There are organizations dedicated to closing the gender gap in technology, like Girls Who Code and the Anita Borg Institute. There are also special days and key moments in time like Women’s Equality Day and Equal Pay Day, which bring awareness to the challenges women face in technology. It’s because of initiatives like these that young women today are better prepared to face the challenges of a male dominated industry. While it’s great to see progress being made, there is still much more work to be done, and I believe now is the right time to inspire and support more women who are interested in the field.

One of the ways I hope to show my support and pay it forward to the next generation of women technologists is by sharing my story at this year’s Grace Hopper Celebration, the world’s largest gathering of women technologists. It’s taking place this week in Houston. Applying to present at Grace Hopper is something my daughter encouraged me to do, and I could not be more proud to take her advice and share my experiences navigating the workforce.

Given my role at Workday, which includes managing a team that works on everything from data science and machine learning, to core technologies and user-centric design, and my experiences guiding my daughter, I’m able to reflect on the young worker I was. Using these experiences, I can share my top tips and practical advice for my daughter — and legions of young women like her — to help them build successful, happy, and rewarding careers. Though my goal is to help women, these tips can be useful for all young people entering the workforce straight from college.

1. Build meaningful connections. A workplace can seem a lot like college. There are many different types of people, each with their own values, ambitions, and desires. However, at work, you don’t get to choose who you hang out with. You collaborate with many different people, and the ability to connect with those people, despite differences, is essential. Look to draw bridges, not lines in the sand, and be deliberate about making connections.

Take the relationship you have with your boss, for example. Your manager plays a large role in your success at work, and a good relationship can positively impact the trajectory of your career. The first step towards a better bond is gaining his or her respect. Listen to your manager’s visions and up your game in that area to make his or her job easier.

Or, let’s say you don’t work well with someone on a team, try making a personal connection. When I first started working, I didn’t even know who the San Francisco 49ers were. I couldn’t participate in certain conversations about sports while my fellow coworkers were bonding and strengthening their connections with each other, which translated into better working relationships. So, I learned about sports, and as it turns out, now I love football. Sports might not work for everyone, but find something to bond over, a shared interest. The most successful people I know are connectors. They connect with people at a human level. Be a connector.

2. Embrace your soft skills. In college, there are clear lines of success, like getting straight A’s. In the workplace, the criteria are not as transparent. It isn’t just about what you know, or how many lines of code you churn out. Instead, soft skills, including the ability to connect, play a big role in success. Another critical soft skill is how you present yourself. Express your ideas with confidence and figure out how to make them heard. Earlier in my career, I would say something and it would take me a while to realize that people weren’t listening, that my point hadn’t been heard or wasn’t being debated. I had to learn how to become more vocal. College doesn’t always prepare you for this different kind of working environment, so set your expectations now and learn how to be agile. Whatever your situation, find strategies that work for you.

3. Ask for what you want. One of my early mistakes was to assume that working hard would translate into new opportunities. I thought that if my boss and senior leadership team were aware of my contributions, I would be rewarded. So, I sat back and waited. Too often, I missed out on the most important assignments. Finally, I gathered up the courage to speak to my manager. He told me that, because I didn’t tell him I wanted the opportunity and someone else stepped up, they got the assignment. Ask for what you want and clearly communicate your interest. Your personal success is there to be created if you speak up openly and honestly.

4. Respect everyone’s time, including your own. “Time is money.” I couldn’t agree more. You lose credibility in the workplace if you waste your time or your colleagues’ time. Admittedly, in my first year on the job, I was often late to meetings, even the ones I organized. I attributed that to being busy, to company culture, and I didn’t think anyone noticed. But my coworkers did. People started skipping my meetings because they started late, ended late, and weren’t the most productive use of my colleagues’ time. I changed my habits and started managing my time effectively. The most respected leaders are unfailingly punctual. Be punctual, be prepared, and make your meetings useful.

5. Take care of yourself. I used to think that working long hours was the only path to success, so I worked 18-hour days. Then a close friend pointed out that I was irritable, anxious, and stressed. Today, I know that when I am recharged and relaxed, I do better at work and at home. In this era of constant connectivity, disconnecting is hard and I think this will be the hardest thing for my daughter. But you have to disconnect every day and do at least one thing that brings you joy outside of work. Paint. Dance. Run. Hike. Volunteer. Go to the gym. It is easier to motivate and inspire others when you recharge yourself.

Diverse workforces fuel innovation and drive market growth, and women play an important role in this. That’s why it’s critical to offer support to the next generation of women technologists and empower their careers. I hope this advice helps more women grow in their careers and that, one day soon, they will find themselves in a place where they can become a connector for the next generation.

Written By: Madhu Venkatesh. She is senior director of software engineering at Workday. Within this role, she manages a team that researches emerging technologies to drive innovation and deploy the next generation of products for the company. Prior to Workday, she was a director of engineering at Advisor Software and oversaw cloud-based projects that enhanced a wealth management platform for financial advisors. She holds a Master of Business Administration degree from Saint Mary’s College of California.


  • 83 percent of the analyzed routers were found to have vulnerabilities to potential cyberattacks;
  • Across all severity levels, 32,003 vulnerabilities were found in a sample of 186 routers; on average, routers contained 172 vulnerabilities; and
  • 28 percent of the vulnerabilities found were categorized as “high risk” or “critical” with an average of 12 critical vulnerabilities and 36 high-risk vulnerabilities for each router.

According to the study, the problem is likely to be more common for IoT devices since cyberattacks can cause massive damage to all connected devices.

“Simply resetting your router is not enough,” the study warns. “Automated updates are by far the most feasible option to keep IoT devices and consumer data safe.”

The study stresses the severe consequences of Wi-Fi router manufacturers leaving IoT devices unpatched for known vulnerabilities and the urgency for these manufacturers to commit more resources to identify and mitigate vulnerabilities in open source to reduce cybersecurity threats that put consumers, the infrastructure, and the economy at risk.

A full copy of the study is available online here.

The push for AI comes as companies face a huge increase in threats and more-sophisticated criminals who can often draw on nation-states for resources. More than 121.6 million new malware programs were discovered in 2017, according to a report by German research institute AV-Test GmbH. That is equivalent to about 231 new malware samples every minute.

Of course, nobody thinks AI is the cure-all for stopping threats. New operating systems and software updates introduce unpredictable risks, and hackers adopt new tactics.

“Is AI a silver bullet? Absolutely not,” says Koos Lodewijkx, vice president and chief technology officer at IBM Security. “It’s a new tool in our toolbox.”

Because of those limitations, reliance on algorithms “is a little concerning and in some cases even dangerous,” says Raffael Marty, vice president of corporate strategy at cybersecurity firm Forcepoint, which is owned by defense contractor Raytheon Co.

Still, most cybersecurity experts believe that AI can do a lot more good than harm as hackers get smarter and more determined. Here are a few examples of how cybersecurity pros are using artificial intelligence—and what’s next for the technology.

Detecting malware

Traditionally, security systems look for malware by watching for known malicious files and then blocking them. But that doesn’t work for zero-day malware—threats that are unknown to the security community.

AI is helping to solve that problem and identify new attacks as soon as they appear. The systems analyze existing malware and see what characteristics the files have in common, then check to see if potential new threats have any of those traits, says Avivah Litan, a cybersecurity analyst at Gartner Inc.

Enlisting AI

That is the method used at security firm CrowdStrike Inc. When a user clicks on a suspicious file, the company’s tool scans hundreds of different attributes—such as the size, content and distribution of code in the file—then runs them through a machine-learning algorithm that compares them to the company’s malware database and determines how likely the file is to be malicious.

“The reason why machine learning works so well for malware is that there’s so much data out there—it’s easier to train the system,” says CrowdStrike’s director of product marketing, Jackie Castelli.

One big hurdle for this approach to identifying malware is false positives: Currently, some AI systems classify a lot of benign programs as threats, which is a big problem given how many attacks companies face and how much time it can take to investigate each lead. But most security vendors that focus on laptops, mobile phones and other devices are working on the problem, Ms. Litan says.
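The feature-and-compare approach the passage describes, as an added example written for this page (not CrowdStrike’s or any other vendor’s code): it computes three coarse file-level features (size, byte entropy, printable fraction), then scores an unknown file by the share of its k nearest labelled neighbours that are malicious. Every sample file, label and feature choice here is constructed for illustration; real detectors use hundreds of features and very large training sets.

```python
import math
import random
from collections import Counter
from typing import List, Tuple

Features = Tuple[float, float, float]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for packed or encrypted data, roughly 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extract_features(data: bytes) -> Features:
    """Three constructed features standing in for the many a real tool extracts."""
    n = len(data)
    printable = sum(32 <= b < 127 for b in data) / n if n else 0.0
    return (math.log2(n + 1), shannon_entropy(data), printable)


def malicious_likelihood(sample: bytes, reference: List[Tuple[Features, bool]], k: int = 3) -> float:
    """k-nearest-neighbour vote: fraction of the k closest labelled files that are malicious."""
    feats = extract_features(sample)
    nearest = sorted(reference, key=lambda r: math.dist(r[0], feats))[:k]
    return sum(1 for _, is_mal in nearest if is_mal) / k


# Constructed "malware database": high-entropy blobs labelled malicious (packed-looking),
# plain text labelled benign. These are placeholders, not real samples.
def _packed(seed: int, size: int = 1800) -> bytes:
    return random.Random(seed).randbytes(size)


_TEXTS = [
    b"The quick brown fox jumps over the lazy dog. " * 40,
    b"Quarterly report: revenue rose, costs fell, margins improved. " * 30,
    b"README: build with make, run the tests with make check. " * 35,
]

REFERENCE = [(extract_features(_packed(s)), True) for s in (1, 2, 3)] + \
            [(extract_features(t), False) for t in _TEXTS]


def score_constructed_packed() -> float:
    """An unseen high-entropy blob: expected to land next to the malicious references."""
    return malicious_likelihood(_packed(99), REFERENCE)


def score_constructed_text() -> float:
    """An unseen plain-text file: expected to land next to the benign references."""
    return malicious_likelihood(b"Meeting notes: agenda, actions, owners, due dates. " * 36, REFERENCE)


if __name__ == "__main__":
    print("packed-looking sample:", score_constructed_packed())
    print("text sample:", score_constructed_text())
```

The false-positive hurdle the passage mentions shows up immediately with features this crude: a legitimately compressed or encrypted benign file also has entropy near 8.0 and would score as malicious here, which is why real systems need richer features and a tuned decision threshold rather than a bare neighbour vote.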

Getting detailed data on users

Organizations in a range of fields, including government, retail and finance, are trying to keep unauthorized users out of their systems by combining machine learning with biometrics—studying physical information about users, like fingerprints and voices.

With biometric systems, people access services by talking or scanning a part of their body instead of entering a username and password. Machine learning can be used to analyze small differences in these characteristics and compare them to data on file, making verification precise.

For instance, financial-services firms such as Fidelity Investments, JPMorgan Chase & Co. and Charles Schwab Corp. have deployed biometric technology for customer service that scrutinizes hundreds of voice characteristics, such as the rhythm of speech.

Nuance Communications Inc., which develops speech-recognition software used in mobile phones, has started to incorporate behavioral biometric information, such as a person’s vocabulary, into its machine-learning algorithms.

When voice and behavioral data are combined, the system is precise enough to tell identical twins apart, says Brett Beranek, director of security strategy at Nuance. That is because characteristics such as vocabulary and frequency of pauses will differ even if people’s voices sound the same.

One hurdle for biometric technology is selling users on the idea. Researchers at the University of Texas at Austin’s Center for Identity have found that many consumers are wary of biometric authentication because of concerns about privacy, government tracking and identity theft.

Mr. Beranek says many U.S. consumers haven’t been exposed to biometric technology, unlike people in many European countries, and recommends organizations that use it address concerns and questions that customers might have. Many banks, for example, offer online explanations about how it works and how they use encryption to protect stored biometric data.

Sifting through alerts

A typical large corporation receives tens of thousands of security alerts each day warning about possible malware, newly discovered ways to exploit security flaws and ways to remediate threats, according to cybersecurity experts.

So, companies are investing in AI to help determine which alerts are most important, and then automate the responses.

Companies “can’t handle all the security alerts, and they’re missing things that are really important,” says Gartner’s Ms. Litan. “If you look at almost all the data breaches that took place in the last 10 years, there’s a security alert that notified them, but it was buried at the bottom of the list.”

For example, the breach announced by Equifax Inc. in September 2017 was partly blamed on a flaw in the Apache Software Foundation’s Struts software program. A patch for the vulnerability was issued several months before the incident at Equifax occurred, but the company failed to address the issue, The Wall Street Journal reported. The breach compromised personal information belonging to about 147.9 million consumers.

A spokeswoman for Equifax said in an email that the company has since hired a new chief information-security officer and chief technology officer, and has increased its security and technology budget by more than $200 million this year.

About three years ago, International Business Machines Corp. started training its Watson AI system on cybersecurity, with the goal of helping security teams manage the influx of threat information. The system combs through alerts, recognizes patterns and determines things such as what malware is involved, whether it is related to previous attacks and whether the company is being specifically targeted. That way, security teams can focus on the most likely threats and put the rest aside.

“We want to use AI to do all the investigative work and essentially give the analyst a researched case,” says Mr. Lodewijkx, adding that IBM determined that its own security analysts spend about 58% of their time doing repetitive work such as studying alerts.

“We’re aiming to take all of that 58% away from the analyst, so they’re able to deal with the uniquely human tasks,” he says.

More than 100 companies currently use Watson for cybersecurity, including Sri Lanka’s Cargills Bank Ltd. and Swiss financial-services provider SIX Group. Like most AI, the technology took years to develop and encountered bumps along the way. For example, Watson at one point concluded that the word “it” was the name of the most dangerous malware, because it appeared so frequently in malware research, Mr. Lodewijkx says.
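The kind of triage this section describes, as an added example written for this page (not IBM Watson’s or any vendor’s logic): each alert gets a score from its vendor severity, whether the asset is internet-facing, whether the flaw is known to be exploited, whether an unapplied patch exists, and how often the same indicator appeared in earlier alerts, so that a medium-severity alert about an unpatched internet-facing server is not buried under routine noise. All alert records, asset names and indicator values are constructed placeholders; the weights are illustrative, not a published scheme.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Alert:
    alert_id: str
    severity: str               # vendor label: low / medium / high / critical
    asset: str
    internet_facing: bool
    indicator: Optional[str]    # CVE id, file hash or domain; placeholders here
    patch_available: bool = False
    exploited_in_wild: bool = False


SEVERITY_BASE = {"low": 1, "medium": 3, "high": 6, "critical": 9}


def build_history(prior: List[Alert]) -> Dict[str, int]:
    """Count how often each indicator appeared in earlier alerts (a campaign / targeting signal)."""
    hist: Dict[str, int] = {}
    for a in prior:
        if a.indicator:
            hist[a.indicator] = hist.get(a.indicator, 0) + 1
    return hist


def score_alert(a: Alert, history: Dict[str, int]) -> int:
    """Illustrative weights: exposure and exploitability count more than the vendor label alone."""
    score = SEVERITY_BASE.get(a.severity.lower(), 0)
    if a.internet_facing:
        score += 4          # reachable by anyone on the internet, not only insiders
    if a.exploited_in_wild:
        score += 5          # attackers are already using this flaw
    if a.patch_available:
        score += 2          # a fix exists and has not been applied: avoidable exposure
    if a.indicator:
        score += min(history.get(a.indicator, 0), 5)   # same indicator seen before
    return score


def triage(alerts: List[Alert], history: Dict[str, int]) -> List[Tuple[str, int]]:
    """Return (alert_id, score) pairs, highest score first."""
    scored = [(a.alert_id, score_alert(a, history)) for a in alerts]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample data: three earlier low alerts sharing one domain indicator.
PRIOR = [Alert(f"P{i}", "low", f"ws-{i}", False, "dom-constructed.example") for i in (1, 2, 3)]

# Today's queue: one medium alert about an unpatched, internet-facing, actively exploited
# flaw (CVE id is a placeholder), one critical alert on an isolated lab VM, one high alert
# repeating the earlier domain indicator, and twenty low-severity noise alerts.
TODAY = [
    Alert("A1", "medium", "web-portal-01", True, "CVE-PLACEHOLDER-0001",
          patch_available=True, exploited_in_wild=True),
    Alert("A2", "critical", "lab-vm-07", False, "hash-constructed-0001"),
    Alert("A3", "high", "ws-44", False, "dom-constructed.example"),
] + [Alert(f"N{i}", "low", f"ws-{i}", False, None) for i in range(1, 21)]


def ranked_today() -> List[Tuple[str, int]]:
    return triage(TODAY, build_history(PRIOR))


def severity_only_rank() -> List[str]:
    """The naive ordering: vendor severity alone, which pushes A1 down to third place."""
    return [a.alert_id for a in sorted(TODAY, key=lambda a: SEVERITY_BASE[a.severity], reverse=True)]


if __name__ == "__main__":
    for alert_id, score in ranked_today()[:5]:
        print(alert_id, score)
```

Sorting by vendor severity alone puts the critical lab-VM alert first and the internet-facing, exploited, patch-available one third; the context-aware score reverses that, which is the difference between an alert at the top of the list and one buried at the bottom.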

Tracking down enemies

One common struggle for data-breach victims is figuring out who attacked them, because criminals and nation-state hackers use a number of techniques to obfuscate their identity. Some cybersecurity researchers and analysts believe machine learning can be used to attribute attacks, which can help companies defend against them and prepare for future incidents.

Security systems can mine and analyze information on registries and online databases to find clues about the infrastructure that criminals set up to launch attacks, such as domain names of websites and IP addresses associated with the devices they use for hacking.

When hackers leave all those traces, “you create a behavior footprint that you leave behind that is unique,” says Chris Bell, chief executive of Diskin Advanced Technologies. The firm uses machine learning to analyze these footprints, determine who is behind an attack and who their next victims may be.

The technology is still in the early stages, but customers in the aviation, utility and financial-services industries have used it to spot pending attacks and automatically block IP addresses associated with criminal groups, according to Mr. Bell.

Written By: Adam Janofsky
Mr. Janofsky is a reporter for WSJ Pro Cybersecurity in New York. He can be reached at [email protected].

Appeared in the September 19, 2018, print edition as ‘How AI Can Help stop Cyberattacks.’

How AI Can Help Stop Cyberattacks

“Social engineering is essentially the easiest tool in the hacker’s toolbelt,” says Kathryn Sherman, a supervisory special agent with the Federal Bureau of Investigation. “All the information they need is available to them free online,” she says, because corporations have put more of our personal data online. “Less-technical hackers are using it to gain access to companies and are defrauding our economy for billions of dollars.”

Today about a third of all cyberattacks start with social engineering, according to research by International Business Machines Corp. and the Ponemon Institute. Five years ago the number was 19%.

Social-engineering attacks that include a detailed fraudulent business email are responsible for $12.5 billion in losses, the FBI says.

Behind the push

A few things are pushing social engineering to the forefront of online fraud. Companies like Apple Inc. and Microsoft Corp. have invested billions in improving the security of their products, and consumers have moved much of their data to cloud computing services, making conventional hacking less effective.

Don’t Be Fooled

The three most common social-engineering techniques, according to the FBI

“Over the past five years they have made hardware and software really difficult to break,” says Christopher Hadnagy, chief executive of Social-Engineer LLC, a consulting company that helps companies understand these techniques. “Where we’re seeing the big vulnerabilities is in social engineering.”

Ken Bagnall, a vice president at the computer-security company FireEye Inc., says one reason these types of attacks are so effective is their use of what he calls psychological authentication. “If you have the name of their boss in an email, people will have a huge emotional response,” he says. “And all social engineering is based on emotional response.” The criminals are masters of techniques like these, Mr. Bagnall says. Phishing emails, for example, have 10 times the click-through rate of marketing emails, he says.

Def Con demonstration

At the DEF CON computer-security conference in Las Vegas in August, hackers made a sport of their social-engineering techniques. In front of an audience in a Caesars Palace conference room, they called and conned their way through the call centers of a variety of large companies, probing for security weaknesses, says Mr. Hadnagy, the organizer of this particular event.

The contest is meant to raise awareness about the problem, not to do anything malicious, says Mr. Hadnagy. “We demonstrate social engineering by actually making calls to people and getting random strangers to give you pieces of information they should never give you,” he says.

During the event, he says, hackers asked their marks a range of things. Who is the company’s caterer? What operating system is on the employee’s computer? Will they click on a webpage provided by the social engineer? Most of the callers pretended to be a co-worker calling in for some help. Some pretended to be with the company’s IT support group. One said he was a reporter working on a story.

Everyone who tried succeeded in fooling the company they called to some degree, Mr. Hadnagy says. And more than half of the contestants managed to con employees into visiting websites that they shouldn’t have, he says.

Companies are getting wise to social engineering, however. For example, at FACC AG, a maker of aircraft parts and systems that lost millions in an attack, education about social engineering is now a priority, says Andreas Perotti, a company spokesman.

The company’s IT department regularly sends out information on new scams and takes steps to educate new hires on this topic too, he says. “It is important to incorporate this education in the daily work life,” says Mr. Perotti.

Other companies are starting to factor social-engineering training into their compensation plans, says Dave Burg, a cybersecurity executive with the professional-services company Ernst & Young LLP. Employees who do well in phishing tests, for example, get paid bonuses. Those who consistently fail them can face sanctions or even termination, he says.

Written By: Robert McMillan
Mr. McMillan is a reporter for The Wall Street Journal in San Francisco. He can be reached at [email protected].

How Hackers Talk Their Way Into Getting Company Secrets


Appeared in the September 19, 2018, print edition as ‘Hackers’ Prime Target: Your Mind.’

Last week the State Board of Education adopted California’s first ever model K-12 computer science standards. These standards are voluntary and intended to provide substantive guidance while also allowing for flexibility and innovation across LEAs to determine from a variety of approaches how best to incorporate computer science into their curricula based on local capacity and context.

Computer science is the study of how technology and computing systems are created, with opportunities over the grade spans for students to collaborate to create their own applications and develop complex data files. California’s new standards cover six core computer science concepts (such as algorithms and programming) and seven core practices (such as creating computational artifacts and recognizing computational problems). They also encourage student critical thinking and discussion about the broader ethical and social implications and questions related to the growing capabilities of technology in society.

The study of computer science will enable California’s students to better understand how the digital world they are growing up in is made and how it works, for example:

How does the Internet work? How does Netflix use computing algorithms to determine what new shows I might like based on what shows I’ve been watching? How does my Facebook page know what online shopping I’ve been doing? What does it mean to “hack” into a computer system to steal or damage information? How is automation going to change the workforce and labor market? In what ways is technology combining with medical researchers to improve diagnoses or treatments of disease?

Last Thursday the state board also reviewed the recommendations of a blue ribbon computer science strategic implementation advisory panel on strategies to support educators and ensure equitable access for students to computer science courses. Most of the recommendations were addressed to districts and county offices of education, such as adopting computer science as a graduation requirement and identifying existing computer science curriculum that aligns well to the newly adopted standards. Other recommendations were directed more to state policy leaders, such as the importance of additional state funding to incentivize districts to begin to bring computer science into their curricula and to provide appropriate professional learning opportunities for teachers, and the need for changes in credentialing and supplemental authorizations that would more easily allow existing teachers of math, science, business and career technical education to be qualified to teach computer science.

Not all students who study computer science will want to major in it in college and make a career out of it. But if they never have the opportunity to take computer science courses before getting to college, they won’t have the chance to discover if it’s a field they’d like to pursue.

And that’s important because computing jobs are the largest sector by far of all STEM (Science, Technology, Engineering and Math) jobs. In California alone there are currently 75,000 open computing jobs waiting to be filled, in every industry sector across the state. The average salary for those jobs is $110,000. The social mobility opportunities that a computer science degree and/or computing skills can provide for California’s low-income students, those of color or English learners and girls are enormous.

College Board data indicates that while much more progress is needed, numbers and diversity of California students taking a computer science AP exam have increased in recent years.

In 2016-17 only 488 California public high schools (out of just over 1,300) offered a Computer Science AP course (either AP Computer Science-A or Computer Science Principles AP or both) but that number has increased to 569 schools for 2017-18.

In 2014-15, 2,924 California public school students took the AP Computer Science A exam; in 2015-16 that number rose to 3,481 students.

These are indications of growing interest — and demand — but still involve a tiny fraction of California’s student population. The AP Computer Science A course is more technical, emphasizing problem solving using Java and requires strong math skills.

But in 2016-2017, the College Board introduced a new AP course, called Computer Science Principles, which was intentionally designed for broader student access. It does not rely on any particular programming language, instead offering a multidisciplinary approach to teaching the underlying principles of computation. The course introduces students to the creative aspects of programming, abstractions, algorithms, large data sets, the Internet, cybersecurity concerns and computing impacts. As a result, the numbers of California students taking AP computer science courses in 2016-17 jumped to 6,781, with 3,581 taking the new Computer Science Principles AP exam and 3,200 taking the Computer Science-A AP exam.

In addition, while California public school Latinx students made up only 16 percent of total student CS AP test takers in 2015-2016, they made up 25 percent of total California public-school computer science AP test takers in 2016-2017 and 34 percent of the test takers for the new Computer Science Principles AP course.

The home to Silicon Valley, California is having a Computer Science Education moment. Thanks to the efforts of all the computer science advocates, momentum is clearly growing. And now that California has recommendations for scaling computer science and has Computer Science Standards that provide guidance, I’m betting that California’s next state education policy leaders will be eager to support districts and charter schools to ensure all California’s K-12 students begin to have access to quality computer science opportunities.


Trish Williams is a member of the California State Board of Education.



The following CyberAegis students received NCWIT awards:

  • Arushi Dogra:  California: San Diego Affiliate Winner
  • Emily Park:  California: San Diego Affiliate Winner
  • Hannah Zheng:  National Certificate of Distinction
  • Lily Hu:  National Certificate of Distinction
  • Lucy Gao:  National Certificate of Distinction
  • Madeline Tran:  California: San Diego Affiliate Winner
  • Shruti Verma:  California: San Diego Affiliate Honorable Mention

The award includes recognition at a regional event, scholarship and internship opportunities, and membership in the NCWIT community.

The sense of community was the part of the award that appealed most to Arushi Dogra. She is taking what she learns from professionals in the field and applying it to her own work mentoring younger students.

“In the search to find others like me and making new friends, I really appreciate being a part of the NCWIT community, which is filled with young girls that are interested in the same things as me,” Dogra said. “Winning this award has also given me the opportunity to spread my passion to younger girls as a Program Leader that teaches coding through AppInventor.”

Hu and Arushi are not sure if they will pursue careers in cybersecurity, but they realize that the skills they are learning through cyber competitions will apply no matter where their career paths take them.

“I feel a sense of pride being on the path to helping companies, programs, or even the nation in the increasingly technological future,” Hu said. “Being a female only adds to that pride.”

They also know that being advocates for cybersecurity and STEM will help increase participation from young women whose perspectives can help solve what are some of the greatest challenges of our time.

“Young women need to be exposed and encouraged to enter these areas so that the next generation consistently has increased female representation in STEM,” Dogra said. “This increased diversity in the field would aid in bringing different perspectives to a problem and coming up with multiple solutions. This encouragement would also help many women find their true passions in technology and give them the confidence to enter the field earlier in life.”

Applications for the 2019 NCWIT Aspirations in Computing Award are due November 5. For more information on the award and its application process, visit the NCWIT website. For more information about CyberAegis, visit


If already a member, download the publication HERE.
If not a member, join the National CyberWatch Center HERE. Then enjoy the members-only portal that houses a community forum, the 2018 Innovations in Cybersecurity Education publication, exclusive discounts, and more!
Materials Materials Materials:
You want ’em, we got ’em. Presentation and workshop materials from all FIVE years of the Community College Cyber Summit (3CS) are now available on our website. They include cybersecurity instructional materials, scholarship information, professional associations, cloud-based lab solutions, and more! The plethora of materials is here for you to access to enhance your classroom. Go to the “conference materials” tab on the navigation bar HERE.
Community College Cyber Summit (3CS)
July 30 – August 1, 2019
Bossier Parish Community College/Shreveport, Louisiana

vpnMentor have produced a video which shows just how you’re inviting hackers into your home, and how easy it can be for them to access your sensitive information. Disturbingly, the team were able to manipulate all of the devices tested to gain access to your home.

Amazon Echo – A wiretap waiting to happen?

Our research revealed a critical vulnerability related to the first-generation Echo’s physical design. Hackers were able to open the device up and manipulate it using a specially crafted SD card. This means that malicious actors could live stream audio from its microphone, and remotely use its services.

The video showcasing this in action, as well as advice to protect yourself, is viewable here.

Keeping Cyber Criminals At Bay

With such terrifying findings, vpnMentor wants to highlight just how simple it is for your home to be targeted by malicious hackers.

However, the experts at vpnMentor have compiled a list of recommendations to protect users from becoming an easy target:

  • Always research a product, and any existing security threats to it, before you buy.
  • Only buy your smart gadget from an officially certified source.
  • Be aware of any signs of physical intervention with the product.
  • Directly address the seller if you or someone else has identified any major misconfiguration.
  • Make sure your smart device is properly configured and regularly updated.
  • Keep your externally facing smart devices on a separate network.

Ariel Hochstadt, co-founder of vpnMentor, commented: “If you are going to introduce smart technology into your home, it is important that you remain attentive with your devices to ensure that only those you trust have access. By following our set of simple rules you can ensure the best security practices have been met, saving you from becoming an easy target for crime.”

For more information on cybersecurity, and how to make sure your devices are protected, you can read the full vpnMentor guide here. You can also watch their video investigation here to see how one unsuspecting family was affected after their devices were hacked.


Barring any strong opposition to the bill from the public or the private sector, if signed by Gov. Jerry Brown, the new bill would enter into effect starting January 1, 2020.


The bill’s main provision is that “a manufacturer of a connected device shall equip the device with a reasonable security feature or features.”

Just like most legislative efforts, the bill is pretty vague in what “reasonable security” should be, but it does go into details when it comes to device authentication procedures.

According to the bill’s approved text, “if a connected device is equipped with a means for authentication outside a local area network,” the authentication system must meet one of two criteria.

  1. If the device uses a default password, the password must be unique to each device; or,
  2. The device must prompt users to set up their own password whenever the user sets up the device for the first time – criteria put in place to avoid manufacturers shipping devices with the same default credentials.
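To make the two criteria concrete from a manufacturer's side, here is an added example (not text from the bill, the article, or any vendor's firmware) that models a per-unit manufacturing record and audits a small constructed fleet against both criteria: a preset password counts only if it is unique across the fleet, and a unit with no preset password passes only if it forces the user to set one at first setup. The `DeviceRecord` fields and the fleet itself are assumptions made for illustration.

```python
"""Default-credential policy check modelled on the two SB-327 criteria.

Added example, not from the article or any vendor's firmware. The device
records and the sample fleet below are constructed for illustration.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DeviceRecord:
    """Hypothetical manufacturing record for one unit (constructed)."""
    serial: str
    default_password: Optional[str]   # None when no password is preset at the factory
    forces_password_setup: bool       # device refuses service until the user sets one


def generate_unit_password(length: int = 16) -> str:
    """Per-unit default drawn from the OS CSPRNG, so no two units share it.

    Deriving the default from the serial number or MAC address would make it
    predictable to anyone who can read the label, which defeats criterion (1)
    even though every unit would technically have a different string.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_criterion_1(dev: DeviceRecord, fleet: List[DeviceRecord]) -> bool:
    """(1) a preset password that is unique to this device within the fleet."""
    if dev.default_password is None:
        return False
    return all(
        other.default_password != dev.default_password
        for other in fleet
        if other.serial != dev.serial
    )


def meets_criterion_2(dev: DeviceRecord) -> bool:
    """(2) the user must set their own password at first setup."""
    return dev.forces_password_setup


def remote_auth_compliant(dev: DeviceRecord, fleet: List[DeviceRecord]) -> bool:
    """The bill requires either criterion, not both."""
    return meets_criterion_1(dev, fleet) or meets_criterion_2(dev)


def audit_fleet(fleet: List[DeviceRecord]) -> Dict[str, bool]:
    """Map each serial to whether its remote-authentication setup complies."""
    return {dev.serial: remote_auth_compliant(dev, fleet) for dev in fleet}


# Constructed sample fleet: two units share the classic "admin" default,
# one carries a unique factory password, one has no preset password but
# forces setup on first boot.
SHARED_DEFAULT = "admin"
SAMPLE_FLEET = [
    DeviceRecord("SN-0001", SHARED_DEFAULT, False),
    DeviceRecord("SN-0002", SHARED_DEFAULT, False),
    DeviceRecord("SN-0003", generate_unit_password(), False),
    DeviceRecord("SN-0004", None, True),
]

if __name__ == "__main__":
    for serial, ok in audit_fleet(SAMPLE_FLEET).items():
        print(f"{serial}: {'compliant' if ok else 'NON-COMPLIANT'}")
```

The uniqueness check is deliberately fleet-wide rather than per-record: a vendor that stamps a different-looking but shared default on every batch would pass a per-record check and fail this one, which is the failure mode the provision is aimed at.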


And that’s all of the SB-327 bill. No other provisions. Just a very precise specification regarding the handling of default credentials for IoT devices, and the use of a generic term of “reasonable security” that every IoT device vendor could interpret the way they want.

As security researcher and infosec pundit Robert Graham points out, this new IoT security law, despite its good intentions, isn’t particularly useful in the current state of the IoT market, and will not fix any of the problems that plague IoT devices.

“It’s based on the misconception of adding security features. It’s like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips,” Graham wrote yesterday in his analysis of the bill.

“The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add ‘security features’ but to remove ‘insecure features’.

“For IoT devices, that means removing listening ports and cross-site/injection issues in web management,” Graham said. “We don’t want arbitrary features like firewall and anti-virus added to these products. It’ll just increase the attack surface making things worse.”
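Graham's point about removing listening ports rather than adding features translates directly into an audit a device maintainer can run. The following is an added example, not code from Graham or from the article: it parses the output format of `ss -Hlntu` (the sample lines are constructed, not captured from a real device) and reports every socket bound to a non-loopback address that is not on an explicit allowlist. The allowlist contents are an assumption; the idea is that anything not on it is a candidate for removal from the firmware, not for wrapping in a firewall rule.

```python
"""Audit listening sockets for exposed services.

Added example, not from the article. Parses the column layout of
`ss -Hlntu` (protocol, state, recv-q, send-q, local address:port, peer).
SAMPLE_SS_OUTPUT is constructed for illustration.
"""
from typing import List, Optional, Set, Tuple

# Addresses that only accept connections from the device itself.
LOOPBACK_PREFIXES = ("127.", "[::1]")

# Constructed sample, shaped like `ss -Hlntu` output on a small Linux device.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128                *:23               *:*
udp   UNCONN 0      0            0.0.0.0:1900       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""


def parse_ss_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Return (proto, state, local_addr, local_port) or None for junk lines."""
    parts = line.split()
    if len(parts) < 6:
        return None
    proto, state, _recvq, _sendq, local, _peer = parts[:6]
    # rpartition keeps IPv6 brackets intact: "[::]:22" -> ("[::]", "22")
    addr, sep, port = local.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return proto, state, addr, int(port)


def is_exposed(addr: str) -> bool:
    """True when the bind address accepts traffic from other hosts."""
    return not addr.startswith(LOOPBACK_PREFIXES)


def exposed_listeners(
    ss_output: str, allowlist: Set[Tuple[str, int]]
) -> List[Tuple[str, str, int]]:
    """List (proto, addr, port) for exposed sockets not on the allowlist.

    The allowlist names (protocol, port) pairs the product actually needs;
    everything else reported here is attack surface to remove.
    """
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        proto, _state, addr, port = parsed
        if not is_exposed(addr):
            continue
        if (proto, port) in allowlist:
            continue
        findings.append((proto, addr, port))
    return findings


if __name__ == "__main__":
    # Assumed allowlist: only SSH is a supported externally reachable service.
    for proto, addr, port in exposed_listeners(SAMPLE_SS_OUTPUT, {("tcp", 22)}):
        print(f"exposed {proto} listener on {addr}:{port}")
```

On a real device the input would come from `subprocess.run(["ss", "-Hlntu"], capture_output=True, text=True).stdout`; the parser is kept separate so it can be exercised on captured output in CI without a device present. Telnet on port 23 and the SSDP listener on 1900 are the kind of finding Graham has in mind: services that should not be there at all rather than services that need a firewall rule in front of them.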

“In summary, this law is based upon an obviously superficial understanding of the problem,” the researcher concluded. “It in no way addresses the real threats, but at the same time, introduces vast costs to consumers and innovation.”
