This past September, California became the first state to take a first (small) step in addressing Internet of Things (IoT) security. IoT devices include home security cameras, home temperature controllers, and a myriad of other devices that are usually connected wirelessly to local area networks inside homes. IoTs have a reputation for poor security, as they often come with no password or a password that is easy to crack.
The Mirai botnet attack of September 2016 highlights the havoc caused by inadequate IoT security. A group of teenagers created the Mirai botnet, which utilized unsecure IoT devices to stage a distributed denial-of-service (DDoS) attack to cripple several high profile internet services, leaving the Dyn DNS service provider temporarily offline and rendering many popular websites inaccessible, including Airbnb, Amazon, HBO, Netflix, PayPal, and Twitter. What is scary is that the Mirai attack affected a few hundred thousand affected IoT devices. There are currently billions of IoT devices deployed around the world. Some estimate the number could reach 20 billion by 2020, if we aren’t there already.
California’s IoT cybersecurity law, California Senate Bill 327, signifies one attempt to address the risks associated with the lack of security for IoT devices. SB 327 was signed in September 2018 by Governor Jerry Brown and will go into effect January 1, 2020.
The IoT cybersecurity law requires manufacturers of IoT devices to equip the device with reasonable security features that are:
- Appropriate to the device’s nature and function and;
- Appropriate to the information the device may collect, contain or transmit; and
- Designed to protect the device and any of its information from unauthorized access, destruction, use, modification or disclosure.
Moreover, under the IoT cybersecurity law, IoT devices that are outside of a local area network must come equipped with a unique preprogrammed password or the device must contain a security feature that requires the use to generate a new means of authentication prior to first use.
Although some proponents have welcomed the IoT cybersecurity law as a step in the right direction, others are less sanguine. First, the law does not fully define what security features are “reasonable,” leaving it to IoT manufacturers to determine whether the security features that they employ are compliant. Manufacturers could look to guidance from agencies such as the National Institutes for Standards and Technology (NIST) to evaluate what will be “reasonable,” as NIST is currently seeking comments on draft guidance that addresses security and privacy risks associated with IoT devices. Without further direction from the California legislature, such clarification will likely come from future litigation as to whether an IoT manufacturer has equipped its device with a reasonable security feature. However, the IoT law does not grant private parties a cause of action; it delegates enforcement exclusively to the California Attorney General, city attorneys, county counsels, and district attorneys. Therefore, it will be up to these entities to pursue the issue under the IoT law, meaning that others, such as affected consumers, would have to seek relief under other legal theories or authority.
Second, some critics have argued that the bill’s focus on passwords reflects a “superficial understanding” of IoT security risks, observing that the focus on passwords fails to address other security concerns. For example, some experts warn that the major security concern with IoT devices is the prevalence of unnecessary features that pose increased security risk. The solution, then, becomes not the addition of ineffectual security features, but the “hardening” of IoT devices by removing unnecessary features such as open listening ports. Others have suggested that IoT devices be restricted to “isolation” mode on the WiFi access point so that they will not be allowed to talk to each other, thereby preventing them from infecting other IoT devices or other devices on the network.
Third, now that California has acted where the federal government has not, other states may soon follow. The result could be a patchwork of conflicting state laws similar to the breach notice laws enacted in all 50 states. In that instance, manufacturers could face different - and possibly conflicting - IoT security requirements for IoT products sold in each state. Without the benefit of a uniform federal law, the costs to manufacturers could be considerable.
Four years ago, a Federal Trade Commission (FTC) report observed that “increased connectivity between devices and the Internet may create a number of security and privacy risks.” In the wake of the Mirai attack, there have been some attempts by the federal government to address IoT security. For example, the IoT Cybersecurity Improvement Act of 2017 would require federal agencies to include provisions in government contracts to address security for IoT devices. However, the bill remains before the Committee on Homeland Security and Government Affairs. Moreover, even if passed, it would only address federal government contracts, and not the legion of IoT devices deployed in the private sector. Likewise, the IoT Consumer TIPS Act of 2017 would direct the FTC to develop “voluntary educational cybersecurity resources for consumers” relating to the IoT, and the SMART IoT Act would require the Department of Commerce to study the state of the IoT industry. Like the IoT Cybersecurity Improvement Act of 2017, these other bills remain in committee. None of these would establish a standard security directive for IoT devices destined for the private sector.
California remains at the forefront of governmental attempts to address IoT security. It will be seen whether California’s action will prompt action by other states or at the federal level.