Digital Minister – ‘Industry’s voluntary approach to IoT security is not working’

By Derek du Preez, May 2, 2019
Summary:
The government has launched a consultation on how manufacturers can better secure Internet-of-Things (IoT) products.

The Department for Digital, Culture, Media and Sport (DCMS) has this week announced that it is launching a consultation looking at how it can regulate industry to better secure Internet-of-Things (IoT) devices.

Digital Minister Margot James gave a speech at the IET conference in London, where she said that whilst the government had hoped a voluntary approach to IoT security would work, over time this has proven not to be the case.

The consultation states that the government continues to see “significant shortcomings in many products in the market”. Its aim is to “restore transparency within the market” and to ensure “manufacturers are clear and transparent with consumers by sharing important information with consumers”.

Working with the National Cyber Security Centre, DCMS is now consulting on proposals for new mandatory industry requirements.

James said:

“When you look at what makes a world leading digital economy then cyber security is a crucial component of this.

“And as data driven technologies become more and more widely adopted, cyber security is an issue that should concern policymakers all across the world.

“Because the consequences of a major breach could be catastrophic. Forecasts vary, but some suggest that by next year, there will be an estimated twenty billion internet connected devices worldwide.

“The cyber security of these products is now as important as the physical security of our homes. Secure by design Organisations need to be taking care of their customers.”

The consultation

The Digital Minister said that the most effective way to secure the products is to make sure that they are “secure by design” and that security should not be an afterthought. Everything should be embedded.

DCMS’s ambition is that the following security requirements be made mandatory in the UK:

  • All IoT device passwords should be unique and should not be resettable to any universal factory default value
  • The manufacturer should provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues
  • Manufacturers will explicitly state the minimum length of time for which the product will receive security updates

The government is also considering mandating retailers to only sell consumer IoT products that have an IoT ‘security label’; mandating retailers to only sell consumer IoT products that adhere to the above guidelines; or mandating retailers to only sell consumer IoT products with a label that evidences compliance with all 13 guidelines of the Code of Practice.

James said:

“Many of the internet-connected devices currently on the market still lack even the most basic cyber security provisions. This is unacceptable. The Government has a duty of care to its citizens, to help make sure they can access and use the internet safely.

“Whilst Government have previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design.

“We are advocating a staged approach to regulation which will increase the baseline level of security within products whilst also providing manufacturers with sufficient time to implement the proposals.

“But mandating security requirements based on the code’s top three guidelines is just the first step in the legislative journey.”