Government plans new laws to mandate minimum security standards for consumer IoT devices
Government expected to push for legal recognition of emerging TS 103 645 global IoT security standard
The government is planning new laws mandating minimum security requirements for Internet of Things (IoT) devices.
The proposal comes in the government's response to the Regulatory Proposals for Consumer Internet of Things (IoT) security consultation, which had been launched last year.
The aim of the consultation had been to identify the best options for improving security of consumer IoT devices, although regulation had been clearly on the agenda when the consultation was launched in May 2019.
"Many of the internet-connected devices currently on the market still lack even the most basic cyber security provisions," wrote Matt Warman, Minister for Digital and Broadband in the Department for Digital Culture, Media and Sport (DCMS) in his foreword to the government's response.
He continued: "Over 90 per cent of 331 manufacturers, supplying the UK market, reviewed in 2018 did not possess a comprehensive vulnerability disclosure programme up to the level we would expect.
"Breaches involving connected devices are increasingly becoming common, simply because manufacturers had not built important security requirements, such as using unique credentials, into their products."
The government, he added, had previously urged the industry to adopt a voluntary code, but "it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design".
In response to the question, "Do you agree that the Government should take powers to regulate on the security of consumer IoT products?", the government responded:
"A worrying number of devices on the market still have basic flaws like default passwords, and too many manufacturers do not transparently communicate to their consumers how long the device will be supported by security updates or who to contact in the event of a vulnerability being identified.
"There is clear consensus that regulation in this space is needed in order to bring about sufficient change to protect citizens and the wider economy from harm…
"It is important to note that in addition to developing our plans for regulation, we continue to be active in the international standards space. In order to protect UK citizens, and the broader economy from harm, we know that there will need to be alignment at an international level.
"In February 2019, ETSI published TS 103 645, based on the Code of Practice for Consumer IoT Security [introduced in October 2018], this is the first globally applicable technical standard for consumer IoT security. ETSI are currently working on transposing the Technical Specification (TS) into a European Standard (EN).
The government, Warman added, was planning "a robust and staged approach" to enforcing better security on device makers, working with authorities in the US, Canada, Australia and New Zealand, as well as with European institutions.
Regulation has been a long time coming, with the European Commission launch on a consultation with a view to developing a regulatory framework back in April 2012.