Government opens consultancy on IoT security laws

Building on the Secure by Design code of practice, the government plans to introduce mandatory security measures for connected devices

The government plans to introduce new laws to ensure internet of things (IoT) devices are better protected from cyber attacks as standard.

IoT devices have been heavily criticised for their inherent lack of security features out of the box; security cameras used by businesses and individuals are often cited as one of the most pervasive vulnerabilities in a network.

The key part of the announcement is the proposed initiative to enforce a mandatory labelling scheme which would closely resemble the CE stickers consumer electronics must bear to show they have met the safety standards of the EU.

According to the Department of Media, Culture and Sport (DCMS), manufacturers of IoT devices such as security cameras, smart fridges and clever coffee makers must meet the IoT security standards as set out by the new laws to bear the IoT label or risk their products being removed from shelves by retailers.

DCMS will be hosting a public consultation to help it better understand the principles on which the new device security standards must be based. The consultation invites anyone with a strong view on the matter to contribute to the discussion, from business leaders and security analysts to anyone with an interest in the area.

The new laws will aim to extend the reach of the 'Secure by Design' IoT code of practice, a voluntary set of rules that businesses can sign up to abide by, originally launched in October 2018. The rules were quickly adopted by some of the world's largest tech firms including Samsung, HP, Centrica Hive and most recently Panasonic.

The rules were originally criticised for 'lacking teeth' by industry experts such as Kaspersky's David Emm, based on the voluntary nature of adhering to the 13 rules.

"If the government allows manufacturers who comply with the standards to display a clearly-visible mark like the British Standards Institute kitemark, it would provide an easy way for consumers to tell if something is safe, putting manufacturers who don't comply at a disadvantage," said Emm. "One government's guidelines, unless they have teeth, won't solve the problem entirely."

Specifically, the new laws will aim to mandate the top three rules as set out by Secure by Design.

  • IoT device passwords must be unique, and the ability to reset them to factory defaults must be removed.
  • Manufacturers will be subject to a vulnerability disclosure policy.
  • Manufacturers must also explicitly inform customers of the minimum length of time for which the device will receive security updates before it goes end of life.

The new laws seem to have taken Emm's advice on board with the labelling idea, one that Dr Ian Levy, technical director at the National Cyber Security Centre (NCSC) described as "innovative".

"Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it's unacceptable that these are not being fixed by manufacturers," said Levy. "This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes."

It's likely that products designed overseas will also have to adapt their manufacturing standards to meet the UK's new laws if they want to remain available to consumers. Foreign products already have to be made bespoke to the UK market due to the EU's CE sticker standards and the British Kitemark.

"The Government's proposals to introduce cybersecurity laws for IoT devices is a step in the right direction in ensuring everyone has the confidence that their data and assets are protected," said Helen Lamprell, general counsel & external affairs director at Vodafone UK. "It's critical that the right technology and the right processes are deployed to answer the concerns of customers seeking to enjoy the benefits of IoT."

The public consultation is now live for anyone who wants to contribute to the discussion and have their views heard; it will remain open for five weeks. You can see the government's overview of the consultation on its website, where you can also find details of how to participate.

The news follows the government's plans to become a world leader in designing out cyber threats. It announced a 70 million challenge in January inviting businesses to compete for a slice of the prize by designing systems and hardware with security as a primary concern.

Components such as chips with specially designed, security-focused capabilities would be an example of this, and the government hopes that they would increase a business' resilience to cyber threats.
