California’s IoT cybersecurity bill: What it gets right and wrong
California state lawmakers should be lauded for SB 327, their well-intentioned legislative attempt at tackling one of the most pressing issues in the tech sector: IoT security. But as the law went into effect at the start of the year, they will also (unfortunately) soon be faced with the reality that it is inadequate for today’s security threat landscape.
To its credit, SB 327 – popularly known as the IoT security law – provides a good first step towards much-needed and extensive cybersecurity legislation: with an estimated 22 billion connected devices worldwide (and as many as 75 billion connected devices by 2025), the very existence of an IoT security law is encouraging. And further praise is warranted because the scope of the bill includes all devices that can connect directly or indirectly to the internet, as well as all connected devices sold in California – not just manufactured there.
But ultimately, the specifics of SB 327 fail to fully support its good intentions, as rapid technological development has outstripped legislative intent. And while it’s unlikely that legislation can fully catch up with cybersecurity development, the emphasis should be on incremental improvements – we must focus on the fruit we can reach, even as new buds sprout on higher branches.
If some of these specific concerns are met, we can drive iterative advancements, and force IoT device manufacturers to invest the appropriate time and money into the security of their products.
The most significant issue to be addressed is the law’s ambiguity: it requires all connected devices to have “a reasonable security feature” (appropriate to the nature of the device and the information it collects) that is designed to protect the user’s data from unauthorized access, modification, or disclosure. Beyond that vague prescription, the law only specifically states that each connected device must also come with a unique hard-wired password, or it must otherwise require a user to set their own unique password before using the device.
Some experts maintain that meeting the password requirements is all that’s needed to satisfy the regulation; in effect, the password is the “reasonable security feature.” If this interpretation is validated, it’s wholly insufficient for securing the IoT – especially for those connected systems that reside in our appliances, vehicles, and municipal infrastructures. And, if it’s deemed that a simple password will not meet SB 327’s requirements, it remains unclear what specific measures are necessary to meet the definition of a “reasonable security feature.”
The law’s terminology might have a saving grace, though: because the verbiage is so ambiguous, the bill could be subject to extensive amendments as cybersecurity deficiencies become clearer. So, in the interest of proactivity, what changes could be implemented to further strengthen this IoT security law?
First, the law should mandate that all data – both at rest and in transit – should be secured or encrypted. It should also specify security measures for data transport services.
Second, the law should require that all connected devices have updatable software and operating systems, and a commitment to deliver frequent updates – so that old vulnerabilities don’t expose an entire network to an attack. Because malicious software and firmware updates are common attack vectors, software updates should also be required to use secure boot and code-loading operations. These systems use digital signatures to verify that the device software comes from a trusted source and has otherwise not been tampered with.
To ensure these specific advancements are included in future cybersecurity legislation, we must use the power of our collective wallets. As users and consumers of IoT devices, we can use our buying power to demand secure, trustworthy devices – and, in the process, demand that manufacturers build security into these devices from the very start, not as a last-minute, ineffective add-on. California SB 327 is a good start out of the gate, but further legislation – and our collective consumer voice – can help us win the race.