The roll-out of 5G networks is ramping up with limited services available in parts of the US and South Korea. 2019 will see the launch of 5G in selected cities across the UK. This new, much faster, mobile connectivity will support a proliferation of internet-enabled devices. With expected benefits in terms of reduced latency and much greater capacity, many expect to see a proliferation of Internet of Things (IoT) devices as 5G becomes a reality.
It is timely, then, to review market practice and the regulation of cyber security in connected devices. Building on its October 2018 Code of Practice for Consumer IoT Security, the UK Government is consulting on new rules to bring an enhanced level of security to consumer IoT products and services. (Note that the proposed legal changes would not affect industrial IoT.) Those likely to be affected are:
- device manufacturers
- IoT service providers (cloud and network services packaged as part of an IoT solution)
- developers of mobile apps that form part of an IoT solution
- retailers selling to consumers.
The 2018 Code, and the corresponding ETSI standard (Technical Specification 103 645), brought together thirteen outcome-focused guidelines based on current best practice. However, the Government considers that a self-regulation model has not achieved sufficient improvements, and that legal changes are needed to adequately protect purchasers. The new proposal is for mandatory industry requirements to ensure that smart devices sold to consumers offer at least a basic level of cyber security.
Research carried out as part of the project showed that 72% of consumers expected a degree of security to be built into the IoT devices they buy on the market; the reality currently falls short.
The proposed rules identify three areas of focus, corresponding with the top three guidelines in the Code of Practice and ETSI standard:
- passwords: IoT devices should have unique passwords that cannot be reset to a universal factory default value.
- transparency: manufacturers should offer a public point of contact for reporting security vulnerabilities.
- lifespan: manufacturers should state the minimum period during which the product will receive security updates.
What options are under consideration?
How the regulations will work will be influenced by stakeholder feedback. The options under consideration include obligations on retailers to sell IoT products to consumers only if:
- the product carries a positive or negative security label indicating whether or not it complies with the top three guidelines set out in the Code of Practice and ETSI standard, with compliance self-declared by the manufacturer;
- the product adheres to the top three guidelines; or
- the product complies with all thirteen guidelines.
Manufacturers would self-declare compliance and add an appropriate security label to packaging. Label design is included as part of the consultation.
A new compliance burden
These plans place the main burden of compliance on manufacturers, who must assess the compliance of their products, and on retailers, who must ensure that non-compliant products are not sold. The detailed obligations and sanctions for non-compliance are not set out, although respondents are invited to comment on what fines and other penalties would be appropriate. The Government currently favours Option A, taking the view that it strikes the right balance between consumer protection and placing a new compliance burden on innovative businesses.
You can comment on the proposals here, until 5 June 2019.