The UK government has published a consultation document on the proposed regulation of consumer IoT devices. The consultation is not designed to see whether regulation is necessary, but to help the government “make a decision on which measures to take forward into legislation.”
The UK’s first preference is always for self-regulation, which rarely, if ever, works — no business welcomes limiting its own activities when its competitors might not. The failure of self-regulation is normally followed by legislative compulsion. In October 2018, the UK published a Code of Practice for IoT Security, but says now (PDF), “Despite providing industry with these tools to help address these issues, we continue to see significant shortcomings in many products on the market.”
The proposal and intent is to make three security requirements mandatory. These are, unique passwords at sale; a published point of contact as part of a vulnerability disclosure process; and a public statement on the minimum length of time during which the device will receive security updates.
The government is wary of placing too many burdens on manufacturers and vendors that might dampen innovation in the market. For this reason, it has simply selected the top three guidelines from the 13 contained in last year’s Code of Practice. Vendors should consider, however, that the initial legislation will be expanded over time — indeed, the government says, “It is our intention to mandate further requirements from the Code as part of staged approach to regulation.”
The attraction of these initial requirements is that they are easy to implement, easy to enforce, and “would protect consumers from many of the most significant and numerate risks (such as the Mirai botnet attack in 2016).” It should not be forgotten that thousands of compromised consumer devices can deliver major attacks against business.
The UK is also exploring a security labeling option that it intends to make compulsory. There are three options open for discussion. In each case the onus is on the manufacturer providing the relevant label — self-certified — with the retailer only allowed to sell products correctly labeled. The three options are a simple security label; a label confirming conformance to the top three guidelines from the Code of Practice; and a label confirming conformance to all 13 guidelines.
The government’s preferred option is the first. This would remain valid regardless of how many of the 13 guidelines become mandatory, nor how long it takes to introduce them into legislation.
The intention is to create Primary legislation that gives the Secretary of State for the Department for Digital, Culture, Media and Sport (DCMS) the ability to expand the legislation at will, subject only to further consultation. Once the Primary legislation becomes law, no further parliamentary vote will be required for its expansion.
The UK’s plans are generally welcomed by the security industry. “The initial proposals will focus on three areas, weak passwords, security updates and vulnerability disclosures,” comments Tom Gaffney, principal consultant at F-Secure. “From a security perspective we agree that these are major issues in the world of IoT threats today. As many as one third of IoT attacks abuse weak passwords and legislating to fix this basic issue can only be a good thing.î
Nevertheless, there is a strong belief that the currently published proposals can only be the beginning. Nick Buchanan, CTO at Armor Scientific, believes that it must be incumbent on the manufacturer rather than the consumer to be responsible for security. But he does not believe that the current plans go far enough.
“While the UKís legislative proposal is laudable, it is insufficient for protecting against IoT cyber-attacks,” he told SecurityWeek. “If manufacturers are left to self regulate their security practices, such legislation may fall short of its intended goal… we support the notion of third-party verification where devices are independently tested, similar to how other products receive certification from Underwriter Labs for electrical safety.”
Terence Jackson, CISO at Thycotic, also believes the regulations should go further. “I would like to see standardized vulnerability ratings on product packaging that would at a glance let a consumer know the cyber hygiene or threat level a device could introduce to their networks. Would you eat at a restaurant that was rated a C by a health inspector or would you move on and look for one with an A or B?”
What is clear from this UK government document is that the UK will introduce regulations on the sale of consumer IoT devices, and that while the initial regulation will be light, it will inevitably expand over time. If it proves successful, it could become a blueprint for other nations — what an international manufacturer can do for the UK market, it could also do for other markets.
Related: EU Telecommunications Standards Institute Publishes IoT Security Standard
Related: NIST Working on Global IoT Cybersecurity Standards