Sen. Ed Markey (D-MA) and Rep. Ted Lieu (D-CA-33) reintroduced the Cyber Shield Act on March 24, 2021. The proposed legislation is not new to Congress; Sen. Markey and Rep. Lieu previously introduced the Cyber Shield Act in both 2017 and 2019. However, the bill never made it to a vote in either the House or the Senate.
As written, the Cyber Shield Act calls for the creation of a voluntary cybersecurity certification program for Internet of Things (IoT) devices. IoT devices span a wide range of products, including cell phones, laptops, cameras, smart home assistants, smart locks, baby monitors, and smart kitchen appliances, and the Act’s provisions would apply to any internet-connected consumer product that transmits data or controls the actions of a physical object or system. The proposed legislation would establish a cybersecurity advisory committee comprised of subject matter experts from various areas, including academia, government, industry, consumer groups, and the public. The advisory committee would be tasked with creating certain cybersecurity benchmarks. If IoT products meet these benchmarks, manufacturers could certify them with a “Cyber Shield” label, allowing consumers to opt for certified products.
The proposed legislation is identical to the 2019 bill, which made only minor substantive changes to its 2017 counterpart. These revisions include the introduction of a provision allowing the Secretary of Commerce to remove the Cyber Shield certification if a product or manufacturer falls out of compliance with the advisory committee’s benchmarks. Additionally, the 2019 and 2021 versions require the Inspector General of the Department of Commerce to periodically evaluate the level of business participation in the Cyber Shield program and public awareness of the Cyber Shield label.
The reintroduction of the Cyber Shield Act serves as an indication of lawmakers’ continued efforts to make progress on IoT device security. For example:
- On December 4, 2020, President Trump signed into law the IoT Cybersecurity Improvement Act of 2020, requiring IoT devices purchased by the federal government to meet minimum security standards.
- In February 2021, the co-chairs of the Internet of Things Caucus, Reps. Susan DelBene (D-WA-01) and John Katko (R-NY-24), reintroduced a bill that would allow the FCC to collect data on the growth of IoT devices that depend on 5G networks.
- Similarly, in May 2020, Reps. John Joyce (R-PA-13) and Richard Hudson (R-NC-8) introduced the Advancing IoT Manufacturing Act, which would require the Department of Commerce to study and subsequently make recommendations to Congress regarding how to incorporate IoT devices into the manufacturing industry.
In a press release announcing the reintroduction of the Cyber Shield Act, Sen. Markey stated that “[w]ith as many as 75 billion IoT devices projected to be in our pockets and homes by 2025, cybersecurity continues to pose a direct threat to economic prosperity, privacy, and global security.” Rep. Lieu added that the legislation would encourage cybersecurity to be “top of mind for industry and consumers alike.”
The full text of the proposed Cyber Shield Act may be found here.