Wednesday, February 26, 2020

Testifying in Annapolis in the Senate and then the House about IoT Security

Last week I testified at a hearing in Annapolis in the state senate finance committee on SB 443 Consumer Protection - Security Features for Connected Devices. Today, I testified in the state House of Delegates in the Economics Matters Committee on the house version of the bill, HB 888. The two bills are identical, and my written testimony is here.

The bill is very simple. It requires that a connected device (an IoT device) either ship with a unique, per-device key or password, or force the owner to change the password at first use. The idea is that there would no longer be a single default password shared by every unit of a particular model of IoT device. In general, I think that this is a very good idea. Personally, I would like to see the bill go further. There could be some guidelines for strong passwords and other security features, such as delays after a certain number of incorrect password attempts. But I'm thrilled to see that Maryland is following in California's footsteps and introducing this type of legislation.
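As an added illustration, not taken from the bill text or from the testimony, the following Python model shows what the bill's two options amount to inside a device: a unit is provisioned either with a per-device default derived from its serial number, or with a shared factory default that gets the owner no further than the change-password screen until it is replaced. It also adds the lockout delay after repeated wrong passwords suggested above. The serial numbers, the factory secret, the `admin` default, the password rules and the lockout parameters are all constructed for this example; real firmware would need persistent storage and a clock, which are replaced here by an explicit `now` argument.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example: a shared factory default of the kind
# the bill is meant to eliminate, and a hypothetical lockout/password policy.
SHARED_FACTORY_DEFAULT = "admin"
MAX_FREE_ATTEMPTS = 3        # failures allowed before lockouts begin
BASE_LOCKOUT_SECONDS = 5     # first lockout; doubles on each further failure
MIN_PASSWORD_LENGTH = 8


def per_device_default(serial: str, factory_secret: bytes) -> str:
    """Option 1 of the bill: a default credential unique to each unit.

    Derived with HMAC-SHA256 from the serial under a secret kept at the
    factory, so it can be printed on the unit's label but cannot be worked
    out for other units from their serials alone.
    """
    tag = hmac.new(factory_secret, serial.encode(), hashlib.sha256).hexdigest()
    return tag[:16]


class DeviceAuth:
    """Credential store and login policy for one device (hypothetical model)."""

    def __init__(self, initial_password: str, must_change: bool) -> None:
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(initial_password)
        self.must_change = must_change      # Option 2 of the bill: forced change
        self.failed_attempts = 0
        self.locked_until = 0.0             # in the same units as `now`

    def _derive(self, password: str) -> bytes:
        # Salted PBKDF2 so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _verify(self, password: str) -> bool:
        return hmac.compare_digest(self._derive(password), self._hash)

    def _note_failure(self, now: float) -> None:
        # After MAX_FREE_ATTEMPTS failures, each further failure doubles the
        # lockout: 5 s, 10 s, 20 s, ... which makes online guessing of a
        # shared default impractical.
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FREE_ATTEMPTS:
            excess = self.failed_attempts - MAX_FREE_ATTEMPTS
            self.locked_until = now + BASE_LOCKOUT_SECONDS * (2 ** excess)

    def login(self, password: str, now: float) -> str:
        """Return 'locked', 'denied', 'must_change_password' or 'ok'."""
        if now < self.locked_until:
            return "locked"
        if not self._verify(password):
            self._note_failure(now)
            return "denied"
        self.failed_attempts = 0
        # A correct shared default only unlocks the change-password step.
        return "must_change_password" if self.must_change else "ok"

    def change_password(self, old: str, new: str, now: float) -> str:
        """Return 'locked', 'denied', 'rejected' or 'changed'."""
        if now < self.locked_until:
            return "locked"
        if not self._verify(old):
            self._note_failure(now)
            return "denied"
        if (len(new) < MIN_PASSWORD_LENGTH
                or new == SHARED_FACTORY_DEFAULT
                or new == old):
            return "rejected"
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(new)
        self.must_change = False
        return "changed"


def provision(serial: str, factory_secret: bytes, unique_default: bool):
    """Factory provisioning under either option the bill allows.

    Returns the device's auth state and the password printed on its label.
    """
    if unique_default:
        pw = per_device_default(serial, factory_secret)
        return DeviceAuth(pw, must_change=False), pw
    return DeviceAuth(SHARED_FACTORY_DEFAULT, must_change=True), SHARED_FACTORY_DEFAULT
```

The two provisioning paths end in the same state: no unit accepts a password that every other unit of the model would also accept. The lockout applies to the change-password step as well as to login, since an attacker who knows the shared default would otherwise try it there.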

I found the experience of testifying in the Senate Finance Committee starkly different from that in the Economics Matters Committee in the House. The senate committee heard 13 bills that day and took almost 3 hours before they got to ours. I was on a witness panel with Joseph Jerome, Director of Multistate Policy at commonsense.org, Katie McInnis, Policy Counsel for Consumer Reports, and Holly Jacobs from the state attorney general's office. All of the panelists were well spoken and compelling. Not surprising, considering that we were just saying that there should be a minimum baseline of security in connected devices. I found the senators to be engaged but not very knowledgeable about technology. In particular, one senator who dominated the questioning seemed particularly clueless and slightly hostile to the bill.

The House Economics Committee heard 6 bills today. Ours was the fourth. I found the testimony on the first three bills incredibly interesting as they dealt with consumer privacy. One bill addressed breach notification. The other two dealt with storage of biometric data and location information. There was some minor opposition to the bills, mostly procedural, as the opposing witnesses requested that the efforts on these bills be merged into a comprehensive privacy and security law that would address all of the issues, rather than having piecemeal legislation. This seemed perfectly reasonable to me.

There were only two of us on my panel today, Katie McInnis from Consumer Reports and me. Katie spoke about the importance of protecting IoT devices as consumers are adopting more and more of these. She spoke about 19 documented hacks in December. The delegate who introduced the bill, Ned Carey, showed a video from the evening news of a hacker speaking to a little girl through a compromised Ring doorbell. I basically summarized my written testimony, but I also had received a link to a story earlier today about a major WiFi compromise, and I included a summary of this and how it relates to the current bill in my testimony. These IoT compromises are so common that there was a major story the very day of the hearing.

I was pleasantly surprised by the level of discussion in the Q&A. Unlike their colleagues in the senate, the delegates were very knowledgeable about technology, IoT and security and privacy. They not only got it, but they chimed in with anecdotes of their own, and it was clear to me that this bill is very popular with the committee.

I always find it interesting to see how laws are created. While there is currently tremendous partisan gridlock in Washington, and I'm sure at the local and state levels as well, I was fortunate to not see any such issues in the two hearings. At least everyone seems to be in agreement that we need to do more to protect online connected devices.