Government tightens law around IoT cyber security

Rigorous new legislation is set to protect the security and privacy of millions of users of internet of things (IoT) devices across the UK under plans drawn up by the Department for Digital, Culture, Media and Sport (DCMS).

Announced today by digital minister Matt Warman, the law will force manufacturers of smart connected devices to adhere to a set of stringent cyber security requirements.

“We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology,” said Warman.

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety.

“It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”

As proposed in the original DCMS consultation held in the spring of 2019, the legislation will contain three key rules: that all consumer IoT device passwords must be unique, and not resettable to any factory setting; that IoT device manufacturers must have a public point of contact for anybody to report a vulnerability, and that reports are quickly acted upon; and that manufacturers must explicitly state a minimum length of time for which devices will receive security patches when sold.

The measures were developed with input from industry and the UK’s National Cyber Security Centre (NCSC), and DCMS said they would set new standards for best practice requirements for those that make and sell smart, connected devices to consumers.

The legislation builds on a voluntary Secure by Design code of practice for consumer IoT goods, which the government introduced back in 2018. The first of its kind in the world, the code sets the standard for stronger security measures to be designed into IoT products, and is backed by, among others, Centrica Hiva, HP Inc Geo and Panasonic.

A globally applicable standard based on the UK’s has since been published by European standards body ETSI.

DCMS said the government hoped to further develop legislation that protects consumers more effectively, is easily implemented by end-users, and still supports the long-term growth of the IoT.

Nicola Hudson, policy and communications director at the NCSC, said the legislation should be hugely welcomed. “It will give shoppers increased peace of mind that the technology they are bringing into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past,” she said.

Matthew Evans, director of markets at TechUK, added: “Consumer IoT devices can deliver real benefits to individuals and society, but TechUK’s research shows that concerns over poor security practices act as a significant barrier to their take-up.

“TechUK is therefore supportive of the government’s commitment to legislate for cyber security to be built into consumer IoT products from the design stage. TechUK has been working on these three principles for the past four years.

John Moor, managing director of the IoT Security Foundation, said: “Over the past five years, there has been a great deal of concern expressed toward vulnerable consumers and inadequate cyber security protection.

“Understanding the complex nature of IoT security and determining the minimum requirements has been a challenge, yet after a thorough and robust consultation, those baseline requirements have now been universally agreed.

“The IoT Security Foundation welcomes the results of the consultation as it not only provides clarity for industry, but is great news for consumers and bad news for hackers.”