
    California wants to stop hackers from taking control of smart gadgets

    A proposed state law would help bolster the security of internet-connected devices, but what’s really needed is federal action.

    California has been a pioneer when it comes to shaping policies to tackle everything from climate change to consumer privacy. Now it could take the lead in yet another area: cybersecurity for online gadgets.

    The state’s lawmakers have just sent California’s governor, Jerry Brown, draft legislation that aims to tighten the security of web-connected devices.

    If he approves it, California will become the first US state with a law specifically tailored for the internet of things (IoT).

    It’s not hard to see why such legislation is needed. Barely a day goes by without some new report of hackers compromising all kinds of products, from web-connected dolls to security cameras. And billions of new connected devices will be flooding onto the market over the next few years.

    Some experts think it’s only a matter of time before hacked gadgets cause serious injuries, and perhaps even kill people (see “For safety’s sake, we must slow innovation in internet-connected things”).

    California’s legislation, which would come into effect in January 2020, requires connected devices to have a “reasonable” security feature or features “appropriate to the nature and function of the device.”

    It also requires manufacturers to either create a different default password for every gadget they sell or prompt users to change a common default password before they use a device for the first time.

    All too often, gadgets still come with common hard-coded passwords. That means if hackers can crack the password, they can take control of a large number of similar devices. Other security controls governing things like communication with different devices vary widely, and often reflect industry-developed standards.

    There are federal and state laws that dictate how consumer data gathered via IoT products should be handled. However, until now there hasn’t been legislation that focuses on IoT security.

    Some cybersecurity experts, like Robert Graham of Errata Security, have criticized the California legislation for being too vaguely worded, and for not doing more to stop firms from building insecure features into their devices.

    Supporters say that the potential threat of litigation will force manufacturers to focus more on security as they build their smart devices. “The [bill’s] language is deliberately very loose,” says Beau Woods, an Atlantic Council fellow specializing in information security, “but that’s to get companies to think about how they can make [products] secure by design.”


    There’s another good reason for not being overly prescriptive: things can change incredibly fast in cybersecurity, so what may seem like a reasonable defensive measure today could soon feel outdated.

    Still, the law could usefully have included a specific requirement that companies swiftly release patches for any security holes found in their products’ software. And it could have forced them to set up systems that make it easy for people to report flaws and be rewarded for doing so (see “Crowdsourcing the hunt for software bugs is a booming business—and a risky one”).

    The fact that it missed this opportunity doesn’t mean the draft legislation should be vetoed. If companies beef up their products’ security so they can keep selling them in California’s massive market, those changes will likely benefit other states too.

    California’s initiative could also spur action at the federal level, which is where the critical issue of IoT security really needs to be addressed.

    A couple of draft bills have already been floated in Congress, including one known as the IoT Cybersecurity Improvement Act of 2017 that would require companies doing business with the federal government to make sure their web-connected products use software that can be easily patched, don’t contain known security vulnerabilities, and have passwords that can be changed.

    The bills are languishing in committees. California’s legislative push could help breathe new life into them and generate bipartisan support for action.
