When California rings in 2020, it will become the first state with legislation covering internet of things (IoT) devices. Signed into law in September 2019, SB-327 Information Privacy: Connected Devices was enacted in response to the growing blitz of open services and unbridled connectivity arriving courtesy of the IoT.
According to market research firm IHS, London, current projections peg 30 billion connected devices in 2020 and more than 75 billion by 2025. With everything-connected networks and IP systems come additional risks, some of which have been witnessed in recent attacks through baby monitors, smart speakers, surveillance cameras and even public USB ports. Statistics from “The State of IoT Security Global Report Q2 2019”, issued by software provider Subex, show cyber-attacks on IoT devices increased 13% in 2019.
With the IoT, networks are particularly hard to protect because of the number of available entry points. There’s also the issue of Bring Your Own Device (BYOD) and a growing plethora of apps, mainstream cloud access and the promise of new connectivity speeds from 5G adding to the precarious scenario. Any device that is publicly reachable or physically accessible presents a potential threat or risk to the network.
California’s law requires all IoT devices made and sold in the state to be equipped with “reasonable security features” to protect the device and any information it contains from “unauthorized access, destruction, use, modification or disclosure.” The law defines these devices as anything that connects directly or indirectly to the internet and has an IP or Bluetooth address, covering a wide range of devices and services. According to the law, all devices with a means for authentication outside a local area network (LAN) need cybersecurity safeguards in place.
The law does away with ever-vulnerable default log-in credentials and requires a preprogrammed password unique to each device manufactured. It also requires that the device contain a security feature requiring the user to generate a new means of authentication before access is granted. If someone can log into the device from outside a LAN, then it must have either a preprogrammed password that is unique to each device or a way to generate new authentication credentials before it is accessed for the first time. The law applies to individual manufacturers and to companies that contract with another person to manufacture connected devices sold or offered for sale in California.
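A first-access gate that enforces the two compliant options described above, as an added example (not code from the article or from any manufacturer's firmware): the LAN ranges, the fleet-wide default credential and the device records are constructed here for illustration.

```python
"""Login gate modelled on SB-327: refuse access from outside the LAN until the
device has either a per-device unique preprogrammed password (option 1) or a
user-generated credential set before first access (option 2)."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed for the example: private ranges treated as "inside the LAN".
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed: the kind of fleet-wide default the law rules out.
SHARED_DEFAULT = "admin"


@dataclass
class Device:
    serial: str
    password: str              # a real device stores a hash, not the plaintext
    per_device_unique: bool    # option 1: factory-programmed, unique per unit
    credential_rotated: bool   # option 2: user has set a new credential


def is_lan(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def set_new_credential(dev: Device, new_password: str) -> bool:
    """First-boot credential change; rejects the shared default and trivial input."""
    if new_password == SHARED_DEFAULT or new_password == dev.password or len(new_password) < 8:
        return False
    dev.password = new_password
    dev.credential_rotated = True
    return True


def remote_login_allowed(dev: Device, source: str) -> Tuple[bool, str]:
    """Decide whether a login attempt may proceed to normal authentication.

    LAN requests are passed through; requests from outside the LAN are refused
    until one of the two SB-327 options is satisfied for this device."""
    if is_lan(source):
        return True, "lan: normal authentication applies"
    if dev.per_device_unique:
        return True, "wan: per-device unique preprogrammed password (option 1)"
    if dev.credential_rotated and dev.password != SHARED_DEFAULT:
        return True, "wan: user-generated credential in place (option 2)"
    return False, "wan: refused, shared default credential; set a new credential first"
```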
Pros and Cons
Many cybersecurity and privacy advocates laud the law as an important first step, since there’s currently no federal legislation in place to address IoT security. Critics argue that the law may be too vague and could allow manufacturers to leave security holes like the ones behind the October 2016 Mirai botnet attack, which was brought on by insecure IoT devices and resulted in a massive distributed denial of service that left much of the east coast without internet access.
It’s natural that as the wave of open system connectivity continues to grow there will be legislation at the federal level. Several IoT-related information and cybersecurity bills have been introduced in Congress, but they stalled before California enacted its state law.
New legislation on the move
The proposed Internet of Things (IoT) Cybersecurity Improvement Act of 2019 looks to address cybersecurity in connected devices from a federal perspective. As written, the bill would set baseline security standards for connected devices purchased by the government but not for electronics in general. It requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget to take specified steps to increase cybersecurity for IoT devices. By March 31, 2020, NIST must develop recommendations for the appropriate use and management of IoT devices owned or controlled by the government, including minimum information security requirements for managing cybersecurity risks.
Democrats in the House and Senate on Oct. 23 reintroduced the Cyber Shield Act (first proposed in 2017), a voluntary certification program that verifies connected devices as hacker proof. Based on a rating system, the Cyber Shield Act would most likely result in a labeling system for consumers to better understand and evaluate the cybersecurity rating of the device.