California Wants to Stop Hackers from Controlling IoT Gadgets

Democratic California governor Jerry Brown is making history by signing a bill into law that sets cybersecurity standards for Internet-connected devices. This includes all Internet-connected devices: your smart refrigerator, thermostat, car, computer, and everything in between.

His signature would make California the first state to pass a law surrounding cybersecurity of the Internet of Things (IoT), a field that is experiencing high rates of advancement but is hampered by a lack of security rules.

Voices of Opposition

Most experts agree that this bill is crucial, but many disagree with its localized governance and its vague language. And although the federal government is making IoT security moves of their own, they’re still bogged down by red tape.

Some cybersecurity experts say the bill doesn’t actually address the issues that cause connected devices to become vulnerable to hacks.

Bruce Schneier is a security technologist at the Harvard Kennedy School in Boston. He says, “A California law that manufacturers have to adhere to in California is going to help everybody. Of course, it probably doesn’t go far enough — but that’s no reason not to pass it. It’s a reason to keep going after you pass it.”

One Step Forward or Two Steps Back?

Some experts argue that the language in the bill is too broad and vague; security researcher Robert Graham thinks the bill “would do little to improve security while doing a lot to impose costs and harm innovation.”

He wrote, “It’s based on the misconception of adding security features; the point is not to add ‘security features’ but to remove ‘insecure features’. Adding features is typical ‘magic pill’- or ‘silver bullet’-thinking that we spend much of our time in infosec fighting against.”

Ruth Artzi, cybersecurity firm VDOO’s Senior Product Marketing Manager, agrees, saying the bill can only protect consumers against “the most basic automated threats.”

She adds, “The requirement for an ‘appropriate’ security procedure, depending on the device nature and function, is too ambiguous with no real mechanism to verify that the vendor took the appropriate steps. There should be clear standards per the device’s components that a manufacturer will be able to follow and a way to validate that the manufacturer designed to those standards.”

Staunch Supporters

Supporters of the bill say the vague wording can work in its favor; “The [bill’s] language is deliberately very loose but that’s to get companies to think about how they can make [products] secure by design,” says Beau Woods. Woods is an Atlantic Council fellow in information security.

Since things move very fast in technology, cybersecurity often works even harder to keep up with the newest protocols and best practices. By keeping the language vague, the bill doesn’t become obsolete or need to be amended with new terms and practices, according to its proponents.

IoT Cybersecurity Concerns Are Growing

IoT cybersecurity is just getting started; there will be billions of new devices connecting to the Internet in the next few years. Schneier thinks that we need to be wary of IoT’s rate of advancement compared to its security’s rate of improvement. Even if it means slowing down IoT development and innovation, we must prioritize cybersecurity, he says.

In 2016, the Mirai cybersecurity attack targeted webcams and connected devices to take down Netflix, Spotify, and other sites for several hours.

California legislators hope that the bill, named “SB-327”, will fix some of these issues by creating a baseline standard for security in IoT devices. Currently, there are no standards, and when this type of decision is left up to the device’s manufacturer, security often falls in priority to the bottom of the list.

California’s bill mandates that manufacturers ship devices with “a reasonable security feature or features” that can prevent hackers from accessing them. The features that the bill mentions are vague because of the wide variety of IoT devices expected to flood the market within the next few years. The bill will also require devices to come equipped with strong, unique passwords that users can update after purchase.

What’s the Federal Government Got to Say?

It’s pretty sad when a state is doing most of the legwork for a bill that should already have passed federal law-making houses. One bill in Congress right now to address IoT cybersecurity is called “The Internet of Things Cybersecurity Improvement Act”. The bill would require the federal government’s buying power to improve IoT cybersecurity.

Initiated by Senators Democrat Mark Warner from Virginia and Republican Cory Gardner from Colorado, the bill mandates that all companies working with the federal government should create devices that can be patched with security updates, ship with unique passwords that can be changed, and avoid known cybersecurity vulnerabilities.

Unfortunately, this bill doesn’t do enough to protect every citizen and their data from a cybersecurity crime; it only protects the government and its contractors.

The Securing IoT Act is another bill that requires that the FCC (Federal Communications Commission, also known as the archnemesis of net neutrality) develop cybersecurity protocols and standards for connected devices and equipment.

In a rare surprise, both parties agree that there should be federal standards for cybersecurity, but unfortunately, neither party has done enough to advance either bill in Congress.

California Leads by Example Again

California’s been tackling all of the big technology arguments recently; it just passed a law reinstating net neutrality to a stronger degree, and now it’s about to sign into law a bill enacting cybersecurity standards to protect consumers. All Brown needs to do is sign it into the law books.

The law would become active in January 2020, which is still way too far away, in our opinion. Between now and 2020, though, this new bill will hopefully push the federal government to beat California’s standards with stronger requirements and a high frequency of regulation.

What do you think about the state of cybersecurity these days? Is the federal government doing enough to protect its citizens against a group of hackers? What results do you hope California’s bill yields? Let us know your thoughts in the comments!