Legislation is the only way to secure the IoT industry

We use connected devices more and more both at home and at work, from wireless routers to connected doorbells and security systems, smart lighting and even clever coffee makers. And it is just the start. In the UK alone, the government has predicted there will be more than 420 million connected devices in the next three years.

Keeping these devices secure is a big issue. Nobody wants their home camera security footage to be hacked, the communications they have with their digital speaker listened into, or their workplace email intercepted. To protect users, the UK Government recently took a step towards greater IoT device security with the release of its Code of Practice for Consumer IoT Security.

A code that 'lacks teeth'

The code is made up of 13 guidelines, laid out in the government's 'Secure by Design' review published by the DCMS and the National Cyber Security Centre (NCSC) in March. The code launched with two named companies in support - HP and Centrica Hive - and later received backing from a handful of other companies, including Samsung. It was hardly a resounding endorsement from a multi-billion pound sector, but it's a start.

More worryingly, the review was criticised at launch by tech experts for 'lacking teeth' due to it being optional.

Talal Rajab, head of cyber and national security at techUK tells us his organisation is "strongly encouraging companies to sign up", and "would expect to see more companies signing up to the Code going forward".

Much of the IoT kit we buy comes from so-called 'white label' makers - producers based outside the UK who make kit or components to be branded and sold by others. This raises questions as to whether a UK-based code would, in fact, have any teeth.

Steffen Sorrell, principal analyst at Juniper Research, argues that some companies we buy from already follow strict codes. "Foxconn, a Taiwanese company, manufactures products that both already follow the code of practice (the iPhone, for example) and are recognised as secure," he explains.

However, he notes that if devices from other, non-compliant companies make their way into the UK IoT ecosystem, it would be almost impossible to hold those manufacturers to account. "In all likelihood, GDPR breaches and fines will be difficult to enforce upon Chinese device manufacturers," says Sorrell. "There will be little incentive to change on the part of low margin, high volume players. The endgame must be legislation if there is to be real impact."

However, to the UK Government's credit, it has already started work on building a global standard through the European Telecommunications Standards Institute (ETSI), based on its own code of practice.

We should note, too, that other nations are also active in this area. For example, California recently moved to introduce a new law that will require manufacturers to program unique default passwords, rather than standardised ones, into every device they make from 1 January 2020.

Covering the basics

So, does the UK's Code of Practice go far enough? Steffen Sorrell explains that while the code is "certainly useful in terms of outlining the basic responsibilities for security and privacy within the value chain," the code itself is rather basic.

"There is nothing within the code that recommends a risk assessment to identify what level of security a device requires," he explains, and nothing about "supply chain trust and agreements."

"Can a component supplier be trusted to maintain a software driver, for example? It is these proprietary software 'blobs' that are often the cause of devices remaining unpatched. Home routers are a case in point here."

He adds that for a national code of practice such as this to be effective, it would need to include more in-depth best practice advice that can be tailored based on target audiences, such as the consumer and industrial markets.

However, techUK's Talal Rajab argues that the Code of Practice is not meant "to provide a panacea to all IoT supported cyber threats affecting all types of IoT products and services", but is instead designed to simply support service providers, app developers and retailers with practical steps.

Retail and public information

The Code of Practice flags just one of its 13 guidelines as primarily relevant to retailers (the protection of personal data). But do retailers have a bigger role to play?

Steffen Sorrell thinks so. "Retailers could play a key role in better informing the consumer. For example, displaying that such and such a product adheres to the guidelines, and is thus recommended as a 'trusted choice' or similar," he explains.

"Technology and security risks have shifted so rapidly over the past decade that few consumers understand security best practices. Products should promote adherence to the code in a fashion that allows the end user to understand its benefits and, perhaps, why they are paying a little more for the product."

As Talal Rajab explains: "The Code shifts the burden for keeping products and services secure away from the consumer, but they clearly have an important role and we need to ensure that they are informed. Retailers are critical to doing so."

Sandra Vogel
Freelance journalist