Ministers move to make current guidelines a legal requirement

The UK government has proposed new laws to improve the security of Internet of Things (IoT) devices – connected products that include everything from home voice controllers to ‘smart’ refrigerators.

Under the new rules, manufacturers would be required to provide secure, unique passwords for each connected device, while removing the ability for them to be restored to factory settings.

Vendors would also be expected to offer a point of contact to enable customers to report security vulnerabilities in products.

And manufacturers must explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.

The laws, proposed by the Department for Digital, Culture, Media & Sport (DCMS), would make mandatory the previously voluntary guidelines issued by the government in the ‘Secure by Design’ code of practice, introduced in October 2018.

A consultation will also determine whether IoT products must be clearly labelled to spell out to customers how secure they are.

The bill was put forward today by Margot James MP, minister for digital and the creative industries, who said: “The Internet of Things represents a new chapter of how technology becomes more common in our homes, making people’s lives easier and more enjoyable.

“Forecasts vary, but some suggest that by next year, there will be an estimated twenty billion internet connected devices worldwide.

“In the UK alone, it is estimated that ownership of smart devices could rise to 15 devices per household within the next twelve months.

“The cybersecurity of these products is now as important as the physical security of our homes. Secure by design organizations need to be taking care of their customers.”

James told how companies including HP, Centrica Hive, and Panasonic have already thrown their weight behind the code of practice, voluntary guidelines launched last year by the department.

Security dialogue

David Rogers, CEO of IoT security consultancy firm Copper Horse, developed the original guidelines for connected devices and was a key figure in writing the new proposal.

He told The Daily Swig: “We’ve had a lot of contribution and support from all quarters, but I think most importantly from the security research community – the hacking world.

“Many of the long list of people around the world that I’ve spoken to, listened to, or read their work have been banging this drum for many years.

“In their own ways, they are fighting the good fight and have a passion to ensure people are not harmed, and that companies making money from producing insecure products are called out, speaking truth to power.”

“Right from the start I was keeping a list of things that were in the ‘too hard’ or ‘not right now’ category, and we promised to review the code of practice every two years,” he added.

More ideas may well be put forward during a consultation period on the government’s plans.

“This review also may also mean further measures from the existing code being put into legislation,” Rogers continued.

“In terms of new things, there were emerging issues that many of us felt that we could or should tackle. I personally would like to see us look at the issues that come from controlling and coercive behaviour.

“Smart home and other IoT technologies are being used by domestic abusers, and I feel that we need to say something about that in order that designers can consider these factors when creating IoT products.

“These types of socio-technical issues are new, but in my view we should not be frightened of tackling them head on.”

Quality control

As for whether the law will actually be enforced – granted it passes through parliament – Rogers is confident that mainstream manufacturers will want to follow suit – but said he is wary of ‘cowboy’ vendors.

He said: “All across the world, people are saying the same thing, manufacturers are already realising that we’re in a new world. In fact, those manufacturers that already have secure software development lifecycles and are acting responsibly towards consumers probably already conform to the vast majority of the code of practice.

“It’s the cowboy vendors out there that we need to be worried about. We’ll see during the consultation period about the regulatory and legislative options what the feedback is, but those items I mentioned are very easy to measure and that is important when it comes to enforcement.”

A consultation period will run until June 5. Anyone can share their views on the proposal.