The UK government has indicated it may regulate the internet of things (IoT) industry if the voluntary code of practice published yesterday fails to address a rampant lack of security in the market.
The Department of Culture, Media and Sport (DCMS), which leads on cyber-security, published guidance on Sunday 14 October addressing security in consumer-grade IoT. The guidance aims to ensure that products are secure by design and to help users make their devices more secure. It was developed in conjunction with the National Cyber Security Centre (NCSC).
The code – which contains 13 guidelines for securing IoT devices and will be reviewed every two years – is being hailed by the DCMS as a world first, but it must be viewed in the context of a global clamour to address the gaping holes in IoT security and the explosion in the number of products which are being internet-enabled.
The US state of California recently passed a law effectively banning weak and default passwords in devices.
The publication of the ‘Code of practice for consumer IoT security’ follows an informal consultation which ran from 7 March, when the Secure by Design report was published, to 25 April.
"Our ambition is for appropriate aspects of the Code of Practice to be legally enforceable and the UK Government has commenced work to map out the impacts of regulatory intervention and to consider which aspects of regulatory change are necessary with further details to be shared in due course," the government said in its consultation response.
Future action from DCMS may include introduction of a consumer labelling scheme which could involve either a binary kitemark system or an information label with text and icons to convey information about product features. Further information will be published in spring 2019, the department promised.
IoT devices: Untested and dangerous
Analysis by Tom Reeve, deputy editor
Security is often the last thing on manufacturers’ minds as they race to get new products on the market, and the evidence is that consumers don’t really care.
Lack of consumer demand and desultory enforcement of existing standards has meant there is little incentive for improvement.
The number of devices is set to explode. According to research firm Gartner, there were six billion IoT devices worldwide in 2015, but this is set to rocket to 150 billion by 2030 – approximately 15 for every person on the planet.
Users expect to be able to connect these devices to any network including those at work. Even if CISOs are able to apply restrictive policies on the connection and use of these devices, in reality they often become part of the growing menace of shadow IT.
Organisations attempting to protect data in line with their GDPR obligations will find it leaking out of multiple devices through no fault of their own.
The Code of Practice is a good first step, but the question is whether the government will ultimately have to step in to regulate.
The alternative is relying on the public to absorb a complex security message which goes against their instincts to acquire the newest, flashiest internet-enabled toys.
Feedback from the consultation welcomed the guidelines which were developed in consultation with industry but questioned how the government would enforce them and specifically whether this would involve regulation.
The government has produced a 200-page mapping document which links each of the 13 guidelines to existing standards and guidelines in the industry.
And the industry has responded to the code with its own mapping and assurance exercises. Examples include:
- The Internet of Things Security Foundation (IOTSF) has published a document which maps each of the guidelines against its IoT security guidance.
- The British Standards Institution (BSI) has developed an IoT security assurance scheme to enable manufacturers to test the compliance of products against IoT security recommendations.
- The GSMA Association has also developed IoT security guidelines and an assessment scheme.
The government has also sought to blunt the demand for regulation by showing how some of the guidelines are supported by existing legislation:
- The Data Protection Act 2018 and the General Data Protection Regulation (GDPR) already support guidelines 4, 5, 8, 9, 10, 11 and 13 in the code.
- The Consumer Rights Act 2015 supports guidelines 1 and 6.
- The Protection from Unfair Trading Regulations 2008 supports guideline 3.
Ilia Kolochenko, CEO of High-Tech Bridge, told SC Magazine UK: "Non-binding guidelines are certainly helpful, however, they are unlikely to make substantial changes. Moreover, most of the IoT manufacturers are located abroad in developing countries and will continue to care about costs rather than customers’ privacy or security."
Kolochenko said the government must regulate the IoT market. "Most of the manufacturers do not even adhere to the bottom line of security," he said. "Urgent regulatory intervention is required to protect our society before it becomes too late and expensive."
Andy Kays, CTO at threat detection and response specialist Redscan, said the code will help to improve security awareness, but he questioned how much it would improve standards. "To have a real positive impact, we need to ensure that there is improved cooperation on a global level and do more to help organisations prioritise security across the complete development lifecycle," he said.
Larger organisations are signing up to the code but smaller companies have less incentive to do so, Kays said. "New manufacturers and start-ups don’t have the same level of brand equity as more established organisations so there may be a tendency to take bigger risks in order to get products to market – and this can mean that cyber-security risks are less of a concern," he said.
Gavin Millard, VP of intelligence at Tenable, told SC Magazine UK, "Virtually all consumers are so used to buying a device, ripping the wrapping off and not giving a moment’s thought to the cyber-security implications of their new shiny toy."
Ollie Whitehouse, global chief technical officer at NCC Group, said: "Although challenges still remain within the realm of connected devices, it’s encouraging to see the solid foundations that have been laid by DCMS and NCSC. It is now up to all of us to think further about how we drive the adoption of the code’s principles and encourage investment in the security development lifecycle from the outset, to secure smart devices now and in the future."
James Wickes, CEO and co-founder of cloud-based visual surveillance company Cloudview, said, "Who will check that the manufacturers who have signed up to the code have actually implemented it across all their products? I’m sure they will have the best intentions, but there should be some kind of government lab or initiative to test products, and the information needs to be shared and acted on. In my view there should also be a grading system, as certain connected devices will need a higher level of security than others, and it needs to be internationally recognised."
Duncan Jones, head of research at Thales eSecurity, said, "With consumers prioritising convenience and functionality over security – six in ten (57 percent) do not change the default security settings on their digital assistants – it's down to manufacturers to ensure security is embedded into devices from the point of creation. As we move forward, we expect security to play an enormous role in allowing the IoT ecosystem to reach its full potential."
"Whilst this is a step in the right direction, more can – and should – be done to protect businesses," said Gary Cox, technology director at Infoblox. "Our recent report revealed over a third (35 percent) of companies in the US, UK and Germany reported more than 5,000 personal devices – ranging from smartphones to personal computers and laptops – connect to the corporate network each day, demonstrating the scale of the vulnerability. With security being costly, there’s a possibility more devices will connect to professional networks, increasing the risk that they’re used for ransomware, data exfiltration and other forms of cyber-attack."