In response to what the government has identified as significant shortcomings in the security of consumer internet of things (IoT) devices, the government is consulting on proposals to regulate their security.
The consultation is aimed at a broad range of entities connected with the IoT, ranging from device manufacturers and IoT service providers to mobile application developers and retailers.
Risks and regulation
There are inevitable security risks associated with IoT devices. Particular concerns include the use of identical or hard-coded default passwords and a lack of regular software updates. Often these vulnerable devices become the weakest point in an individual's home network and can undermine a user's privacy and personal safety. Compromised devices at scale can also pose a risk to the wider economy through distributed denial of service (DDoS) attacks, such as the attacks carried out by the Mirai botnet in October 2016.
In response to these risks, the government published a code of practice (the code) in October 2018. The code was intended to improve the security of consumer IoT devices, with a view to the industry self-regulating and voluntarily adopting high standards.
However, having identified continued significant shortcomings in the security of IoT devices, the government is now consulting on making certain security measures contained in the code mandatory. In doing so, the government has consulted with the National Cyber Security Centre, and across the public and private sector, in order to balance the need to set an effective standard that protects consumers while minimising the additional burden on industry.
What are IoT devices?
An IoT or smart device is, in its broadest sense, any device that is able to transfer data over a network. Popular examples include smart televisions, internet-connected toys, smart speakers and even smart appliances such as refrigerators that are able to monitor content levels or ovens that can be controlled remotely.
The government also identified a lack of transparency between what consumers think they are buying and what they are actually buying. The proposals in the consultation relate to affixing security labels to IoT devices, primarily in order to evidence compliance with the following top three security measures set out in the code:
- IoT device passwords must be unique and not resettable to a universal default.
- IoT device manufacturers must provide a public point of contact as part of a vulnerability disclosure policy.
- IoT device manufacturers must state the minimum length of time for which the product will receive security updates.
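The first of these measures is the one most often misunderstood: a per-device password printed on the label is not enough if a factory reset puts every unit back on the same value. The following Python is an added illustration (not code from the consultation or from any manufacturer) of the weak pattern beside a compliant one. It assumes a hypothetical per-unit secret, `unit_secret`, generated at the factory and kept in protected storage on the device; the serial numbers and the `"admin"` default are constructed values.

```python
"""Added example: 'unique and not resettable to a universal default' in code."""
import base64
import hashlib
import hmac
import secrets


class VulnerableDevice:
    """Ships with a shared default and restores it on factory reset.

    This is the pattern Mirai-style botnets scan for: one credential unlocks
    every unit ever sold.
    """

    UNIVERSAL_DEFAULT = "admin"  # constructed example value

    def __init__(self, serial):
        self.serial = serial
        self.password = self.UNIVERSAL_DEFAULT

    def factory_reset(self):
        self.password = self.UNIVERSAL_DEFAULT


class CompliantDevice:
    """Derives the password from a per-unit secret, so a reset re-derives
    this unit's own password rather than a fleet-wide default."""

    def __init__(self, serial, unit_secret):
        self.serial = serial
        # Hypothetical: 32 random bytes provisioned per unit at the factory
        # and stored in protected storage (secure element, fused OTP, etc.).
        self._unit_secret = unit_secret
        self.password = self._derive()

    def _derive(self):
        # Keyed with the per-unit secret, NOT a fleet-wide key. A fleet key
        # combined with a public serial or MAC address would let anyone who
        # recovers the key from one unit recompute every unit's password.
        tag = hmac.new(
            self._unit_secret,
            b"initial-password:" + self.serial.encode(),
            hashlib.sha256,
        ).digest()
        # 80 bits rendered as 16 base32 characters: printable on the label.
        return base64.b32encode(tag[:10]).decode()

    def factory_reset(self):
        self.password = self._derive()


def provision(serial):
    """Factory step: mint the unit's secret and return the device together
    with the password to print on that unit's label."""
    dev = CompliantDevice(serial, secrets.token_bytes(32))
    return dev, dev.password


def all_unique(devices):
    """True if no two devices in the fleet share a password."""
    return len({d.password for d in devices}) == len(devices)


def reset_keeps_unit_password(dev):
    """True if a factory reset leaves the device on its own labelled password."""
    before = dev.password
    dev.factory_reset()
    return dev.password == before


if __name__ == "__main__":
    bad = [VulnerableDevice(f"SN-{i:04d}") for i in range(3)]
    good = [provision(f"SN-{i:04d}")[0] for i in range(3)]
    print("vulnerable fleet shares one password:", not all_unique(bad))
    print("compliant fleet passwords unique:", all_unique(good))
    print("compliant reset restores unit's own password:",
          reset_keeps_unit_password(good[0]))
```

The check a manufacturer self-assessing against this measure should be able to answer is the one `reset_keeps_unit_password` encodes: after a reset, is the device on a value known only to whoever holds that unit's label, or on a value shared with every other unit?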
The consultation includes proposed designs for security labels and outlines three different options for retailers to adhere to when selling IoT devices:
- Devices must have an IoT security label implemented by the manufacturer which states whether or not the device complies with the top three security measures described above, as self-assessed by the manufacturer. This is stated to be the government’s preferred option.
- Devices must adhere to the top three security measures, as self-assessed by the manufacturer.
- Devices must have a label that evidences compliance with all 13 security measures contained in the code, as self-assessed by the manufacturer.
Impact for businesses
The consultation highlights how IoT security clearly remains high on the government’s agenda. The proposals help to bring the UK a small step closer to its bid to being “the global leader in online safety” and ensuring that it “is secure and resilient to cyber threats, prosperous and confident in the digital world”, the latter being one of the aims of the national cyber security strategy.
The proposals also form part of a range of wider government initiatives to protect consumers' privacy and online security and to cement consumer trust in the use of new and emerging technologies. These are sentiments that the IoT industry has also recognised in recent discussions with the Department for Digital, Culture, Media & Sport about cyber security.
Given the collaborative way in which the proposals have been put together with industry stakeholders, and that all three proposed options are based on the existing voluntary code, the requirements set out in the consultation are likely to be familiar to those in the IoT supply chain to whom they will apply. Manufacturers already have to grapple with "data protection by design and by default" and "security of processing" under the General Data Protection Regulation (679/2016/EU), and so must consider privacy and security risks, and the appropriate measures, at the outset of a project or product development rather than as an afterthought.
The government's preferred security labelling option appears to be a middle ground between the other two options. It seeks to empower consumers to make an informed decision about the devices they are buying, rather than, for example, leaving the decision in the hands of retailers. The transparency afforded by the labelling scheme should also make security a differentiator in the market, with consumers preferring more secure products. Much of the onus in the government's preferred option therefore appears to rest principally with:
- The IoT manufacturers and their suppliers to self-assess product compliance.
- The retailers to sell only compliant products.
While the proposed standards intend to balance consumer protection against minimising the additional burden on industry, it will be interesting to see how well smaller, less sophisticated market entrants will be able to comply with these new mandatory requirements in practice.
Cyber security experts have commented that the government's proposals are a good start. However, it remains to be seen whether stakeholders will seek to dilute the strength of the proposed options during the consultation process, particularly in light of any feedback following the introduction of the security labelling on a voluntary basis in the meantime.
The government is seeking feedback on all aspects of the consultation by 5 June 2019. The government intends to introduce the security labelling on a voluntary basis, pending the outcome of the consultation and any legislative changes made to implement the proposals coming into force.
The consultation document is published on GOV.UK.
A version of this article appeared first in the June edition of PLC Magazine.