The Oregon state legislature isn’t waiting for Congress to act on growing concerns about the lack of security in web-connected household appliances, such as smart assistants, security cameras, and streaming television sets, a category of devices known as the “internet of things.”
This month, the Oregon House of Representatives passed a bill that would require internet of things devices to include “reasonable” security features. Oregon House Bill 2395, introduced at the request of Democratic state Attorney General Ellen Rosenblum, would require each device either to ship with a preprogrammed password unique to that unit, rather than a default shared across a product line, or to require new users to set up their own means of authentication before they can access the device. The bill awaits action in the state Senate.
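What those two options look like in a device's firmware is easiest to see in code. The following is an added illustration written for this article, not text from the bill or code from any manufacturer; the factory key, serial numbers, list of shared defaults and the HMAC-based derivation scheme are all assumptions made for the example. Option A gives every unit its own preprogrammed password; option B ships with no usable credential and refuses every login until the first user sets one.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed list of shared factory defaults. A password on this list is the
# "one default for the whole product line" pattern the unique-password rule ends.
SHARED_DEFAULTS = {"admin", "password", "1234", "12345", "123456", ""}

# Assumed factory key; in practice it lives in the manufacturer's provisioning HSM.
FACTORY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_unique_password(serial: str, factory_key: bytes = FACTORY_KEY) -> str:
    """Option A: a preprogrammed password that is unique to each device.

    Hypothetical scheme: HMAC the serial under a factory key. No two units
    share a credential and the factory keeps no per-device table.
    """
    mac = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    return mac[:10].hex()  # 20 hex chars, about 80 bits: hopeless to guess online


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Minimal credential store for a connected device.

    preprogrammed=None models option B: the device serves nothing until the
    first user has chosen a credential of their own.
    """

    def __init__(self, serial: str, preprogrammed: Optional[str]):
        self.serial = serial
        self._salt = secrets.token_bytes(16)
        self.setup_complete = preprogrammed is not None
        self._hash = (
            _hash_password(preprogrammed, self._salt) if preprogrammed is not None else None
        )

    def set_password(self, new_password: str) -> bool:
        """Reject shared defaults and trivially short secrets; rotate the salt."""
        if new_password in SHARED_DEFAULTS or len(new_password) < 8:
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(new_password, self._salt)
        self.setup_complete = True
        return True

    def login(self, password: str) -> bool:
        """Authenticate a remote user. Always fails until setup is complete."""
        if not self.setup_complete or self._hash is None:
            return False
        return hmac.compare_digest(self._hash, _hash_password(password, self._salt))


def fleet_passes(units: Dict[str, Optional[str]]) -> bool:
    """Check a production run: serial -> preprogrammed password (None = option B).

    Every unit must either force first-access setup or carry a password that is
    neither on the shared-defaults list nor reused by another unit.
    """
    seen = set()
    for _serial, pw in units.items():
        if pw is None:
            continue
        if pw in SHARED_DEFAULTS or pw in seen:
            return False
        seen.add(pw)
    return True


if __name__ == "__main__":
    # Constructed production run: two option-A units, one option-B unit.
    run = {s: derive_unique_password(s) for s in ("SN-0001", "SN-0002")}
    run["SN-0003"] = None
    print("compliant run:", fleet_passes(run))
    print("shared-default run:", fleet_passes({"SN-0004": "admin", "SN-0005": "admin"}))
    cam = Device("SN-0003", None)
    print("login before setup:", cam.login("anything"))
    print("set weak password:", cam.set_password("admin"))
    print("set real password:", cam.set_password("correct horse battery"))
    print("login after setup:", cam.login("correct horse battery"))
```

The fleet check is the part a manufacturer would actually run at the end of the line: it catches both a shared default and an accidental collision in per-device passwords before units ship.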
The bill was inspired by a California internet of things security bill that passed in 2018, said Kristina Edmunson, spokeswoman for Rosenblum.
Supporters hope the Oregon bill will “have a positive effect on manufacturers investing time and money into equipping internet-connected devices with more robust security,” Edmunson said. “Security by design is not only critical to consumer trust, security, and privacy, but also to national security.” She pointed to multiple examples in recent years of botnets using compromised internet of things devices to launch attacks.
The bill “motivates” internet of things device manufacturers to design more secure devices under the threat of civil liability under the Oregon Unlawful Trade Practices Act, Edmunson said. That state law allows victims of unlawful trade practices to recover actual and punitive damages.
Lawmakers in Congress introduced internet of things security legislation in 2017 and reintroduced it in March, but the Internet of Things Federal Cybersecurity Improvement Act has not yet moved forward. The federal legislation would cover only devices marketed and sold to government agencies.
The Oregon bill prompted a mixed reaction from cybersecurity experts. Some praised the state for taking action on a critical security issue while Congress fails to act. Ben Wald, vice president of solutions implementation at Very, an internet of things product design and development firm, called the California and Oregon bills a “step forward.”
“Any effort to improve cybersecurity is an effort in the right direction,” he said. “Given the rapid proliferation of smart devices connecting everything from fish tanks to doorbells, many consumers are increasing their cyber risk with substandard products. Legislation like the Oregon bill will help tame the Wild West of IoT devices.”
Other security experts insisted on federal legislation to fix internet of things security holes. A patchwork of state regulations could be “burdensome” to businesses, said Greg Sparrow, senior vice president and general manager at CompliancePoint, a risk mitigation and security consultancy. Multiple state laws don’t make sense “for a marketplace that is consuming goods from across the globe.”
“State efforts for regulations around data security and privacy are good for press and consultants like us, but bad for businesses,” Sparrow said, noting that federal legislation would make a level playing field for companies. “What is needed is a clear and concise federal standard for data security and privacy with a focus on defining consumer rights.”
Other experts questioned whether any legislation would have major effects.
“It’s good that state legislators care,” said Greg Scott, a cybersecurity professional and author. “But how does a state enforce standards on products made overseas and distributed all over the world?”
While some federal security standards for internet of things devices may make sense, they may be difficult to draft, given the variety of connected devices being sold, Scott added.
“Does a standard for, say, a thermostat, make sense for, say, a baby monitor?” Scott added. “If so, the law should specify only the standards, not how to meet them. And the standards need to be flexible enough that they don’t hamper innovation.”
The public needs to be educated about potential risks, Scott recommended. “While manufacturers carry a responsibility to build quality products, consumers also carry a responsibility to educate themselves and make smart choices,” he said. “The most powerful cybersecurity practitioners are the everyday people who buy and use these devices.”
A series of videos to educate consumers might be more effective than legislation, Scott suggested.
“We can’t legislate security,” he said. “But we can share knowledge.”
