The first major piece of cybersecurity legislation to address vulnerabilities in Internet of Things (IoT) devices has passed in California, and is ready to be signed into law by Governor Jerry Brown.
First introduced in 2017 by State Senator Hannah-Beth Jackson, SB-327 calls for “a manufacturer of a connected device… to equip [it] with a reasonable security feature or features that are appropriate to the nature and function of the device… to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
While the bill represents a milestone in creating a legal basis for security standards, not every security expert likes it. Among the most vocal critics has been Errata Security’s Robert Graham, who blogged about it, saying it’s a “bad bill based on a superficial understanding of cybersecurity/hacking that will do little [to] improve security, while doing a lot to impose costs and harm innovation.” in a released last week.
Graham went on to say “the point is not to add ‘security features’ but to remove ‘insecure features’… arbitrary features like firewall and anti-virus add to these products [that] just increase the attack surface making things worse.”
The law has also been criticized for being too vague.
“The law should be defined in a more specific manner, as the requirement for an ‘appropriate’ security procedure, depending on the device nature and function, is too ambiguous with no real mechanism to verify that the vendor took the appropriate steps. There should be clear standards per the device’s components that a manufacturer will be able to follow and a way to validate that the manufacturer designed to those standards,” wrote VDOO Senior Product Marketing Manager Ruth Artzi in an email to Threatpost.
Proponents of the bill acknowledge its imperfections, but view it as a good start. “[I]t probably doesn’t go far enough — but that’s no reason not to pass it. It’s a reason to keep going after you pass it,” said author and security technologist Bruce Schneier to the Washington Post.
California has recently taken a more proactive stance in filling the legal gaps in technology-related issues, including its recent passage of the country’s first major Consumer Privacy Act. Since neither SB-327 nor the Consumer Privacy Act would take effect until 2020, their overall impact on the tech industry and consumers remains to be seen.
