Locking up the 'internet of things'

A new internet of things (IoT) security law went into effect in California on January 1st, requiring devices to include "reasonable" and "appropriate" cybersecurity measures. But experts had mixed reactions to it. Schellman & Co privacy lead Debbie Zaller remarks on what she feels is a lack of specifics, which could be a weakness. Read full article below or in its entirety on the Washington Examiner website.


By Grant Gross

A wide range of "internet of things" connected devices are now required to include “reasonable” and “appropriate” cybersecurity measures under a California law that went into effect Jan. 1.

Covered devices, while not listed in the law, likely include smart thermostats, smart watches, printers, industrial sensors, security cameras, smart lightbulbs, smart television sets, digital video recorders, connected cash registers, connected cars, and other devices.

Hackers have used botnets of compromised security cameras and DVRs to knock major websites offline across parts of the United States (the 2016 Mirai attack on DNS provider Dyn), and those devices were recruited simply by logging in with the factory default passwords that many products still ship with.

California’s law doesn’t contain long definitions of what constitutes reasonable security, but it does say that a device whose preprogrammed password is unique to each unit manufactured qualifies. Devices that require users to set their own means of authentication before the device can be used for the first time also meet the definition, the law says.
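The two safe-harbor paths above map onto concrete provisioning choices. The following is an added example, not code from the article or from any manufacturer's firmware: it models path 1 (a per-unit random password minted at provisioning, of which only a salted hash stays on the device), path 2 (a device that ships with no credential and refuses every login until the user sets one that is not a well-known default), and the audit a manufacturer or pentester would run against a sample of units to confirm none still accepts a shared default. The `Device` model, the default-password list and the sample fleet are constructed for illustration.

```python
"""
Added example, not from the article or from any manufacturer's firmware: a
model of the two safe-harbor paths the California law names for "reasonable"
authentication, plus a fleet audit. All names, the Device model and the
sample fleet are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known fleet-wide defaults (constructed list, not a complete denylist).
COMMON_DEFAULTS = {"admin", "password", "12345", "123456", "1234", "default", "root", "user"}
MIN_PASSWORD_LEN = 10
PBKDF2_ITERATIONS = 100_000


@dataclass
class Device:
    """What the device stores: never the password, only salt + PBKDF2 digest."""
    serial: str
    salt: Optional[bytes] = None
    digest: Optional[bytes] = None
    setup_complete: bool = False  # False => no credential yet (path 2, before first use)


def hash_credential(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Path 1: a preprogrammed password unique to each unit, drawn from the OS CSPRNG at
# provisioning. The plaintext is returned once so it can be printed on the unit's label;
# only the hash goes into flash, so a leaked firmware image yields no shared credential.
def provision_with_unique_password(serial: str) -> Tuple[Device, str]:
    password = secrets.token_urlsafe(12)  # 96 bits of entropy, label-printable
    salt, digest = hash_credential(password)
    return Device(serial, salt, digest, setup_complete=True), password


# Path 2: ship with no credential at all and refuse to serve until the user sets one.
def provision_requiring_user_setup(serial: str) -> Device:
    return Device(serial)


def is_acceptable_password(password: str) -> bool:
    """Reject the well-known defaults and anything too short to resist online guessing."""
    return len(password) >= MIN_PASSWORD_LEN and password.lower() not in COMMON_DEFAULTS


def set_user_password(device: Device, password: str) -> bool:
    """Completes first-use setup. Returns False (and changes nothing) if the password is weak."""
    if not is_acceptable_password(password):
        return False
    device.salt, device.digest = hash_credential(password)
    device.setup_complete = True
    return True


def authenticate(device: Device, password: str) -> bool:
    """Gate for any login reachable from outside the LAN. A path-2 device that has not
    completed setup accepts nothing, so there is no window in which a default works."""
    if not device.setup_complete or device.salt is None or device.digest is None:
        return False
    _, candidate = hash_credential(password, device.salt)
    return hmac.compare_digest(candidate, device.digest)


def audit_fleet(devices: List[Device], candidates=COMMON_DEFAULTS) -> List[str]:
    """Serials of devices that still accept any well-known default: the check a
    manufacturer (or a pentester) runs against a sample of units before shipping."""
    return sorted(d.serial for d in devices if any(authenticate(d, c) for c in candidates))


if __name__ == "__main__":
    unit_a, label_a = provision_with_unique_password("SN-0001")
    unit_b, label_b = provision_with_unique_password("SN-0002")
    unit_c = provision_requiring_user_setup("SN-0003")
    # Constructed legacy unit that still ships the shared default "admin".
    legacy = Device("SN-LEGACY", setup_complete=True)
    legacy.salt, legacy.digest = hash_credential("admin")
    print("labels differ:", label_a != label_b)
    print("remote login before setup:", authenticate(unit_c, "admin"))
    print("weak password rejected:", not set_user_password(unit_c, "password"))
    print("units accepting a default:", audit_fleet([unit_a, unit_b, unit_c, legacy]))
```

The design choice worth noting is that path 2 is enforced by the absence of a credential rather than by a flag a default login could flip: `authenticate` cannot succeed until `set_user_password` has stored a hash, and `set_user_password` refuses the very defaults Mirai-style scanners try first. The audit only answers "does a default work"; it says nothing about data-in-transit or update security, which is exactly the gap the experts quoted below point to.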

The law covers manufacturers of devices sold in California as well as companies that contract with manufacturers for internet of things devices. It gives the state’s attorney general, city attorneys, county counsels, and district attorneys the authority to enforce its regulations, but the law does not lay out penalties for violations, nor does it give consumers a private right to sue.

The internet of things security law went into effect on the same day as a controversial consumer privacy law passed by California lawmakers, the California Consumer Privacy Act.

Cybersecurity and legal experts had mixed reactions to the internet of things law. Some said it’s an important first step toward better internet of things security, while others said it is too vague to have a major effect.

The California law is important because it “sends a message to manufacturers of IoT devices that it is time to start taking security seriously,” said Jack Vonder Heide, president of Technology Briefing Centers, a consulting firm.

Vonder Heide said the lack of specific regulations isn’t a problem — yet. “It would be impossible to identify and codify all of the specific risks associated with IoT devices,” he said.

One potential downside of the law, however, is that the cost of compliance could be passed on to customers, he said.

But others pointed to the lack of specifics as a weakness. “This law is a step in the right direction but leaves many unanswered questions,” said Debbie Zaller, privacy leader at Schellman & Co., a security and privacy compliance assessor. “The law needs more specific requirements, better security requirements, and definitions for terms such as ‘appropriate’ and ‘reasonable.’”

The law covers devices capable of connecting to the internet but focuses its authentication regulations on devices “equipped with a means for authentication outside a local area network.” That could leave out many devices with no remote authentication features, Zaller said.

In addition, the regulations are sparse, with only the password and authentication provision, she added.

“There are no requirements for securing the data, in transit or storage, and no other security features,” she added. “There are well over 100 standards and frameworks related to IoT devices, and this law does not mention any of them.”

The law also does not require internet of things makers to inform consumers on how to apply the security features or secure the device and data, Zaller said. “While this law is a step in the right direction, it’s not even close to what is needed.”

Sivan Rauscher, CEO and co-founder of SAM Seamless Network, agreed.

“The bill is definitely helpful and good-intentioned, but the real question is, is it enough?” she said. “As we’ve seen in recent months, the dramatic increase of smart devices and lack of regulation until now have created precise conditions for attackers to break into home networks through doorbells, thermostats, or baby monitors.”

The need for legislation is long overdue, she added, but the California law is only the start of a conversation about the security needs of homes and cities. “This conversation demands other players in the industry, such as network operators, service providers, cybersecurity professionals, educators, and consumer groups to all work together to ensure top security of IoT devices,” she added.

About the Author

Debbie Zaller

Debbie is Principal and co-owner at Schellman & Company, LLC. She began her career in 2000 while working at Arthur Andersen in their Technology Risk Assurance practice. Debbie now leads the Midwest Region along with the Privacy, SOC 2 and SOC 3 service lines and is also on the AICPA’s SOC Specialist Task Force. She is responsible for internal training, methodology creation, and quality reporting. Debbie was a past member of the Florida Institute of Certified Public Accountants’ Board of Governors and served on the Finance and Office Advisory Committee. She also served on the AICPA’s Advanced SOC for Service Organizations Certificate Task Force.
