The UK Government Department for Digital, Culture, Media &
Sports (DCMS)
has announced plans to introduce a new law aimed at ensuring
that internet-connected products are secure by design, and protecting users
from the threat of cyber-attacks.
The proposed new law, announced by DCMS on 27 January 2020, will require that:
- all
consumer internet-connected devices have unique passwords that are not
resettable to any universal factory setting;
- manufacturers
of consumer internet-connected devices provide a public point of contact
for vulnerabilities to be reported, which will be responded to in a timely
manner; and
- manufacturers of consumer internet-connected devices explicitly state the minimum length of time for which the device will receive security updates.
Typical consumer internet-connected (IoT) devices include smart televisions, cameras, home assistants and other smart devices. These three requirements will apply to all such devices sold in the UK.
According to the Government response, the new law is a response to concerns that despite the rapid increase in the use of internet-connected devices, and the associated cyber security risks, many devices currently on the market lack even basic cyber security provisions.
Failure to build in important security requirements (such as unique credentials) exposes consumer devices to vulnerability and has resulted in an increasing number of breaches involving internet-connected products. The Government notes that, based on some forecasts, by 2025 there will be 75 billion internet-connected devices worldwide and 10-15 devices per UK household.
To safeguard against cyber security risks in an increasingly internet-connected market, the Government believes that manufacturers must be held responsible for ensuring cyber security by design. The EU General Data Protection Regulation (GDPR) imposes obligations to implement data protection by design and default, and to take appropriate technical measures to ensure data is processed securely. The UK Government’s proposal puts flesh on these bones in the context of connected devices, by setting out some practical steps necessary to achieve a basic level of security.
This marks a decisive shift away from the UK Government’s previous position which encouraged the industry to adopt a voluntary approach. However, it follows a number of steps previously taken by the Government to encourage stronger industry practice, including supporting the European Telecommunications Standards Institute to develop the first global industry standard on good practice for cyber security in internet-connected devices (TS 103 645), and launching the Secure by Design Code of Practice for IoT Security which was similarly aimed at driving manufacturers to ensure that security is built into products before they reach UK consumers.
The DCMS suggests that it has proposed a robust and staged approach towards regulating the security of internet-connected devices, and is working with partners abroad to create international alignment on security related to internet-connected products. Therefore, whilst the requirements proposed under the new law are a first step towards government regulation of internet-connected device security, given the pace of technological change and evolving threat landscape, it is likely that this issue will remain an area of focus and we anticipate that the Government will mandate further requirements in the future.
