Government Has Officially Entered the Cybersecurity Business


To Protect Yours, Look to ioXt—and Hit the (haX)Lab

Eight months ago, I wrote about the impending tide change that California law, State Bill 327, the first IoT-specific security law in the U.S., would bring. Now that January 1, 2020 is just around the corner, a big wave is coming into view. As it so happens, the California law is now joined by the similarly intended Oregon House Bill 2395. Both go into effect January 1, 2020.

The question for device makers is, what are you doing to make sure you comply on January 1, 2020, and all the days after?  

Because if you’re not in compliance with CA SB 327 and OR HB 2395, you can’t ship your product in California and Oregon come New Year’s Day. 

With California’s and Oregon’s unprecedented and explicit regulation of the IoT, we’re entering a new era, one where device makers are going to be held accountable for security failures that lead to hacking and data theft. State governments, Congress and federal agencies are all considering regulating the security of connected devices, and considering requiring manufacturers who sell IoT devices to the government to meet specific cybersecurity standards.

Government is now officially in the IoT security regulation business. What does that mean at the moment? Both the California and Oregon bills require that all IoT devices sold within their states be equipped with “reasonable security measures.”

While “reasonable” is vague and open to interpretation, CA SB 327 does specifically target weak default login credentials. It requires that each device have a unique preprogrammed password, or that the device require the user to create a new means of authentication before it can be used for the first time. The Bill also requires that device manufacturers take steps to ensure all devices can be automatically patched when security vulnerabilities are identified.
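To make the credential requirement concrete, here is an added illustration (not ioXt’s or any vendor’s code) of the two checks a manufacturer would build: a factory-manifest audit that flags any default password shared by more than one unit, and a device login state machine that refuses normal operation until the out-of-the-box credential has been replaced. The manifest, serial numbers and password policy are constructed assumptions.

```python
"""Model of the no-universal-default-password rule: audit a factory manifest
for shared defaults, and force a new credential on first access.
Added illustration; manifest values below are constructed sample data."""
import hashlib
import hmac
import secrets
from collections import Counter
from dataclasses import dataclass

# Constructed manifest: serial -> preprogrammed credential.
# Two units deliberately share "admin1234" so the audit has something to flag.
MANIFEST = {
    "SN-0001": "admin1234",
    "SN-0002": "admin1234",
    "SN-0003": secrets.token_urlsafe(12),
    "SN-0004": secrets.token_urlsafe(12),
}

def find_shared_defaults(manifest):
    """Return default credentials used by more than one unit (a 'universal password')."""
    counts = Counter(manifest.values())
    return sorted(c for c, n in counts.items() if n > 1)

def _hash(cred, salt):
    # Salted, iterated hash so the stored value is not the credential itself.
    return hashlib.pbkdf2_hmac("sha256", cred.encode(), salt, 100_000)

@dataclass
class Device:
    serial: str
    salt: bytes
    cred_hash: bytes
    must_set_new_credential: bool = True  # fresh, out-of-the-box state

    @classmethod
    def from_factory(cls, serial, manifest):
        salt = secrets.token_bytes(16)
        return cls(serial, salt, _hash(manifest[serial], salt))

    def login(self, cred):
        """The factory credential only unlocks the credential-change step."""
        if not hmac.compare_digest(_hash(cred, self.salt), self.cred_hash):
            return "denied"
        return "must-set-new-credential" if self.must_set_new_credential else "ok"

    def set_new_credential(self, old_cred, new_cred):
        """First-access step: replace the preprogrammed credential (assumed policy: min 8 chars, must differ)."""
        if self.login(old_cred) == "denied" or new_cred == old_cred or len(new_cred) < 8:
            return False
        self.cred_hash = _hash(new_cred, self.salt)
        self.must_set_new_credential = False
        return True
```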

Some believe the law’s ambiguity is intentional and that its author, State Senator Hannah-Beth Jackson, wants to empower industry to determine the details. Jackson testified in 2018 before the Assembly Appropriations Committee that CA SB 327 “gives industry wide latitude in determining what precise security measures are needed for each particular device” in light of the “ever-changing landscape of cybersecurity.”  

Which brings us to ioXt. 

The ioXt Alliance, which is composed of manufacturers, network operators, retailers, and government organizations, is the textbook definition of what Jackson recommends. The Alliance was born of a desire for industry to lead efforts to protect the Internet of Things. Its purpose is to give retailers and consumers peace of mind about device security. Today, ioXt is the global standard for IoT security and preeminent IoT security alliance. 

At the heart of the Alliance is the ioXt Security Pledge, eight security principles for consumer product design and manufacturing that help bring security, upgradability and transparency to the market and directly into the hands of consumers. Of the eight principles that make up the pledge, the first ties directly into what the California and Oregon security laws mandate: a product shall not have a universal password; instead, unique security credentials will be required to operate a fresh, out-of-the-box device. The ioXt Certification Program incorporates this principle and the remaining seven in defining a common method to assess and rate the overall security of tested products.

For companies that want to aggressively search for and fix security vulnerabilities, there’s ioXt haXlab. With haXlab, manufacturers get a virtual machine and a full penetration-testing environment that helps them bring their products into compliance and repair any product weaknesses before attackers even have a shot.

For manufacturers, haXlab solves three critical issues: 

  • It solves the problem of “What is reasonable security?” Placing a device in haXlab removes the confusion and helps manufacturers meet their obligation to make reasonable security efforts.

  • It provides a safe way to uncover and fix vulnerabilities. With haXlab, manufacturers have a way to expose vulnerabilities in a controlled environment, as well as a managed vulnerability disclosure program (VDP) to track reported vulnerabilities and their remediation.

  • It allows device makers to continuously test and improve IoT security. haXlab gives the IoT device manufacturer a way to keep testing and improving the security of its devices over time, relieving some of the burden of ensuring device security.

In short, ioXt’s haXlab provides a clear and present solution to today’s cybersecurity requirement and an ever-unfolding map through the evolving “landscape of cybersecurity.”

Conclusion

California SB 327 and Oregon House Bill 2395 are just the start of government IoT security regulation. They’re definitely about to make a splash in the IoT device market, as they require manufacturers to assume responsibility for at least minimum security features in their devices.

But device manufacturers need a compliance plan and a way to execute it. Further, they need a means to stay ahead of the curve—to be informed about evolving industry best practices and what will be expected of them in the future, regardless of where they sell their products.

Fortunately, through its Alliance, Pledge and haXlab, ioXt is equipped and dedicated to provide clarity, guidance, and certification programs that enable manufacturers to comply with whatever security laws the states may throw at them—and then some.