
Administrative/Regulatory,
Government

Aug. 15, 2017


Anita Taff-Rice

Founder
iCommLaw

Technology and telecommunications

1547 Palos Verdes Mall # 298
Walnut Creek , CA 94597-2228

Phone: (415) 699-7885

Email: anita@icommlaw.com

iCommLaw(r) is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.


Protection from teddy bears and toasters
Sen. Mark Warner (D-Va.) speaks to reporters on Capitol Hill in Washington, July 18. (New York Times News Service)

CYBERSLEUTH

As many politicians have learned over the decades to their regret, one should assume that all microphones are turned on and all walls have ears. By the year 2020, almost everything will have ears. Experts predict there will be 20 billion internet-connected devices, ranging from children’s toys to kitchen appliances to televisions, computers, phones and cars that may be capable of monitoring communications or collecting data on the geographic location, purchasing habits and internet searches of consumers. Case in point — the Washington Post reported earlier this year that the German government told parents to destroy a Bluetooth-capable doll called “My Friend Cayla” when it was discovered that the doll collects everything it hears via an internal microphone, and was transmitting those conversations to a voice recognition company in the United States.

Because such consumer devices have not traditionally been capable of communicating electronically, little focus has been placed on making them less vulnerable to hacking or the possibility of them surreptitiously recording or monitoring conversations. Such devices have been found to have serious security flaws; they are often shipped with default passwords that are hard-coded and thus can’t be changed easily, and software or firmware that cannot be updated or patched when security threats are discovered. Further, there is an almost complete absence of rules governing the manner in which data on the users’ personal habits are collected, used or disclosed.

Given the hostility to privacy issues shown by President Donald Trump and Ajit Pai, Trump’s choice to chair the Federal Communications Commission, federal and state lawmakers will need to step up to fill the void. Earlier this month, in a rare display of bipartisanship, U.S. Senate Cybersecurity Caucus co-chairs Mark Warner (D-Va.) and Cory Gardner (R-Colo.) introduced a bill dubbed the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 that would require companies supplying internet-connected devices purchased by the U.S. government to certify in writing that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities.

Warner and Gardner’s clever approach should be applauded. Rather than having non-technical lawmakers spend hundreds of hours attempting to craft regulations that are full of holes and out-of-date almost before they become law, these senators are betting that suppliers will do the heavy lifting to improve security in exchange for the opportunity to sell their products to the federal government, an enormous purchaser of goods. Although this bill would apply only to connected products purchased by the federal government, federal procurement standards often influence state procurement officials and can help establish minimum requirements for commercial purchasers as well. Chief technology officers and their general counsels may reasonably view federal procurement standards as an informal means to meet the “reasonable man” standard applied for many torts. Using only devices that comply with a federal procurement standard should help companies defend against litigation over a cyberattack.

The bill also takes other commonsense steps to improve cybersecurity, not through top-down regulations that prompt howls of protest from anti-government critics, but by focusing on improving business practices. For example, the bill would require each executive agency to inventory all internet-connected devices in use by the agency. Any cybersecurity expert will tell you that the bedrock of responding to an ongoing cyberattack, and of preventing repeat attacks in the future, is knowing which devices in the organization may have provided the entryway that cyber criminals exploited. The bill would also provide an exemption for so-called white hat hackers — hackers who test computer systems for vulnerabilities — from being found in violation of the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act.

The bill has endorsements from the Atlantic Council, the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society, the Center for Democracy and Technology, Mozilla, Cloudflare, Neustar, the Niskanen Center, Symantec, TechFreedom and VMware.

California lawmakers should follow the lead of Sens. Warner and Gardner and enact similar commonsense requirements to secure the internet-connected devices used by state government agencies. As discussed previously in this column, Gov. Jerry Brown earmarked a paltry 9.9 million to fund cybersecurity for the entire state, ignoring requests from agencies including the court system for more money to improve security measures in their computer networks and systems. Security funding in future years may be no better, so lawmakers should require companies that want to sell their products to California state agencies to ensure their internet-connected products are secure.

California has eight pieces of pending legislation currently, but it appears that most of them would do little to create a quick, effective response to cyber threats. As an example, Assembly Bill 276 would request the California college system to complete a report that evaluates the state of cybersecurity education and training programs, and to determine the extent to which the state is meeting the workforce needs of the cybersecurity industry. Assembly Bill 364 would require the governor’s Office of Business and Economic Development to complete a study to evaluate the economic impact of California’s cybersecurity industry. Ho hum.

Assembly Bill 650 could result in somewhat more useful technical steps by requiring the state’s director of technology to develop baseline security controls for the state based on emerging industry and National Institute of Standards and Technology standards. Assembly Bill 1306 would require the California Cybersecurity Integration Center within the Office of Emergency Services to develop a cybersecurity strategy for California in coordination with the Cybersecurity Task Force. Interesting, but the time for planning to make a plan is long past.

The most promising pending legislation was Senate Bill 327 sponsored by Sen. Hannah-Beth Jackson (D.-Santa Barbara). The bill would require a manufacturer that sells or offers to sell any device, sensor or other physical object that is capable of connecting to the internet to equip the device with certain security features that protect it from unauthorized access, destruction, use, modification or disclosure, and to design the device to indicate when it is collecting information and to obtain consumer consent before it collects or transmits information. Jackson ordered the bill be moved to inactive status in June.
