California passes Nation’s First IoT Cybersecurity Law

California has become the first state in the United States to pass a cybersecurity law pertaining to the Internet of Things (IoT). Although wildly vague in its content, the law will provide a platform for the next generation of IoT-related legislation.


The Internet of Things (IoT) is made up of the myriad interconnected electronic devices that are also connected to the internet. According to IoT Analytics, there are more than 7 billion active IoT devices in 2018, with the number projected to increase to 21.5 billion by 2025. Capitalizing on the burgeoning market, manufacturers often produce cheap, easy-to-use IoT devices that don’t have robust security measures built into them. As a result, IoT devices are extremely vulnerable to hacking. This has prompted California to pass an IoT cybersecurity law that orders manufacturers to implement better security measures in their IoT devices. By doing so, it becomes the first U.S. state to pass any legislation concerning the security of IoT devices.

There have been several instances of IoT devices falling to an attack by a capable hacker. In the Netherlands, a woman reported that the internet-connected camera in her living room was hacked and then used to stalk her for several months. Thankfully, she found out about the hack before the hackers could gain compromising details about her life. It was recently discovered that Samsung and Roku smart TVs could be hacked and wirelessly controlled, which prompted the companies to quickly install security patches on them. Some users took Alexa’s creepy laugh as an indication that the device had been remotely hacked.

The IoT cybersecurity bill, called SB 327, was first introduced in 2017 and passed the California Senate in late August 2018. On 27th September, 2018, the bill became law when Governor Jerry Brown signed it. A pre-emptive strike against hackers, the IoT cybersecurity law covers all IoT devices, including “smart devices”. It states that starting 1st January, 2020, the manufacturer of a device that “directly” or “indirectly” connects to the internet must equip it with “reasonable security features” designed to prevent unauthorized access that could lead to disclosure, modification, or destruction of information. The bill, however, mentions only one specific security measure: if a device is discoverable outside of its local area network, it should come with a unique password that users should be forced to set up during installation.

The bill has been severely criticized for its vagueness. Robert Graham, a cybersecurity expert, has stated that the bill focuses on adding “good” features instead of removing the bad ones that make devices vulnerable to attacks. The bill, according to him, will result in manufacturers making poor security choices and leaving large security holes across the whole range of authentication systems, barring the specific “password requirement”. He argues that the bill should have addressed the ways in which viruses can jump across IoT devices on the same network and the human inefficiency in applying security patches to these devices.

However, Harvard University fellow Bruce Schneier has praised the law, deeming it a good start for further IoT-related legislation. He states that the state-wide rule would benefit customers elsewhere, as it’s easier for manufacturers to abide by one design for their product. The implementation of a “unique password” would significantly hinder hackers from listening to your conversations through smart speakers or watching your actions through security cameras. Meanwhile, until the law takes effect, it’s advisable to buy IoT devices from reputable brands that follow good cybersecurity practices.