security of the 
devices, themselves. And we're working with our partners at 
CSDE, working with NIST, working with the large number of 
partners that we've brought together for the consensus, the C2 
consensus that I described in my opening statement, which was 
core baseline security for the Internet of Things on a--an 
industry basis, parallel tracking what NIST is doing, and 
coming up with very similar responses to what NIST is coming up 
with. Overall, we feel that that is the fastest, most 
efficient, quickest way to get us to a more secure Internet.
    Mr. Eggers. Senator, to respond, I think we've got a number 
of organizations in government and industry looking at how to 
mitigate threats from foreign nations. At the Chamber, we're 
very much interested in expanding commerce globally. We're not 
looking to be, let's say, ``dragon slayers.'' Everyone's 
cognizant of companies that are problematic. And I think 
organizations have been very clear about what they're willing 
to accept and not accept. In terms of building out, let's say, 
the IoT 5G space, we're very mindful of the risks. I will tell 
you that for sure.
    You know, I think one of the things that the Chamber is 
very mindful of is, having organizations that need to do 
business globally. When we think about attempting to blacklist 
companies and so forth, I understand that. I do. I just don't 
know how that is sustainable, long term, when certain countries 
aren't going anywhere, maybe their companies aren't. But we're 
very mindful about what the playing field is and who's playing 
on it and what may need to be done. And we're interested in 
what happens with the new Federal Acquisition Security Council 
to see what it plans to do with respect to companies that are 
domiciled in certain countries.
    Mr. Mayer. Senator, I think one of the things we want to be 
careful about is that there--we're in an area, here, where 
there are no silver bullets. And I think, in the area of IoT, 
if we eliminated all the product from the company you've 
described, I doubt we would be any more secure, from an IoT 
perspective. There are other manufacturers that are delivering 
products that are not secure and are vulnerable to attacks in 
other countries. They sell them globally. That's part of the 
challenge we face.
    Having said that, I would say that our members, in 
particular--USTelecom members--are very cognizant of the 
security--national security issues that have been raised over a 
period of many years with respect to the company that you had 
mentioned. Starting in 2012, with the Senate Select 
Intelligence Committee putting providers on notice that there 
were issues here, all the way to recent reports from the U.K., 
as well as the United States position with respect to concerns 
about national security. And therefore, we're not deploying it.
    So, we, in industry, really cannot always wait for the 
government to come up with a clear position. And, you know, the 
NDA made--NDAA made some progress in this area, but it--it's 
limited in its coverage. Yet, we have to decide, as an 
industry, that we're not going to take on the national security 
risk. And I think there are a lot of areas when an IoT--the IoT 
work that we're doing, in particular, is an area where, yes, 
we're watching closely what's happening at NIST and other 
standards bodies, but we've decided that we needed to get in 
front of this, we need to collaborate together, we need to 
understand what the global landscape looks like, what other 
governments are doing, and how do we advance the security 
objectives, in partnership with government, but also 
independently.
    Senator Sullivan. Senator Sinema.

               STATEMENT OF HON. KYRSTEN SINEMA, 
                   U.S. SENATOR FROM ARIZONA

    Senator Sinema. Thank you, Mr. Chairman, for holding this 
timely and important hearing.
    Every day, the Internet of Things, or IoT, continues to 
expand in the United States. And IoT devices are becoming 
increasingly common in areas on our homes, such as smart 
speakers, smart light bulbs, wearable technology, driverless 
cars, and smart door locks. And, given Arizona's weather, it's 
no surprise that we love smart thermostats, too. Beyond 
personal use, the IoT is used extensively in industry, where 
IoT devices can make production lines more efficient and track 
components through the manufacturing and delivery process.
    As of 2018, there were over 7 billion connected devices 
globally, and studies estimate that number will balloon to 25 
billion by 2021. These devices can improve both our lives and 
our economy, but the unprecedented access into our personal 
data and confidential business information requires us to 
rigorously review the cybersecurity protections of these 
devices.
    The weakest technology component, such as certain unsecure 
IoT devices, can be access points for intruders to our home, 
business, and our government networks. During a 2018 hearing, 
the Director of the Defense Intelligence Agency stated that IoT 
devices are one of the, quote, ``most important emerging 
cyberthreats.'' And right now, we do not have national security 
standards for IoT devices. That means the individual device 
manufacturers have the discretion whether or not to include 
security features.
    But, these issues are so important for my State, because 
Arizona has a blooming tech sector, lots of highly educated 
workers, and cutting-edge companies working in the IoT space, 
and we're developing the IoT technologies of the future. 
Researchers at Arizona State University are testing wearable 
devices for our troops to communicate with each other in 
combat, and local cybersecurity companies are working to 
mitigate the cybersecurity threat of IoT devices.
    But, our country needs to do a better job developing IoT 
cybersecurity standards, educating users, particularly elderly 
users, about the cyber risks and solutions for devices, and 
increased transparency for consumers.
    So, my first question is for Mr. Eggers. In your testimony, 
you discussed whether customers will be able to identify a 
device with strong cybersecurity protections without a 
nonregulatory tool. So, your testimony also questions whether 
consumers would be willing to pay a premium for these 
additional security features. So, how important are 
transparency, labeling, and education related to IoT 
cybersecurity? And how can we best ensure that consumers, 
particularly elderly Americans, understand the safety features, 
or lack thereof, of the devices they purchase?
    Mr. Eggers. Senator, thanks for the question.
    I think your constituents in Arizona would very much 
welcome the kind of effort on this core cyber IoT capabilities 
baseline. They would see it as something that speaks to them 
and would be helpful in securing new devices.
    I share your thinking about how we figure out, let's say, a 
strong device from a less strong one. Right now, we're focused 
on the technical specifications to grow consensus with folks 
here at the table. One of the things we're also thinking about, 
What comes next? That is, how we help buyers, consumers, 
households, universities, and governments understand and 
discriminate among devices in a positive way. I think what 
we're going to probably look to next is figuring out, 
collectively, how we do that. It's easy to say that we will 
talk about issues like labels and marks. They can be fraught 
with different perspectives. One of the things we're going to 
try to do is figure out what helps solve that problem. And the 
goal is to help your constituents, young or elderly, go to the 
store, shop online, and identify strong devices and buy them. 
Because I think, if anything, that benefits the entire 
ecosystem. I don't know exactly what that's going to look like, 
to be honest, but that's one of the things we're thinking 
about, how we do that well.
    Senator Sinema. Thank you.
    So, my next question is both--again, for you and for Dr. 
Romine--but, I welcome the thought of witness--other witnesses. 
If Arizonans are concerned with the cybersecurity of their 
devices, what steps should they take to minimize their 
cybersecurity risks today in the marketplace?
    Mr. Eggers. Mr. Romine, you want to take that? Or I can.
    Dr. Romine. It's pretty challenging, I think, for 
individuals to be able to understand the level of risk 
associated with products that are currently on the market. I 
think one of the things that we can do, and one of the things 
that NIST is trying to do, in partnership with the private 
sector, is to spread greater awareness of, perhaps, security as 
a different shading factor among different devices. But, 
there's still a lot of work to be done in that area. I think we 
can do more.
    Mr. Eggers. Senator, the Chambers has had for a number of a 
years, probably a decade or so, programs where we go out and 
visit local chambers and bring in universities, State 
governments, and so forth, to talk about things like the NIST 
cyber framework. I anticipate that IoT cyber will be part of 
that. We will be promoting the baseline.
    It's interesting, I just bought a new HVAC system for my 
home, and one of the things that I was able to get was a smart 
control. And I asked, ``Tell me about the cybersecurity of this 
device.'' And I didn't get as much as I wanted. And suffice it 
to say, I kind of kidded with the person selling it. I said, 
``You know, I'm in the process of trying to figure this out.'' 
I added, ``I want to come back to you in a couple of years, if 
not less, and work with you on some means of being a more 
educated consumer.''
    But, I do think that that is the kind of thing that we are 
going to wrestle with and seek and provide solutions. If 
anything, from our vantage point, we have to for the 
marketplace to work well.
    Senator Sinema. OK.
    Thank you.
    Senator Sullivan. Senator Fischer.

                STATEMENT OF HON. DEB FISCHER, 
                   U.S. SENATOR FROM NEBRASKA

    Senator Fischer. Thank you, Mr. Chairman.
    Mr. Bergman, does a coordinated effort among industry, 
academic, and government stakeholders, such as in the working 
group outlined in the DIGIT Act, play a key part in enabling 
both innovation and security development for the Internet of 
Things?
    Mr. Bergman. Thank you for the question, Senator.
    CTA has been involved in a number of coordinated activities 
in the public/private basis and throughout industry. We are 
finding that the nature of cooperation and the direction of 
travel of the different efforts tends to be moving in the same 
direction, and the nature of cooperation has been fabulous.
    As I mentioned before, CTA, working with CSDE, convened 18 
large organizations, each of which has its own block of 
technical experts. These conveners convened under one roof, 
brought in each of those groups of technical--each--the 
expertise of each of those groups, and together we were able to 
forge a baseline security consensus, which we then went off and 
spoke with NIST about and found that our baseline was coming in 
very, very similar to theirs. And then, immediately after that, 
NIST went off to international meetings to promote the U.S. 
interests.
    So, I would say that the public/private partnership, the 
work that we've done so far within industry, with civil 
society, with retailers, who are now asking for consistent 
industry-accepted, government-approved ways of conveying a 
message of cybersecurity between they and their vendors, the 
manufacturers, how to get that into supplier-vendor agreements. 
The fact that we've got UL as part of this overall effort, CTIA 
also has a robust certification process--assessment and 
certification process--it's all coming together in the--kind of 
the same direction.
    So, I appreciate the opportunity to talk about this. And I 
have to say, there's plenty more. And be happy to follow up 
with your office separately.
    Senator Fischer. So, from your comments, I would say you 
believe we're moving in the right direction.
    Mr. Bergman. Yes, absolutely. I----
    Senator Fischer. My question, then, is----
    Mr. Bergman. I beg your pardon.
    Senator Fischer.--are we moving quickly enough?
    Mr. Bergman. I believe we're moving in the fastest possible 
way. When market forces are pulling, the government is pushing, 
industry is pushing, everyone is working together, I believe 
that is the fastest, most efficient way to move. And, by the 
way, we would like to commend the Commerce Committee for their 
work in supporting NIST. We're big fans of NIST and NTIA, in 
the work that they're doing, and the support that this 
committee and the--that this committee has shown has been----
    Senator Fischer. OK, thank you.
    Mr. Bergman.--very helpful.
    Senator Fischer. Thank you.
    Mr. Eggers, I'm glad that the Chamber of Commerce also 
endorsed the DIGIT Act several years ago. We appreciated the 
Chamber voicing its support for the bill again last year at a 
House committee hearing on the Internet of Things. You had a 
colleague that testified there.
    In your testimony today, your--you have highlighted the 
importance of elevating U.S. policy on IoT. Given the 
development of IoT cyber proposals globally and at the State 
level, can you speak to the particular importance of how a 
national strategy, informed by relevant stakeholders, could 
better position the U.S. as a leader in IoT in the long term?
    Mr. Eggers. Senator, thank you. And, by the way, that was 
our Chamber Technology Engagement Center, so that was their 
good work. I'll share that with them.
    To your point, are we moving fast enough? I think we're 
moving as quickly as possible. Speed has been on our minds, and 
we have been trying to push this effort as fast as possible. I 
think one of the things we may end up doing is----
    Senator Fischer. So, how are we going to be leaders, 
globally? How are we going to be leaders, globally, in this----
    Mr. Eggers. I think we're going to----
    Senator Fischer.--country? How do we move forward?
    Mr. Eggers. Once we develop the baseline--. . . one of the 
things that concerns me is the fragmentation issue. We've seen 
states having their own approaches to IoT cyber. We see foreign 
countries, regions--the EU, in particular--having a cyber 
certification--voluntary cyber certification program for 
devices and other parts of ICT. What I think we are looking to 
do is to complete initial work on this baseline and try to get 
others, at home and in places like Europe, working with groups 
like ENISA, to embrace the cyber baseline. What we're trying to 
say is that the baseline is good for them--their countries, 
their devices, and their companies. It's also good for us. 
Congress wants strong devices. And they should. One of the 
things we're trying to deliver is a baseline that's technically 
sound and it's got buy-in from the business community and, 
hopefully, policymakers. Because it's industry driven, we've 
got groups like NIST working with us, and we can improve and 
revise on it over time.
    Senator Fischer. When you look at--if I could, Mr. 
Chairman--just a yes-or-no answer--when you look at the 
standards that are coming out on a State-by-State basis, and 
the potential for that in the future, do you believe that that 
would increase cybersecurity risks?
    Mr. Eggers. I think what it tends to do is----
    Senator Fischer. Yes or no. I promised the Chairman.
    [Laughter.]
    Mr. Eggers. Yes.
    [Laughter.]
    Senator Fischer. OK, thank you.
    Thank you.
    Senator Sullivan. Was that a yes?
    Mr. Eggers. Yes.
    Senator Sullivan. OK----
    Senator Fischer. It was a yeeessss.
    Senator Sullivan.--there we go. All right. There we go.
    Senator Markey.
    Senator Markey. Thank you, Mr. Chairman.
    Mr. Geiger, Mr. Eggers said that, when he was shopping and 
he talked to the salesperson, the salesperson didn't know 
anything about what the standards of cybersecurity are. And, as 
a result, Mr. Eggers can't know. So, if the salesman doesn't 
know, and the company hasn't told him, and he's out shopping 
for some device, whatever it might be, that creates a huge 
black hole into which consumers continually fall, and their 
families become more vulnerable. So, have we reached, like, 
crisis proportions, in terms of the absence of cybersecurity 
protections built into these devices across our country, Mr. 
Geiger?
    Mr. Geiger. I'm not sure if we've reached crisis 
proportions, but----
    Senator Markey. Pick a word.
    Mr. Geiger.--but it's serious.
    Senator Markey. OK. Serious.
    Mr. Geiger. It's very serious. And on the issue of consumer 
awareness, we think that that is a vital component of 
comprehensive cybersecurity protections that should apply to 
IoT as well as other services. When I think about my mother--
she's a very smart person, but technology is not her thing. The 
idea of me, you know, telling her to go into her router to--
into her IoT devices to check for a default password, and 
possibly change the password, you know, check and see whether 
or not your IoT device encrypts your personal information--
these things are just not realistic. What I can tell her is, 
look for a seal, look for a label. And it will be weird if we 
end up in a situation in the United States where the label I'm 
telling her to look for comes from the EU Cybersecurity Act, 
which will have certifications--in particular, for IoT. I'd 
like to see something like that in the United States.
    Senator Markey. So, that sounds a lot like the Cyber Shield 
Act that I haven't introduced yet this year, but, you know, 
would give that information, and it would act like the ENERGY 
STAR program. So, you walk in, you look at the refrigerator, 
you look at the stove, and then it's--is it five, four, three, 
two, one, in terms of energy efficiency? Right? That's really 
what you're looking for. How much is this refrigerator going to 
cost me over the next 15 years? You know? And I'm willing to 
buy some energy efficiency now, because I'll save money in the 
long run, in terms of the refrigeration cost. So, then you can 
make up your own mind on this.
    So, what do you think about that approach, this legislation 
that I haven't introduced yet, but that kind of would provide 
that kind of information to consumers?
    Mr. Geiger. So, we're strong supporters of the approach, 
and note that there are a number of other programs that have 
been successful, like it, in the past. ENERGY STAR is one. The 
recycling symbol is another. Nutrition labels. I mean, these 
things can be effective if there's enough adoption. Failure to 
adopt across the private sector would--you know, will just 
result in failure of the program, sort of like what we saw with 
the trustee label, some years ago. So, we are supporters of the 
approach, and we think that it can make a difference, but it's 
not the only thing that we think should happen to improve IoT 
security.
    Senator Markey. Right. But, it--that--but, this legislation 
would create an advisory committee of cybersecurity experts 
from academia, industry, consumer advocacy communities, and the 
public to create cybersecurity benchmarks for IoT devices. And 
it's a very similar process that many of our witnesses are 
undergoing and applauding here today. And then, IoT 
manufacturers can voluntarily put up their own five, four, 
three, two, one--all voluntary, but then suffer in the 
marketplace if consumers think that it was misleading.
    Mr. Geiger. And we note----
    Senator Markey. So, the----
    Mr. Geiger.--we note that it's voluntary, and that it's 
based on industry standards and best practices. And we think 
that's a good approach.
    Senator Markey. And then the industry participant is--has a 
choice of picking that level of security.
    Do you think that makes sense, Mr. Bergman?
    Mr. Bergman. Thank you for this--the question, Senator.
    I was trying to puzzle out the relationship between 
changing default passwords and a label. I know that this label 
proposal has been discussed. We----
    Senator Markey. It would be voluntary, and it would be done 
in conjunction with industry participants. Could you support 
that?
    Mr. Bergman. We've--we're currently supporting an industry 
effort on baseline security that's worked--working public/
private partnerships with NIST. It is parallel tracking what's 
being done there. It's being mapped to what's being done in 
Europe. We feel that that's the fastest, most efficient, best 
way to get to a more secure Internet.
    Senator Markey. Yes.
    What do you think, Mr. Mayer?
    Mr. Mayer. I think----
    Senator Markey. Under that system, will consumers have 
five, four, three, two, and one stars? Will they have some--Mr. 
Bergman, will that system--the system that you're talking 
about, that you're working on, would Mr. Geiger's mother or Mr. 
Eggers be able to see it's five, four, three, two, one, in 
terms of----
    Mr. Bergman. Well, let me--thank you for the question, 
Senator. Let me say that we--we're very appreciative of the 
enthusiasm on solving these problems.
    Senator Markey. No, I know that.
    Mr. Bergman. And----
    Senator Markey. I'm not----
    Mr. Bergman.--education----
    Senator Markey. I'm just looking at--what would the 
consumer see in Best Buy? Would--do you want them to be able to 
see that it's five, four, three, two, one, with one being the 
least security? Do you want that for the consumers?
    Mr. Bergman. The best way----
    Senator Markey. Do they have something----
    Mr. Bergman.--I guess the best way I can----
    Senator Markey. If they're going to fork over----
    Mr. Bergman.--the best way I can answer this is----
    Senator Markey.--600 bucks, should they be able to know its 
energy efficiency, you know, the----
    Mr. Bergman. Yes, the----
    Senator Markey.--if you star--should they know what the 
cybersecurity are?
    Mr. Bergman. Absolutely. The problem with the comparison 
with ENERGY STAR, Senator, is that the--is, energy is very 
easily measured; whereas, cybersecurity is not. And what we--
when we talk about a mark or a label or something like that--
using the smart television example, if I go in to buy a smart 
TV, there's a 4k Ultra HD logo, there is an HDMI, there's a Wi-
Fi logo, there's a Bluetooth logo, there's SD card logo, 
there's high dynamic range. Consumers have a little bit of logo 
fatigue. So, we find that the best and strongest approach is 
for the manufacturers, the retailers to take their burden and--
--
    Senator Markey. Well, how about this? If the device, which 
the person purchased patches, would the industry then say, 
``We're going to patch the device to the highest standards as 
soon as it develops''--would that be----
    Voice: Could I offer----
    Senator Markey.--would that satisfy it?
    Voice: Could I offer a thought?
    Senator Markey. Well, just let me finish with Mr. Bergman. 
Would that satisfy----
    Mr. Bergman. Absolutely. Thank you for the question.
    Senator Markey. If it could----
    Mr. Bergman. So----
    Senator Markey. If it could patch----
    Mr. Bergman. So, NTIA has done an excellent job on 
patchability. We're very interested in the results of that, 
because patchability is a significant challenge, in terms of 
actually executing. There's a number of----
    Senator Markey. If it could be executed, would you support 
it? If it could be executed.
    Mr. Bergman. Sorry. Could you put a finer box around what 
we would be supporting? Could you say again?
    Senator Markey. You'd be supporting a patch standard that 
protected against the vulnerability that was identified. Would 
you--and we could do that--would you support it?
    Mr. Bergman. Well, thank you for the question, Senator.
    Senator Markey. And then----
    Mr. Bergman. I would have to----
    Senator Markey.--the consumer----
    Mr. Bergman. I believe----
    Senator Markey.--and then the consumer would know----
    Mr. Bergman. I believe we'd have to review it before we 
could----
    Senator Markey. Yes, I thought so. Yes.
    So, we're trying, here, honestly, just to have something 
that matches the urgency and gives the consumers--Mr. Eggers--
the information--or Mr. Geiger's mother--the information they 
need at point of purchase.
    Voice. Could I offer----
    Senator Markey. And then, if the technology can be 
developed, NIST maybe could tell us that you can patch the 
vulnerabilities, then that should be pretty easy to measure as 
to whether or not that, in fact, is working.
    And I'm sorry, Mr.--I'll come back to----
    Senator Sullivan. That's all right. I'm going to--we'll do 
another round. I'm going to--out of courtesy to Senator 
Blumenthal, I'm going to turn to him now.
    Senator Markey. I apologize.

             STATEMENT OF HON. RICHARD BLUMENTHAL, 
                 U.S. SENATOR FROM CONNECTICUT

    Senator Blumenthal. Thanks, Mr. Chairman.
    And you'll have to forgive me, gentlemen. It's not directed 
against you, personally, but I have a very strong feeling of 
impatience and frustration as a Connecticut consumer, not to 
mention public official, because, listening to this 
conversation, one could conclude that it's the first time we're 
having this kind of discussion. Really. And I can tell you that 
there is a tidal wave of anger and alarm building out there, 
with very good reason. Some of it's been reflected in the 
questioning today. But, to answer the question, Are we in a 
crisis?--Mr. Geiger, the answer is yes. Are we moving fast 
enough?--Mr. Bergman, the answer is no. And that's why, on a 
bipartisan basis, members of this committee and others are 
trying to formulate privacy legislation that will offer the 
kinds of protection that Senator Markey has been discussing 
with you. The pace is simply too slow. I could characterize it 
in other ways, but, right now in people's homes, there are 
insecure devices that are transmitting information about what 
their children are saying, what their hours of awakening are, 
what kinds of usage they have of their homes. There is 
automated software out there to simplify hacking. It's 
available on Amazon, 20 bucks. Twenty bucks. It isn't moonshot-
type technology. And, for all the conversations that have been 
going on for the last decade, there are little more in the way 
of safeguards or information available to consumers than there 
was a decade ago. And that's why, I think, there will be 
government intervention. The voluntary approach is failing, or 
has failed. And I think that there has to be stronger 
attention, with a sense of urgency that the subject demands.
    So, I want to ask a couple of very specific questions. I am 
assuming that you would agree that default passwords to access 
IoT devices should be prohibited as part of these standards. 
Anybody disagree?
    Mr. Geiger. The--I think the issue is not just that it's a 
default password. But, if the default password is shared across 
many devices, that's the problem.
    Senator Blumenthal. Well said.
    So, I'm--I've got a lot to cover in very little time, so--
I'm sorry, Mr. Mayer, did you have a comment?
    Mr. Mayer. No. I think you were going to say something.
    Mr. Bergman. I simply wanted to point out that we--some of 
these topics are very complicated when they go into execution. 
So, for example, password doesn't necessarily cover biometrics 
like fingerprints, which doesn't cover facial recognition. 
There's many different aspects of these topics, which is why we 
feel that industry, working in a voluntary consensus basis, has 
the agility to deal with these topics.
    Senator Blumenthal. Mr. Mayer?
    Mr. Mayer. Sir, I'd like to just provide some perspective, 
here, because we've been talking--thinking about where we are 
today as a snapshot, but let's talk about----
    Senator Blumenthal. Well, I will give you my questions----
    Mr. Mayer. OK.
    Senator Blumenthal.--and then I'll give you the opportunity 
to respond. But, I--I'm limited, in terms of time. And, in 
deference to my colleagues who are arriving, I just want to 
cover these questions.
    I'm assuming that all of you would agree that companies 
ought to be expected to provide two-factor authentication to 
secure access to IoT devices. I'm assuming that you would agree 
that they should be easily and automatically updated with 
security patches. You're shaking your heads? I'm disappointed.
    Mr. Bergman. Thank you for the question, Senator.
    The challenge--just going back to the two-factor 
authentication, usually we would talk about multi-factor 
authentication. Again, it gets to be kind of complicated when 
we start trying to execute the will of whoever is setting the 
policy. But, the challenges of doing these things, when, out 
there in the field, it's actually moving pretty quickly, it's 
very dynamic. We say that innovation moves at light speed, and 
this is, unfortunately, one of the consequences of having a 
very fast, innovative economy in the Internet.
    Senator Blumenthal. Well, I'm going to give you an 
opportunity to respond, but let me just make this final 
observation. Two points.
    Number one, going back to Senator Sullivan's point about 
foreign interference, here is an example of our being way too 
complacent. The Russians, as I have said repeatedly, are 
committing attacks--indeed, acts of war--on this country. And 
our defenses are way too late and way too slow. And you could 
be of assistance in that effort. But, complexity and 
technological advance are probably true, but the question is, 
Are we going to have action? And who will impose standards if 
you are unable to do so, which, so far, has been the case? And 
I realize that you're in a better position, maybe, to do it, if 
you do it, but delay, in terms of protection, is protection 
denied, so to speak.
    Mr. Geiger. Senator, we agree with you and share your sense 
of urgency. We strongly encourage you and your colleagues to 
pass data security legislation for personal information that 
will apply to some of the scenarios that you've described, and 
also to urge Federal agencies to describe how IoT fits within 
their existing authorities, and exercise your oversight role to 
ensure that their efforts are effective at strengthening IoT 
security. We think that those are things Congress can do now, 
they're part of ongoing debates that are already happening, and 
we think that it will make a difference.
    Senator Sullivan. Senator Klobuchar.

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Mr. Chairman. Thank 
you for holding this very important hearing.
    According to IoT analytics, there were 7 billion connected 
devices in 2018. And that doesn't even include smartphones and 
tablets, laptops, and fixed phone lines. And IoT devices, I 
think we all know, will continue to change the world around us, 
but these cybersecurity challenges are numerous. And, as I 
think you're hearing the frustration of some of the members up 
here, at some point we have to decide as whether it's worth it 
for some of these devices if they are actually hurting the 
security of America.
    I mean, this story--earlier this year, a couple in Illinois 
discovered that a hacker was talking to their baby and yelling 
racial slurs and obscenities through their Nest security 
camera. Families in Texas, Pennsylvania, New Jersey have 
reported similar terrifying incidents. In response, Google, 
which owns Nest, claims a system was not breached, but that 
hackers were able to access the cameras because the consumers 
used compromised passwords.
    I know you said, Mr. Geiger, that passwords are not 
sufficient, when discussing this with Senator Markey. Now, of 
course, I don't know how the consumers are supposed to know 
this, because they're just buying a device, spending money on 
it, and then they tell them to get a password, they try to get 
the best password they can, but this still happens. So, this is 
our frustration here.
    You'd highlighted how weak credentials could make these 
devices vulnerable. Do you believe that IoT devices in people's 
homes should be required to rely on something stronger than a 
password for remote access?
    Mr. Geiger. I think that the security protections that 
should be in place should be commensurate with the risks. The 
IoT device, when it ships, should not have weak credentials. 
But, then, if the consumer is changing the IoT password that is 
particularly weak, then that becomes a consumer awareness 
problem. I think that it's important for government to protect 
consumers when they can't protect themselves, and that includes 
making sure that, when the device leaves the warehouse, it has 
basic security features.
    Senator Klobuchar. So--but, you would think it's possible, 
as we look at what legislation we should get passed here--we 
have no privacy legislation really in place federally, which 
also includes other data breaches and things like that--that 
it's possible we should put together some legislation on this.
    Mr. Geiger. Senator, I think that security should be part 
of the privacy legislation.
    Senator Klobuchar. OK.
    Mr. Geiger. At least security for personal information. It 
will cover some of the IoT deployments that you mentioned. It 
may very well cover the Nest camera scenario that you 
described. It will not be a complete solution, because there is 
no silver bullet for IoT.
    Senator Klobuchar. OK.
    Mr. Geiger. But, including data security in privacy 
legislation will be very meaningful to consumers, and will have 
an impact on IoT.
    Senator Klobuchar. Should device makers be required to 
respond to good-faith reports of vulnerabilities from security 
researchers? We've heard that about half of the companies can't 
even detect if and when their IoT devices have been breached, 
leaving the devices vulnerable. And this is from a security 
company. Should they be required to have the capability--a 
second question--to automatically deploy security fixes to all 
their devices?
    Mr. Geiger. Thank you for the question.
    For--we do think that it's critical that companies have a 
process in place for responding to vulnerability disclosures 
from independent researchers and other external sources. 
Independent researchers are often a very valuable source of 
finding known vulnerabilities in products, and communicating 
those to the manufacturer. And if a manufacturer is out of 
business or if the manufacturer doesn't have that process, then 
the vulnerability just gets left unaddressed, in many 
circumstances.
    Senator Klobuchar. So, then you believe there should be a 
process to encourage companies to build security also into 
their IoT devices--not afterwards, but before?
    Mr. Geiger. Absolutely. And we think that one way to 
encourage companies to do so is with data security and privacy 
legislation, and encouraging agencies to articulate how IoT 
fits within their authority--their existing areas of 
jurisdiction, and to do so effectively.
    Senator Klobuchar. The last thing I'll ask about. My 
colleagues were relating this, understandably, to international 
security. And we know that the deployment of 5G networks--this 
will be for you, Mr. Mayer--we know that the deployment of 5G 
networks is critical to the adoption of IoT devices. But, the 
cost of deployment is always a problem in rural areas, just 
because of the costs, and they're far away, and----
    Huawei and ZTE, Chinese companies that we know our 
intelligence agencies have identified as national security 
risks, have been used by small rural carriers, since they are 
cost-effective providers of equipment. According to the Rural 
Wireless Association, it would cost 800 million to 1 billion to 
all of their members to replace Huawei and ZTE. I don't know if 
that's accurate. That's what they're saying. How can we then 
ensure, if we're going to deploy 5G in rural areas, which we 
all want to do, especially those of us with extensive rural 
areas, but if we're going to start using carriers that we can't 
trust? Answer that question for me. How can we ensure that 5G 
is deployed in rural areas without compromising network 
security?
    Mr. Mayer. So, I can't speak for the rural wireless 
carriers. I can speak only for our members. But, I can tell you 
that, as I indicated before, our members are aware of the 
national security interests that have been raised with Huawei 
for many years, which is why they've been careful to avoid that 
particular deployment. The costs that you speak to are real. We 
know the economics in rural areas for deployment of 
telecommunication services are different than they are in urban 
centers. The best thing that we can do to make 5G available in 
those areas is to continue to push fiber optics as far into the 
rural areas as possible, because we're going to need that 
backhaul----
    Senator Klobuchar. Oh, I agree.
    Mr. Mayer.--capacity.
    Senator Klobuchar. I'm all on board on that.
    Mr. Mayer. And we need the help of the U.S. Government in 
supporting those efforts----
    Senator Klobuchar. And I'm all in to funding more for 
broadband. I have no idea why we--the rural backbone isn't 
there, when we have it in places like Iceland----
    Mr. Mayer. Yes.
    Senator Klobuchar.--in general, and the phone network, and 
everything else. But, we have to figure out--make sure that 
we're not impinging on security when we do it.
    Mr. Mayer.I--we completely agree with you on that, and we 
have emphasized security in all of our engagement----
    Senator Klobuchar. OK.
    Mr. Mayer.--with government.
    Senator Klobuchar. And then, I'll just put onto the record, 
so that my colleague, Senator Cantwell, can ask questions, just 
questions about our work force, in general. Senator Thune and I 
have a bill to allow for more private-sector back-and-forth 
when it comes to our work force, and allowing some of our 
workforce to get trained out of the government so we can better 
check these things. And then, also, I have a precision 
agriculture bill. And it was actually signed into law, the 
Precision Ag Connectivity Act. And I'll ask those on the 
record.
    So, thank you, all of you.
    Senator Sullivan. Senator Cantwell.

               STATEMENT OF HON. MARIA CANTWELL, 
                  U.S. SENATOR FROM WASHINGTON

    Senator Cantwell. Thank you, Mr. Chairman. Thanks for 
having this hearing. And I appreciate my colleagues' good 
questions, here.
    Mr. Romine, I want to thank you for NIST's work and for 
your work on guidelines and standards, writ large. And, since 
you are that person, I wanted to ask you, What did you--what do 
you think we need to be doing on the standard-setting on an 
international basis on IoT technology so we have harmonization? 
What's the best path for that?
    Dr. Romine. Thank you, Senator. And thanks for your 
appreciation for our work. We're fiercely proud of the work 
that we do, so I'm pleased to hear you----
    Senator Cantwell. Well, it's--yes, I could go, chapter and 
verse. It's--people may not understand it, but it is how we 
move forward, and it's how we create the standards.
    Dr. Romine. Right.
    Senator Cantwell. And, guess what? If the United States 
creates the standards, then, chances are, other people are 
going to follow them. So, that's why----
    Dr. Romine. Absolutely.
    Senator Cantwell.--the work is so important. And, 
obviously, interoperability, writ large, is also a big issue, 
because that way we can have people standardize on certain 
technologies, and then have the interoperability. So----
    Dr. Romine. Right. So----
    Senator Cantwell.--thank you.
    Dr. Romine.--we are engaged with our partners in the 
private sector in the area of standards development. In many 
cases, we are working alongside our partners at the National 
Cybersecurity Center of Excellence to promote guidelines for 
improving the security of IoT devices.
    One of the things that probably hasn't come out enough, 
perhaps, in this is the context of use of some of these 
devices. For example, some of the work that we've done at the 
NCCoE with our private-sector partners involves improving the 
security of wireless infusion pumps. These are things that are 
actually administering drugs to patients in a hospital setting. 
It's terrific that they're wireless. You reduce transcription 
errors and possibly reduce medical errors as a result. However, 
the concern about those devices being unsecure and an entry 
point into the enterprise network of a hospital, for example, 
is significant. And so, we undertook that kind of project at 
the NCCoE.
    Something like a wireless light bulb, for example, is an 
entirely different context of use, not nearly as critical as a 
wireless infusion pump, for example, to life and limb. 
Nonetheless, the standards arena is one where I think we can 
have a tremendous impact. And, as you know, and the Committee 
here knows through the many long years of support for NIST's 
work in standards, we don't actually manage the standards 
development activities. This is a private-sector-led in the 
United States. We support that activity, in partnership, and 
continue to do so, including engagement with the 3GPP, for 
example, that was mentioned earlier, of the 5G communications 
capabilities that are going to support extensions of IoT. And 
our folks are engaged--our NIST staff, our technical experts--
engaged in that international standards arena for 5G security.
    Senator Cantwell. And where is most of that taking place? 
What group?
    Dr. Romine. 3GPP is the----
    Senator Cantwell. OK.
    Dr. Romine.--is the name of the--it's the third-generation 
partnership.
    Senator Cantwell. OK.
    Dr. Romine. So, it's----
    Senator Cantwell. And is that----
    Dr. Romine. Even though it's 5G, it's--the name of the body 
is still--is 3GPP.
    Senator Cantwell. OK. And so, you think, for IoT, that's 
still the place?
    Dr. Romine. Well, that is one place where the new 
communications technologies that will help enable broader 
adoption of IoT is----
    Senator Cantwell. More about----
    Dr. Romine.--is being done.
    Senator Cantwell.--places like IEEE and other 
organizations?
    Dr. Romine. IEEE is certainly another one. There are other 
standards development organizations that we're engaged with, as 
well. But, those are some primary ones. ANSI, you know, 
generally speaking, coordinates these for the United States.
    Senator Cantwell. OK. What--so, let me ask it differently. 
On a scale of 1 to 10, what--how good do you think we are at 
having established networks to solve cybersecurity challenges 
on IoT as an international standard, not a national?
    Dr. Romine. Scale from 1 to 10 is hard for me. I would say 
it's--one of the most challenging things that NIST has is the 
rating or the measurement of security. What I would say is--I 
would look to the cybersecurity framework that NIST worked on, 
in consultation and----
    Senator Cantwell. Yes.
    Dr. Romine.--in partnership with----
    Senator Cantwell. Yes.
    Dr. Romine.--the private sector----
    Senator Cantwell. Yes.
    Dr. Romine.--as an opportunity to spotlight the influence 
that the U.S. has internationally on cybersecurity standards 
and guidelines.
    Senator Cantwell. Is that the approach? Because I know my 
colleagues mentioned Huawei, or some of them have mentioned--
and maybe prior to getting here--and this is, like, a big 
issue, right, as to what other people standardize on, as well, 
and then is integrated into their system. So, if we have a 
cybersecurity framework, which you guys have--NIST has done a 
good job on--do we take that to--and do it in a bilateral 
fashion, or do we do it in a multilateral fashion with 
countries with already-established cyber frameworks, too?
    Dr. Romine. So, we do both of those things. We promote 
international engagement using the cybersecurity framework as a 
tool for that. And we've had tremendous success. Numerous 
countries have adopted or altered in some ways, but used the 
basic framework of the cybersecurity framework that NIST worked 
on with our private sector here in the U.S. And, I think, with 
great success.
    Senator Cantwell. Well, I see my time is expired, Mr. 
Chairman. Thank you.
    Senator Sullivan. Senator Moran.

                STATEMENT OF HON. JERRY MORAN, 
                    U.S. SENATOR FROM KANSAS

    Senator Moran. Mr. Chairman, thank you. Thank you for 
allowing me to join your Subcommittee today.
    Let me start with Dr. Romine. I chair the Appropriations 
Subcommittee for the Department of Commerce. That includes 
NIST, as you know. I'm ensuring--I'm interested in ensuring 
that you have the necessary resources. The administration's 
budget is a $112 million reduction, less than enacted over last 
year's FY19 levels. Would you expect this budget cut to impact 
NIST's specific role in supporting its public and private 
partnership on IoT cybersecurity research and standard-
settings?
    Dr. Romine. The guidance that we received from the 
administration during the development of the budget was to 
ensure that we protected, to the largest extent possible, 
certain programs that they viewed as high priorities. And that 
included the cybersecurity program at NIST. And so, that--we 
believe we can execute the necessary activities under our 
cybersecurity program under the President's proposed budget.
    Senator Moran. I hope that's the case. And we'll be 
watching to make certain that remains the case, that what you 
just testified remains true.
    Really, a question for all. The subcommittee I chair in 
the--in Commerce, we held a hearing last year on the private 
industry's use of coordinated vulnerability disclosure 
programs, including bug bounty programs to identify 
cyberthreats. Many businesses and Federal agencies have found 
utility in this approach, as the diversity, scale, and 
expertise of cybersecurity research community can oftentimes 
identify vulnerabilities that automated scanners and permanent 
penetration teams cannot. Are there examples of connected 
device manufacturers utilizing this type of cybersecurity 
threat detection? And, if not, do you think it's a feasible 
tool?
    Mr. Bergman, you looked----
    Mr. Bergman. Thank you for the----
    Senator Moran.--anxious to speak.
    Mr. Bergman. Thank you for the question, Senator.
    Absolutely. What we're seeing is that a number of the more 
mature manufacturers are not only using these techniques, but 
they are growing beyond the basics. There's a metric out there 
called BSIMM, Building Security In--Maturity Model, that we're 
fond of. And this program includes major manufacturers, like 
Qualcomm, Intel, other brand names that you would know from the 
manufacturing--from the consumer technology industry, as well 
as names from other consumer categories, the financial 
industry, and so on. So, it really--it's really across the 
board. And what they have is multiple levels. And the--what you 
just described would--is what I would call Level 1. And there 
are companies that are working at Level 2 and Level 3, where 
level 3 is, they're using the intelligence that they get from 
the coordinated vulnerability information in order to predict 
the next threat before it is even detected. So, there's quite a 
bit of work going on in that area, and it's been very 
successful.
    Senator Moran. Thank you.
    Others? Mr. Geiger?
    Mr. Geiger. Yes. So, I would agree with Mr. Bergman that 
there are a lot of mature manufacturers that currently have 
vulnerability disclosure policies and procedures. It is not 
something that we necessarily see ecosystemwide. And we think 
that's a problem. We think that it is very important for IoT 
manufacturers to have an ability to receive disclosures about 
vulnerabilities in their products from independent researchers. 
This will help them to protect consumers by issuing a patch or 
other mitigation.
    We also think that this is something that government 
agencies, governmentwide, ought to employ. But, there is a very 
important distinction between coordinated vulnerability 
disclosure and bug bounties. The distinction is that, for bug 
bounties, it's usually limited in scope and time duration, and 
the researchers are paid for that work. So, there tends to be a 
large volume of disclosures, and it only applies to a certain 
subset.
    Even in--even if you have a bug bounty program, you should 
have a baseline coordinated vulnerability disclosure program 
that applies--it's just a process for receiving the 
information. No--it doesn't necessarily mean that the 
researcher will get a reward, but it means that there will be a 
response and some sort of mitigation once the disclosure has 
been submitted.
    Senator Moran. Thanks for that explanation.
    Mr. Eggers. Senator, if I may, just to add on to that. 
We've worked closely with this Committee and the Senate 
Homeland Committee, a couple of years ago on legislation called 
the PATCH Act. And one of the things that's relevant here in 
the coordinated vulnerability disclosure issue is, when there 
are vulnerabilities discovered, vendors want those 
vulnerabilities reported to them so they have time to create a 
fix and push it out. I know that this committee and other--
others are looking at legislation that would leverage a CVD-
like program. On balance, we think that those are good. The 
role of government in identifying and mitigating those 
vulnerabilities is something that we're still looking at trying 
to understand better and what flows from that. But, on balance, 
one of the capabilities of the IoT cyber baseline is managing 
such vulnerabilities, having a patching process, and so forth, 
which I think is one of the fundamental things that we've seen 
with bills.
    And--they've departed, but I was just going to mention 
that, with Senator Cantwell, Senator Blumenthal, a number of 
things that they raised as concerns, I think the core baseline 
will address those, and likely more.
    Senator Moran. Thank you.
    Senator Sullivan. Let me continue the line of questioning 
that Senator Cantwell began.
    Mr. Romine, let me just rephrase her 1-to-10 question. And 
we appreciate the good work that all of you do at NIST, so 
thank you for that. But, does the United States maintain an 
international lead in both setting technical IoT security 
standards? And how do we strengthen the role of the U.S. doing 
that internationally?
    Dr. Romine. Thank you, Mr. Chairman.
    We do have a robust engagement in the IoT security 
standards arena through the 3GPP. This is----
    Senator Sullivan. So--but, we've been--my question is--I 
think maybe I'm assuming something by asking it, but that we 
have traditionally had the lead with regard to international 
technical standards in the telecoms field. Do we--are we in the 
lead, or have we maintained the lead, in setting the 
standards--technical IoT cybersecurity standards, right now?
    Dr. Romine. I believe we are. The----
    Senator Sullivan. And how can we help you maintain that 
lead? Isn't that important to everybody here?
    Dr. Romine. So, I would say that the standards development 
organizations that we engage with that are leaders in this 
space are inherently meritocracies. That is, the very best 
technical input, the soundest technical ideas, do ultimately 
prevail. It's a bit of a messy process, but it does actually--
the currency there is technical competence and technical 
excellence, and something that NIST and the U.S. industry 
representatives are very, very good at, and still maintain 
leadership there.
    Senator Sullivan. And if we are----
    Dr. Romine. The strengthening----
    Senator Sullivan. Oh, sorry, go ahead.
    Dr. Romine.--question--I'm sorry. I apologize. The 
strengthening question relates to ensuring a robust ecosystem 
of research so that we can continue to generate the ideas that 
are necessary to continue to lead in the international----
    Senator Sullivan. Yes.
    Dr. Romine.--community.
    Senator Sullivan. Let me ask this question. And it kind of 
came up from Senator Scott's question. And it, of course, 
relates to the concerns we have with Huawei and ZTE and what 
they're doing, which is, I think, in some ways, competing 
pretty dramatically, not only in terms of wiring the world, but 
also setting the standards. And I know we also have the 
European Union. To me, we want to maintain our lead in this. 
But, there's a big difference. And some of you had kind of 
indicated, ``Well, hey, they're all over. We can't--you know, 
it is a business. We can't, kind of, discriminate against 
them.'' But, it's a business that's actually infiltrated by the 
Communist Party and probably the PLA, and it ultimately would 
take orders from them. That's the way their system works. So, 
I'm much less concerned about the EU. I'm much less concerned 
about the pretty much any other entity in the world, because it 
might be standards that we're not necessarily in agreement on, 
but it's not a company that ultimately is run or would be 
answerable to an entity--let's face it, we don't want the 
Communist Party of China setting standards globally on the 
Internet security of things. So, how do we make sure that--but, 
when you say, ``most people--it's a meritocracy''--I think most 
countries don't want standards set by the Communist Party of 
China or the PLA. So, how do we use that to our advantage, I 
guess is my issue? Because isn't that the main competition 
right now? Or is it the----
    Dr. Romine. So----
    Senator Sullivan.--EU, or both?
    Dr. Romine. Your concern, which is understandable, is 
maintaining leadership of the United States in the standards 
space.
    Senator Sullivan. Globally.
    Dr. Romine. Globally.
    Senator Sullivan. Correct.
    Dr. Romine. And what I would say is this. We do see 
evidence of increased engagement in the standards arena by 
China and other countries that are economic adversaries of 
ours. In this case, though, what we haven't seen is definitive 
evidence of a substantial increase in the impact of that 
activity.
    Senator Sullivan. OK.
    Dr. Romine. So, representation is not the same as impact.
    Senator Sullivan. That's important.
    Let me ask another kind of related question. I was in a 
meeting, just recently--very recently--that included a very key 
African leader who is very knowledgeable in the private sector 
with regard to international telecoms and 5G and some of the 
topics we're talking about. Internet of Things, certainly. 
Very, very knowledgeable, very influential. He mentioned to me 
that, in the 5G world, if the entire continent of Africa said, 
right now, ``OK, we will take and build out a system on the 
continent that will be led by an American company,'' there's no 
American company right now that could deploy 5G. He mentioned 
that Africa might have 5G deployment from Huawei before we get 
it in our own country. Is that true? And we're concerned about 
this deployment of 5G globally in a competition with China, 
particularly companies like Huawei and ZTE, but this 
individual, very knowledgeable, was essentially saying to me, 
``We don't have an American choice.'' What is the choice? What 
is the choice for, not just Americans, which I care mostly 
about, and Alaskans in particular, but people in Africa? What's 
the choice? Do they have a 5G choice right now?
    Mr. Mayer, you want to address that?
    Mr. Mayer. Sure. I think supplier diversity with respect to 
5G is a real concern, and one that I know our members care 
about.
    Senator Sullivan. But, is there an American company----
    Mr. Mayer. There is no American company----
    Senator Sullivan. And will there be one soon? We----
    Mr. Mayer. Well, in the absence of some substantial funding 
to get something like that started----
    Senator Sullivan. Funding from whom?
    Mr. Mayer. Well, that's the question. I----
    Senator Sullivan. The big telecoms need a subsidy----
    Mr. Mayer. No, no, no. I'm not talking about--well, no, 
that's not what I'm saying. What I'm saying is that we've got 
Nokia, we've got Ericsson----
    Senator Sullivan. Right.
    Mr. Mayer.--we've got Samsung. These are well-established 
companies that are delivering products capable of supporting 5G 
deployment.
    Senator Sullivan. And not answerable to the Community Party 
of China?
    Mr. Mayer. Well, no, I don't think they're answerable to 
the----
    Senator Sullivan. OK.
    Mr. Mayer.--Communist Party of China. And that's why those 
are the vendors that will--you'll see involved in the 
deployment in the U.S. But, you know, you'd have to go back all 
the way to the days of Ma Bell and the--at a time when we were 
developing manufacturing capabilities to support the--that 
system. That's no longer here today.
    Senator Sullivan. Just real quick. And I want to be 
respectful to my colleague, here. But, why do you think we 
don't--at least from a U.S.-company perspective, we don't even 
have anyone--any entity that's ready for that deployment? We 
are just asleep at the switch? Or----
    Mr. Mayer. Well, you know, there's been convergence, 
consolidation in that industry.
    Senator Sullivan. OK.
    Mr. Mayer. AT&T, Lucent, Alcatel, you can just follow the 
chains, how global mergers resulted in moving that capability 
to foreign companies. It's very difficult to start from scratch 
today. It would be very costly to build in, let's say, unique 
security considerations into those products that might be 
higher than what the commercial standards are for the other 
manufacturers. It's a dynamic that's very hard to recapture at 
this point. We have to work closely with the existing vendors 
and make sure that the security capabilities are built into 
their products to our satisfaction.
    Senator Sullivan. Thank you.
    Senator Markey.
    Senator Markey. Thank you, Mr. Chairman, very much.
    This goes right to the sinister side of cyberspace, goes 
right to the bad part of the whole thing. And we just have to 
deal with it. And the industry can promise all the wonderful 
things, and they can deliver that immediately, they can have an 
algorithm from here to Osaka and back in a quarter of a second, 
and they can brag about all that transfer of information. But, 
when we ask them about cybersecurity, ``It's just so 
complicated. We can't figure it out. We don't know what the 
algorithm would be. Just so complicated to deal with the bad 
side.''
    So--and I had--I've had this problem before, with the 
Consumer Technology Association, when I was trying to pass a 
law that said that every TV set in America had closed 
captioning, back in 1990. I just had this, ``Oh, my goodness 
you don't know how complicated that's all going to be. You've 
got to give us more time.'' Then in 1996, I wanted a V-chip, 
you know, for violence and sex and language, built into every 
TV set. ``Oh, it's going to cost $25. It'll get so complicated. 
Regular consumers won't want it.'' Then in 2010, on whether or 
not every wireless device is accessible to the deaf and blind 
in America, ``You don't know how complicated it is. You've just 
got to give us all this extra time.''
    So, I've done this over and over again. And ultimately, 
each time, you have to pass a piece of legislation, just say, 
``Go get it done. Figure it out. You want to argue over 2 years 
or 3 years to get it done? You want to argue over 6 months or 2 
years? Argue over that, but don't argue over whether or not it 
can get done.'' I can--because I've learned too many times, 
just dealing with Consumer Technology Association, that's 
always--it's never today, and it's not soon.
    So, here's my fear. My fear--and let me ask you this, Mr. 
Geiger. And thank you for Rapid7, you know, being here. Thank 
you for what you're doing. If your mother's buying an HDTV set 
today, and she's bringing it right into the living room, can 
that set potentially be hacked and people are listening to her, 
or even watching her, in the living room?
    Mr. Geiger. Yes, it can.
    Senator Markey. Now, how would she know that? Would the 
salesperson tell her that? ``Be careful that--that TV set can 
be turned into an actual camera, watching you, or that they can 
listen to you.'' Does--would she know that if she was out 
shopping today?
    Mr. Geiger. Most salespeople are very knowledgeable, but my 
experience with them has been that they have not been able to 
tell me similar information when I have asked for products that 
I buy, even high-end products, like an HDTV. There are certain 
things that the user can do to protect themselves. Like, for 
example, you should immediately update your television software 
and so forth.
    Senator Markey. Would your mother know how to do that?
    Mr. Geiger. She would probably call me, and I would talk 
her through it.
    Senator Markey. No, I don't mean you.
    [Laughter.]
    Senator Markey. Her--the son she's so proud of, that has 
such great tech skills. I mean an ordinary family. Would they 
know how to do that?
    Mr. Geiger. I don't--I can't speak for other families, but 
it is--it's----
    Senator Markey. I can.
    Mr. Geiger.--it's a process, and it's----
    Senator Markey. I will say that that's a very daunting 
challenge for most families. And I know it's a daunting 
challenge for history and English majors in college.
    [Laughter.]
    Senator Markey. Very daunting for us. We just look at it 
and maybe, you know, I'll wait until the TV is 10 years old, 
right?
    So, would the same thing be possible for a microwave, that 
that could also be turned into--if you can talk to the 
microwave, could the microwave also be hacked by someone so 
that they can be listening to your conversations in the living 
room?
    Mr. Geiger. At this point, every device ships with some 
vulnerabilities. There is never going to be a--we're never 
going to reach a situation where there is complete security. I 
think that what is most important now is that we look at 
preventing the most basic and unreasonable lack of security 
that we see in some devices.
    Senator Markey. So, you agree, though, that that TV set or 
that microwave should have a five-star--four, three, two, one--
warning, in terms of the protection that's been built into that 
set against being hacked.
    Mr. Geiger. I think that that would be one very important 
component. I think that another, as I've mentioned, is having, 
both, agencies establish an IoT baseline within their own areas 
of authority, and having security legislation that protects 
consumers. This would shift--because part of the problem with 
the label is that we also don't want to have to put the entire 
obligation on consumers. It can't just be about consumer 
awareness. There have to be things that are built into the 
product as it leaves.
    Senator Markey. That's what I'm saying, that they would be 
built in. For instance, when I buy a car--if I bought a car 5 
years ago, and it says five-star safety--four, three, two, 
one--I know that, 2 years later, it's not the same standard as 
it was 2 years ago, but I knew when I bought it that it had the 
highest-possible security standard. And if I bought a car that 
only had a one rating, I would know that, and it would probably 
be even less safe now. But, I would know all that, and I would 
internalize it, and I would make a decision as a customer. And 
then what happened, of course, is, once we set up that system, 
auto industry competed on safety. They want the----
    Mr. Geiger. Exactly.
    Senator Markey.--five star. With consumers smart enough to 
know that 2, 3, 4, 5 years later, it might have advanced, but 
at least you did your best for your family, your children, you 
know, your loved ones in the car at the time. So, the same 
thing is true here, except you can actually, in the Digital 
Era, patch remotely----
    Mr. Geiger. Right.
    Senator Markey.--and bring it up to standard, huh----
    Mr. Geiger. And we----
    Senator Markey.--Mr. Geiger?
    Mr. Geiger. And we think it's critical to have a 
differentiator for consumer technology that is not just about 
cost, but that is also about security. Retailers have adapted 
to things like ENERGY STAR. If you go on Amazon and you try to 
buy an appliance now, you can filter the search results by 
ENERGY STAR. You know, I personally, as a consumer that cares 
deeply about cybersecurity, would filter it by an energy 
shield--or a Cyber Shield or other such differentiator. 
Currently, that just does not exist that is widespread in the 
ecosystem.
    Senator Markey. Yes. So, my view----
    I'm sorry, Mr. Chairman.
    Senator Sullivan. Well, I'm--I was just going to--go ahead 
and----
    Senator Markey. I would just conclude by saying, from my 
perspective, the least that we should be able to do to--for 
families is to give them the safety information they need. And 
if they want to shortchange their family because the extra 
money hasn't been spent by the company on building in the 
cybersecurity, or the security into an automobile----
    Voice: Could I----
    Senator Markey.--or an SUV to protect them, then that's a 
family decision. But, at least--the least that we should be 
able to say is that we tried, we really tried to get this 
information to families across this country, that their 
security is at risk. And that's why I think we just have to 
build a mandate into this legislation and give them a deadline 
to come up with a consensus.
    Voice: May I----
    Senator Markey. Otherwise, I just think it's an open-ended 
take-home exam that will never be finished, and that's what 
I've found in the past with the industry.
    Senator Sullivan. I'm going to----
    Senator Markey. OK. Sure.
    Senator Sullivan. No, I want to--but, I want to give you 
guys an opportunity to wrap. This has been a very good hearing. 
You can tell Senator Markey has been focused on these issues--
and I respect him a lot--for most of his career. Like I said, 
very interesting hearing. I'm not sure I've been at a hearing 
where the witnesses talked about their mothers so much, so 
that's kind of----
    [Laughter.]
    Senator Sullivan.--interesting.
    But, here's my, kind of, final question for all of you. And 
you all get to take a crack at this. I think you're seeing, 
here, both sides, right, Republicans and Democrats, are--we 
are--on the Internet of Things, as both of our opening 
statements mentioned, great opportunities, but also growing 
security risks, challenges, both internationally, but also, 
importantly, to consumers. And making sure consumers have 
confidence in what they're buying, I think, is very important, 
not just to us, terms of the oversight role, but should be to 
all of you. And I assume that it is.
    So, one of the issues is labeling. OK? There were good 
arguments, both sides, right? I thought the argument, ``Hey, 
this isn't energy. It's a little bit more complex.'' Mr. 
Bergman, I think you mentioned, ``This isn't energy.'' Right? 
This is very complex. So, what else can we, or you, or the 
combination of both, be doing to build consumer confidence that 
the, you know, baby monitor is not being used as some kind of 
twisted device to, you know, say things to young children that 
every American thinks is abhorrent? Right? So, why don't we 
just go down the line. And we'll start--and end the hearing 
with each of you weighing in on that question.
    OK. Go ahead, Mr. Romine.
    Dr. Romine. Thank you, Mr. Chairman.
    Senator Sullivan. Confidence. Consumer confidence. Big 
picture. What do we--what should we be doing?
    Dr. Romine. A big part of the stated purpose of my 
laboratory at NIST is cultivating trust in IT. And to that end, 
we work diligently in the cybersecurity arena to try to promote 
that kind of trust through management of risk. That's our 
mantra, is, How do you manage the risk? We do not solve the 
cybersecurity problem, ``OK, it's fixed, we're done, let's move 
on.'' It's an ongoing, dynamic arena.
    That's certainly true in the IoT space. The reason we 
established a formal program in IoT security a few years ago 
was the mounting concerns about IoT as a completely different 
type of IT device that needed to be understood in the context 
of its use and because it was going to be so pervasive. You 
talked about billions of devices. The sheer scale of this 
problem is different than anything we've seen before in the 
cybersecurity space.
    So, we will continue to work diligently with our colleagues 
in the private sector to do the best that we can to raise the 
effort that's needed by adversaries to try to break into these 
systems.
    Senator Sullivan. OK.
    Let's just--I don't want a repeat--thank you--I don't want 
a repeat of everybody's opening statements, but----
    Mr. Eggers. Sure.
    Senator Sullivan.--keep it short, concise, succinct. But, 
Mr. Eggers, next to you.
    Mr. Eggers. Senator, I----
    Senator Sullivan. Consumer confidence.
    Mr. Eggers. Thank you.
    Senator Sullivan. How do we build it?
    Mr. Eggers. I think the effort we're doing here, we're in 
relatively early stages, meaning that we're going to come out 
on the other side of this effort with a product that will 
achieve your interests in security, Mr. Chairman, Mr. Ranking 
Member. I think that the capabilities that are in the 
documents, if you will, the standards, the efforts that we are 
looking to hold ourselves to in building will be what you're 
looking for. We want to take that work, that consensus work, 
and push it globally.
    On the labeling front, I think it's a very good issue to 
tackle. One of the things why I think it's valuable to be here 
is because we do value your concerns, what--how you see a 
label, and what it means to you. It's not anything we shy away 
from. One of the things that we try to do at the Chamber is 
work through issues, consider pros and cons, and come out on 
the other side with a position that works for a number of 
stakeholders. You're not wrong to want something that----
    Senator Sullivan. You need to be succinct, here, so----
    Mr. Eggers. Yes.
    Senator Sullivan.--wrap it up.
    Mr. Eggers.--that communicates effectiveness. However, I do 
believe that, if there is a government-directed or quasi-
directed label, it won't keep up with this baseline effort that 
we are trying to achieve, purely and simply.
    Senator Sullivan. Mr. Mayer.
    Mr. Mayer. So, I think we have to be careful that we don't 
create a false sense of confidence by putting a label out there 
that may not be able to maintain its currency. I'll give you an 
example. Senator Markey mentioned the car. Those cars today are 
software, they're computers, they're sensors talking to each 
other, they're moving back and forth among each other within 
the car, to other cars, and back to the factories. What is a 
level one this afternoon, by this evening might be a level 
three, because there's been a change in some configuration. So, 
as we move toward AI, big data, 5G, in terms of connectivity--
and we're moving there quickly--we're going to have to 
understand that it---there's going to be a requirement for a 
different level of effort to protect and secure these devices. 
And that's going to be constantly evolving, because the 
adversaries are going to come at this level, the defenders are 
going to go here, the adversaries are going to go here, 
defenders are going--here. We're in this constant wrestling 
match. That's the environment we're in. And we have to put as 
much control in the hands of the experts, the technicians, the 
statisticians, the mathematicians, the people who can actually 
build the algorithms that will keep us safe and keep these 
environments safe. That's the environment we're moving toward. 
It's going to be very complicated.
    Senator Sullivan. Mr. Bergman.
    Mr. Bergman. Thank you for the opportunity, Senator.
    Senator Sullivan. Consumer confidence. How do we build it?
    Mr. Bergman. CTA is a big fan of consumer education. We've 
invested in a consumer awareness campaign. We have now--since 
2017, our public service announcements have gone out 25,000 
times over national cable networks, local and TV/radio 
stations. At the same time, we find that everyone has their 
part to play, and our focus is on making the devices as secure 
as possible.
    One of the reasons that this is so important is that our 
major members on the retail side are demanding action from us 
and from the manufacturers. I can give you a specific example. 
Best Buy, major brick-and-mortar and online retailer, is not 
only coming to us and saying, ``We need a clear way to 
communicate what the cybersecurity requirement is to the 
manufacturer of the IoT device before it goes in our store, and 
we need that to be accepted by industry, we need it to be 
acceptable to the government, we need it to be something that 
we can work with on a global level.'' Not only is Best Buy 
working with us, in terms of giving us this input, they're 
literally chairing one of our committees to solve these 
problems. These--this is one of the market incentives that's 
arising.
    Another factor is the recognition that consumers are 
uncomfortable about buying IoT devices, for the issues that 
we're talking about today. And that is an incentive to everyone 
in the ecosystem to solve the problem.
    Senator Sullivan. Mr. Geiger, last word.
    Mr. Bergman. Thank you.
    Mr. Geiger. Thank you. I think that the most important 
thing that you can do for consumer trust is to pass data 
security legislation that requires reasonable security for 
personal information. A lot of the harms that are driving the 
privacy debate are not due to a failure of notice, choice, 
access, transparency, or use restrictions. They're failures of 
security. They're failures because of unauthorized access or 
accidental data breach. The Marriott and Equifax breaches are 
excellent examples of failures of security, not other privacy 
principles. Voluntary guidance, we think, alone, will not work. 
And we hear from some of the companies here today--or 
associations here--talking about the baseline for IoT security. 
We think that that's great, and it's very fruitful work, and it 
should be a factor into what is considered reasonable for 
security of personal information. The point is that there has 
to be some sort of enforcement mechanism behind it to prompt 
adoption.
    Thank you.
    Senator Sullivan. Well, I want to thank all the witnesses. 
I want to thank Senator Markey. A very, very informative 
hearing. We have a lot of work to do, all of you, all of us, 
but I think this is an important step forward.
    The hearing record will remain open for two weeks. During 
this time, Senators may submit questions for the record. Upon 
receipt, the witnesses are, respectfully, requested to submit 
their written answers to the Committee as soon as possible.
    Again, thank you to all of our witnesses today. Excellent 
hearing.
    This hearing is now adjourned.
    [Whereupon, at 4:30 p.m., the hearing was adjourned.]

                            A P P E N D I X

    Response to Written Questions Submitted by Hon. Roger Wicker to 
                        Charles H. Romine, Ph.D.
    Question 1. To what extent will NIST's final IoT cyber baseline 
account for the varying levels of risk that different types of 
connected devices pose, and if so how? Does the baseline incorporate a 
one-size fits all approach or one that is more risk-based?
    Answer. The Core Cybersecurity Capabilities Baseline is intended to 
identify a common set of capabilities for IoT device cybersecurity, in 
other words a ``floor.'' It is expected that a) profiles will be 
developed that adapt this baseline to their market sector and provides 
flexibility to add additional required capabilities (informed by market 
specific use cases and risks); and b) industry-led consensus standards 
may evolve to further elaborate on the implementation of the 
cybersecurity capability as appropriate for that market. This path 
provides for an adaptable approach informed by risk and taking into 
account the broad range of device capabilities and use cases 
encompassed in the Internet of Things.

    Question 2. How serious is the U.S dependence on foreign 
information and communications technology? Who are we dependent on and 
how do we reduce this dependence to ensure the security of the U.S. 
supply chain?
    Answer. NIST cannot comment on ``identifying the U.S dependence on 
foreign information and communications technology and who are we 
dependent on'' as these are out of NIST's scope of work.
    Securing the information and communications technology and services 
supply chain is a top priority for the Administration. As directed by 
the Executive Order on the topic, the Office of the Director of 
National Intelligence is responsible for assessing ``threats to the 
United States and its people from information and communications 
technology or services designed, developed, manufactured, or supplied 
by persons owned by, controlled by, or subject to the jurisdiction or 
direction of a foreign adversary'' and the Department of Homeland 
Security for assessing and identifying ``entities, hardware, software, 
and services that present vulnerabilities in the United States and that 
pose the greatest potential consequences to the national security of 
the United States.'' Pursuant to the EO, Commerce, in consultation with 
other departments and agencies will determine if an information and 
communications technology or services transaction

  (A)  poses an undue risk of sabotage to or subversion of the design, 
        integrity, manufacturing, production, distribution, 
        installation, operation, or maintenance of information and 
        communications technology or services in the United States;c

  (B)  poses an undue risk of catastrophic effects on the security or 
        resiliency of United States critical infrastructure or the 
        digital economy of the United States; or

  (C)  otherwise poses an unacceptable risk to the national security of 
        the United States or the security and safety of United States 
        persons.

    While NIST does not lead any of these assessments or 
determinations, NIST stands ready to provide expertise if and when it 
is requested. NIST continues to work on guidance, methods and tools for 
organizations to conduct cyber supply chain risk assessments and to 
clearly and effectively communicate security requirements and 
capabilities to suppliers and customers.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Jerry Moran to 
                        Charles H. Romine, Ph.D.
    As the U.S. Government's repository of standards-based 
vulnerability management data, NIST's National Vulnerability Database 
(NVD) plays a critical role in receiving, standardizing, and analyzing 
cybersecurity vulnerabilities as they are discovered.
    Question 1. You indicated in your testimony that IoT 
vulnerabilities are accounted for in the database, but can you please 
explain how common these types of vulnerabilities are as compared to 
other information technology vulnerabilities? Have you seen any 
patterns of increased reporting frequency related to IoT devices?
    Answer. As of now, IT vulnerabilities make up the majority of items 
accounted for in the National Vulnerability Database, but we do see an 
increase in the reporting of vulnerabilities related to IoT. This is to 
be expected with the continuing growth of IoT applications. NIST will 
continue to work with industry, standards bodies, and the Common 
Vulnerability and Exposures (CVE) Board to ensure that IoT vendors and 
the vulnerability research community participate in this open and 
common method for alerting and reporting about vulnerabilities.
    Your testimony described NIST's Internal Report 8200 that was 
published in November 2018. The report described five separate IoT 
technology application areas including connected vehicles, consumer 
products, health processes, smart buildings, and smart manufacturing 
capabilities. As you are likely aware, there are comprehensive 
applications of IoT in the agricultural economy, often referred to as 
``precision agriculture.'' Precision agriculture equipment appears to 
fall into a few of these listed categories from the report.

    Question 2. How is NIST accounting for agricultural applications of 
IoT in its considerations of promoting data security and privacy 
standards?
    Answer. NIST IR 8200 selected five example IoT technology 
application areas to provide context for the analysis of available 
cybersecurity standards for IoT but does not reduce the applicability 
of the report across applications. Much existing cybersecurity and 
privacy work at NIST are applicable for agricultural applications of 
IoT, such as the Cybersecurity Framework and the Privacy Framework 
initiatives. NIST IR 8228 highlights areas of consideration for privacy 
and cybersecurity of IoT that are broadly applicable. The ongoing NIST 
work to identify a core set of cybersecurity capabilities for IoT 
devices is intended to identify a ``floor'' across most IoT devices, 
regardless of industry vertical.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Todd Young to 
                        Charles H. Romine, Ph.D.
    Question 1. Can you speak to what the Federal Government is 
currently doing to prepare for future Internet of Things (IoT) cyber 
threats the country may face?
    Answer. NIST cannot speak for other Federal Government agencies.
    NIST's Cybersecurity for the Internet of Things program supports 
the development and application of standards, guidelines, and related 
tools to improve the cybersecurity of connected devices and the 
environments in which they are deployed. By collaborating with 
stakeholders across government, industry, international bodies, and 
academia, the program aims to cultivate trust and foster an environment 
that enables innovation on a global scale.

    Question 2. What more can and should NIST, the Department of 
Commerce, and others in the Executive Branch be doing to prepare?
    Answer. Some of the considerations NIST is addressing in IoT 
include the following:

   Mitigate risks through education and awareness. As an 
        organization becomes aware of its current and potential IoT 
        usage, it needs to understand IoT device risk considerations 
        and the challenges such as present. An organization using IoT 
        devices may need to adjust organizational policies and 
        processes to address the cybersecurity and privacy risk 
        mitigation challenges throughout the IoT device lifecycle and 
        implement updated mitigation practices for the organization's 
        IoT devices.

   Maintain U.S. leadership in IoT-related standards 
        development. It is vital to build a pipeline of contributions 
        for the development of standards. Research can lead to new 
        ideas and discoveries that form the basis for new standards 
        that benefits consumers.

   Develop a workforce prepared to address IoT challenges. 
        Workforce development is an essential element of preparedness. 
        The National Initiative for Cybersecurity Education (NICE) 
        Cybersecurity Workforce Framework provides a roadmap for 
        cybersecurity workforce management, as well as for the delivery 
        of education and training content across the Nation.

    Question 3. What statutory authority do NIST and other government 
stakeholders require to take appropriate action?
    Answer. NIST is carrying out its IoT-related programs under its 
existing statutory authorities.

    Question 4. What is the single greatest IoT threat to the average 
consumer?
    Answer. Addressing security throughout of the life-cycle of IoT 
products and services, and securing the web and cloud interfaces, will 
be keys to improving security of IoT for consumers of these products 
and services, whether they are individuals, businesses or governments. 
The IoT world of the future will require secure connectivity and user 
confidence in security. It will be challenging for manufacturers and 
developers of consumer-grade, low-cost IoT devices to view the cost of 
life-cycle device security as a necessity.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Amy Klobuchar to 
                        Charles H. Romine, Ph.D.
    My bill with Senator Thune, the Cyber Security Exchange Act, would 
establish a public-private exchange program to recruit cybersecurity 
experts in the private sector and academia to do tours of duty in the 
Federal Government for up to two years, while also creating a program 
for government cybersecurity experts to do rotations in the private 
sector.

    Question 1. In your view, is our current cybersecurity workforce 
adequately trained and distributed among Federal agencies to properly 
secure Internet of Things (IoT) devices from cyberattacks?
    Answer. NIST shares your concern about the Federal Government's 
preparedness for securing our information systems, including IoT 
devices, from cyber-attacks. To address these concerns, NIST plays a 
lead role in implementing the Executive Order on America's Cyber 
Workforce and convenes the National Initiative for Cybersecurity 
Education (NICE) Interagency Coordination Council, among other 
activities. NIST does not play a role in measuring the adequacy of 
training at other Federal departments and agencies, or in evaluating 
workforce distribution among agencies for securing IoT devices.

    Question 2. How would such a public-private exchange program help 
the ongoing effort to secure vulnerabilities in IoT devices?
    Answer. The Administration does not have a position on the Cyber 
Security Exchange Act. However, the Executive Order on America's Cyber 
Workforce notes ``The United States Government must enhance the 
workforce mobility of America's cybersecurity practitioners to improve 
America's national cybersecurity. During their careers, America's 
cybersecurity practitioners will serve in various roles for multiple 
and diverse entities. United States Government policy must facilitate 
the seamless movement of cybersecurity practitioners between the public 
and private sectors, maximizing the contributions made by their diverse 
skills, experiences, and talents to our Nation.'' As a general matter, 
exchange programs have the potential to provide employees the 
opportunity to develop and improve skills in diverse settings and to 
apply those new and improved skills in this rapidly changing area to 
better mitigate all types of cybersecurity vulnerabilities. In 2018, 
the Administration submitted a legislative proposal to amend subpart B 
of part III of title 5, United States Code by adding a new chapter 
titled ``Assignments To and From External Organizations,'' which would 
authorize agencies to establish an Industry Exchange Program, for 
science, technology, engineering, or mathematics. These fields, which 
include cybersecurity, could benefit from an exchange of idea and 
talent between the Federal Government and private sector.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Roger Wicker to 
                             Matthew Eggers
    Question 1. Mr. Eggers, in your testimony, you noted that market 
and/or policy incentives may be needed to jump-start development of IoT 
cybersecurity components and business practices. What are some of the 
incentives that could drive businesses to build better cybersecurity 
into the design of their Internet-connected products?
    Answer. The Chamber is assessing the establishment of a Buy Strong 
IoT Coalition to promote the production, purchase, and deployment of 
more secure IoT products. We want device makers, service providers, and 
buyers to gain from the business community leading the development of 
state-of-the-art IoT components and sound risk management practices. 
But which comes first--strong devices or strong market demand? 
Stakeholders are trying to think through and solve a chicken-and-egg 
strategy problem.
    If created, the Coalition would explore facilitating a process in 
the marketplace that generates both security and value for buyers and 
sellers. Indeed, market and/or policy incentives may be needed to 
initiate progress, but the specifics are yet to be determined.
    Meanwhile, the Chamber recognizes that increasing IoT cybersecurity 
is a challenge that no single group or business association can tackle 
alone. Any solution(s) that the Coalition develops needs to be 
ambitious yet manageable. Proposed solutions also need to be tested to 
avoid mistakes, as well as communicated to the public. It is difficult 
for a coalition that comes up with a solution(s) to also have the 
influence and resources to implement it alone. This means that the 
Coalition is going to have to persuade other people, including members 
of Congress and administration officials, to buy in to its goals and 
want to help industry succeed.

    Question 2. How serious is the U.S dependence on foreign 
information and communications technology? Who are we dependent on and 
how do we reduce this dependence to ensure the security of the U.S. 
supply chain?
    Answer. Supply chains are the arteries of American commerce. They 
affect companies large and small, are essential to U.S. 
competitiveness, and help determine our quality of life. Information 
and communications technology (ICT), or cyber, supply chains are a 
driving factor in the most critical debates of the day.
    Our ICT supply chains are deeply interwoven with a number of 
foreign trading partners. The Chamber believes that ICT security policy 
must be geared toward facilitating trade and managing risk. The cyber 
supply chain is a globally distributed, interconnected set of 
organizations, people, processes, services, and other elements. 
American companies are committed to ensuring that their ICT products 
and services reflect the latest cybersecurity protection, while 
maintaining their organizations' place in a highly competitive 
marketplace.
    The Chamber is calling for a swift, private sector-led rollout of a 
secure 5G network as part of our push to bolster U.S. infrastructure 
and economic prosperity. Developing and deploying cellular networks 
that cover an entire country and reliably serve millions of subscribers 
present an array of challenges and opportunities. Complexity and high 
equipment costs, for instance, have favored some large foreign vendors 
that offer relatively inexpensive solutions, including bundling 
technology, services, and financing in a single offering. This 
arrangement has created some dependence on a handful of overseas 
providers.
    The Chamber is assessing the pros and cons of new approaches, such 
as virtualized networking technology (aka network function 
virtualization), which can feasibly offer pathways to reduce such 
dependency by leveraging a broader array of off-the-shelf ICT 
solutions. Meanwhile, ambitious public-and private-sector efforts are 
underway to manage cyber supply chain risk and threats. The Chamber is 
engaging the administration on the White House's May 2019 executive 
order on securing the ICT supply chain, as well as related initiatives.
    Our Cybersecurity Working Group is reviewing a number of bills that 
are germane to your question, including S. 893, the Secure 5G and 
Beyond Act of 2019; S. 1457, the Sharing Urgent, Potentially 
Problematic Locations that Yield Communications Hazards in American 
Internet Networks (SUPPLY CHAIN) Act of 2019; and S. 1625, the United 
States 5G Leadership Act of 2019. The latter bill, which you sponsored, 
calls for a new Supply Chain Security Trust Fund grant program.
    While the Chamber has not yet taken a position on S. 1625, this 
program could help communications providers, particularly those in 
rural areas, remove from their networks certain equipment determined to 
possibly threaten U.S. national security. Your bill offers a novel 
approach to strengthening cyber supply chains. The Chamber welcomes 
discussing it with you and your staff members,
                                 ______
                                 
    Response to Written Question Submitted by Hon. Roger Wicker to 
                              Robert Mayer
    Question. How serious is the U.S dependence on foreign information 
and communications technology? Who are we dependent on and how do we 
reduce this dependence to ensure the security of the U.S. supply chain?
    Answer. Thank you for the opportunity to respond to the question 
from Senator Roger Wicker.
    The U.S., like other nations, has a high degree of dependency on 
foreign information and communications technology. It is the very 
nature of today's hyper-interconnected world that creates these mutual 
dependencies that for the most part have served to fuel unprecedented 
levels of innovation and economic growth. Trust is the single most 
essential factor necessary to ensure the integrity and sustainability 
of this economic and social engine.
    When we look broadly at this ecosystem from the perspective of 
information and communications technology and services, we see a highly 
competitive and global market where the U.S procures products from, and 
provides product to, a large number of organizations throughout the 
world. When we narrow the aperture to the procurement of 
telecommunications equipment, especially with respect to products and 
services that are needed for wide-scale 5G deployment, our dependency 
on foreign-sourced equipment and services becomes more acute.
    As I indicated in my testimony, there are three main alternative 
suppliers to Huawei which include Nokia, headquartered in Finland, 
Ericsson in Sweden, and Samsung in South Korea. USTelecom members are 
working closely, productively, and cooperatively with these and other 
global partners to ensure accountability around security and privacy 
and to embrace those business practices that have been proven to build 
increasing trust over time.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Todd Young to 
                              Robert Mayer
    Question. Mr. Mayer, in your testimony you discuss the strategic 
partnership between global industry leaders and the important mission 
of the Council to Secure the Digital Economy, which ``is to identify 
sophisticated and evolving cyber threats and the security practices.''
    Given that there is consistent evidence of IoT security 
vulnerabilities, how concerning is it to see U.S. allies allowing the 
same technology companies--that the U.S. has deemed to be a national 
security threat--to operate within their borders?
    Answer. USTelecom formed the Council to Secure the Digital Economy 
in 2018 in response to the growing recognition that cybersecurity is a 
global problem that requires global solutions; the convergence of 
information, communications and technology necessitates strong cross-
sector collaboration.
    Since we formed this industry-led initiative with 13 of the largest 
global ICT companies, we have worked in close partnership with multiple 
Federal agencies including the Department of Homeland Security (DHS), 
the National Telecommunications and Information Administration (NTIA), 
and the National Institute of Standards and Technology (NIST). We are 
now expanding our engagement with international governments as we 
pursue further work in the area of botnets, IoT baseline security, and 
cyber crisis coordination.
    There is no question that IoT security is one of the most 
significant cybersecurity challenges we face today and it requires 
vigilant leadership from both industry and governments throughout the 
world. When companies are found to present undue risk to a nation's 
national and economic security, and when those risks have the potential 
of harming the global digital ecosystem, it is imperative that 
governments work to mitigate those risks.
    The U.S. Government is taking strong measures to assess and address 
what the national security community has defined as an ``unusual and 
extraordinary'' threat. While the IoT threat will not be eliminated as 
a result of any prohibition on a single country or company, it is our 
hope that discussions with our allies produce a common understanding of 
the threat and that appropriate risk mitigation measures are taken to 
effectively address the threat.
                                 ______
                                 
    Response to Written Question Submitted by Hon. Amy Klobuchar to 
                              Robert Mayer
    Question. In order to identify gaps in the availability of 
broadband service on farmland and ranchland, Chairman Wicker and I 
introduced the Precision Agriculture Connectivity Act, which was signed 
into law as part of the 2018 Farm Bill. While reliable broadband is the 
foundation to help farmers streamline their operations, improve crop 
yields, and boost their bottom line, IoT smart agriculture also plays a 
critical role in improving farming. Can you discuss how the security of 
IoT smart devices is critical for many industries, especially in rural 
areas?
    Answer. Thank you for the opportunity to respond to the question 
from Senator Amy Klobuchar.
    USTelecom is committed to securing IoT devices across all 
industries, including agriculture, and in partnership with the Consumer 
Technology Association we convened 13 global companies and a group of 
20 organizations to develop the leading industry consensus on IoT 
security worldwide (known as the C2 Consensus).\1\
---------------------------------------------------------------------------
    \1\ Council to Secure the Digital Economy, The C2 Consensus on IoT 
Device Security Baseline Capabilities (2019), https://
securingdigitaleconomy.org/wp-content/uploads/2019/09/CSDE_
IoT-C2-Consensus-Report_FINAL.pdf.
---------------------------------------------------------------------------
    Our project leveraged hundreds of subject matter experts across the 
communications and IT sectors based on the principle that the best way 
to achieve security is to advance security specifications developed by 
the world's leading experts.
    The core set of baseline capabilities we developed are broadly 
applicable--vertically and horizontally--across markets. They apply to 
the diverse range of new IoT devices, accommodating the broad spectrum 
of device complexity, regardless of the deployment environment.
    The agricultural industry is no exception. IoT devices used for 
smart agriculture are neither immune to being compromised and used in a 
pervasive botnet attack nor are they invulnerable to being targets of a 
cyber-attack. An attack that disrupts or manipulates IoT agriculture 
devices could cause losses to the Nation's farmers and the agricultural 
industry more broadly. As more IoT smart agriculture devices come to 
market and are increasingly used in precision farming, we would 
encourage the U.S. agricultural industry to make use of the security 
advances that USTelecom and its partners are actively promoting, along 
with practices based on industry-specific risk profiles. By raising the 
market's expectations for security, our recommendations will help to 
lift all new IoT devices' cybersecurity, including devices used in 
agriculture.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Roger Wicker to 
                            Michael Bergman
    Question 1. Who is best suited to promote and drive increased IoT 
cybersecurity-the businesses that manufacture, supply and sell 
connected devices or the consumers that buy them?
    Answer. The Consumer Technology Association (CTA) represents more 
than 2,200 member companies, 80 percent of which are small businesses 
and startups. Given its role in the industry, CTA is working to secure 
devices by coordinating with the businesses that manufacture, supply 
and sell them. CTA is uniquely positioned to play this important role 
because of its expertise, experience and broad membership across the 
entire consumer technology industry. CTA also has a long history as a 
technical standards body, dating back to the 1920s. CTA's Technology 
and Standards program is accredited by the American National Standards 
Institute and includes more than 70 committees and over 1,000 
participants.
    With respect to device security, CTA has taken several steps to 
help coordinate the security efforts of its members. In May 2018, CTA 
announced that it was working with the Council to Secure the Digital 
Economy (CSDE) to develop the International Anti-Botnet Guide. The 
Guide is a playbook that offers companies across the digital ecosystem 
a set of baseline tools, practices and processes they can adopt to help 
protect against the threat of botnets and other automated distributed 
attacks in addition to advance security. In March 2019, through the 
CSDE, CTA convened 18 major cybersecurity and technology organizations, 
industry associations and standards bodies to identify baseline 
security capabilities for the rapidly growing IoT marketplace 
(``Convene the Conveners'' or C2). This unprecedented industry effort 
seeks to identify baseline security capabilities for the rapidly 
growing IoT marketplace.
    CTA is undertaking this work with its members on IoT security to 
protect consumers. For example, CTA is developing industry consensus 
for IoT security capabilities that will help consumers directly in 
addition to companies in the retail sector who are increasingly focused 
on ensuring the products they sell adequately protect their customers. 
Retailers want their consumers to feel comfortable and safe when buying 
products, and CTA shares this desire. CTA has also invested in 
educating consumers and businesses about security and will continue 
moving forward. As an example, CTA, in partnership with the Department 
of Justice's Cybersecurity Unit, released consumer guidance on securing 
IoT devices in July 2017.\1\ In addition, CTA has developed and 
released the Connected Home Security System to guide connected home 
dealers and professionals through the most secure and best practices 
available for installing and configuring products, devices and systems.
---------------------------------------------------------------------------
    \1\ U.S. Department of Justice Cybersecurity Unit and Consumer 
Technology Association, Securing Your ``Internet of Things'' Devices 
(July 2017), available at https://www.justice.gov/criminal-ccips/page/
file/984001/download.
---------------------------------------------------------------------------
    Consumers are already faced with a significant number of features 
when choosing a device, and indications are that they expect the 
manufacturer and retailer to ensure that the device is secure at the 
time of purchase. Educating consumers on security--that they should 
consider it and what to look for--is a significant task. CTA and its 
member companies are focused on making devices secure.
    Question 2. What are the challenges associated with an IoT device 
cybersecurity certification and labeling scheme?
    Answer. At CTA, we are focused on ensuring the devices themselves 
are secure; that is our priority. A critical first step is achieving 
industry consensus for IoT security baselines. That is why CTA has 
initiated, through the Council to Secure the Digital Economy (CSDE), a 
convening of 18 major cybersecurity and technology organizations, 
industry associations and standards bodies to identify baseline 
security capabilities for the rapidly growing IoT marketplace 
(``Convene the Conveners'' or C2) effort. It is also why CTA is working 
closely with the National Institute of Standards and Technology (NIST) 
in the agency's efforts to create a core IoT Cybersecurity Capabilities 
Baseline.
    CTA has been supportive of other labeling efforts, like the Energy 
Star labeling program. However, it is important to recognize that 
evaluating cybersecurity risk is different from labeling a product for 
energy consumption. A labeling or certification regime is only as 
strong as the requirements upon which the regime is built. But 
prescriptive requirements, whether they come in the form of a 
regulation or in the form of labeling, suffer from the same weaknesses 
with respect to cybersecurity. Manufacturers are best equipped to 
develop secure devices when they can decrease risk through flexible 
approaches and best practices that are outcome driven.
    It must also be noted that consumers are faced with many labels, 
icons and marks when purchasing a new product. Another label or mark 
will be one of many, so the consumer must be taught to look for this 
element. This consumer education is a significant undertaking and is 
not addressed by labeling proposals at this time.

    Question 3. How serious is the U.S dependence on foreign 
information and communications technology? Who are we dependent on and 
how do we reduce this dependence to ensure the security of the U.S. 
supply chain?
    Answer. The U.S. government has taken actions in recent weeks 
regarding certain aspects of the global supply chain for information 
and communication technology (ICT). CTA will continue its efforts to 
promote trust and security throughout the ICT environment.
    This work must take place globally, with U.S. government and 
industry leadership. Largely due to U.S.-led innovations, the present 
ICT environment draws on--and will continue to draw on--a robust and 
dynamic global supply chain. CTA is focused on ensuring information and 
communications technology is secure, no matter where it is 
manufactured. In CTA's view, the important question is whether a 
manufacturer of a device or technology can be relied upon to produce it 
securely.
    CTA's priority on securing information technology is reflected in 
the leadership role it has played, for example, through the Council to 
Secure the Digital Economy (CSDE) a convening of 18 major cybersecurity 
and technology organizations, industry associations and standards 
bodies to identify baseline security capabilities for the rapidly 
growing IoT marketplace (``Convene the Conveners'' or C2).

    Question 4. Given the hearing discussion about potential mandates 
for IoT devices, can you share CTA's past experience regarding 
proposals with technological mandates and their effect on innovation?
    Answer. Technological innovation moves much faster than Congress 
and regulation, which means that technology mandates fail to keep pace 
with innovation. In the cybersecurity context, the absence of 
technology mandates has allowed public-private partnerships to develop 
and innovative security solutions to flourish. We believe dynamic 
solutions driven by powerful market forces are the best answer to 
global, systemic challenges to IoT security. IoT security solutions 
must include ecosystem-wide consensus, voluntary standards and best 
practices and standards that scale. NIST's recent efforts on IoT 
security best represent the productive, important role government 
should play in cybersecurity. CTA will continue to engage in NIST's 
process via the C2 effort, a convening of 18 major cybersecurity and 
technology organizations, industry associations and standards bodies to 
identify baseline security capabilities for the rapidly growing IoT 
marketplace.
    In contrast, technological mandates can cause negative consequences 
for consumers. For example, on August 31, 2017, the Federal 
Communications Commission (FCC) finally sunset its requirement for 
televisions and other devices to have analog tuners, eight years after 
full-power broadcast stations ceased transmitting analog signals. This 
mandate forced manufacturers to build bulkier, more expensive devices 
rather than innovating to meet consumer demand. For the manufacturers 
that wanted to market smaller, cheaper and more modern devices, they 
had to petition the FCC for permission, in turn tying up both industry 
and government resources without a benefit to consumers.
    Meanwhile, government mandates can also backfire in other ways. In 
1996, Congress mandated that all TV sets include the so-called ``V-
Chip,'' a feature that CTA developed as an option to allow parents to 
block children's viewing of selected programs. Prior to the mandate, 
television manufacturers said they would promote the V-Chip feature as 
a factor differentiating their sets from competitive models. However, 
once the V-Chip was required in virtually every TV set, manufacturers 
had no competitive reason to advertise or showcase the feature. Because 
of the mandate, the V-Chip was a marketplace failure and has been 
widely ignored by consumers. A 2001 study showed that only 9 percent of 
families used the feature regularly, and that number has doubtlessly 
fallen even lower since then.\2\
---------------------------------------------------------------------------
    \2\ Gabrielli, J., Traore, A., Stoolmiller, M., Bergamini, E., & 
Sargent, J. D. (2016). Industry Television Ratings for Violence, Sex, 
and Substance Use (3rd issue., Vol. 183, Rep.). See: https://
pediatrics.aappublications.org/content/138/3/e20160487
---------------------------------------------------------------------------
                                 ______
                                 
     Response to Written Questons Submitted by Hon. Jerry Moran to 
                            Michael Bergman
    Question 1. The Modernizing Government Technology (MGT) Act was 
enacted in 2017 in an effort to replace unsupported, legacy IT systems 
that plagued Federal agencies and posed significant cybersecurity risks 
to the Nation's critical infrastructure.
    While IoT devices are relatively new developments compared to most 
legacy IT systems used by Federal agencies, how should ``patching'' 
updates be used to protect against preventable cyber vulnerabilities in 
IoT devices?
    Answer. The Chamber applauds Sen. Moran's leadership on developing 
and passing the MGT Act. Many parts of the Federal Government's 
information technology (IT) infrastructure are woefully outdated. 
Obsolete technology systems are inefficient and especially susceptible 
to cyberattacks, which, among other challenges, puts the personal 
information of citizens at risk. The bipartisan MGT Act will help the 
Federal Government improve its information systems.
    The Chamber urges businesses to keep all software current, 
including enterprise information systems, web browsers, and IoT 
devices. Software flaws are nearly unavoidable in devices, making the 
ability to patch software and firmware necessary. The Chamber supports 
the inclusion of an update mechanism in the draft IoT cyber baseline. 
NIST's proposed suite of cyber capabilities calls for the software and 
firmware in IoT devices' to be updated using a secure, controlled, and 
configurable process.

    Question 2. Your testimony described Project Security's engagement 
with over 30 foreign governments to create and implement their 
respective cybersecurity programs in an effort to promote international 
alignment of ``flexible, globally accepted risk-based approaches to 
cybersecurity.''
    Would you please describe the most significant barriers to 
successfully aligning our Nation's cybersecurity standard frameworks 
with those of other governments?
    Answer. Persuading foreign officials to adopt the industry-led IoT 
cyber baseline is a key hurdle to aligning U.S. approaches to 
cybersecurity with those of other governments. The Chamber believes 
that IoT cyber efforts are most effective if they reflect international 
standards and industry-driven practices. Standards, guidance, and best 
practices relevant to cybersecurity are typically led by the private 
sector and adopted on a voluntary basis; they are optimal when 
developed and recognized globally. Such approaches avoid burdening 
multinational enterprises with the overlapping, and often conflicting, 
requirements of multiple jurisdictions.
    The Chamber appreciates that NIST has been actively meeting with 
foreign governments urging them to embrace a core IoT security 
capabilities baseline. The Chamber urges the administration to work 
with international partners and believes that these discussions should 
be stakeholder driven (e.g., industry actively participates) and occur 
routinely. A fragmented global cybersecurity environment creates much 
uncertainty for device makers and buyers and splinters the resources 
that businesses devote to sound device development, production, and 
assessments. Congress should support NIST's efforts on IoT cyber 
outreach with additional funding.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Todd Young to 
                            Michael Bergman
    Question 1. What is the most effective approach policymakers can 
take to incentivize businesses to adopt necessary cybersecurity 
protections from IoT?
    Answer. The U.S. Chamber of Commerce appreciates that Congress is 
contemplating incentives that induce the practical, voluntary use of 
the core cybersecurity capabilities baseline for Internet of Things 
(IoT) devices. The IoT cyber baseline is being developed by industry 
and the National Institute of Standards and Technology (NIST) and is 
expected to be completed in 2019.
    The Chamber believes that policies intended to encourage businesses 
to adopt sound cybersecurity practices, including those related to 
internet-connected devices, must feature flexibility and support robust 
public-private engagement. The most important incentive that Congress 
and the administration could extend to companies is the assurance that 
the IoT cyber baseline will remain collaborative, adaptable, and 
innovative over the long term. The presence of these qualities, or the 
lack thereof, will be a key determinant of participation by industry in 
an IoT cyber baseline. Closely related, businesses want government 
partners in the fight against organized criminals and nation states or 
their proxies that threaten IoT devices.
    Any IoT cybersecurity regime that industry concludes favors 
compliance and bureaucracy over creativity, speed, and dynamism will 
almost certainly create a powerful disincentive to participation by the 
private sector. Incenting businesses to use a rigid and prescriptive 
IoT cyber baseline will distort the marketplace by driving private-
sector investment toward compliance with lowest common-denominator 
solutions, thus making the U.S. less secure.

    Question 2. What is the most effective approach policymakers can 
take to incentivize consumers to adopt necessary cybersecurity 
protections from IoT?
    Answer. The Chamber is working to better understand buyer behavior. 
A number of IoT cyber advocates take a ``build it and they will come'' 
approach to IoT cyber, which is consistent with traditional, rational 
notions of economics. But it is unclear if consumers--including 
individuals, households, businesses, and public institutions--will (1) 
pay for the cost of additional security features or (2) be able to 
identify a strong device without a nonregulatory tool to help them make 
educated choices.
    The Chamber is seeking to discern how people make purchasing 
decisions regarding IoT technology and supports the introduction of 
more secure devices into the networks of businesses and the hands of 
consumers. Accordingly, the Chamber is exploring the creation of a Buy 
Strong IoT Coalition. The group would advance sensible public policies 
in this space and promote the production and deployment of secure IoT 
products both domestically and internationally. The Coalition would 
convene discussions with multiple stakeholders to frame key problems 
and sell a solution(s) to a broader audience, consumers included.
    The 2018 Botnet Road Map calls for establishing robust markets for 
consumer and industrial devices. The Chamber believes that the IoT 
ecosystem would benefit from the leadership of the business community 
in the development of cutting-edge devices and risk management 
activities. The Coalition would facilitate a market-based process that 
generates both security and value for buyers and sellers. A key goal of 
the Coalition is to make the purchase of strong connected devices 
increasingly understandable, easy to do, and widespread.

    Question 3. How important is Federal preemption of state laws?
    Answer. A national approach to bolstering IoT cybersecurity is 
critical to reducing the expanding policy and regulatory fragmentation 
that is taking place domestically and overseas. There is a clear market 
demand for a common IoT cyber baseline to guide a path for businesses 
and standards bodies to follow. A fragmented cybersecurity environment 
creates uncertainty for device makers and buyers and splinters the 
resources that businesses devote to sound device development, 
production, and assessments.
    The Chamber urges the Senate Commerce Committee to consider 
legislation that would spur device makers to build to the cyber 
baseline, while granting legal liability and regulatory protections to 
the makers and sellers of strong IoT equipment.
                                 ______
                                 
    Response to Written Question Submitted by Hon. Roger Wicker to 
                             Harley Geiger
    Question. How serious is the U.S dependence on foreign information 
and communications technology? Who are we dependent on and how do we 
reduce this dependence to ensure the security of the U.S. supply chain?
    Answer. IoT technologies are manufactured, operated, and consumed 
around the world. Just as U.S. technologies and services are consumed 
abroad, technology manufactured in other regions is certainly consumed 
in the US. Rapid7 has no data on which regions supply the most 
technology to the US, though we believe it is always advisable to 
investigate and evaluate risk. In regards to IoT, we encourage the U.S. 
to seize the opportunity to bring clarity to the IoT supply chain, 
evaluate the vulnerabilities and exposures most common to these devices 
and their ecosystems, and implement updated management programs to work 
both post-market and across the manufacturing process.
    One thing we have experienced first-hand is the added complexity of 
coordinating vulnerability disclosures with manufacturers in multiple 
regions and timezones. Rapid7 supports a collaborative model of 
vulnerability disclosure for IoT devices based on transparent 
guidelines. It would be valuable to establish a system or authority 
that can help those who discover vulnerabilities in IoT devices or 
components to identify affected manufacturers and service providers, 
assist with the disclosure, track the remediation of vulnerabilities, 
and coordinate with relevant third parties both domestically and 
internationally.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Jerry Moran to 
                             Harley Geiger
    Question 1. The Department of Commerce report titled ``Fostering 
the Advancement of the Internet of Things'' that was published in 2017 
highlighted concerns related to connected device manufacturers' 
capabilities to effectively update and upgrade their devices to 
mitigate security flaws. Rapid7 provided comments to the Department of 
Commerce in the development of the report that flagged that 
``manufacturers entering the IoT space do not traditionally offer 
frequent or fast-paced support or updates on their products, and are 
only beginning to look into quick response practices for vulnerability 
patching.''
    Do you have any recommendations for this committee to effectively 
promote or incentivize proactive ``patching'' solutions among connected 
device manufacturers?
    Answer. When it comes to patching, the general distinction between 
IoT manufacturers and operators matters, though these roles can 
sometimes be interwoven. Manufacturers assemble the physical devices or 
``things'' that end-users interact with. The operator provides services 
that incorporate the device, as well as backend systems in the cloud 
(where the data relating to the device and its usage is normally 
stored), and often some kind of web or mobile interface (through which 
the device is accessed). Confusingly, the ``manufacturer'' may also be 
the ``operator,'' depending on whether they are only providing the 
physical endpoint or also running the web-based components.
    This distinction matters because the incentives to patch can be 
different for manufacturers and operators. The incentives for 
manufacturers of the physical technologies to provide patching 
capability, and to actually issue patches, most often come from their 
customers (such as operators) demanding them, or regulators mandating 
them (commonly in relation to safety concerns). The incentives for 
operators to patch backend systems often come from risk management 
concerns around liability, reputation, and harm (for example, risk of 
data breach). It is also important to recognize that manufacturers and 
operators may have limited control over each other's patching 
processes, and are often reliant on the other to keep up with patching.
    Below, we provide three recommendations for the Committee to 
incentivize IoT patching that touches on both manufacturers and 
operators: data security legislation, agency regulation of specific 
sectors, and consumer transparency. These recommendations are intended 
to work together, and we believe they are achievable in both the policy 
and technical sense.

  1)  Require reasonable security for personal information. 
        ``Reasonable security'' should include security updates, where 
        appropriate based on the risks.

      Legislation that requires reasonable security protections for 
        personal information will apply to IoT devices collecting and 
        processing that information, and thus to operators running the 
        systems that handle that data. The security update capability, 
        and the actual deployment of updates to patch known 
        vulnerabilities, will be among the basic technical controls 
        regulators consider when evaluating whether an IoT operator 
        provides reasonable security for personal information. This 
        will strengthen the security of IoT devices and related 
        technologies (such as cloud storage of information collected 
        through IoT devices) in sectors that are otherwise not covered 
        by the jurisdiction of Federal agencies. This can also prompt 
        IoT operators to place greater pressure on device manufacturers 
        to include a patching capability and mitigate known 
        vulnerabilities as needed. There are many examples of a 
        reasonableness requirement for data security in Federal and 
        state statutes and regulations which the Committee may draw 
        upon. A requirement of reasonable security for personal 
        information should not be IoT-specific, but should encompass 
        IoT as well as other technologies. Security of personal 
        information is fundamental to privacy and should be included in 
        any privacy legislation. Even if a privacy bill fails to move 
        forward, it would still be worthwhile for the Committee to 
        consider legislation that would require reasonable security for 
        personal information.

  2)  Support coordinated but enforceable agency actions on IoT 
        security based on industry standards. These actions may include 
        security-by-design principles, such as security update 
        capability.

      Rapid7 believes the combined effect of agencies' proactive 
        sector-specific requirements, existing FTC unfairness 
        authority, and data security legislation (as referenced above), 
        would promote broader adoption of basic IoT security practices, 
        including patching. To the extent possible, these efforts 
        should be coordinated around an IoT security baseline, driven 
        by consensus and grounded in standards, to avoid fragmented 
        requirements.

      Federal agencies have domain expertise and existing authority to 
        require basic IoT security within their areas of jurisdiction--
        such as NHTSA for vehicles, FDA for medical devices, CPSC for 
        product safety, FAA for drones, OMB for government procurement, 
        FTC for unfairness, etc. These requirements can include 
        security-by-design principles for IoT manufacturers, such as 
        incorporating a security update capability from the design 
        phase forward. Many agencies have begun the work of clearly 
        describing their expectations for IoT security, but many others 
        have not. The Committee should support agencies' efforts and 
        exercise its oversight role to ensure that agencies are acting 
        effectively to strengthen IoT security, or whether legislation 
        is necessary to prompt meaningful action.

      Importantly, not only can agencies encourage adoption of secure-
        by-design practices, agencies can also remove barriers to 
        adoption by clarifying or evolving product certification or 
        approval processes that might be impacted by issuing security 
        updates. For example, in its guidance on Postmarket Management 
        of Cybersecurity in Medical Devices, issued in 2016, the FDA 
        clarified that: ``For cybersecurity routine updates and 
        patches, the FDA will, typically, not need to conduct premarket 
        review to clear or approve the medical device software 
        changes.'' Prior to this publication, fear of having to go 
        through the product approval process again was often cited as a 
        reason for not issuing patches for medical devices.

      Agency IoT security requirements should be harmonized, to the 
        extent possible, by following a consistent baseline supported 
        by industry standards. NIST is currently developing an IoT Core 
        Security Capability Baseline as part of its ``Botnet Roadmap,'' 
        and Rapid7 has advocated for security update capability to be a 
        part of that baseline. The NIST IoT security baseline should be 
        a helpful reference for agencies establishing minimum security 
        expectations across IoT deployments. However, basic IoT 
        security precautions--such as security updates--are already 
        widely recognized in best practices documents, and we are 
        skeptical that completion of new voluntary guidance or best 
        practices is needed before agencies take action on basic IoT 
        security. Voluntary guidance should not replace formal 
        accountability and enforcement mechanisms when baseline 
        security is not met.

  3)  Facilitate voluntary transparency programs for consumer IoT 
        security. The transparency program should consider security 
        update capability as a key feature to communicate to consumers 
        prior to purchase.

      Congress should support consumer awareness programs to enhance 
        the transparency of critical security features of consumer IoT 
        devices, such as certifications, seals, or labels. These 
        critical security features should include whether the device is 
        capable of receiving security updates, as well as the estimated 
        period the manufacturer intends to provide security update 
        support. The NTIA multistakeholder process for IoT security 
        update capability concluded this was key information to 
        communicate to consumers prior to purchase. The UK Dept. for 
        Digital, Culture, Media, and Sport is also undergoing a 
        regulatory consultation to explore requiring retailers selling 
        IoT devices to communicate this information to consumers. As 
        part of the ``Botnet Roadmap,'' the Departments of Commerce and 
        Homeland Security are exploring ways to communicate critical 
        security features to end users prior to purchase.

      A manufacturer or operator indicating they will support a product 
        for a period of time is no guarantee that they will issue 
        patches for every major cybersecurity issue, or do so in a 
        timely manner. However, the incentive is more compelling if FTC 
        Section 5 authorities underpin adherence to claims of security 
        support.

      IoT transparency programs also encourage consumers to think 
        critically about what they can and should expect from their IoT 
        vendors. Providing consumers with clear information about 
        critical security features, such as update capability, in IoT 
        devices will foster market competition based on security, build 
        consumer trust in the security of IoT products, and help 
        consumers fulfill their role in maintaining security.

    Question 2. Your testimony highlighted a list of common 
cybersecurity vulnerabilities and exposures prevalent to IoT devices, 
including insufficient security of stored and transit data, weak 
credentials, mobile application access, and insufficient update 
practices among others.
    Would you please further explain how ``lack of segmentation'' could 
increase the vulnerability of IoT devices?
    Answer. A vulnerability in one device component can provide an 
access point for attackers, who can then use that access to compromise 
other components--unless those components are separated to prevent this 
movement. A hypothetical: Attackers exploit a vulnerability in a smart 
car's infotainment system, and then use that access to compromise the 
car's driving functions--the infotainment system and the driving 
functions are distinct controls, but lack of segmentation between the 
two enabled the attacker to compromise both. This principle can be 
extended beyond components comprising a single device--lack of boundary 
defenses can risk attackers compromising multiple devices or networks 
by gaining access to one vulnerable device.
    Segmentation and boundary defense are included in several best 
practices documents and standards. For example, they are cited as 
foundational controls in the Center for Internet Security's (CIS) 
Critical Security Controls, and reiterated Internet of Things Security 
Companion to the CIS Critical Security Controls. Segmentation is also 
included in NIST's NISTIR 8228 ``Considerations for Managing Internet 
of Things (IoT) Cybersecurity and Privacy Risks.''

    Question 3. Based on the multiple components that oftentimes make 
up the circuitry of the IoT device, does this make the ``supply chain'' 
cybersecurity protocols increasingly difficult to track for these 
devices?
    Answer. Yes. The supply chain for IoT is complex, and 
manufacturers' use of commodity, third party hardware, software, and 
subcomponents can lead to ambiguity of ownership for developing and 
deploying security updates and vulnerability mitigations. Individual 
off-the-shelf software components may be months-to-years old before 
being assembled into the final product, bringing old and commonly known 
software vulnerabilities along with them.The widespread use of common 
components also means that a vulnerability in one component can be 
present in many disparate devices. The interdependencies among common 
components can leave end-users exposed while the details of remediating 
vulnerabilities are worked out between vendors.

    Question 4. Please describe in detail the harms associated with 
enacting a Federal preemptive privacy bill that excludes security 
provisions. Does a Federal breach notification requirement need to be 
included in any Federal privacy legislation that is considered?
    Answer. Data security is fundamental to privacy and failure to 
include it in privacy legislation will be harmful. First, it's 
important to be precise about what we mean when we refer to data 
security. In the context of privacy legislation, ``data security'' is a 
requirement to protect personal information--however ``personal 
information'' is defined in the legislation. This is an affirmative, 
not an implied, obligation for covered entities to provide reasonable 
technical, administrative, and physical safeguards to protect personal 
information from unauthorized access or accidental breach. In this 
context, data security does not encompass the security of data or 
systems that have nothing to do with the personal information protected 
by the privacy legislation.
    Failure to incorporate data security provisions into privacy 
legislation risks harm to consumers, businesses, and the U.S. approach 
to data protection law. These harms will be especially severe if a 
Federal bill preempts state privacy laws, which include laws requiring 
security of personal information, without establishing a Federal data 
security standard that is at least as strong as the status quo.

   Consumers: Consumers will be harmed because of the increased 
        risk of unauthorized access or accidental breach of personal 
        information. All Americans should be provided reasonable 
        security for their personal information, but state and sectoral 
        Federal laws only provide consumers with highly uneven data 
        security protection dependent on sector and geography. Only 
        half of U.S. states currently have data security laws, and 
        while many share common ``reasonable practices and procedures'' 
        language, the state laws vary (for example: some apply only to 
        certain entities, like financial institutions or government 
        contractors). At the same time, Federal privacy legislation 
        that preempts state data security laws without establishing a 
        robust Federal data security standard would harm consumers by 
        stripping away existing safeguards. Breach and theft of 
        personal information are major drivers of consumer privacy 
        concerns. These events are generally a failure of security, not 
        other privacy principles such as choice, transparency, access, 
        or use limitations. While the other privacy principles are 
        important, consumers will continue to suffer harmful breaches 
        without broad adoption of reasonable security for personal 
        information. Establishing a robust requirement of security for 
        personal information as part of Federal privacy legislation 
        would provide consistent baseline protection for consumers, 
        many of which do not have such protection at the state level, 
        without scrapping the safeguards that are in place.

   Businesses: A failure to include data security provisions in 
        Federal privacy law would be detrimental to businesses as well. 
        The patchwork of data security laws makes compliance more 
        difficult for businesses of all sizes, especially those with 
        limited resources. Regulatory enforcement for data security 
        based on concepts of unfairness or duties of care provide less 
        certainty for businesses than an affirmative requirement for 
        reasonable security. Businesses benefit can be harmed by the 
        security failings of other businesses--such as the spread of 
        malware from one entity to another, or automated denial-of-
        service attacks targeting services on which many businesses 
        rely--and businesses benefit with other businesses implement 
        strong security to resist these attacks. In addition, 
        businesses are harmed by loss of consumer trust due to 
        perceptions of poor security following well-publicized data 
        breaches of personal information. Establishing a harmonized and 
        consistent standard of data security will improve security 
        outcomes by setting expectations across the ecosystem, 
        streamline compliance with security obligations, and help 
        rebuild consumer trust in privacy protection.

   US approach to data protection: A ``comprehensive'' privacy 
        law that lacks security requirements would be a negative shift 
        that brings the U.S. approach to data protection out of step 
        with historical precedent and foreign privacy regimes. Nearly 
        every major Federal privacy law includes an express data 
        security or confidentiality requirement, such as COPPA, HIPAA, 
        GLBA, and the Privacy Act. This is also true of several non-US 
        privacy frameworks, such as the EU's GDPR and Canada's PIPEDA. 
        (Note: although the California Consumer Privacy Act of 2018 
        (CCPA) did not include data security provisions, California 
        already had data security laws in place prior to enactment of 
        CCPA.) Data security has long been considered to be fundamental 
        to privacy, going back to the Privacy Act and the OECD Fair 
        Information Practice Principles. A Federal privacy overhaul 
        that lacked data security would fall short of existing 
        protections, make the U.S. an outlier with modern privacy laws 
        abroad, and risks setting a precedent that weakens the current 
        concept of privacy rights as inclusive of requirements to 
        secure data.

    Breach notification should be considered separately from data 
security requirements and need not be incorporated in privacy 
legislation. Data security should not be confused with a requirement to 
notify consumers of a breach. Breach notification has distinct 
implementing language which does not expressly require reasonable 
security for personal information. Breach notification requirements 
only apply after a breach has occurred, while data security safeguards 
are critical to preventing breaches from occurring. The cost and 
complexity of breach notification alone does not sufficiently 
incentivize good security, as demonstrated by continued occurrence of 
severe data breaches caused by poor security in spite of enactment of 
breach notification laws in all 50 states. Moreover, as a practical 
matter, debates over breach notification can get mired in differences 
over the form and timeline for notification.

                                  [all]