California’s cybersecurity law for the internet of things (IoT) is now official. It was signed by California Governor Jerry Brown last week, more than a year after it was introduced as SB 327 in February 2017. It bears the distinction of being the first IoT-specific law enacted in the U.S., and it now sets baseline security requirements for manufacturers of connected devices.
The new law requires manufacturers of any connected device sold in California to equip their products with “reasonable” security features appropriate to “the nature and function of the device” and to “the information it may collect, contain, or transmit.” It also sets a concrete bar for authentication: if the device can be reached from outside a local area network, authentication is deemed “reasonable” if the preprogrammed password is unique to each unit manufactured, or if the device requires the user to generate a new means of authentication before access is granted for the first time. Either requirement targets the weakness Mirai exploited: it spread by logging in to exposed devices with a short list of factory-default usernames and passwords shared across entire product lines.
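To make the two authentication options concrete, the following is an added example (not code from the article or from any manufacturer) modelling a device's local login policy. The class names, the sample default-credential list and the three devices are all constructed for the demonstration. It generates a per-unit password from the OS CSPRNG, refuses known default credentials when the owner sets a new one, and runs a Mirai-style default-credential spray against three configurations: a legacy shared default, a shared default with forced change on first use, and a unique per-unit password.

```python
# Added example: first-boot credential policy for a connected device.
# Not from the article or any vendor; names and sample data are constructed.
import hashlib
import hmac
import secrets
import string

# Constructed sample in the style of the defaults Mirai tried;
# a vendor's real deny-list would be far longer.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("root", "root"),
    ("admin", "password"),
    ("root", "12345"),
    ("user", "user"),
}
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 50_000


def provision_unique_password(length: int = 16) -> str:
    """Per-unit factory password, generated at manufacturing time from the OS
    CSPRNG and printed on the label. Deliberately not derived from the MAC
    address or serial number, which an attacker can enumerate or guess."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def credential_problems(username: str, password: str) -> list:
    """Reasons a proposed credential is unacceptable; empty list means OK."""
    problems = []
    if (username, password) in KNOWN_DEFAULT_CREDENTIALS:
        problems.append("known default credential")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
    if password.lower() == username.lower():
        problems.append("password equals username")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Device:
    """Single-account device. require_change_before_use models the law's second
    option: no access until the owner has set a new credential."""

    def __init__(self, username: str, factory_password: str, require_change_before_use: bool):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(factory_password, self.salt)
        self.require_change_before_use = require_change_before_use
        self.credential_changed = False

    def _matches(self, username: str, password: str) -> bool:
        if username != self.username:
            return False
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

    def login(self, username: str, password: str) -> str:
        """Returns 'denied', 'must_change_credential' or 'ok'."""
        if not self._matches(username, password):
            return "denied"
        if self.require_change_before_use and not self.credential_changed:
            return "must_change_credential"
        return "ok"

    def change_credential(self, current_password: str, new_username: str, new_password: str) -> list:
        """Set the owner's credential; returns the list of rejection reasons."""
        if not self._matches(self.username, current_password):
            return ["current password incorrect"]
        problems = credential_problems(new_username, new_password)
        if problems:
            return problems
        self.username = new_username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(new_password, self.salt)
        self.credential_changed = True
        return []


def default_credential_spray(device: Device) -> list:
    """Mirai-style attempt: every default-list credential the device accepts.
    A 'must_change_credential' result counts as accepted, because whoever
    reaches the device first gets to choose the new password."""
    return [(u, p) for u, p in sorted(KNOWN_DEFAULT_CREDENTIALS)
            if device.login(u, p) != "denied"]


if __name__ == "__main__":
    devices = {
        "legacy shared default": Device("admin", "admin", False),
        "shared default, forced change": Device("admin", "admin", True),
        "unique per-unit password": Device("admin", provision_unique_password(), True),
    }
    for name, dev in devices.items():
        print("%-30s accepted: %s" % (name, default_credential_spray(dev)))
```

The spray result for the second device is the caveat worth noting: a forced change on first use only helps if the device is not reachable from the internet before the owner completes setup, or the factory password is unique as well. Pairing both options is the safer design.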
In addition, manufacturers are obliged to build security in from the design phase: the law states that connected devices must be designed to protect the device and any information it contains against “unauthorized access, destruction, use, modification, or disclosure.”
The law takes effect on January 1, 2020, giving manufacturers a little over a year to prepare for its enforcement.
Although it is the first to come to fruition, California’s IoT law is not the only proposal of its kind. Several bills with the same goal of improving IoT security have been introduced in the U.S. Congress, among them the IoT Cybersecurity Improvement Act of 2017, the SMART IoT Act, the IoT Consumer Tips Act, and the DIGIT Act, but all of them are at different stages of the legislative process and have yet to become law.
Security and regulation
These bills reflect the areas in which governing bodies see room for improvement in IoT, likely in anticipation of the growing number of connected devices. California’s law highlights the need for built-in security and security by design. Its enforcement could help reduce attacks that exploit device vulnerabilities, incidents in which end users are usually the ones who bear the cost. More importantly, it can lift some of the burden from users, who until now have had to compensate for the inconsistent level of security in the connected devices available to them.
Although enforcement is still more than a year away, the law’s enactment draws attention to user concerns and places some of the responsibility for IoT security on manufacturers. It demonstrates the role governments and their regulatory bodies can play in promoting security through guiding principles that support the safer development and deployment of IoT devices.
In the meantime, as standards for IoT continue to be refined, individual users and organizations alike should continue to employ best practices in their use of IoT devices.
The Trend Micro™ Home Network Security solution can provide additional protection by checking internet traffic between the router and all connected devices. Our IoT scanning tool has been integrated into the Home Network Security solution and HouseCall™ for Home Networks scanner. Enterprises can also monitor all ports and network protocols for advanced threats and thwart targeted attacks with the Trend Micro™ Deep Discovery™ Inspector network appliance.