The two states are moving more quickly than the U.S. in demanding tighter security for smart devices
How well smart devices protect our information is front of mind for lawmakers, who are worried enough about the details sent back and forth, and how they're protected, to start pushing for laws that demand more security for consumers.
Sen. Mark Warner (D-VA) co-sponsored a bill on this front back in 2017. It failed. But that bill, now called the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, is back in play.
The state of California has beaten them to it, passing a similar bill, SB 327, which was signed into law in September 2018 and goes into effect on January 1, 2020.
Oregon is also moving swiftly with House Bill 2395, which passed its House of Representatives on April 16 and now moves to its Senate. These state laws may seem less important than a federal bill, but they have their place too, believes Sivan Rauscher, CEO and co-founder of Sam Seamless Network, a cybersecurity tech platform that works in the home to protect devices at the router level.
"State bills are crucial on a national level as manufacturers lack an understanding of cyber security and need more than laws - they need guidance to make their products safer," said Rauscher by email. "The IoT legislation helps push awareness that we need to solve the security problem - getting manufacturers to write secure code, helping users understand the dangers involved and ensuring the telcos/service providers can protect the end-users."
How important is the security of smart devices? If recent data leaks are any indication, it appears very important, certainly to lawmakers. There were more than two billion data records stolen around the world in 2018 alone, reports CB Insights, a research firm.
Credit card companies may give people a pass on the charges made to their accounts from stolen numbers or even hackers. But consumers are saying they want more protection around their other details: passwords, emails and passport numbers, just some of the personal data companies lost control over in 2019 alone.
To people in the U.S., companies don't seem to be able to get a handle on protecting their information. That's why 67 percent want the government to step in on their behalf, according to a survey from data analytics firm SAS in December 2018. At that time, consumers were already taking matters into their own hands, with 77 percent changing their privacy settings, 56 percent deleting apps on their mobile devices, and 65 percent declining those lengthy terms of agreement.
State by state
The Oregon bill requires that each device sold have its own unique password. That's critical to avoiding brute force attacks, where a hacker uses a basic password to crack into multiple devices. The reason that can happen so easily is that companies typically ship smart products, whether a smart light bulb or a router, with the same password, such as "password," so consumers can launch them easily.
The expectation is that people will then change their password, but they often do not. That makes it simple for a hacker to use "password" to break into not just one device but thousands, as long as people haven't changed the code.
In California, the law would require manufacturers to add a "reasonable security feature or features" to connected devices sold or offered for sale in the state. Also, like Oregon's law, California demands that each "preprogrammed password is unique to each device manufactured."
Oregon's law also requires that manufacturers selling products in the state be in "compliance with requirements of federal law or federal regulations that apply to security measures for connected devices," reads the bill.
In other words: If the federal government adds even stricter rules — companies need to follow those too.
The federal law would create cybersecurity requirements around IoT devices by March 31, 2020. A request to speak with someone from Sen. Warner was not returned. But the bill appears to state that vendors would have to make sure "their devices does not contain any known security vulnerabilities, uses industry standard technology, and doesn't have any fixed credentials."
Would that be enough to lock down and protect everyone from data breaches and potential hacks? Unlikely. But federal guidelines, along with state ones, on smart devices and their security bring a level of basic protection, one that today isn't even there.
"The IoT legislation's that are currently being considered are to create a standard for IoT devices with security in mind," said Sam Seamless Network's Rauscher. "The idea is to set security standards as a minimum. Even if they can enforce the laws, I think the legislation alone will not be enough as laws alone won't be able to completely prevent cyber security attacks but it's definitely a step in the right direction."