It’s not just the EU that’s working on a new set of rules for cybersecurity (see ENISA outlines new cybersecurity rules for service providers and OTTs). The UK’s DCMS (Department for Culture, Media and Sport) has now outlined a set of proposals developed in conjunction with the UK’s National Cyber Security Centre (NCSC).
“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety,” said the Minister for Digital and Broadband Matt Warman.
The proposed legislation will require IoT devices sold in the UK to follow three rules:
- Passwords must be unique and not resettable to a universal factory setting
- Manufacturers of consumer IoT devices must provide a point of contact so that consumers can easily report vulnerabilities, and those reports must be acted upon in a timely fashion
- The minimum term for receiving security updates must be made clear to consumers at the point of sale – whether that’s in a store or online.
The proposed new regulations could ban devices from the UK that do not follow these principles.
This is not the first time the UK government has acted on IoT security, though. In October 2018, it introduced the ‘Secure by Design Code of Practice’ for IoT developers, although this was a voluntary code with no enforcement behind it.
This move signals several things. Firstly, it indicates that the UK intends to have a set of laws similar to those proposed by the EU going forward. In essence, this is a piece of pro-UK, me-too PR following on from the ENISA announcements, saying ‘we will have similar laws with or without the EU’. Secondly, it indicates that the UK government is well aware of increasing IoT adoption, and also of IoT vulnerabilities. Finally, it shows that the government considers manufacturers and businesses supplying such devices and services to be responsible for ensuring their customers are safe and secure.
B2B service providers should consider their services in this area in light of both this announcement and that of ENISA. Fully managed services for IoT devices, ensuring they function as intended and remain both connected and secure, are a promising area of future revenue generation, as is the ability to manage such provisions for smaller business customers. As the range and volume of devices increases, it will become increasingly difficult for smaller businesses and consumers to manage IoT connectivity and security themselves. In particular, keeping devices connected and fixing faults quickly is set to become an ever-more thorny issue. This makes fully managed IoT services attractive if provided at the right price.
Security is essential and workable rules must be set in place. However, it would be a shame if smaller businesses and community IoT groups such as ours in Brighton were forced out of IoT experimentation.
It's an interesting conundrum - it's sensible for government to want IoT device providers and businesses to ensure basic security arrangements, but you're right to ask where the line lies. If lay people and very small businesses are building or customising their devices, then will there be the same expectations/rules as for very big firms? I guess asking you to have a unique password isn't hard for you to comply with, but the proposed reporting arrangements might be. We must ensure that a benign set of rules doesn't turn into an albatross around the necks of individuals and small community organisations, because that would impede innovation.