Legislation for the cyber security of smart consumer devices

The government wants your views on a law to protect consumers who buy devices that connect to the Internet of Things.

The UK government has published proposals for a new law that will help protect millions of smart device users from cyber criminals. A call for views on these legislative proposals for the cyber security of consumer smart products has been made by the UK’s DCMS.

Building on momentum

In cyber security, we all share an ambition to move towards a world where all consumer smart devices meet important security requirements, and all consumers and the wider economy can be better protected from harm. There is some good momentum to build on: 

  • In March 2018, the DCMS first published the Code of Practice for Consumer IoT Security, calling out important security principles that all manufacturers and retailers should adopt. 

  • In May 2019, they held a consultation on regulation proposals. They considered the option of mandating a security label, mandating the entire Code of Practice for Consumer IoT Security, or mandating the ‘priority’ top three aspects within it. The responses to this consultation showed widespread support for a legislative baseline to enable the IoT to grow safely, and also showed support to mandate the three security requirements outright, which are listed below. 

    • Device passwords must be unique and not resettable to any universal factory setting. 

    • Manufacturers must implement a means to manage reports of vulnerabilities.

    • Information stating the minimum length of time for which the device will receive security updates must be provided to customers.

  • In January 2020, DCMS published its response to this consultation, and reiterated their commitment to protecting citizens from the harms that vulnerable smart devices can bring. 

In parallel, DCMS have been working with global standards bodies, most notably ETSI, to further refine this approach through robust feedback with industry, academia and other governments. In February 2019, ETSI published Technical Specification 103 645, and in June 2020, following a voting process with representatives from over 20 national standards organisations, published ETSI EN 303 645.

Share your knowledge on IoT security

The government is asking for your opinions via its Call for Views survey. The Call for Views gives a great deal more detail on:

  • the scope of products the legislation would apply to
  • the security requirements that the UK government is proposing to mandate
  • a proposed enforcement approach

The Call represents a vital opportunity for the DCMS to test their proposed approach, and for stakeholders to give them feedback in order to build a regulatory framework that is world-leading, promotes innovation, and protects consumers. 

Cyber security professionals are encouraged to participate. The DCMS point out that it is only with the input of a diverse range of organisations that their regulatory framework can be as comprehensive and robust as possible, and as such, they will welcome feedback on their approach.

The DCMS also wish to celebrate the many organisations who do prioritise the security of their products and the safety of their users. In the coming months, there could well be opportunities for further public statements, and also engagement with Ministers. Organisations wishing to find out more about adding their support are asked to get in touch with Thomas Keelan (thomas.keelan@dcms.gov.uk).

Further information

Links to relevant assets are given below:

Copyright Lyonsdown Limited 2021
