The Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) are unveiling details of proposed legislation that will write mandatory cyber security requirements for smart devices into UK law.
DCMS and the NCSC are now seeking views on the scope of the rules, what the industry will need to do to comply with them, and an overview of industry guidance, alongside what powers could be granted to a designated enforcement body.
These powers could include the ability to temporarily ban the supply or sale of a product during testing; the ability to permanently ban insecure products if a breach is identified; the ability to serve a recall notice compelling manufacturers to take back insecure products; the ability to apply for court orders to confiscate or even destroy insecure products; and the ability to issue penalty fines directly to businesses that break the law.
“This is a significant step forward in our plans to help make sure smart products are secure and people’s privacy is protected,” said digital minister Matt Warman.
“I urge organisations to respond to these proposals so we can make the UK the safest place to be online with pro-innovation regulation that inspires consumer confidence in our tech products.
“People should continue to change default passwords on their smart devices and regularly update software to help protect themselves from cyber criminals,” said Warman.
“People are at risk because fundamental security flaws in their connected devices are often not fixed – and manufacturers need to take this seriously,” added Ian Levy, technical director of the NCSC.
“We would encourage all consumer device manufacturers to make their views heard and help us ensure the technology people bring into their homes is as safe and secure as possible.”
As previously reported, the proposed legislation will have three core requirements: unique device passwords that cannot be reset to factory settings; a designated public point of contact at manufacturers for vulnerability reporting; and clear information stating the minimum length of time for which the device will receive security updates.
These three tenets already form the nucleus of a voluntary code of practice introduced in 2018 and are also being incorporated into a global standard through the European Telecommunications Standards Institute (ETSI).
British Retail Consortium (BRC) assistant director Graham Wynn welcomed the latest consultation. “IoT products are quickly growing in popularity, but most people still do not realise the dangers to personal data from smart products that are insecure. We welcome practical proposals from the government based on the three rigorous requirements to ensure that consumers’ safety and privacy are protected,” he said.
“TechUK has continually supported government’s efforts to ensure IoT products are secured at the design stage, starting in 2018 with the Secure-by-Design Code of Practice and now through this legislation,” added TechUK CEO Julian David.
“This important step will help ensure consumers are sufficiently protected, building trust and driving wider adoption across this growing sector, which can ultimately improve the lives of UK citizens,” he said.