Effective January 1, 2020, connected devices sold in California would have built-in security features designed to protect against unauthorized access, destruction, use, modification, or disclosure.
This was among the provisions of Senate Bill No. 327 signed into law by California Governor Jerry Brown on September 28, 2018, the first cybersecurity law on the Internet of Things (IoT) enacted in the United States.
According to the law, “connected device” means “any device or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”
These devices could be anything from phones to microwave ovens to refrigerators to thermostats and voice assistants to cars.
Setting a security standard for device manufacturers may have been a timely move as the installed base of IoT devices is forecast to grow to almost 31 billion worldwide by 2020, with the IoT market projected to be worth over $1 billion annually from 2017 onwards, according to Statista.
Security firm Trend Micro commented in a corporate blog post that California's IoT law highlights the need for built-in security and the growing move toward security-by-design.
“Its enforcement could help reduce attacks through device vulnerabilities, incidents in which users are the frequent victims. More importantly, this law can reduce the burden of users who have had to compensate for the unstandardized level of security in currently available connected devices,” Trend Micro said.
The MIT Technology Review commented that “it’s not hard to see why such legislation is needed.”
It explained, “Barely a day goes by without some new report of hackers compromising all kinds of products, from web-connected dolls to security cameras. And billions of new connected devices will be flooding onto the market over the next few years.”
FutureIoT reported on October 8, 2018, that IoT malware grew threefold in the first half of the year.
Among the provisions of the new law is that the “preprogrammed password is unique to each device manufactured” or that the “device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”
A Washington Post article, however, said that the law only protects against a small portion of cyber threats.
“But eliminating weak default passwords is an elementary move that only offers a basic safeguard against a sliver of digital threats,” the article stated.
“The fact that it's only California that's taking action — and is considered a trailblazer for such a simple step that many security experts think should already be a best practice — underscores the challenges facing policymakers and manufacturers when it comes to improving the notoriously poor security of connected devices,” it added.
The article, however, acknowledged that setting IoT security standards is “a step toward defending against cyber attacks such as the massive Mirai botnet that harnessed the power of hijacked devices to disable major websites in 2016.”
An article in the China Law Blog pointed out that because “most IoT products being made in China by foreign companies are being sold in the United States, including California,” the new law has broader implications in China and perhaps in other parts of Asia as well.
SB 327 defined device manufacturers as “persons who manufacture, or contract with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.”
This places the burden of “equipping devices with a reasonable security feature” not only on contractors but more specifically on the manufacturers of the device.
As the blog post pointed out: “It is important to emphasize that SB-327 does not impose any requirements on users of IoT devices, but rather on manufacturers. This will essentially mean that companies that manufacture qualifying devices may need to re-do or re-develop or maybe even re-invent their IoT products.”
Security-by-design has a long way to go, and both supporters and critics of the landmark California law are one in saying that this could just be the beginning of a long journey.
“It demonstrates the role governments and their respective regulatory bodies play in promoting security through guiding principles that can usher the safer development and deployment of IoT devices,” Trend Micro said.