Will California's Legislation Protect IoT Consumers or Be a Toothless Tiger? (Part 1)
California is leading the way in legislating IoT security.
Few people would deny that cybersecurity is in a parlous state. From the Mirai botnet, built out of small IoT devices such as home routers, air-quality monitors, and personal surveillance cameras, to vulnerabilities unearthed in connected cars, a smart gun, windmills, and smart-home controllers, it is clear that attacks are pervasive and that devices are woefully inadequate at resisting them. With the rapid growth in connected devices, each with its own specific security requirements, the problem can only be expected to grow.
In response, California has proposed legislation; if it passes, California will become the first state (indeed, the first jurisdiction anywhere) to regulate IoT security. Let's take a look at the effort:
What Is California's Legislation?
The bill, SB-327 Information privacy: connected devices, is currently on the Governor of California's desk awaiting signature or veto. If signed, it takes effect on January 1, 2020. The bill calls for "security procedures and practices appropriate to the nature of the information."
The bill requires a "reasonable security feature or features that are appropriate to the nature and function of the device." It then makes one requirement concrete: "if a connected device is equipped with a means for authentication outside a local area network," the device must either ship with a default password that is unique to each unit, or contain a feature that forces the user to set a new password before the device can be used for the first time. Two points are worth noting for anyone building devices. First, the password rule is triggered only by authentication from outside the LAN, so a device that is reachable only locally is covered by the general "reasonable security feature" language alone. Second, a shared default password is still permitted, provided the device refuses to grant access until it has been replaced.
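The two compliance paths described above, modelled as an added example (this is illustration written for this article, not code from the bill, from DZone or from any device vendor; every name in it, such as provision_device, ship_with_shared_default and DeviceAuth, is hypothetical). Path 1 generates a unique per-unit password at the factory from the OS CSPRNG; path 2 keeps a shared default but makes the device refuse service until the user has replaced it. The batch-uniqueness check at the end is the kind of manufacturing-line test a practitioner would add for path 1.

```python
import hashlib
import hmac
import os
import secrets

SHARED_DEFAULT = "admin"        # the practice the bill rules out: one password shipped on every unit
MIN_PASSWORD_LEN = 12
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the hash and salt are stored on the device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def provision_device(serial: str) -> dict:
    """Path 1 (unique per-device default): draw the password from the OS CSPRNG at the
    factory. It must not be derived from the serial number, MAC address or any other
    identifier printed on the unit, because that would make it predictable."""
    password = secrets.token_urlsafe(12)          # ~96 bits of entropy, short enough for a label
    salt = os.urandom(16)
    return {
        "serial": serial,
        "label_password": password,               # printed on the unit's label, never stored in clear
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "must_change": False,
    }


def ship_with_shared_default(serial: str) -> dict:
    """Path 2 (shared default plus forced change): the unit leaves the factory with the
    common default, but must_change makes DeviceAuth refuse access until it is replaced."""
    salt = os.urandom(16)
    return {
        "serial": serial,
        "label_password": SHARED_DEFAULT,
        "salt": salt,
        "pw_hash": hash_password(SHARED_DEFAULT, salt),
        "must_change": True,
    }


class DeviceAuth:
    """Authentication gate on the device (hypothetical). login() returns 'ok', 'denied'
    or 'setup-required'; the last means set_password() must succeed before any access."""

    def __init__(self, record: dict):
        self.salt = record["salt"]
        self.pw_hash = record["pw_hash"]
        self.must_change = record["must_change"]

    def _matches(self, password: str) -> bool:
        # constant-time comparison of the stored and computed hashes
        return hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)

    def login(self, password: str) -> str:
        if not self._matches(password):
            return "denied"
        if self.must_change:
            return "setup-required"
        return "ok"

    def set_password(self, current: str, new: str) -> bool:
        """Replace the credential. Rejects a wrong current password, a new password that is
        too short, or one that is simply the shared default again."""
        if not self._matches(current):
            return False
        if len(new) < MIN_PASSWORD_LEN or new == SHARED_DEFAULT:
            return False
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(new, self.salt)
        self.must_change = False
        return True


def unique_across_batch(serials) -> bool:
    """Manufacturing-line check for path 1: no two units in a batch share a default."""
    passwords = [provision_device(s)["label_password"] for s in serials]
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    unit = DeviceAuth(ship_with_shared_default("SN-0001"))      # constructed sample unit
    print(unit.login("admin"))                                  # setup-required
    print(unit.set_password("admin", "correct horse battery"))  # True
    print(unit.login("correct horse battery"))                  # ok
    print(unique_across_batch(f"SN-{i:04d}" for i in range(1000)))  # True
```

Note that the forced-change gate in path 2 fires on every login, local or remote, until the default is gone; a gate that only protects the remote interface would leave the shared default usable on the LAN and is the kind of half-measure the bill's wording does not clearly forbid.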
Will the California-Specific Law Set a Precedent?
The bill defines "manufacturers" as those who make connected devices that are sold or offered for sale in California, together with those who contract with others to make such devices on their behalf.
The bill does not oblige manufacturers to lock users out: it imposes no duty on a manufacturer to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on it at the user's discretion. Nor does it impose any duty on electronic stores, gateways, marketplaces, or other means of purchasing software or applications to review or enforce compliance with its requirements.
However, the legislation can be described as vague and ambiguous at best and woefully inadequate at worst. While it is claimed that the threat of litigation will force manufacturers to design 'security first,' the bill gives individuals no private right of action against non-compliant manufacturers. Only the attorney general, a city attorney, a county counsel, or a district attorney has the authority to enforce its requirements. I believe the absence of class actions and private litigation is problematic, because that is the route by which consumers (enterprises and individuals alike) are most likely to exert pressure.
Still, one benefit of legislation is that it offers a formal response to societal concern about cybersecurity, at a time when numerous bills have been put before federal lawmakers proposing everything from minimum standards to scoring and rating schemes. Federal law has moved slowly in these instances, through repeated readings and referrals to committees. While the California legislation is far from perfect, it offers a framework for other states, and future opportunities for more precise wording as the technology develops.
Want to see how the legislation fits into other US efforts at cybersecurity laws? Check out Part 2 of this article.