The UK Government has developed a “Secure by Design review” in collaboration with the National Cyber Security Centre, manufacturers and retailers. The review focusses on how to ensure consumer internet of things (“IoT”) products and associated services are sufficiently secure. As products become increasingly connected, security breaches threaten to move from an inconvenience or economic risk to a safety risk. Regulators recognise this trend and it underpins an increased emphasis on security across the globe. We expect to see efforts to ensure alignment across global markets on these issues.
The review anticipates a fundamental shift in the approach to managing cyber risks. In particular, the review proposes a draft Code of Practice, aimed primarily at consumer IoT product manufacturers, which has “thirteen practical steps to improve the cyber security of consumer IoT”. Those developing smart devices will be expected to embed security in those products that is for life, and not “bolted on” as an “afterthought”. However, the draft Code provides some flexibility on the meaning of life. Manufacturers must state, with reasons, the minimum length of software support for their products.
The draft Code proposes the following thirteen practical steps and suggests which stakeholders hold primary responsibility for each step. They are designed to address two key risks: (1) the risk to individuals whose devices are compromised and (2) the malicious use of those hacked devices to destabilize the broader network. The stakeholders are: the device manufacturer, IoT service provider, mobile application developer and retailer. The list is set out in order of importance, and the top three “should be addressed as a matter of priority”:
- No default passwords
- Implement a vulnerability disclosure policy
- Keep software updated
- Securely store credentials and security-sensitive data
- Communicate securely
- Minimise exposed attack surfaces
- Ensure software integrity
- Ensure that personal data is protected
- Make systems resilient to outages
- Monitor system telemetry data
- Make it easy for consumers to delete personal data
- Make installation and maintenance of devices easy
- Validate input data
The final version of the Code is expected to be published in Summer 2018 – in the meantime, the Government is seeking further input on this published draft.
In addition to the draft Code, the review outlines proposed measures that the Government would take forward throughout 2018. These include voluntary labelling schemes, information sharing and guidance, providing training and professional development, considering regulatory options and more – all with a view to improving consumer and professional awareness and ensuring the issues are dealt with at the appropriate regulatory or legislative level.
Got feedback on the review? Stakeholders are invited to contribute via firstname.lastname@example.org until the 25th April.
The press release can be found here: https://www.gov.uk/government/news/new-measures-to-boost-cyber-security-in-millions-of-internet-connected-devices
The review can be found here: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/686089/Secure_by_Design_Report_.pdf