Legislation is the only way to secure the IoT industry
Industry experts say the Government's Code of Practice will struggle to protect against unsafe devices from abroad
We use connected devices more and more both at home and at work, from wireless routers to connected doorbells and security systems, smart lighting and even clever coffee makers. And it is just the start. In the UK alone, the government has predicted there will be more than 420 million connected devices in the next three years.
Keeping these devices secure is a big issue. Nobody wants their home camera security footage to be hacked, the communications they have with their digital speaker listened into, or their workplace email intercepted. To protect users, the UK Government recently took a step towards greater IoT device security with the release of its Code of Practice for Consumer IoT Security.
A code that 'lacks teeth'
The code is made up of 13 guidelines, laid out in the government's 'Secure by Design' review published by the DCMS and the National Cyber Security Centre (NCSC) in March. The code launched with two named companies in support - HP and Centrica Hive - and later received backing from a handful of other companies, including Samsung. It was hardly a resounding endorsement from a multi-billion pound sector, but it's a start.
More worryingly, the review was criticised at launch by tech experts for 'lacking teeth' because compliance is voluntary.
Talal Rajab, head of cyber and national security at techUK tells us his organisation is "strongly encouraging companies to sign up", and "would expect to see more companies signing up to the Code going forward".
Much of the IoT kit we buy comes from so-called 'white label' makers - producers based outside the UK who make kit or components to be branded and sold by others. This raises questions as to whether a UK-based code would, in fact, have any teeth.
Steffen Sorrell, principal analyst at Juniper Research, argues that some companies we buy from already follow strict codes. "Foxconn, a Taiwanese company, manufactures products that both already follow the code of practice (the iPhone, for example) and are recognised as secure," he explains.
However, he notes that if devices from other, non-compliant companies make their way into the UK IoT ecosystem, it would be almost impossible to hold those manufacturers to account. "In all likelihood, GDPR breaches and fines will be difficult to enforce upon Chinese device manufacturers," says Sorrell. "There will be little incentive to change on the part of low margin, high volume players. The endgame must be legislation if there is to be real impact."
However, to the UK Government's credit, it has already started work on building a global standard through the European Telecommunications Standards Institute (ETSI), based on its own code of practice.
We should note, too, that other nations are also active in this area. For example, California recently moved to introduce a new law that will require manufacturers to program unique default passwords, rather than standardised ones, into every device they make from 1 January 2020.
Covering the basics
So, does the UK's Code of Practice go far enough? Steffen Sorrell explains that while the code is "certainly useful in terms of outlining the basic responsibilities for security and privacy within the value chain," the code itself is rather basic.
"There is nothing within the code that recommends a risk assessment to identify what level of security a device requires," he explains, and nothing about "supply chain trust and agreements."
"Can a component supplier be trusted to maintain a software driver, for example? It is these proprietary software 'blobs' that are often the cause of devices remaining unpatched. Home routers are a case in point here."
He adds that for a national code of practice such as this to be effective, it would need to include more in-depth best practice advice that can be tailored based on target audiences, such as the consumer and industrial markets.
However, techUK's Talal Rajab argues that the Code of Practice is not meant "to provide a panacea to all IoT supported cyber threats affecting all types of IoT products and services", but is instead designed to simply support service providers, app developers and retailers with practical steps.
Retail and public information
The Code of Practice flags just one of its 13 guidelines as primarily relevant to retailers (the protection of personal data). But do retailers have a bigger role to play?
Steffen Sorrell thinks so. "Retailers could play a key role in better informing the consumer. For example, displaying that such and such a product adheres to the guidelines, and is thus recommended as a 'trusted choice' or similar," he explains.
"Technology and security risks have shifted so rapidly over the past decade that few consumers understand security best practices. Products should promote adherence to the code in a fashion that allows the end user to understand its benefits and, perhaps, why they are paying a little more for the product."
As Talal Rajab explains: "The Code shifts the burden for keeping products and services secure away from the consumer, but they clearly have an important role and we need to ensure that they are informed. Retailers are critical to doing so."