The government of California is set to become the first in the world to regulate security of the Internet of Things (IoT). The bill, which calls for improved security of connected devices, is currently on the Governor of California’s desk, where it will be either signed or vetoed by Jerry Brown.
Despite again setting California at the forefront of tech policy, this piece of legislation is woefully overdue. Getting “stuff” and “things” online is the 21st century equivalent of a gold rush. But in their haste to connect, the tech industry all too often leaves security as an afterthought. Instead, manufacturers should be incorporating anti-hacking measures into the core infrastructure of their connected devices. Policy makers are currently doing very little to ensure that cybersecurity is more carefully considered earlier on in the design process.
If signed, the legislation will go into effect on January 1, 2020. The bill (SB-327) calls for “security procedures and practices appropriate to the nature of the information.” It also asks that “a manufacturer of a connected device shall equip the device with a reasonable security feature or features.”
Although IoT legislation of this kind is sorely needed, many critics say that the wording of the bill is too vague, and that it’s not advising IoT manufacturers on exactly which security measures they should be taking. For instance, the only specific requirement outlined in the bill is for all connected devices to come with a “preprogrammed password” that is “unique to each device manufactured.”
“The requirement for an ‘appropriate’ security procedure, depending on the device nature and function, is too ambiguous with no real mechanism to verify that the vendor took the appropriate steps,” says Ruth Artzi, Senior Product Marketing Manager at the cybersecurity firm VDOO. “There should be clear standards per the device’s components that a manufacturer will be able to follow and a way to validate that the manufacturer designed to those standards.”
Other analysts think that the bill is too focused on telling manufacturers what to do, where in the case of internet security, it may be more fruitful to advise them of what not to do. "[The bill] is based on the misconception of adding security features. It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips,” writes security researcher Robert Graham. "The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add 'security features' but to remove 'insecure features'.”
Where concern with the bill stems from disagreement about how regulators should proceed, no one is arguing with the necessity of getting IoT policy on the table as soon as possible. But IoT technology is changing all the time, and coming up with effective legislation for the industry is a daunting task. Some experts say that the language is deliberately loose, challenging product designers to come up with stronger security solutions that won’t become immediately outdated.
At the very least, California’s action will likely set the stage for discussion of IoT legislation at the federal level, which is where it’s needed most. “[California’s bill] could lay the groundwork for stronger IoT cybersecurity legislation at both the state and federal level,” writes Derek Hawkins in the Washington Post, “If signed by Brown, [it] could rekindle the national discussion in a similar way to how landmark privacy law the state recently approved helped spur high-level talks between the Commerce Department and tech giants about federal privacy regulations.”