2020 California IoT Law Could Raise the Bar for Security
Security has become the shadow side of the Internet of Things. That’s especially been the case following the October 2016 Mirai botnet attack against the DNS provider Dyn, which resulted in scores of prominent websites suffering connectivity problems. Before the attack, it was hard to imagine that scores of connected devices such as IP cameras, routers and TV modems could cause such chaos.
There have been calls to regulate IoT devices, but to date, little relevant legislation has been passed. And since manufacturers have little incentive to spend the extra money to offer a reasonable level of security in their products, the same type of unsecured IoT devices that enabled the Mirai botnet are still commonplace now.
The situation could change following the passage of the California law SB 327, which requires that connected devices have “reasonable security.” The law is slated to take effect in January 2020. “There is a larger theme or trend going on here in California, where we’re looking at privacy and security issues in a broader way than in the past,” said Christine E. Lyon, a partner at Morrison Foerster.

Traditionally, most states’ data security and privacy laws have focused on specific types of high-risk data such as medical information, credit card numbers, financial account information, social security numbers and so forth. The IoT-focused security bill SB 327, as well as the California Consumer Privacy Act of 2018, break with that precedent in their broad approach. “For me, one of the interesting aspects of this IoT security law is it doesn’t refer to personal information at all,” Lyon said.

It also doesn’t single out consumer devices. Instead, the law essentially says: “If a device is connected to the internet or capable of being connected — if it has an IP, Bluetooth address or equivalent, then you have to have security,” Lyon summarized.

One of the law’s narrower provisions forbids the use of default passwords, which, incidentally, was the shoddy security practice that enabled the Mirai botnet attack against Dyn.
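The default-password provision is the one part of the law a manufacturer can check mechanically before shipping. The script below is an added illustration, not code from the article or from any regulator or vendor: it audits a fleet's provisioning records and flags units whose preprogrammed credential matches a known factory default or is shared with other units, and notes whether the device at least forces a credential change on first login. The device records, the `KNOWN_DEFAULTS` list and the `Device` fields are constructed for the example; treating a forced first-login change as a mitigating factor is an assumption of this check, not something the article states.

```python
"""Fleet credential audit (constructed example).

Flags devices whose preprogrammed credential is a known factory default or is
shared across units, i.e. the shared-default pattern that Mirai exploited.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed list of factory defaults a vendor might once have shipped.
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234"), ("user", "user")}


@dataclass(frozen=True)
class Device:
    serial: str
    username: str
    password: str
    force_change_on_first_login: bool  # does firmware demand a new credential on first use?


def audit_fleet(devices):
    """Return {serial: [finding, ...]} for every device that fails the check.

    A device passes when its credential is neither a known default nor shared
    with another unit in the fleet (a per-device unique password).
    """
    by_credential = defaultdict(list)
    for d in devices:
        by_credential[(d.username, d.password)].append(d.serial)

    findings = {}
    for d in devices:
        problems = []
        cred = (d.username, d.password)
        if cred in KNOWN_DEFAULTS:
            problems.append("known factory default credential")
        elif len(by_credential[cred]) > 1:
            others = len(by_credential[cred]) - 1
            problems.append(f"credential shared with {others} other device(s)")
        # Assumption: a forced change on first login mitigates but does not
        # excuse a shared or default credential, so it is reported separately.
        if problems and not d.force_change_on_first_login:
            problems.append("no forced credential change on first login")
        if problems:
            findings[d.serial] = problems
    return findings


# Constructed fleet: two units with a factory default, one with a unique
# per-device password, and two that share a batch-wide password.
SAMPLE_FLEET = [
    Device("D-0001", "admin", "admin", False),
    Device("D-0002", "admin", "admin", True),
    Device("D-0003", "admin", "7kQ2-vX9p-LmZ3", False),
    Device("D-0004", "admin", "fleet-2019", False),
    Device("D-0005", "admin", "fleet-2019", False),
]

if __name__ == "__main__":
    for serial, problems in sorted(audit_fleet(SAMPLE_FLEET).items()):
        print(serial, "->", "; ".join(problems))
```

Only `D-0003`, the unit with a credential unique to itself, comes back clean; the shared `fleet-2019` password fails even though it is not on the default list, because any credential common to more than one unit behaves like a default once it leaks.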
The law’s broad approach has won both praise and condemnation from pundits. On the critical side, Robert Graham of Errata Security describes the legislation as a “typically bad bill based on a superficial understanding of cybersecurity,” while security guru Bruce Schneier wrote: “This law is not a panacea. But we have to start somewhere, and it is a start.”