California Creates the Nation's First Cybersecurity Law for "Smart Devices"
Michael Owens
Mayor of Mableton, GA | Senior Executive Leader | Cybersecurity Professional | Security Policy | National Security | International Speaker | Advisor | Board Member
From microwaves to medical devices, seemingly everything that has an electronic function is now a "smart device": it has an IP address and is accessible via an app on your phone or your favorite browser. Generally called Internet of Things (IoT) devices, there will soon be over 20 billion of these connected to the internet by 2020. With each additional device potentially becoming an online target, it is more important than ever that manufacturers take responsibility for the security of the devices they are selling. In a world where your watch, car, phone, doorbell and bedroom TV are vulnerable to hackers anywhere in the world, additional security measures must be taken to ensure that these devices do not open your home or place of business to immediate intrusion or theft the instant one is plugged in.
With increasing pressure on IoT manufacturers but little regulation, California Governor Jerry Brown signed Senate Bill No. 327, which as of Jan. 1, 2020, will require internet-connected device manufacturers "to equip the device with a reasonable security feature or features." The bill's authentication requirements, which became law on Sept. 28, 2018, consist of the following provisions, which will take effect on Jan. 1, 2020:
- The preprogrammed, initial password is unique to each device manufactured. (No longer can manufacturers ship every device with the waiting-to-be-hacked "Admin/Admin" or "Administrator/Password" user ID and password combination.)
- The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
While the guidelines would only apply to devices that get sold to California consumers, it's likely that all U.S. consumers would benefit. In particular, banning default passwords on devices should make it more difficult for attackers to remotely take control of them. Many people within the cybersecurity industry, myself included, welcome this law, if for nothing else, because it could mitigate an immediate threat: millions of devices being on the Internet with default passwords still configured. Harvard University fellow Bruce Schneier agrees that this is a good start. “It probably doesn’t go far enough — but that’s no reason not to pass it,” he told The Washington Post.
For more details on just how much of a security problem IoT devices can be, take a look at this article on Forbes.com.
Michael Owens (@MichaelOwensGA) is the President and CEO of the U.S. Global Center for Cyber Policy.
Coach Sid
6 years ago
Michael, this sounds wonderful! It seems that there is ground finally being broken in this area of "RELIABLE" security on the WWW. I must confess, I still have concerns at times with the policing, tracking, and prosecution of those caught in illegal activities.