California governor signs IoT cybersecurity bill


This law will establish a cybersecurity standard for IoT manufacturers

Jerry Brown, Governor of California, signed a bill last Friday to regulate cybersecurity standards for devices connected to the Internet, giving California the most demanding standards in the country for the technology known as the Internet of Things (IoT).

The bill (SB 327) will require manufacturers to provide a “reasonable level of cybersecurity” on IoT devices, defined in the document as “any device that can be connected to the Internet with a Bluetooth connection or an Internet Protocol (IP)”. Digital forensics specialists from the International Institute of Cyber Security mention that as of January 1st, 2020, these devices will be required to have pre-loaded passwords or newly generated passwords before they can be accessed for the first time.

Cybersecurity experts often refer to IoT devices as easy-to-access targets for hackers. A report published in August by a digital forensics firm found that many users of Internet-connected devices that control public infrastructure systems do not change the factory default passwords on those devices, which may allow malicious agents to find and access them relatively easily.

This bill has not been exempt from criticism. “It is unclear how companies will be able to comply with the Californian law”, said Francis Dinha, CEO and co-founder of the OpenVPN software company. Dinha said many IoT device manufacturers lack the knowledge and resources needed to enforce the new California standards. “The most specific requirements, such as two-factor authentication (2FA) or the use of a VPN, would also help, but would not solve the root problem, which resides in the education and training that users require”.

Even with the short- and medium-term drawbacks, the digital forensics expert believes that SB 327 is better than the Federal Smart IoT Act and the DIGIT Act, two bills currently being considered in the US Congress. With those bills, lawmakers propose to require studies and reports on the IoT devices available on the market, but without really affecting the regulation of this technology.

Last June, California had already passed a data privacy law, considered by many to be the strictest in the country. This law requires that any practice of collecting and selling personal data stop at the express request of the consumer.