The government has launched fresh consultations as a prelude to a new regulatory framework that will make it mandatory for IoT device manufacturers to make their products secure by design by incorporating security into such products at the design stage.
The upcoming laws to regulate the sale of IoT devices that feature security vulnerabilities will essentially make it binding on manufacturers to stop the use of universal default passwords in consumer IoT products, ensure that there is a contact point for security researchers to report vulnerabilities, and also ensure that consumers must be informed of the minimum length of time for which security updates will be provided for their devices.
It was in March last year that the government introduced its first Security By Design Report in collaboration with the National Cyber Security Centre (NCSC) and industry specialists. The purpose of the report was to call for IoT device manufacturers to take greater responsibility to implement security mechanisms into their products.
The report outlined 13 steps to improve the security of consumer IoT devices that included the eradication of default passwords, making it possible for consumers to delete their personal data stored in IoT devices, making devices resilient to outages, and updating software automatically with clear advice for consumers.
Government to spend up to £100 million on IoT device security
Earlier this year, to demonstrate its seriousness towards the security of IoT devices, the government promised to invest up to £70 million through its Industrial Strategy Challenge Fund to support research into the infusion of security and protection solutions into hardware and chip designs at the development stage.
At the same time, the government has also promised to invest a further £30 million to ensure the safety and security of Internet-connected smart devices, 420 million of which would be deployed across the UK within the next three years.
The additional £30 million investment will also be used as part of the government’s Ensuring the Security of Digital Technology at the Periphery programme and will be used to ensure the safety and security of IoT devices and in finding solutions to combine cyber and physical safety and security with human behaviour, influence new regulatory response and validate and demonstrate novel approaches.
“We want the UK to be a safer place to live and work online. We’re moving the burden away from consumers to manufacturers, so strong cyber security is built into the design of products. This funding will help us work with industry to do just that, improving the strength and resilience of hardware to better protect consumers from cyber-attacks,” said Digital Minister Margot James.
All IoT devices in the future could be secure by design
On Wednesday, Margot James announced that the government is launching fresh consultations as a prelude to a new regulatory framework that will make it mandatory for IoT device manufacturers to make their products secure by design by incorporating security into such products at the design stage.
“Whilst Government have previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design. So today we are launching our consultation on regulatory next steps for consumer IoT, which builds on the extensive work that we have done to date with industry,” she said when addressing attendees at the IET conference.
“Companies such as HP, Centrica Hive, Panasonic and Green Energy Options have all pledged their public support for the Code and we encourage other manufacturers and retailers to follow suit. But many of the internet-connected devices currently on the market still lack even the most basic cyber security provisions. This is unacceptable. The Government has a duty of care to its citizens, to help make sure they can access and use the internet safely,” she added.
Describing the ambit of the upcoming regulations, James said that the government will mandate security requirements for IoT devices by first forbidding the use of universal default passwords in consumer IoT products, forcing manufacturers to ensure that there is a contact point for security researchers to report vulnerabilities, and ensuring that consumers are informed of the minimum length of time for which security updates are provided for their devices.
Security labels for IoT products also on the cards
James also noted that even though UK consumers already care a lot about their personal security and privacy, they are, at present, unable to make informed choices as they are not being provided easy access to important information concerning the security of the products they are looking to purchase.
To address this, she said that the government is also mulling the introduction of a “voluntary labelling scheme” that will help consumers differentiate between products that have basic security provisions and those that do not.
Commenting on the government’s intention to ensure that all IoT devices sold in the future will be secure by design, Yossi Naar, co-founder and chief visionary officer at Cybereason, said that even though it will be unpopular among vendors, the proposed legislation is a very good idea, is reasonable and easy to execute.
“For a long time there has been a vocal and ongoing discussion within the white-hat community about governments stepping in to ensure that manufacturers and software vendors are working together to fix the vulnerabilities as quickly as possible. We’ll see how this discussion and future debates play out in the coming years.
“Overall, the lack of clear disclosure procedures is actively harming the security of these devices and the motivation of qualified researchers to use their skills to help vendors (some might even turn to the dark side and sell these vulnerabilities on the dark-web). While I don’t think regulation should specify some form of remuneration – it would be wise to encourage it (wise by the vendors),” he added.