While most people in the technology space have taken note of the upcoming introduction of the California Consumer Privacy Act (CCPA), due to go into effect Jan. 1, there has been less attention paid to the introduction of California’s Internet of Things (IoT) Security Law, also set to go into effect Jan. 1.
It is widely expected that the CCPA will be used as a guideline for similar laws in other states across the US, eventually leading to something resembling the European General Data Protection Regulation (GDPR), as the ability to protect consumer data becomes one of the driving forces of technology development.
The IoT Security Law, could have a similar, far-reaching impact, given that even Gartner’s conservative estimates points to 20.4 billion IoT devices in use by next year. Other estimates say double that, but it is unclear how prepared connected enterprises are for the introduction of this new piece of state legislation.
The IoT Security Law
Daniel Pepper, partner at the law firm BakerHostetler, explained that the new law obliges companies building connected products to implement “reasonable security features” on said products.
However, he pointed out that the definition of reasonable is vague (registration required), but the law does consider the device’s function and the type of data it collects when determining how reasonable those security features are. The law also calls for devices that connect to the internet to have a unique password and to require that a user generate a new password or method of authentication when they fire up the device for the first time. For reference:
In fact, the definition of connected device is quite broad. Under the definition, a connected device is any device or “other physical object” that can connect to the internet (even by being paired with another device) and assigned an IP or Bluetooth address. Some of the devices — and only some — include:
- Copy machines
- Fax machines
- VoIP-enabled phones
- Bluetooth headsets
- Medical diagnostic equipment
- Personal fitness monitors
- Wristwatches (iWatch)
- Connected vehicles
Related Article: What Marketers Need to Know About CCPA ... Before It's Too Late
In fact, it covers just about anything that can be connected to the internet. Dean Sysman, CEO and co-founder of Axonius, argued that the word "reasonable" could be a major stumbling block. Although the idea to require manufacturers to provide reasonable cybersecurity for IoT devices sold in California is noble, the new law lacks clarity surrounding the finer details.
He added that much of the guidance included is written for general security measures not specific to IoT devices, making some of the requirements nearly impossible to comply with. “It also provides little to no specificity on the types of penalties that can result from an offense, what the maximum penalties are or if harm to consumers must be proven to seek such undefined penalties,” he said.
As before, securing devices is key. According to Allot's Consumer View on Mobile Security report, a relatively high percentage of respondents (76%) said they protect their mobile devices with simple security settings such as phone access passwords, lock-screen codes and encryption settings. However, device security settings do not protect against malware.
Currently, when new IoT devices and corresponding software are created, risk reduction is frequently an afterthought. It is not always a top priority for device makers to collaborate and create security measures with service providers since no initial implementation incentive is seen due to a lack of profit and competition on the security side of software development. That said, most service providers are in fact ideally positioned to deliver network-based security solutions as a value-added service for their customer base which provides them with an additional competitive advantage and a clear path to increased revenue.
Consumer Data and Security
Gabe Turner is director of content at Security Baron, a website dedicated to IoT, he is also a lawyer. Turner said that while this law is a step in the right direction towards protecting consumers’ data, many companies have already started inputting more security measures into their devices from the design process anyway.
This is also due to the public outcry about the lack of security on IoT devices. At least 70% of consumers told researchers from Bain & Company that they would buy more IoT devices if cybersecurity was more heavily addressed. In the same vein, 93% of executives said that they’d pay around 22% more for IoT devices with improved security, so this is an area where both distributors and consumers are behind. “It’s no wonder that the IoT cybersecurity market will be worth $11 billion in 2020, $2 billion more than in 2018,” he said.
IoT companies in the US should be focusing on security, both to protect consumer data and their bottom lines.
Securing the Global IoT
But it’s not just the US companies who should be ready for the legislation, Sivan Rauscher, CEO and co-founder of SAM Seamless Network, said. Governments, industry, SMBs and consumers all need to work together to ensure top security of IoT devices.
Rauscher argues that IoT security should be a joint effort. She added that the rapid increase of smart devices and lack of regulation until now have created precise conditions for attackers to break into home networks through doorbells, thermostats or baby monitors. Manufacturers must now make IoT devices with the highest possible security measures built in and make it easy for consumers to change passwords and update firmware.
Consumers however also need to do their part and must learn how they can protect themselves, and ISPs need to protect the gateways to home networks. Part of being ready for the legislation also means that companies consider the longevity of smart devices and the ability of manufacturers to provide security updates in a timely manner.
Encrypting Consumer Data
But the response has been positive so far. Requiring companies to delete user data or encrypt in such a manner that only the user can decrypt is a major step forward. This means that companies can build products in which they have no way to access user data. Only the user or end customer can “read” or decrypt IoT device data, Garrett Kinsman, co-founder of IoT connectivity and security provider Nodle, explained.
He too agrees that the wording is difficult, notably what the definition of "reasonable" means. Today the vast majority of IoT products have little to no security implemented, and a “best effort” approach is the most likely to succeed and be implemented.
This will most likely take the form of a proper access control system when it comes to accessing the device and its administration functions while not covering things like secure updates or encrypted data and communications. “Different devices harness different kinds of data. For example, health devices collect the most personal and valuable data — smartwatches and wearable smart clothing in particular,” he added. “This is why you just saw Google acquire FitBit, and Facebook coming in just $10 million behind in the bidding.”
Growth of IoT Devices
A shift that is happening quickly is that we are rapidly being surrounded by more IoT devices that are not our own, think smart fridges, CCTV cameras or autonomous vehicles which collect innumerable amounts of data about us without our permission. It is this aggregation of data which provides the most valuable intelligence and will have the most profound impact on our personal privacy and crucially need good security features.
There are other positives in the law, it requires unique passwords and unique key generation on devices, which is a vast improvement on how devices are built today. Most Wi-Fi routers use an “Admin” username and “Admin” password or hardcoded default values. However, manufacturers will have to implement this kind of feature correctly, typically many Wi-Fi router manufacturers will generate a new default passwords based on the router’s unique identifier (its MAC address), this sort of mechanism was and still is abused as it becomes possible to guess the unique password used for the device.
While this is a good first step there are better solutions that could be deployed in order to drastically improve the security of these devices and the privacy of their users such as using cryptographic signatures for verifying and authenticating devices and users.
So, what will happen under the law in the event of a breach. Pepper explained that private parties do not have the authority to sue under the California law; rather, the law delegates enforcement exclusively to the California Attorney General, city attorneys, county councils and district attorneys.
The law also does not specify what types of penalties officials can seek for violations, what the maximum penalties are or whether officials must prove that actual harm to consumers has occurred before seeking penalties. Only time will tell how it will happen.