This article is an excerpt from GovLoop’s recent guide, “7 State & Local Tech Trends to Watch.” Download the full guide here.
IoT is the network of physical devices that can connect, collect and exchange data. As IoT evolves, the number of web-connected devices grows. IoT tools that are improving quality of life include cars, thermostats and other sensor-enabled devices. These gadgets are boosting efficiency, driving data analytics and increasing economic growth.
IoT’s valuable connections also create new cybersecurity vulnerabilities. Alongside the benefits, each link in the chain presents an enticing target for cyberthreats. This reality is forcing agencies to reevaluate how they protect citizens’ data. Cybersecurity standards offer a new way of keeping IoT networks safe and sound.
California is leading the charge on regulating IoT cybersecurity. The state recently became America’s first with laws mandating basic security standards for IoT devices. Gov. Jerry Brown (D) signed two bills into law in September 2018 that may inspire similar legislation elsewhere.
“California is a huge marketplace,” said State Assemblywoman Jacqui Irwin, who represents the state’s 44th district. “Our requirements will often be put into products that are sold elsewhere. If the federal government wants to put together regulations for these devices, more power to them.”
Irwin crafted Assembly Bill 1906, while California State Sen. Hannah-Beth Jackson from the 19th district crafted Senate Bill 327. The bills will take effect Jan. 1, 2020, implementing privacy and security benchmarks for IoT devices. One guideline requires a “reasonable security feature or features” for all IoT devices and the data they collect, contain and transmit.
“We want to make sure people start thinking about security by design,” said Irwin, Chairwoman of the California State Assembly’s Select Committee on Cybersecurity. “We want to make sure that any private information is protected, but we wanted it to be flexible enough for innovation.”
IoT devices will meet California’s new rules by having a unique, preprogrammed password or requiring users to create a new “means of authentication” before granting initial access. Such features discourage hackers and prevent accidental data mishandling.
“It’s like having a burglar going around your neighborhood and the simplest thing you can do is have your front door locked,” Irwin said. “Ninety percent of the time, they’re going to go to the next house. Ten percent of the time they’re going to break the window. These basic security measures are going to prevent lots of hacking into devices as the players will move on to the next device that isn’t secured.”
The privacy and security concerns IoT raises are the issue. IoT networks handle vast amounts of data, making them ripe for exposing sensitive information about users. The connections enabling the networks, meanwhile, present vulnerabilities and targets for cyberthreats.
“You don’t want your IoT devices to turn into spy devices if you have a camera,” Irwin said. “We also saw from the Mirai botnet attack that lots of these IoT devices were taken over to down portions of the internet.”
A botnet is a series of devices that is compromised by a cybercriminal, who can then operate it remotely. Mirai affected scores of computers infected by malware — software intentionally created to harm computers, networks and servers — and used them without the machines’ owners knowing. Mirai’s code was released in September 2016, and the botnet continues to trouble cyber researchers and law enforcement today.
Mirai’s operators used the botnet to conduct distributed denial-of-service (DDoS) attacks aimed at overwhelming and interrupting the internet connections of the target devices. DDoS attacks use large numbers of unique IP addresses to disrupt machines or network resources connected to the internet.
KTUU reported in September 2018 that three men were each sentenced to five years’ probation, 2,500 hours of community service and $127,000 in restitution payments for their role in operating Mirai.
After Mirai, critics have argued that California’s standards are vague or don’t regulate IoT enough. Irwin countered that the legislation is a starting point for future discussions about the issue.
“Whether it goes far enough remains to be seen,” she said. “We want to see what manufacturers do and what problems they come up with.”
Irwin added that cooperation between the public and private sectors is crucial for creating the best IoT regulations.
“We understand that our government and our economy are largely driven by what’s going on in the tech industry,” she said. “It’s irresponsible for them not to be at the table.”