Regulatory proposal on mandatory IoT security label
Retailers will only be able to sell items with an Internet of Things (IoT) security label which would tell consumers how secure their products are
The Department for Digital, Culture, Media and Sport (DCMS) is consulting on regulatory proposals regarding consumer Internet of Things (IoT) security on options including a mandatory new IoT security label.
DCMS has consulted with experts at the National Cyber Security Centre (NCSC) and across the public and private sector to determine which aspects of the Code of Practice for Consumer IoT Security should be made mandatory in the first instance, balancing the need to deliver an effective baseline that protects consumers whilst also minimising the additional burden on industry.
Following the consultation, the security label will initially be launched as a voluntary scheme to help consumers identify products that have basic security features and those that don’t.
Digital Minister Margot James said: “Many consumer products that are connected to the internet are often found to be insecure, putting consumers’ privacy and security at risk. Our Code of Practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought.
“These new proposals will help to improve the safety of internet-connected devices and are another milestone in our bid to be a global leader in online safety.”
The UK government takes the issue of consumer IoT security very seriously, according to the DCMS.
The press release from DCMS says: “As the technological advances of the 21st century continue to accelerate, consumers are bringing more and more ‘smart’ devices (i.e. consumer IoT products) into their homes, such as smart TVs, internet connected toys, smart speakers and smart washing machines. The Internet of Things (IoT, also known as ‘internet-connected’ or ‘smart’ products) is already being used across a range of industries and it is delivering significant benefits to the lives of its users.
“In the future the number of more developed consumer Internet of Things products and services will increase. These devices will be able to anticipate and meet their users’ needs and will be able to tailor information specifically to them across everything from home energy to security. This will offer users the opportunity to live more fulfilling lives; saving time, effort and money.
“As with all new technologies, there are risks. Right now, there are a large number of consumer IoT devices sold to consumers that lack even basic cyber security provisions. This situation is untenable. Often these vulnerable devices become the weakest point in an individual’s network, and can undermine a user’s privacy and personal safety. Compromised devices at scale can also pose a risk for the wider economy through distributed denial of service (DDoS) attacks such as the Mirai botnet in October 2016.”
Mirai scans the internet for IoT devices that run on the ARC processor, which runs a stripped-down version of the Linux operating system. If the device’s default username and password have not been changed, Mirai is able to log in and infect it.
The Mirai botnet employed a hundred thousand hijacked IoT devices to bring down Dyn.
DCMS has previously stated its preferred approach, whereby industry self-regulates to address these issues, while making clear that it would consider regulation where necessary. In October 2018 it published a Code of Practice for Consumer IoT Security, alongside accompanying guidance, to help industry implement good security practices for consumer IoT.
Despite providing industry with these tools, DCMS continues to see significant shortcomings in many products on the market.
DCMS recognises that security is an important consideration for consumers. A recent survey of 6,482 consumers has shown that when purchasing a new consumer IoT product, ‘security’ is the third most important information category (higher than privacy or design) and among those who didn’t rank ‘security’ as a top-four consideration, 72% said that they expected security to already be built into devices that were already on the market. It’s clear that there is currently a lack of transparency between what consumers think they are buying and what they are actually buying.
There is a need to restore transparency within the market, and to ensure manufacturers are clear and transparent with consumers by sharing important information about the cyber security of a device, meaning users can make more informed purchasing decisions.
One of the core aims of the consultation is to listen to feedback on the various implementation options DCMS has developed in partnership with industry and stakeholders. These include the following three options:
Later this year, the security label will initially be run on a voluntary basis until regulation comes into force. The government will decide which measures to take forward into legislation after analysing the responses received through this consultation.
Any regulation will need to mature over time, and additional information on this approach is set out in the consultation-stage impact assessment, ‘Mandating security requirements for consumer IoT products’.
Not long ago, the House of Lords Communications Committee had recommended a new regulatory framework for digital services in the UK as part of the government’s Internet Safety Strategy.
Cyber security plays an important role if consumers and businesses are to reap the benefits of IoT devices.
Peter Carlisle, Vice President at nCipher Security said: “Consumers and businesses are discovering and benefiting from the opportunities the IoT provides each day. Yet, IoT devices have also become one of the most vulnerable entry points for attackers. The IoT exposes consumers and businesses to new security vulnerabilities due to its increased network connectivity and the devices within it not being secured by design. It is so vast and complex that finding data protection solutions which can span across the entire network, providing scalable encryption key management and not impeding data analytics can be a serious challenge.
“By encouraging ‘Security by Design’ and introducing a new labelling system to tell users whether an IoT device can be trusted, the proposed legislation signals a positive step in the right direction. It could ensure that security is baked into IoT devices, protecting both businesses and consumers from the offset and going a step further than the voluntary ‘code of practice’ announced last year.
“After all, when it comes to cybersecurity prevention is always better than a cure.”