California passes new law to govern cybersecurity across all IoT devices


The age of information and connectivity means that pretty much anything these days can connect to the internet. Even microwaves and fridges are now important devices that make use of the power of the internet and other black magic to do things beyond what they were bought for. However, a growing list of ways to connect to the internet also brings a security threat, as it gives criminals many more ways to access potentially sensitive information from people.

Which is one of the reasons why countries around the world are looking to find ways of enforcing security rules to ensure the growing list of IoT connected devices does not put their people’s security at risk. We are not really clear yet on what this type of legislation will look like, but we might have a good idea of what it will entail as the U.S. State of California has just passed the first piece of legislation which aims to govern cybersecurity across all IoT devices.

The bill, SB-327, requires that from 1 January 2020, any manufacturer of a device that connects directly or indirectly to the internet must equip it with “reasonable” security features designed to prevent unauthorised access, modification or information disclosure. If the device can be accessed outside of a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess.

It’s definitely a step in the right direction and something which I can see the rest of the world quickly jumping on, though I do think it is perhaps a little too ambiguous in its definition of reasonable and should include not just means of authentication, but data retention, communication and encryption as well. Just requiring authentication is a little too lenient at this point in time and I wouldn’t be surprised if by the time this law comes to pass, it’s already been amended to include several other security measures.

It’s a needed step for governments to enforce and protect people from doing stupid things on the internet through their different connected devices, and manufacturers need to be forced to play their part to ensure they meet the necessary requirements and do not put other people at risk.

That they’re not also looking to shape rules that prevent all these devices turning into various different versions of robot overlords though perhaps shows that their approach to understanding the true power of the internet and A.I. is a little limited. At least we can take comfort that when Skynet does take over it will be very secure.

Last Updated: October 2, 2018
