Government opens consultancy on IoT security laws
Building on the Secure by Design code of practice, the government plans to introduce mandatory security measures for connected devices
The government plans to introduce new laws to ensure internet of things (IoT) devices are better protected from cyber attacks as standard.
IoT devices have been heavily criticised for their inherent lack of security features out of the box; security cameras used by businesses and individuals are often cited as one of the most pervasive vulnerabilities in a network.
The key part of the announcement is the proposed initiative to enforce a mandatory labelling scheme which would closely resemble the CE stickers consumer electronics must bear to show they have met the safety standards of the EU.
According to the Department of Media, Culture and Sport (DCMS), manufacturers of IoT devices such as security cameras, smart fridges and clever coffee makers must meet the IoT security standards as set out by the new laws to bear the IoT label or risk their products being removed from shelves by retailers.
DCMS will be hosting a public consultation to help them better understand the principles on which the new device security standards must be made. The public consultation invites anyone who has a strong view on the matter to contribute to the discussion, from business leaders, security analysts or anyone with an interest in the area.
The new laws will aim to extend the reach of the 'Secure by Design' IoT code of practice, a voluntary set of rules that businesses can sign up to abide by, originally launched in October 2018. The rules were quickly adopted by some of the world's largest tech firms including Samsung, HP, Centrica Hive and most recently Panasonic.
The rules were originally criticised for 'lacking teeth' by industry experts such as Kasperksy's David Emm, base don the voluntary nature of adhering to the 13 rules.
"If the government allows manufacturers who comply with the standards to display a clearly-visible mark like the British Standards Institute kitemark, it would provide an easy way for consumers to tell if something is safe, putting manufacturers who don't comply at a disadvantage," said Emm. "One government's guidelines, unless they have teeth, won't solve the problem entirely."
Specifically, the new laws will aim to mandate the top three rules as set out by Secure by Design.
- IoT device passwords must be unique and remove the ability to reset to factory defaults.
- Manufacturers will be subject to a vulnerability disclosure policy
- Manufacturers also must explicitly inform customers of the minimum length of time for which the device will receive security updates before it goes end of life.
The new laws seem to have taken Emm's advice on board with the labelling idea, one that Dr Ian Levy, technical director at the National Cyber Security Centre (NCSC) described as "innovative".
"Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it's unacceptable that these are not being fixed by manufacturers," said Levy. "This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes."
It's likely that products designed overseas will have to adapt their manufacturing standards also to meet the UK's new laws if they want to remain available to consumers. Foreign products already have to be made bespoke to the UK market due to the EU's CE sticker standards and the British Kitemark also.
"The Government's proposals to introduce cybersecurity laws for IoT devices is a step in the right direction in ensuring everyone has the confidence that their data and assets are protected," said Helen Lamprell, general counsel & external affairs director at Vodafone UK. "It's critical that the right technology and the right processes are deployed to answer the concerns of customers seeking to enjoy the benefits of IoT."
The open public consultation is now live for anyone to go and contribute to the discussion and have their views heard - it will remain open for five weeks. You can see the government's overview of the consultation on its website where you can also find details of how to participate.
The news follows the government's plans to become a world leader in designing out cyber threats. It announced a 70 million challenge in January inviting businesses to compete for a slice of the price by designing systems and hardware with security as a primary concern.
Components such as chips with specially designed, security-focused capabilities would be an example of this and the government hopes that it would increase a business' resilience to cyber threats.
Choosing a collaboration platform
Eight questions every IT leader should askDownload now
Performance benchmark: PostgreSQL/ MongoDB
Helping developers choose a databaseDownload now
Customer service vs. customer experience
Three-step guide to modern customer experienceDownload now
Taking a proactive approach to cyber security
A complete guide to penetration testingDownload now