The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: California's Internet of Things cybersecurity bill could lay groundwork for federal action

with Bastien Inzaurralde


California is once again poised to take the lead on important new technology policy.

A bill to set cybersecurity standards for Web-connected devices — from thermostats to webcams to cars — is awaiting Gov. Jerry Brown’s (D) signature after cruising through the state legislature late last month. If Brown signs it, California would become the first state to pass legislation to govern security of the Internet of Things, which experts say is crucial as these products proliferate and malicious hackers find new ways to exploit them.

Yet cybersecurity researchers are split on the bill, and some argue it fails to address the core issues that make connected devices vulnerable to hacks. But it could lay the groundwork for stronger IoT cybersecurity legislation at both the state and federal level. California’s bill, if signed by Brown, could rekindle the national discussion in a similar way to how landmark privacy law the state recently approved helped spur high-level talks between the Commerce Department and tech giants about federal privacy regulations.

“A California law that manufacturers have to adhere to in California is going to help everybody,” said Bruce Schneier, a security technologist at the Harvard Kennedy School and author of a new book on IoT security. “Of course it probably doesn’t go far enough — but that’s no reason not to pass it. It’s a reason to keep going after you pass it.”

Policymakers grew more concerned about vulnerabilities in IoT devices after the massive Mirai botnet attack in 2016 highlighted just how poorly secured many such devices are. In that incident, hackers exploited weaknesses in webcams and other connected devices and used them to launch cyberattacks that took down Netflix, Spotify and other major websites for hours.

The California bill, SB-327, seeks to address some of those flaws, setting baseline cybersecurity standards for IoT devices where none exist. It requires manufacturers to equip connected devices with “a reasonable security feature or features” designed to prevent bad actors from accessing them, though it doesn’t define exactly what those features should be. It also mandates that connected devices come with unique passwords that users can change, which isn’t the case for many IoT products.

There’s legislation on the table in Congress that would go further. The Internet of Things Cybersecurity Improvement Act, introduced by Sens. Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.), would use the federal government’s buying power to boost IoT security. Under the bill, any companies that do business with the federal government would have to ensure that their connected devices are patchable, come with passwords that can be changed, and are otherwise free of known security vulnerabilities. Another bill, the Securing IoT Act, would require the Federal Communications Commission to create cybersecurity standards for certifying wireless equipment.

Those efforts and others have so far failed to gain traction, despite bipartisan agreement that some sort of federal standards may be necessary.

Still, some experts said the California bill's broad language was too vague to be effective, and offered an example of how not to approach IoT security. Well-intended as it might be, the bill “would do little improve security, while doing a lot to impose costs and harm innovation,” according to security researcher Robert Graham.

“It’s based on the misconception of adding security features,” he wrote in a widely circulated post on the cybersecurity blog Errata Security.

“The point is not to add ‘security features’ but to remove ‘insecure features,' " he wrote. “Adding features is typical ‘magic pill’ or ‘silver bullet’ thinking that we spend much of our time in infosec fighting against.”

As it stands, the bill would only protect against “the most basic automated threats,” according to Ruth Artzi, Senior Product Marketing Manager at the cybersecurity firm VDOO. “The requirement for an ‘appropriate’ security procedure, depending on the device nature and function, is too ambiguous with no real mechanism to verify that the vendor took the appropriate steps,” Artzi told the security site Threatpost. “There should be clear standards per the device’s components that a manufacturer will be able to follow and a way to validate that the manufacturer designed to those standards.”


PINGED: Georgia is at the center of a legal battle on whether the state should stop using direct-recording electronic voting machines and switch to paper ballots., The Washington Post's Ellen Nakashima reported. “On one side are activists who have sued the state to switch to paper ballots in the November midterm elections to guard against the potential threat of Russian hacking or other foreign interference,” Ellen wrote. “On the other is Secretary of State Brian Kemp, who has declared the electronic system secure and contends that moving to paper ballots with less than two months to Election Day will spawn chaos and could undermine confidence among Georgia’s 6.8 million voters.”

In a hearing last week before U.S. District Judge Amy Totenberg, Michael Barnes, director of Kennesaw State University’s Center for Election Systems, testified that the server hosting data that counties use to build ballots is air-gapped, Ellen reported. “But he acknowledged that he uses a thumb drive to transfer ballot proofs from the server to his desktop computer, which he uses for email,” my colleague wrote. “From there, he moves the data to a Dropbox-like site, where counties can retrieve the ballot data. ‘So he’s connected a supposedly air-gapped system to the Internet in at least two ways,’ Richard DeMillo, a Georgia Tech computer scientist who also testified Wednesday, said in an interview after the hearing.”

PATCHED: Former Green Party presidential candidate Jill Stein intends to take a look inside voting machines in Wisconsin, and election equipment vendors aren't thrilled. “Two corporations that supply most of the voting machines in Wisconsin, Election Systems & Software of Omaha, Nebraska; and Dominion Voting Systems of Denver, are suing the state Elections Commission and the Stein campaign in Dane County Circuit Court in Madison over the Stein campaign’s plans to evaluate the source code,” Grigor Atanesian of the Wisconsin Center for Investigative Journalism reported.

Stein paid for the 2016 presidential election recount in Wisconsin and state law allows her to examine the source code. “The voting machine companies are seeking to block the Elections Commission and the Stein campaign from publicizing ‘in any media or public forum whatsoever any information or materials or any opinions, conclusions, or comments concerning the review,’” Atanesian wrote.

The Wisconsin Center for Investigative Journalism also examined potential vulnerabilities in the state's election system even though Wisconsin uses a paper trail. “Top cybersecurity experts from the United States, Canada and Russia interviewed by the Center said that some practices and hardware components could make voting in Wisconsin open to a few types of malicious attacks, and that Russian actors have a record of these specific actions,” Atanesian reported.

PWNED: “Malicious attackers have recently tried to gain access to students' financial aid refunds at multiple colleges in a scheme that involves sending fraudulent emails to students, according to a warning issued by the Education Department,” The Post's Susan Svrluga reported Saturday. ”The target is federal student aid refunds, money distributed to students after tuition and other education costs are paid. The U.S. Education Department’s Office of Federal Student Aid received multiple reports from colleges and universities about the phishing campaign targeting student email accounts, a department spokesman said.”


— In an upcoming book titled “Identity Crisis,” three political scientists express doubts that Russian interference determined Donald Trump's victory over Hillary Clinton in the 2016 presidential election, The Post's Dan Balz reported on Saturday. Citizens, especially white Americans, voted based on identity issues such as race, religion, gender and ethnicity rather than economics, according to John Sides of George Washington University, Michael Tesler of the University of California at Irvine and Lynn Vavreck of the University of California at Los Angeles.

“The release of hacked emails in July and October 2016 ‘did not clearly affect’ Clinton’s favorable ratings nor perceptions of her honesty, they write,” Dan reported. “They also say that, given the billions of tweets and social media postings during the campaign, Russian content was probably only an infinitesimal share of the total. Claims that the Russians turned the election should be greeted ‘with something between agnosticism and skepticism — and probably leaning toward skepticism,’ they say.”

— “Attorneys for Kaspersky Lab faced tough questioning Friday from a three-judge federal appeals court panel in what could mark the Russian anti-virus company’s last chance to make a public case against a U.S. governmentwide ban,” Nextgov's Joseph Marks reported. “That December 2017 congressional ban came after months of alarms across government that Kaspersky software might be used as a spying tool for the Russian government or that the company might be compelled to collect and turn over U.S. government information under Russian law.”

Judges on the U.S. Court of Appeals for the District of Columbia appeared unconvinced by a Kaspersky attorney's argument that the congressional ban specifically and unfairly targets the company, Nextgov reported. “Judge David Tatel suggested Congress’ goal in passing the Kaspersky ban was ‘attempting to protect the security of U.S. computer systems,’ rather than punishing the company,” Marks wrote. The Kaspersky ban is scheduled to go into effect on Oct. 1.


Apple Has Started Paying Hackers for iPhone Exploits (Motherboard)


— “At least nine out of every 10 cyberattacks start with an email, according to the threat intelligence firm FireEye,” Fifth Domain's Justin Lynch reported. “In a September report, the company said that ‘a single malicious email can cause significant brand damage and financial losses.’ The report is based on 500 million emails that were sent between January and June 2018.”


— “Dutch authorities arrested and expelled two suspected Russian spies months ago for allegedly trying to hack a Swiss laboratory that conducts chemical weapons tests, Switzerland’s government confirmed Friday as it summoned the Russian ambassador to protest an ‘attempted attack,’” the Associated Press's Jamey Keaten reported. “Moscow quickly rejected the accusation, the latest Western claim about Russian spying and other acts of interference. This time, the alleged target was the Spiez Laboratory, which analyzed samples from the March poisoning of former Russian spy Sergei Skripal and his daughter in England.”

The AP reported that Swiss authorities had opened a broader investigation into “political espionage” in March 2017. “Switzerland’s Foreign Ministry said it summoned Russia’s ambassador to ‘protest against this attempted attack’ and demanded that Russia ‘immediately’ end its spying activities on Swiss soil,” Keaten wrote.

Then, on Saturday, Switzerland's Office of the Attorney General said prosecutors were also probing whether the two suspected Russian agents sought to hack the World Anti-Doping Agency as part of the investigation into political espionage, Reuters's John Revill reported. “Swiss media on Saturday said the WADA offices and International Olympic Committee in Lausanne had both been targeted,” Revill wrote. “Both organizations in recent years have been investigating widespread doping of Russian athletes, which has led to dozens of competitors being banned and the country being barred from international events.”

— More cybersecurity news from abroad:

In the Balkans, Russia and the West Fight a Disinformation-Age Battle (The New York Times)



Coming soon


North Carolina residents assess their flooded homes:

Residents in Lumberton N.C., find their neighborhoods flooded and their homes hard to reach. (Video: Jorge Ribas, Ashleigh Joplin/The Washington Post)

FEMA administrator casts doubt on Puerto Rico hurricane death toll:

FEMA Administrator William “Brock” Long on Sept. 16 echoed President Trump’s remarks about how many Puerto Ricans died from Hurricane Maria, saying figures are (Video: JM Rieger/The Washington Post)

TV reporters tell viewers what wind and rain feel like:

Television reporters stood in the middle of Hurricane Florence to keep viewers informed about wind, rain and flying debris. (Video: JM Rieger/The Washington Post)