Internet of Things – DCMS consultation on security for consumers
What are the Government’s proposals for ensuring the security of everyday items which are always connected to the internet (Internet of Things)?
The Department for Digital, Culture, Media and Sport (DCMS) launched a consultation on proposed security measures for everyday products with internet connectivity, which closed on 5 June 2019. It sets out proposals for increasing security in products at source as well as providing clear information to consumers to allow them to take their own security steps.
Proposals include a mandatory labelling scheme. This would require devices to be sold with the information required to secure the product. Without a compliant label, they could not be sold.
The consultation also incorporated the key security requirements set out in the current “Secure by Design” code of practice for consumer IoT security (as launched last year). This requires that:
- IoT device passwords must be unique to each device and must not be resettable to any universal factory default value
- manufacturers of IoT products must provide a public point of contact, in order to facilitate disclosure of vulnerabilities
- manufacturers must explicitly state the minimum period for which security updates will be provided, together with an end-of-life policy for the product in question.
Following the consultation, the plan is for the labelling scheme to be entered into on a voluntary basis initially, with further regulation to follow once the responses to the consultation have been considered. An alternative proposal is to prohibit the sale of items which do not comply with the key requirements (as above) of the “Secure by Design” code of practice.
Why is this important?
Previous approaches in this area have firmly left the onus on consumers themselves to ensure that the products they use are secure from cyber-attack. Due to a widespread lack of expertise and appreciation of risk in this area, this has led to significant weaknesses. With connected devices becoming increasingly part of the infrastructure in homes and in businesses, it is important that baseline levels of security are included in products, at source by the manufacturers, who are better able to assess the risks and counter the threats.
Any practical tips?
IoT manufacturers who want to get ahead of the curve would do well to start thinking about the voluntary labelling scheme. The more industry can move on a voluntary, rather than regulated, basis the more IoT developers will be able to retain a level of flexibility as the IoT revolution takes hold. Above all, they should adopt a security by design approach. Privacy infringements will not go down well with the regulators who may well be itching to try to keep IoT under control before it really takes off.