On Sept. 28, California Governor Jerry Brown signed Bill SB-327, which will be the first U.S. cybersecurity law regulating the Internet of Things—an area known for lacking security measures.
Going into effect Jan. 1, 2020, the law requires any manufacturer of a ‘smart’ device—one that connects to the Internet directly or indirectly—to equip it with “reasonable security features” that are designed to prevent unauthorized access, modification, or information disclosure. The law says that if the device can be accessed from outside a local area network with a password, then each device either needs to come with a unique password, or the device must require users to set their own password upon first connecting. In short, the law cracks down on the practice that lets attackers gain access by guessing generic default credentials assigned to devices.
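To make the two compliant paths concrete, here is an added illustration (not code from the article, SB-327, or any manufacturer) of how device firmware might enforce the requirement: a unit either ships with a per-device random password, or it refuses remote logins until the owner sets one on first connection, and in both cases a known generic default is never honoured. The `DeviceCredentials` type, the `GENERIC_DEFAULTS` denylist, and the function names are assumptions constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed, illustrative denylist of generic factory defaults; a real
# device would ship a much larger list and compare against its own history.
GENERIC_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}

MIN_PASSWORD_LENGTH = 8  # assumed policy value for this example


@dataclass
class DeviceCredentials:
    """Credential state of one unit. Plaintext is kept here only to keep
    the example short; real firmware stores a salted hash."""
    username: str
    password: str
    factory_unique: bool           # True if generated per unit at manufacture
    password_set_by_user: bool = False


def is_generic_default(username: str, password: str) -> bool:
    """True when the pair is a widely shared factory default."""
    return (username.lower(), password) in GENERIC_DEFAULTS


def provision_factory_unique() -> DeviceCredentials:
    """Path 1: each unit leaves the factory with its own random password
    (for example printed on the unit's label)."""
    return DeviceCredentials("admin", secrets.token_urlsafe(12), factory_unique=True)


def provision_forced_setup() -> DeviceCredentials:
    """Path 2: no usable password exists until the owner sets one."""
    return DeviceCredentials("admin", "", factory_unique=False)


def login(creds: DeviceCredentials, username: str, password: str) -> str:
    """Gate for a password login reachable from outside the LAN.
    Returns 'ok', 'setup_required' or 'denied'."""
    # Forced-setup units have nothing to authenticate against yet.
    if not creds.factory_unique and not creds.password_set_by_user:
        return "setup_required"
    # Defence in depth: a generic default must never grant access, even on a
    # unit that wrongly claims to be factory-unique.
    if is_generic_default(creds.username, creds.password):
        return "setup_required"
    user_ok = hmac.compare_digest(username.encode(), creds.username.encode())
    pass_ok = hmac.compare_digest(password.encode(), creds.password.encode())
    return "ok" if user_ok and pass_ok else "denied"


def complete_setup(creds: DeviceCredentials, new_password: str) -> DeviceCredentials:
    """First-connection setup: reject generic defaults and short passwords."""
    if len(new_password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password too short")
    if is_generic_default(creds.username, new_password):
        raise ValueError("password is a known generic default")
    creds.password = new_password
    creds.password_set_by_user = True
    return creds
```

The point of the `login` gate is that the generic-default check runs before any comparison, so a unit flashed with `admin`/`admin` is pushed back into setup rather than silently accepting the credential.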
The bill was first introduced in 2017 and gained Senate approval in late August of this year. It makes California the first state in the U.S. to enact such a law.
While, on the surface, this seems like a good first step in cracking down on manufacturers’ IoT security measures, the law has drawn both positive and negative reactions. Critics of the bill say it does little to address the aspects of IoT that have led to data breaches, is too vaguely worded, or is unnecessary because similar regulation already exists.
At the federal level, there is currently the Securing IoT Act of 2017, which would require the FCC to set cybersecurity standards for wireless devices. Meanwhile, the IoT Cybersecurity Act of 2017—still to be voted on—would designate security standards for government-purchased connected devices, exclusively.
Renowned cybersecurity expert Robert Graham denounced the bill in a blog post on Errata Security, saying it will do little to improve security while imposing costs and harming innovation. “It’s based on the misconception of adding security features,” Graham said. “It’s like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add “security features” but to remove “insecure features”. For IoT devices, that means removing listening ports and cross-site/injection issues in web management.”
On the other side, Harvard Kennedy School security technologist Bruce Schneier told the Washington Post, “A California law that manufacturers have to adhere to in California is going to help everybody. Of course, it probably doesn’t go far enough—but that’s no reason not to pass it. It’s a reason to keep going after you pass it.”
So, what do you think? Will SB-327 spur needed real improvement in IoT cybersecurity, or do you agree with its critics? Let us know in the comments.