EP 47: California’s IoT Security Law: Why It Matters


About this episode

February 18, 2020

Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Focal Law Group, discuss California’s new “Internet of Things” security law and its intersection with reasonable cybersecurity.


Episode Transcript

Kip Boyle: Hi everyone. Before we get started, Jake and I have a small request. You see, we're coming up on our 50th episode and that got us thinking about the next 50 episodes. And to do a great job with them, we need your help. So please go over to b.link/survey50, that's b.L-I-N-K/survey50, and tell us what you want to hear. Thank you. Okay, here's the next episode.

Speaker 2: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle, and your virtual cybersecurity counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Jake, despite the fact that I've got a cold and I sound horrible, we're going to talk about yet another California law that will go into effect in early 2020, by the time you hear this episode. And this time it's going to be about Internet of Things devices.

Jake Bernstein: That is great because I don't think we've really covered the so-called Internet of Things, IoT, on our podcast very much, have we?

Kip Boyle: Really just once. I feel like I'm having adolescence all over again. We did an episode called the cyber risks of autonomous vehicles, and that was back in March of 2019. And what we talked about was the case of a Jeep that was traveling at highway speeds that got hijacked by a cyber attacker, because why? It was an Internet of Things device and mayhem ensued.

Jake Bernstein: That's right. That's right. So let's go ahead and just define IoT again for our audience. And also by the way, perhaps by the time this airs, we'll have figured out how to fix things in post, as they say.

Kip Boyle: So what is an Internet of Thing? Well, the Internet of Things is just all the devices that connect to the internet. And generally what we mean by that is devices that are not already considered to be a computer, like a dedicated computer, standalone computer, smartphone or a tablet. So we're talking about internet protocol connected cameras, smartwatches, fitness trackers, doorbells, light bulbs, refrigerators, thermostats, you name it. If it can connect to the internet, it's a thing and it belongs on... And then it is part of the Internet of Things.

Jake Bernstein: Okay. So even most of our cars and trucks are online now. So they're also IoT devices, right?

Kip Boyle: Yeah. Even jet airliners and pieces of heavy equipment.

Jake Bernstein: Yeah. And I think robotic ships will also soon come online if they aren't already.

Kip Boyle: Yes. In fact, my understanding is that there are some trials already underway, where there could be like a car passenger ferry that travels a fixed route with very little deviation from their heading. And it's not going to be too distant in the future where today you might ride on a... At an airport, you might ride on a driverless train shuttle to get from one end of the airport to the next. And in the future, that might also happen when you board a ferry, boat or maybe a cargo ship.

Jake Bernstein: Wow. Yeah. So let's go the absolute other direction and look at another category of devices that also connect to the internet. And rather than being something we ride in, they actually ride around in us. They're implants.

Kip Boyle: Yeah, that's right. So medical devices, pacemakers, insulin pumps, electrodes that can help to regulate brain disorders, those are things that are attached to human bodies and many of them are able to be connected to the internet. By the way, in hospitals, you've got IV pumps and other medical equipment that does drug infusions, gamma knife surgery, you name it, it's being connected.

Jake Bernstein: Wow. So that's more than a little scary. Is it possible for a threat actor, for example, to hack my insulin pump or pacemaker?

Kip Boyle: Absolutely. And that's not just a theory, it's not just an idea. It's actually been done. And I think a former vice president was put on the defensive one time about that. Do you remember the story of that?

Jake Bernstein: It was Dick Cheney, I believe, who had a pacemaker. And I don't remember if anything actually ever happened, but I certainly remember hearing about his pacemaker being an IoT device, and that being a major security concern.

Kip Boyle: Yeah. As I recall, and listeners, correct us, it wasn't that it was internet connected per se, but it did have a wireless controller.

Jake Bernstein: A Wi-Fi [crosstalk].

Kip Boyle: A Bluetooth. Yeah, Wi-Fi, Bluetooth. It was like a short range, fairly short range, wireless connection so that the doctor could interrogate the device without having to physically interact with it. And there was some concern that if somebody could get into the same room as the vice president with a wireless device, that they could manipulate the pacemaker.

Jake Bernstein: So an interesting, and perhaps I would imagine theoretical argument is whether or not that type of pacemaker is part of the IoT. It's not on the internet, but it certainly can connect. I'm not sure that in the future [crosstalk] a difference.

Kip Boyle: Well, I think in the future, we are going to see them connected to the internet, because today you've got short range wireless, but I'm sure the medical establishment would love to be able to sit down on a console in a medical center and pull up like a list of all their patients with all the pacemakers and to do real-time tracking, right? I mean, what if the pacemaker detected something and alerted the hospital, and then the hospital saw that on a console? And then they reached out to the patient and said, "You need to come in right away because we're getting preliminary indications that you're about to have a medical event." So I can see the motivation to put them all on the internet.

Jake Bernstein: Well, and isn't that kind of what the Apple Watch has done for a lot of people? I mean, it literally does that. And though it hasn't yet connected people to doctors, it's obviously always online.

Kip Boyle: Well, and it's revealed secret bases, secret military bases. Because military-

Jake Bernstein: I didn't know that.

Kip Boyle: Yeah. Military members who went for like a jog around the perimeter at the base, their steps and their route are GPS measured and logged and uploaded into the cloud, where it can be revealed to the public. So military members in certain locations are no longer allowed to wear devices that can reveal that [inaudible].

Jake Bernstein: That is kind of amazing.

Kip Boyle: And deadly.

Jake Bernstein: Yeah, definitely a problem, for sure.

Kip Boyle: So we've absolutely established that there's this thing called the Internet of Things. And so now we need to regulate it. We need to govern it, right?

Jake Bernstein: Right. And of course, it was California that went ahead and did this first. In fact, the law, which was Senate Bill 327, and it was called the Security of Connected Devices, very creatively, was actually passed in September 2018, around the same time that the CCPA was passed. But-

Kip Boyle: I don't even remember hearing about it.

Jake Bernstein: I did hear about it at the time, but it was a very small component. And in any event, it will have gone into effect just recently on January 1st, 2020. It hasn't yet happened as of the time of recording, but as of the time of publication, it should be in effect. And the introductory text reads in part: "This bill, beginning on January 1st, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified."

Kip Boyle: It makes me breathless just listening to you read.

Jake Bernstein: Well, what does it sound like to you? It sounds a bit like reasonable cybersecurity, doesn't it?

Kip Boyle: Yeah. Well, yeah, they actually even say that term. And we've talked about reasonable cybersecurity before, but I'm simultaneously encouraged to see that term in use again, but I'm also now concerned that the term is becoming overloaded or overly broad. So what are you taking away from that?

Jake Bernstein: Well, so first, I look at... I'm curious about the scope of this law and I think we have to look at the definition of connected device. And it is defined pretty broadly, meaning any device or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address. So-

Kip Boyle: Interesting.

Jake Bernstein: I mean, I believe that that covers everything that connects to the internet, period. Not just things that we would consider IoT devices. You could argue it also includes your typical laptop, smartphone, everything else.

Kip Boyle: Yeah. I think that's right. Although that may not be what they had in their mind when they did this, but the Internet of Things does include all the stuff on the internet before refrigerators showed up.

Jake Bernstein: Yep. Yes it does.

Kip Boyle: Okay. So what are the specific rules that we have to follow? Or is this just another somewhat vague law that's using conceptual ideas like appropriate to the information, reasonable, things that just practitioners like me just roll our eyes at?

Jake Bernstein: Well. So yes, the core of the law is the appropriate and reasonable language, as you said. But in this case, there are actually two ways to automatically meet the standard. The first one is that each device manufactured received its own unique pre-programmed password, or the device requires a user to generate a new means of authentication before access is granted to the device for the first time. So if you think about that, basically every laptop, every smartphone and tablet meets number two, right? You have to generate a new means of authentication when you first use the device. And then for number one, even though this law was clearly on almost over a year of delay between being passed and going into effect, we've actually seen unique pre-programmed passwords come into use pretty broadly. I would say that these days it's rare to find particularly a router or some other kind of home Wi-Fi device that doesn't have a unique password pre-programmed in.

Kip Boyle: I think I understand the intent here, but I find myself wondering like, okay, so I pull out an Internet of Things device and it has a unique pre-programmed password, but it also has an administrator account with the user ID of administrator and a password of administrator. So I'm just thinking out loud here like, does that device pass muster?

Jake Bernstein: I would say that if it has a way to get in that does not meet that rule, then I don't think it would. I mean, it wouldn't be reasonable to have that admin-admin set of credentials in addition to something that makes sense.

Kip Boyle: Okay. All right. So that's helpful. I think this is going in the right direction. Okay. So now what I'm wondering is what if manufacturers don't adhere to this? So are they going to get penalized or can I, as a consumer, file a lawsuit against them?

Jake Bernstein: Well, so here's where this particular bill falls flat, not just in my opinion, but other commentators have said so as well. There is no private right of action. So nobody except the California attorney general and then California local prosecutors can actually enforce the law. The law also exempts any device already regulated under federal law, which in theory, is not a problem, but it depends on what kind of regulation it is. And then worst of all-

Kip Boyle: That would be a medical device, right?

Jake Bernstein: Could be, yes. And worst of all, there are no penalties for non-compliance anywhere to be found in the law.

Kip Boyle: Okay. So this sounds like a very toothless law. Would you say so?

Jake Bernstein: Not necessarily. I mean, clearly it's not as strong as it could be. Just because there are no penalties for non-compliance laid out in the statute, doesn't mean that the attorney general doesn't have ways of penalizing. That said, it doesn't look good. If you look at most types of laws like this, they at least put a fine or some kind of number in there. So my guess is that this law... In a lot of ways, 2018, in terms of cybersecurity regulation, is like the stone age. And I just don't know if this law makes sense as written, both kind of automatic ways to comply with the law seem okay. But I wouldn't go much further than okay. Even if we discount the lack of penalties and the no private cause of action, what do you think about how the legislature in California has defined two automatically reasonable ways of complying?

Kip Boyle: Okay. So my feeling is that while I would like to see penalties and a few more specifics, directionally, I like the way this is going. I mean, as a practitioner, I appreciate being given latitude to figure out how to get the job done, to understand the intent and then to be allowed to look at my specific circumstances, and then to figure out what works best in my situation. It's one of the reasons why the payment card industry data security standard kind of rubs me the wrong way a bit, is because they're so specific and so prescriptive that you can get cyber security silliness sometimes because it's just so literal that you just don't have any latitude at all.

So I think directionally, this is good. It's specific, but not too specific. My sense is that California is saying, "Okay, this is a step in the right direction, so let's take a step and then let's see what happens." I don't know. I wasn't part of how this particular sausage got made, but that's how I'm interpreting it. It's good, but there probably needs to be more, and then that more will come later.

Jake Bernstein: Yeah. And I think I largely agree with that. And the sausage making aspect of this cannot be ignored. These laws are passed as part of a very messy process. And you think about what a true mandate with penalties could do to emerging markets. And you see quickly how you may not want to necessarily come in super hard and fast right away. And so I think that California is... Well, they have a reputation for passing all kinds of laws, some of which are... Sometimes people think they're silly, other times not. I think this is a good law, or at least a good concept. I agree that its execution needs work. But most importantly, I completely agree with your thinking on the ability to let practitioners do their thing. And I think that cybersecurity is just like your typical Consumer Protection Act violation. It changes so fast and there's an infinite number of possibilities that you cannot realistically legislate specific methods. You'll just fail.

Kip Boyle: Yeah. And this gets back to my book [inaudible] it doesn't innovate, right? So cyber's a dynamic risk and you can't just say, "Okay, let's come up with the ultimate checklist that will never be changed. Let's come up with the ultimate law that will never need to be modified." I mean, that isn't going to happen. It's not realistic to find better ways. And I think it's really cool actually in a way that California is leading on a lot of this legislation, not just IoT devices, but also on privacy. Because if you think about, you've got Silicon Valley in California, right? So the designers of these IoT devices, maybe not the manufacturers, but the designers of these devices are in that state, many of them, most of them. And so I think it's appropriate that California should provide leadership on this.

Jake Bernstein: Yeah. I completely agree. I wouldn't be surprised if this spreads as well over to other places. So I think we'll just have to see where this goes.

Kip Boyle: But I have a question for you. So the law is, if I understand correctly, is enforceable by the California attorney general. Now you, dear sir, were an assistant attorney general for the state of Washington. If you still had that job, and if this law was a Washington state law, and you became aware of a manufacturer of a device that was not conforming to the law, how would you go about enforcing it, given that it doesn't contain specific enforcement guidelines?

Jake Bernstein: Well, first of all, if it was Washington, it would probably include... A violation of this law would be considered a violation of the Consumer Protection Act. And the Consumer Protection Act has built-in penalties. So at least there's guidance there. The same could be true of California, but essentially, I would enforce this law if I could, because I think it would be a relatively straightforward type of investigation. You would say, "Look, you have a device. It connects to the internet via a Wi-Fi or Bluetooth, and you didn't secure it in any fashion." I think right now there's so much low-hanging fruit on this type of thing that-

Kip Boyle: Easy pickings, my friend.

Jake Bernstein: Easy pickings. Exactly. So I wouldn't be surprised if the California attorney general takes this on more than a few times. They're a pretty big office. They have the resources. And quite honestly, these cases would be simple enough for the most part, that one assistant attorney general is going to be able to handle dozens.

Kip Boyle: Well, that wraps up this episode of the Cyber Risk Management Podcast. Today we talked about yet another California cybersecurity law that will go into effect in early 2020, and this time it concerns devices on the Internet of Things. We'll see you next time.

Speaker 2: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT, for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
Newman DuWors LLP

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.