In 2019 the UK government consulted on regulatory proposals for consumer IoT security. It set out the need to restore transparency within the market, especially between manufacturers and consumers, by ensuring information about the security requirements built into products is more clearly communicated. The government has now published the outcome of the consultation and ultimately intends to introduce legislation.
The consultation covered whether the UK government should assume powers to regulate the security of consumer IoT products. Other questions examined core proposals on security requirements within consumer IoT products, considering the risk of dampening innovation and avoiding placing a heavy burden on UK manufacturers and retailers.
Many devices have basic flaws like default passwords, and many manufacturers do not transparently communicate to their consumers how long the device will be supported by security updates or what to do if a vulnerability is identified. There is clear consensus that regulation is needed to bring about sufficient change to protect individuals and the wider economy from harm.
The UK government says that it has taken on board respondents’ feedback on what the defined roles and expectations of participants in the supply chain should be and what the implications could be for specific parties. It has commissioned further analysis work to understand and gather evidence on the effects of its proposed regulatory approach on consumers, retailers, manufacturers and relevant actors within the supply chain.
In February 2019, ETSI published Technical Specification 103 645, based on the UK’s Code of Practice for Consumer IoT Security. This is the first globally applicable technical standard for consumer IoT security. ETSI are currently working on transposing the TS into a European Standard.
The government encourages manufacturers to implement all thirteen guidelines of the Code within their products and processes, where appropriate. However, it focuses on three guidelines in particular:
- IoT device passwords must be unique and not resettable to any universal factory setting.
- Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
- Manufacturers of IoT products explicitly state the minimum length of time for which the device will receive security updates.
These three requirements will be reflected in the proposed legislation.
Feedback also highlighted the need for additional options to assess the security of products to encourage transparency across the supply chain. To address this, the government will examine whether it is feasible for manufacturers to provide retailers with information about whether their products adhere to guidelines in the Code of Practice/ETSI TS. The UK government recognises that certain guidelines will not apply to all consumer IoT devices. Accordingly, there needs to be flexibility in how the Code’s guidelines are met.
The government is not mandating that an end of life policy for the product be published, but it is advocating that the product comes with information about the minimum length of time for security updates.
The government encourages the supply chain to use tools and guidance already available, that is, industry led assurance and certification schemes that best meet their price point and are consistent with the Code. The government hopes that this approach will not only reduce costs for the manufacturer, but also help avoid some unintended barriers to market for conscientious manufacturers of all sizes.
Responses to the consultation have also reinforced the government’s view that consumers should not be expected to assess the security of the devices that they purchase. The information is not readily available or easily accessible, and many make the (incorrect) assumption that all devices are already ‘safe’ because they are for sale through trusted forums or marketplaces. The government is conducting further policy development on how UK retailers (or those selling into the UK) can best evidence security information to consumers at the point of sale, whilst still ensuring minimum disruption for the supply chain.
The government says that it will continue to engage with industry as proposals develop and will be commissioning further evidence work over the coming months to better understand the effects of all proposed regulatory options on secondary markets as well as on small and micro firms.
Respondents felt that enforcement action would naturally fall within Trading Standards’ existing role for consumer protection in the UK. The government is working to better understand how this regulation could be effectively enforced through existing UK agencies and will continue to do so in the coming months.
Next steps
The UK government takes the issue of consumer IoT security very seriously and appreciates the urgent need to move the expectation away from consumers securing their devices and instead ensure that strong cyber security is built into these products by design.
The government will conduct further research to develop regulatory options based on the Code of Practice and ETSI TS. It will also carry out work to determine the most appropriate way to communicate security information to consumers.
The government intends to take a staged approach to mandating further security requirements to ensure that regulation is keeping pace with technological change and the threat landscape. This staged approach will involve reviewing the Code every two years and amending it as required. The government will publish a final stage regulatory impact assessment later in 2020.