Government opens consultation on IoT security laws

Graphic representation of IoT devices in businesses

The government plans to introduce new laws to ensure internet of things (IoT) devices are better protected from cyber attacks as standard.

IoT devices have been heavily criticised for their inherent lack of security features out of the box; security cameras used by businesses and individuals are often cited as one of the most pervasive vulnerabilities in a network.

The key part of the announcement is the proposed initiative to enforce a mandatory labelling scheme which would closely resemble the CE stickers consumer electronics must bear to show they have met the safety standards of the EU.

According to the Department of Media, Culture and Sport (DCMS), manufacturers of IoT devices such as security cameras, smart fridges and clever coffee makers must meet the IoT security standards as set out by the new laws to bear the IoT label or risk their products being removed from shelves by retailers.

DCMS will be hosting a public consultation to help it better understand the principles on which the new device security standards should be based. The consultation invites anyone with a strong view on the matter to contribute to the discussion, from business leaders and security analysts to anyone with an interest in the area.

The new laws will aim to extend the reach of the 'Secure by Design' IoT code of practice, a voluntary set of rules that businesses can sign up to abide by, originally launched in October 2018. The rules were quickly adopted by some of the world's largest tech firms including Samsung, HP, Centrica Hive and most recently Panasonic.

The rules were originally criticised for 'lacking teeth' by industry experts such as Kaspersky's David Emm, based on the voluntary nature of adhering to the 13 rules.

"If the government allows manufacturers who comply with the standards to display a clearly-visible mark like the British Standards Institute kitemark, it would provide an easy way for consumers to tell if something is safe, putting manufacturers who don't comply at a disadvantage," said Emm. "One government's guidelines, unless they have teeth, won't solve the problem entirely."

Specifically, the new laws will aim to mandate the top three rules as set out by Secure by Design.

  • IoT device passwords must be unique, and the ability to reset them to a factory default must be removed.
  • Manufacturers will be subject to a vulnerability disclosure policy.
  • Manufacturers must also explicitly inform customers of the minimum length of time for which the device will receive security updates before it goes end of life.

The new laws seem to have taken Emm's advice on board with the labelling idea, one that Dr Ian Levy, technical director at the National Cyber Security Centre (NCSC) described as "innovative".

"Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it's unacceptable that these are not being fixed by manufacturers," said Levy. "This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes."

It's likely that products designed overseas will also have to adapt their manufacturing standards to meet the UK's new laws if they are to remain available to consumers. Foreign products already have to be made bespoke to the UK market because of the EU's CE sticker standards and the British Kitemark.

"The Government's proposals to introduce cybersecurity laws for IoT devices are a step in the right direction in ensuring everyone has the confidence that their data and assets are protected," said Helen Lamprell, general counsel & external affairs director at Vodafone UK. "It's critical that the right technology and the right processes are deployed to answer the concerns of customers seeking to enjoy the benefits of IoT."

The open public consultation is now live for anyone to go and contribute to the discussion and have their views heard - it will remain open for five weeks. You can see the government's overview of the consultation on its website where you can also find details of how to participate.

The news follows the government's plans to become a world leader in designing out cyber threats. It announced a £70 million challenge in January inviting businesses to compete for a slice of the prize by designing systems and hardware with security as a primary concern.

Components such as chips with specially designed, security-focused capabilities would be an example of this, and the government hopes it would increase businesses' resilience to cyber threats.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.