California IoT law may be reasonable, but what’s “reasonable” security?

Can California's new law that defines the necessity of "reasonable" security for IoT stand up to scrutiny once it's wielded in anger?
9 October 2018

Jerry Brown speaks during an event at the National Press Club April 2018. Source: Alex Wong/Getty Images/AFP

California has enacted the US’s first cybersecurity law specific to the internet of things. However, the law’s wording brings to light several of the issues which make legislating for IoT and cybersecurity in general highly problematic.

The law signed by California Gov Jerry Brown recently will go into effect on January 1, 2020. It requires that any manufacturer of a “connected device” will have to implement “reasonable security” features.

A connected device is “any device, or other physical object, that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address.”

The definition of “reasonable security features” for IoT devices is ensconced in the legislation as “(1) Appropriate to the nature and function of the device; (2) Appropriate to the information it may collect, contain, or transmit; and (3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”

What is highly problematic is a lack of concrete definition of what “reasonable” security measures may be, and whether they may be “appropriate” to the device and the type of information collected.

The best definition to be found of a reasonable measure is “a means of authentication outside a local network,” that being either a unique password assigned by the manufacturer to each device or a requirement (built into firmware, we assume) that users establish a new password or authentication method before first use.
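To make the two options concrete, here is an added illustration (not code from the article or from any manufacturer or from the statute) of a device credential model that satisfies both: the manufacturer assigns a per-unit random factory password, and until the owner replaces it the device refuses any login that does not originate on the local network. The device class, the RFC 1918 ranges used to define “local network,” the minimum password length and the list of shared default passwords are all assumptions chosen for the example.

```python
"""Model of the two authentication options named by the California IoT law:
(a) a manufacturer-assigned password unique to each unit, and
(b) a forced credential change before the device accepts remote logins.
Added example; the Device class, address ranges and sample values are
constructed for illustration and are not taken from the statute."""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

# Assumption: private and link-local ranges count as "the local network".
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed list of widely shared factory defaults that must never be accepted.
SHARED_DEFAULTS = {"admin", "password", "12345", "1234", "default"}
MIN_PASSWORD_LEN = 12  # assumed policy value


def is_local(addr: str) -> bool:
    """True if the connection source lies inside one of LOCAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def hash_password(pw: str, salt: bytes) -> bytes:
    """Slow, salted hash so a dumped firmware image does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Device:
    serial: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    factory_default: bool = True  # stays True until the owner sets a credential

    @classmethod
    def provision(cls, serial: str) -> tuple[Device, str]:
        """Option (a): factory line assigns a random password unique to this unit.
        The plaintext is returned once so it can be printed on the device label."""
        pw = secrets.token_urlsafe(12)
        dev = cls(serial)
        dev.pw_hash = hash_password(pw, dev.salt)
        return dev, pw

    def set_password(self, new_pw: str) -> bool:
        """Owner replaces the factory credential; weak or shared values are refused."""
        if len(new_pw) < MIN_PASSWORD_LEN or new_pw.lower() in SHARED_DEFAULTS:
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(new_pw, self.salt)
        self.factory_default = False
        return True

    def authenticate(self, pw: str, src_addr: str) -> str:
        """Option (b): while the factory credential is still in place, only the
        local network may log in, so an unchanged default is never reachable
        from the internet. Returns a short status string."""
        if self.factory_default and not is_local(src_addr):
            return "denied: set a new password from the local network first"
        if not hmac.compare_digest(hash_password(pw, self.salt), self.pw_hash):
            return "denied: bad credential"
        return "ok"


def walkthrough() -> list[str]:
    """Constructed scenario: remote login blocked until the owner sets a password."""
    dev, factory_pw = Device.provision("SN-0001")
    steps = [
        dev.authenticate(factory_pw, "203.0.113.5"),    # from the internet
        dev.authenticate(factory_pw, "192.168.1.10"),   # from the LAN
        str(dev.set_password("admin")),                 # shared default: refused
        str(dev.set_password("correct-horse-battery")), # accepted
        dev.authenticate("correct-horse-battery", "203.0.113.5"),
        dev.authenticate(factory_pw, "203.0.113.5"),    # old factory value no longer works
    ]
    return steps


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

The point of the source-address check is that a unique factory password alone does not help if it is printed on a label and the owner never changes it; refusing non-local logins while `factory_default` is set closes that window without requiring the owner to act before local setup.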

There is, therefore, a level of ambiguity in the legislation which screams potential lawsuits against IoT manufacturers (or, arguably, any maker of edge connection hardware) whose devices are compromised and who can then be held accountable as a cause of damage to users or owners.

With this in mind, the enforcement mechanism for the new law means that the only prosecuting bodies permitted are the California attorney general and local government attorneys, who have “exclusive authority” to enforce it. This removes the possibility of class actions taken by private individuals.

Having said that, California (the world’s eighth largest economy) comprises hundreds, if not thousands, of cities, counties, and judicial districts. As such, any manufacturer of IoT devices may well find themselves in the firing line of legal action taken by a local government on behalf of itself or affected citizens.

The Californian legislation is broadly in line with current national federal regulatory policy on networked technology, unlike its recent law ensuring net neutrality.

While there are several industry-led certification programs which can be applied to IoT devices’ security standards and protocols, no such program is designed to identify every potential security flaw in every product design or its software, or in the way its code executes, and to expect otherwise is foolishness.

It may well be that the California definition of “reasonable” will eventually gravitate towards a commercial program or definition, such as one of NIST’s initiatives; the body already has several programs specifically regarding IoT security.