Californian State Law Change For Internet Connected Devices

In a bid to strengthen cyber security, California passed a state law requiring all manufacturers of internet connected devices to improve their security features.

By 2020, in order to sell their products in California, manufacturers will need to ensure that devices such as home routers have a unique pre-programed password or an enforced user authentication process as part of the set up. Default passwords such as ‘password’ or ‘default’ will be deemed weak and in breach of the state law. This could then open the manufacturer up for prosecution should the user become the victim of cyber crime because of weak security on the device.

This positive step will encourage the manufacture of products with greater cyber security that will roll out to wider global markets.

Internet of Things (IoT)-related cyber crime is well documented, with the Mirai and Owari botnets widely reported. In March 2018, DCMS (The Department of Digital, Culture, Media and Sport) and the NCSC published a report on Secure by Design, and called for industry, academic institutions and civil society to contribute to the proposed interventions. The report identifies two main risks associated with insecure IoT devices:

• consumer security, privacy and safety may be undermined by the vulnerability of individual devices; and
• the wider economy faces an increasing threat of large-scale cyber attacks launched from large volumes of insecure IoT devices.