The law sets a cybersecurity standard for Silicon Valley's IoT manufacturers starting in 2020.
California Gov. Jerry Brown on Friday signed a bill regulating the cybersecurity standards of internet-connected devices, setting up the state to have the country's toughest standards for the so-called “internet of things.”
The bill, SB 327, will require a level of “reasonable security” on IoT devices, which are defined as anything capable of connecting to the internet with a Bluetooth connection or internet protocol. Starting on Jan. 1, 2020, those devices will be required to come preloaded with unique pre-programmed passwords or newly generated passwords before they can be accessed for the first time.
Cybersecurity experts frequently cite IoT devices as easy targets for hackers. A report published in August by IBM Security and Threatcare found that many users of internet-connected devices that control public infrastructure systems do not change factory-default passwords, many of which can be found online with relative ease.
The new law has its critics, though. It’s not clear how businesses will comply with the state law, Francis Dinha, CEO and co-founder of the software company OpenVPN, told StateScoop. Dinha said that many device manufacturers will still lack the knowledge to enforce California's new standards. More specific requirements — two-factor authentication or use of a virtual private network — would also help, but wouldn’t solve the root problem of educating users, he said.
But Dinha said SB 327 is better than the federal Smart IoT Act and DIGIT Act — two bills currently under consideration in Congress that would mandate a study and report of IoT devices, but include no regulatory impact.