
On January 1, 2020, California Senate Bill No. 327 becomes effective. See Title 1.81.26 of Part 4 of Division 3 of the California Civil Code. The new law restricts the use of default passwords in devices that connect to the internet, a significant step forward for the security of the Internet of Things. The law specifically requires a manufacturer to "equip the device with a reasonable security feature or features that are (1) appropriate to the nature and function of the device; (2) appropriate to the information it may collect, contain, or transmit, and (3) designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified." § 1798.91.04. Because the requirement is framed in terms of "reasonable security features" rather than passwords as such, it leaves open the possibility that a device can be secured without a password, for example by using Universal 2nd Factor (U2F) authentication or other means.

For a device that can be authenticated to from outside a local area network, the statute deems the requirement met if either a unique, pre-programmed password is assigned to each device, or the device requires the user to generate a new means of authentication before he or she accesses it for the first time.

Notably, the law does not create a private right of action; enforcement is left to the State.


The Tip of the Night for December 5, 2016 discussed the NIST Cybersecurity Framework Reference. Earlier this year the National Institute of Standards and Technology published the Cybersecurity Framework Roadmap, which describes NIST's planned work to improve version 1 of the Framework and gives some insight into how organizations are trying to improve their cybersecurity plans.

The Roadmap identifies the following areas in which NIST is focused on improving cybersecurity.

Cyber-Attack Lifecycle

A network intrusion goes through a sequence of events. A process called Coordinated Vulnerability Disclosure allows multiple stakeholders to understand the initial indicators of an attack, its severity, how it can be mitigated, and how the root cause can be addressed. Information sharing is key to disclosure of threats, and NIST SP 800-150, Guide to Cyber Threat Information Sharing, describes the Traffic Light Protocol (TLP), a set of markings (RED, AMBER, GREEN, WHITE) that tell a recipient how widely a piece of shared information may be redistributed.
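As an added example (not from this blog or from NIST), the following Python sketch shows how a TLP sharing decision can be automated: each indicator carries a marking, and a function decides whether it may be forwarded to a given recipient and what marking a report containing several indicators must carry. The four TLP 1.0 markings are assumed as published by FIRST; the organization names, community names, IP address, domains and hash are constructed for illustration.

```python
from dataclasses import dataclass

# TLP 1.0 markings, most to least restrictive (definitions as published by FIRST):
#   RED   - not for disclosure; restricted to the participants of the exchange
#   AMBER - limited disclosure; may be shared within the recipient's organization
#   GREEN - limited disclosure; may be shared within the recipient's community
#   WHITE - unlimited disclosure
TLP_RANK = {"RED": 0, "AMBER": 1, "GREEN": 2, "WHITE": 3}


@dataclass(frozen=True)
class Recipient:
    name: str
    org: str
    community: str
    participant: bool = False   # part of the original RED-marked exchange?


@dataclass(frozen=True)
class Indicator:
    value: str
    tlp: str
    source_org: str
    source_community: str


def may_share(indicator: Indicator, recipient: Recipient) -> bool:
    """Decide whether a single indicator may be forwarded to this recipient."""
    tlp = indicator.tlp.upper()
    if tlp not in TLP_RANK:
        raise ValueError(f"unknown TLP marking: {indicator.tlp!r}")
    if tlp == "WHITE":
        return True
    if tlp == "GREEN":
        return recipient.community == indicator.source_community
    if tlp == "AMBER":
        return recipient.org == indicator.source_org
    return recipient.participant   # RED: only the original participants


def filter_for_recipient(indicators, recipient):
    """Return only the indicator values this recipient is allowed to receive."""
    return [i.value for i in indicators if may_share(i, recipient)]


def bundle_marking(indicators) -> str:
    """Marking for a report holding several indicators: the strictest one wins."""
    if not indicators:
        raise ValueError("empty bundle")
    return min((i.tlp.upper() for i in indicators), key=TLP_RANK.__getitem__)


# Constructed sample data: hypothetical organizations, a documentation-range IP,
# reserved example domains and an arbitrary hex string standing in for a file hash.
SAMPLE_INDICATORS = [
    Indicator("198.51.100.23", "RED", "AcmeBank", "finance"),
    Indicator("evil-updates.example", "AMBER", "AcmeBank", "finance"),
    Indicator("0123456789abcdef0123456789abcdef", "GREEN", "AcmeBank", "finance"),
    Indicator("https://example.net/phish", "WHITE", "AcmeBank", "finance"),
]

ANALYST = Recipient("analyst", "AcmeBank", "finance", participant=True)
COLLEAGUE = Recipient("colleague", "AcmeBank", "finance")
PEER = Recipient("peer", "OtherBank", "finance")
OUTSIDER = Recipient("outsider", "RetailCo", "retail")

if __name__ == "__main__":
    for r in (ANALYST, COLLEAGUE, PEER, OUTSIDER):
        print(f"{r.name:9s} -> {filter_for_recipient(SAMPLE_INDICATORS, r)}")
    print("marking for a report holding all four:", bundle_marking(SAMPLE_INDICATORS))
```

The point of `bundle_marking` is the mistake that sharing tools most often make: a report that mixes WHITE and AMBER indicators has to go out as AMBER, not as the marking of whichever item happened to be listed first.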

Measuring Cybersecurity

NIST seeks to develop better ways to measure the effectiveness of cybersecurity strategies. It has already published NIST Special Publication 800-55 Revision 1, Performance Measurement Guide for Information Security, which lays out a four-level structure.

Referencing Techniques

NIST is developing a catalog of references so that an organization facing a threat can select the most appropriate guidance.

Small Business Awareness and Resources

NIST recognizes that nearly half of U.S. workers are employed by small businesses. NISTIR 7621 Revision 1, Small Business Information Security: The Fundamentals, addresses their needs, breaking cybersecurity awareness down for businesses that cannot employ people to focus on this area full time.

Governance and Enterprise Risk Management

Getting 'buy-in' from upper management is critical for properly addressing cybersecurity threats. NIST recommends the Baldrige Cybersecurity Excellence Builder as a guide to help organizations manage cybersecurity risk.


Bloomberg News, The Times [of London], and Wired have recently reported on the insertion of chips by Chinese factories into servers designed in the United States, which were then used to secretly access the networks the hardware was connected to. A Portland, OR based company, Elemental Technologies, supplied servers to Amazon designed to assist with video compression. The servers were manufactured by Super Micro Computer, Inc., of San Jose, CA, which outsourced part of the work to subcontractors in China that allegedly inserted chips not part of the original design. Such servers are used by the Department of Defense, the United States Navy, and as part of the CIA's drone program. Hardware implants are extremely difficult to carry out. Nevertheless, Bloomberg reports that America's largest company, Apple, also found the malicious chips: "Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards." (Apple, Amazon, and Supermicro have all publicly denied the report.)

Elemental Technologies was founded in 2006 to sell software that used graphics chips to handle the increased demand for streaming online video. The implanted chips were designed to look like ordinary motherboard components (e.g., signal conditioning couplers). According to the report, some of these chips altered the Linux operating system's code so that the server would no longer check for a password. A study at the University of Michigan had earlier shown that such a chip could be used to obtain full access to an operating system, and that conventional hardware security analysis would not find it.


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.
