This past September, California became the first state to take a first (small) step in addressing Internet of Things (IoT) security. ‎IoT devices include home security cameras, home temperature controllers, and a myriad of other devices that are usually ‎connected wirelessly to local area networks inside homes. IoTs have a reputation for poor security, as they often come with no ‎password or a password that is easy to crack. 

The Mirai botnet attack of September 2016 highlights the havoc caused by inadequate IoT security. A group of teenagers ‎created the Mirai botnet, which utilized unsecure IoT devices to stage a distributed denial-of-service (DDoS) attack to cripple ‎several high profile internet services, leaving the Dyn DNS service provider temporarily offline and rendering many popular ‎websites inaccessible, including Airbnb, Amazon, HBO, Netflix, PayPal, and Twitter. What is scary is that the Mirai attack af‎fected a few hundred thousand affected IoT devices. There are currently billions of IoT devices deployed around the world. ‎Some estimate the number could reach 20 billion by 2020, if we aren’t there already. ‎

California’s IoT cybersecurity law, California Senate Bill 327, signifies one attempt to address the risks associated with the lack ‎of security for IoT devices. SB 327 was signed in September 2018 by Governor Jerry Brown and will go into effect January 1, ‎‎2020. 

The IoT cybersecurity law requires manufacturers of IoT devices to equip the device with reasonable security features that ‎are:‎

• Appropriate to the device’s nature and function and;‎
• Appropriate to the information the device may collect, contain or transmit; and
• Designed to protect the device and any of its information from unauthorized access, destruction, use, modification or disclo‎sure.‎

Moreover, under the IoT cybersecurity law, IoT devices that are outside of a local area network must come equipped with a ‎unique preprogrammed password or the device must contain a security feature that requires the use to generate a new ‎means of authentication prior to first use. ‎

Although some proponents have welcomed the IoT cybersecurity law as a step in the right direction, others are less sanguine. ‎First, the law does not fully define what security features are “reasonable,” leaving it to IoT manufacturers to determine ‎whether the security features that they employ are compliant. Manufacturers could look to guidance from agencies such as ‎the National Institutes for Standards and Technology (NIST) to evaluate what will be “reasonable,” as NIST is currently seeking ‎comments on draft guidance that addresses security and privacy risks associated with IoT devices. Without further direction ‎from the California legislature, such clarification will likely come from future litigation as to whether an IoT manufacturer has ‎equipped its device with a reasonable security feature. However, the IoT law does not grant private parties a cause of action; ‎it delegates enforcement exclusively to the California Attorney General, city attorneys, county counsels, and district attor‎neys. Therefore, it will be up to these entities to pursue the issue under the IoT law, meaning that others, such as affected ‎consumers, would have to seek relief under other legal theories or authority.‎

Second, some critics have argued that the bill’s focus on passwords reflects a “superficial understanding” of IoT security risks, ‎observing that the focus on passwords fails to address other security concerns. For example, some experts warn that the major ‎security concern with IoT devices is the prevalence of unnecessary features that pose increased security risk. The solution, ‎then, becomes not the addition of ineffectual security features, but the “hardening” of IoT devices by removing unnecessary ‎features such as open listening ports. Others have suggested that IoT devices be restricted to “isolation” mode on the WiFi ‎access point so that they will not be allowed to talk to each other, thereby preventing them from infecting other IoT devices ‎or other devices on the network.

Third, now that California has acted where the federal government has not, other states may soon follow. The result could be ‎a patchwork of conflicting state laws similar to the breach notice laws enacted in all 50 states. In that instance, manufacturers ‎could face different - and possibly conflicting - IoT security requirements for IoT products sold in each state. Without the ‎benefit of a uniform federal law, the costs to manufacturers could be considerable.‎

Four years ago, a Federal Trade Commission (FTC) report observed that “increased connectivity between devices and the ‎Internet may create a number of security and privacy risks.” In the wake of the Mirai attack, there have been some attempts ‎by the federal government to address IoT security. For example, the IoT Cybersecurity Improvement Act of 2017 would re‎quire federal agencies to include provisions in government contracts to address security for IoT devices. However, the bill ‎remains before the Committee on Homeland Security and Government Affairs. Moreover, even if passed, it would only ad‎dress federal government contracts, and not the legion of IoT devices deployed in the private sector. Likewise, the IoT Con‎sumer TIPS Act of 2017 would direct the FTC to develop “voluntary educational cybersecurity resources for consumers” re‎lating to the IoT, and the SMART IoT Act would require the Department of Commerce to study the state of the IoT industry. ‎Like the IoT Cybersecurity Improvement Act of 2017, these other bills remain in committee. None of these would establish a ‎standard security directive for IoT devices destined for the private sector.‎

California remains at the forefront of governmental attempts to address IoT security. It will be seen whether California’s action ‎will prompt action by other states or at the federal level.‎