On January 1, 2020, California’s “Security of Connected Devices” law (Senate Bill No. 327), which was enacted in 2018, will require companies that manufacture any device that connects “directly or indirectly” to the Internet that is sold in California to incorporate within the device “a reasonable security feature or features.” What constitutes as a “reasonable security feature” is largely undefined, but if the device is capable of authentication outside of a local area network (LAN), then the security will be deemed reasonable if a preprogrammed password is unique to each device manufactured, or if the device requires the user to create a new password before the user can access the device for the first time.
The law received criticism for being too vague and for emphasizing generic protections, but it puts California ahead of the Internet of Things(IoT) regulatory curve, even though the federal government isn’t far behind. The Internet of Things Cybersecurity Improvement Act, legislation sponsored by Senators Mark Warner and Cory Gardner and Representatives Robin Kelly and Will Hurd, was reintroduced in March of this year. The bill seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, the government hopes to nudge manufacturers towards better IoT cybersecurity infrastructure through the government’s buying power. A press release by Congresswoman Kelly about the bill states:
“As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure. Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices. It’s estimated that by 2020 there will be 30 million internet-connected devices in use. As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”
The federal legislation applies to “covered devices,” which are defined as “a physical object” that is capable of connecting to and is in regular connection with the internet; has computer processing capabilities that can collect, send or receive data; and is not a general-purpose computing device to include smartphones. The act:
- Requires the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices by no later than September 30, 2019.
- Directs the Office of Management and Budget (OMB) to issue then guidelines consistent with the NIST recommendations, and to review the policies at least every five years.
- Requires any Internet-connected devices purchased by the federal government to comply with the recommendations.
- Directs NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
- Requires contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
U.S. government agencies will be prohibited from acquiring or using a device from any vendor that does not have a vulnerability disclosure policy that informs government officials whether the devices they are using could be vulnerable to cyberattacks.
There appears to be some tacit recognition in both the California and federal legislation that it is difficult to regulate burgeoning IoT technology that is both evolving and facing new security threats on a near daily basis. What is “reasonable” today may not be reasonable tomorrow. Integrating cybersecurity into the design process, developing strong access control and password control mechanisms, and maintaining awareness of, as well as patching, system vulnerabilities, are commonsense methods of addressing looming these challenges.