Government opens consultancy on IoT security laws

Building on the Secure by Design code of practice, the government plans to introduce mandatory security measures for connected devices

The government plans to introduce new laws to ensure internet of things (IoT) devices are better protected from cyber attacks as standard.

IoT devices have been heavily criticised for their inherent lack of security features out of the box; security cameras used by businesses and individuals are often cited as one of the most pervasive vulnerabilities in a network.

The key part of the announcement is the proposed initiative to enforce a mandatory labelling scheme which would closely resemble the CE stickers consumer electronics must bear to show they have met the safety standards of the EU.

According to the Department of Media, Culture and Sport (DCMS), manufacturers of IoT devices such as security cameras, smart fridges and clever coffee makers must meet the IoT security standards as set out by the new laws to bear the IoT label or risk their products being removed from shelves by retailers.

DCMS will be hosting a public consultation to help it better understand the principles on which the new device security standards must be based. The consultation invites anyone who has a strong view on the matter to contribute to the discussion, from business leaders and security analysts to anyone with an interest in the area.

The new laws will aim to extend the reach of the 'Secure by Design' IoT code of practice, a voluntary set of rules that businesses can sign up to abide by, originally launched in October 2018. The rules were quickly adopted by some of the world's largest tech firms including Samsung, HP, Centrica Hive and most recently Panasonic.

The rules were originally criticised for 'lacking teeth' by industry experts such as Kaspersky's David Emm, based on the voluntary nature of adhering to the 13 rules.

"If the government allows manufacturers who comply with the standards to display a clearly-visible mark like the British Standards Institute kitemark, it would provide an easy way for consumers to tell if something is safe, putting manufacturers who don't comply at a disadvantage," said Emm. "One government's guidelines, unless they have teeth, won't solve the problem entirely."

Specifically, the new laws will aim to mandate the top three rules as set out by Secure by Design.

  • IoT device passwords must be unique, with no ability to reset them to factory defaults.
  • Manufacturers will be subject to a vulnerability disclosure policy.
  • Manufacturers must also explicitly inform customers of the minimum length of time for which the device will receive security updates before it goes end of life.

The new laws seem to have taken Emm's advice on board with the labelling idea, one that Dr Ian Levy, technical director at the National Cyber Security Centre (NCSC) described as "innovative".

"Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it's unacceptable that these are not being fixed by manufacturers," said Levy. "This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes."

It's likely that products designed overseas will also have to adapt their manufacturing standards to meet the UK's new laws if they want to remain available to consumers. Foreign products already have to be made bespoke to the UK market due to the EU's CE sticker standards and the British Kitemark.

"The Government's proposals to introduce cybersecurity laws for IoT devices is a step in the right direction in ensuring everyone has the confidence that their data and assets are protected," said Helen Lamprell, general counsel & external affairs director at Vodafone UK. "It's critical that the right technology and the right processes are deployed to answer the concerns of customers seeking to enjoy the benefits of IoT."

The public consultation is now live for anyone who wants to contribute to the discussion and have their views heard. It will remain open for five weeks. The government's overview of the consultation is on its website, where you can also find details of how to participate.

The news follows the government's plans to become a world leader in designing out cyber threats. It announced a 70 million challenge in January inviting businesses to compete for a slice of the prize by designing systems and hardware with security as a primary concern.

Components such as chips with specially designed, security-focused capabilities would be an example of this, and the government hopes they would increase a business's resilience to cyber threats.
