Digital Minister Matt Warman has announced that the government is set to introduce new legislation that would put the onus of securing IoT devices against cyber attacks on the manufacturers of such devices.
The new legislation will be introduced “as soon as possible” considering that billions of new IoT devices, such as televisions, cameras, home assistants and their associated services, will be used for consumer or business applications by 2025.
The new legislation is expected to make it mandatory for IoT device manufacturers to ensure that device passwords are unique and not resettable to any universal factory setting, to provide a public point of contact so that anyone can report a vulnerability and have it acted on in a timely manner, and to explicitly state at the point of sale, either in store or online, the minimum length of time for which the device will receive security updates.
“We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology. Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety. It will mean robust security standards are built in from the design stage and not bolted on as an afterthought,” said Digital Minister Matt Warman.
Plans for the new legislation were drawn up by the Department for Digital, Culture, Media and Sport (DCMS) following the conclusion of a consultation process around enhancing the security of IoT devices that was initiated in May 2019.
Nicola Hudson, Policy and Communications Director at the NCSC, said that the new legislation will give shoppers increased peace of mind that the technology they are bringing into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past.
Government spending millions to enhance the security of IoT devices
In January last year, the government promised to invest up to £70 million through its Industrial Strategy Challenge Fund to support research into building security and protection solutions into hardware and chip designs at the development stage, thereby signalling its intent to promote ‘security by design’ for all IoT devices used by businesses and individuals.
At the same time, the government also promised to invest a further £30 million to ensure the safety and security of Internet-connected smart devices, 420 million of which would be deployed across the UK by 2022.
The following month, the government promised to invest up to £6 million in firms that could come up with new ideas to enhance the security of IoT devices.
“Innovate UK has up to £6 million to invest in organisations with ideas that address industry-focused cyber security-related challenges. The investment forms part of the UK Research and Innovation Strategic Priorities Fund, which supports the highest priorities identified by researchers and businesses.
“It is part of a set of measures by UK government to build increased security and protections into digital devices and online services. As well as this programme, this includes an up to £70 million investment through the Industrial Strategy Challenge Fund to tackle digital security by design,” said the government in a press release.
In October, the government announced that it will invest £36 million in a fresh partnership with ARM to develop a new chip design that will protect devices from cyber attacks and will foil hackers’ attempts at remotely taking control of computer systems.
Commenting on the partnership, ARM said that the new £36 million investment by the UK government will be used to develop the Morello Board, a hardware prototype that will enable industry partners to assess the security benefits of a range of prototype architectural features in real-world scenarios.
“Creating the Morello prototype board commits Arm to more than £50 million worth of engineering and research. The ultimate goal is to design a new Arm-based platform that will make it far harder for bad actors to take full control of a computer system - even if they manage to hack it,” the company said.