California has been a pioneer when it comes to shaping policies to tackle everything from climate change to consumer privacy. Now it could take the lead in yet another area: cybersecurity for online gadgets.
The state’s lawmakers have just sent California’s governor, Jerry Brown, draft legislation that aims to tighten the security of web-connected devices.
If he approves it, California will become the first US state with a law specifically tailored for the internet of things (IoT).
It’s not hard to see why such legislation is needed. Barely a day goes by without some new report of hackers compromising all kinds of products, from web-connected dolls to security cameras. And billions of new connected devices will be flooding onto the market over the next few years.
Some experts think it’s only a matter of time before hacked gadgets cause serious injuries, and perhaps even kill people (see “For safety’s sake, we must slow innovation in internet-connected things”).
California’s legislation, which would come into effect in January 2020, requires connected devices to have a “reasonable” security feature or features “appropriate to the nature and function of the device.”
It also requires manufacturers to either create a different default password for every gadget they sell or prompt users to change a common default password before they use a device for the first time.
All too often, gadgets still come with common hard-coded passwords. That means if hackers can crack the password, they can take control of a large number of similar devices. Other security controls governing things like communication with different devices vary widely, and often reflect industry-developed standards.
There are federal and state laws that dictate how consumer data gathered via IoT products should be handled. However, until now there hasn’t been legislation that focuses on IoT security.
Some cybersecurity experts, like Robert Graham of Errata Security, have criticized the California legislation for being too vaguely worded, and for not doing more to stop firms from building insecure features into their devices.
Supporters say that the potential threat of litigation will force manufacturers to focus more on security as they build their smart devices. “The [bill’s] language is deliberately very loose,” says Beau Woods, an Atlantic Council fellow specializing in information security, “but that’s to get companies to think about how they can make [products] secure by design.”
There’s another good reason for not being overly prescriptive: things can change incredibly fast in cybersecurity, so what may seem like a reasonable defensive measure today could soon feel outdated.
Still, the law could usefully have included a specific requirement that companies swiftly release patches for any security holes found in their products’ software. And it could have forced them to set up systems that make it easy for people to report flaws and be rewarded for doing so (see “Crowdsourcing the hunt for software bugs is a booming business—and a risky one”).
The fact that it missed this opportunity doesn’t mean the draft legislation should be vetoed. If companies beef up their products’ security so they can keep selling them in California’s massive market, those changes will likely benefit other states too.
California’s initiative could also spur action at the federal level, which is where the critical issue of IoT security really needs to be addressed.
A couple of draft bills have already been floated in Congress, including one known as the IoT Cybersecurity Improvement Act of 2017 that would require companies doing business with the federal government to make sure their web-connected products use software that can be easily patched, don’t contain known security vulnerabilities, and and have passwords that can be changed.
The bills are languishing in committees. California’s legislative push could help breathe new life into them and generate bipartisan support for action.