Legislation for the cyber security of smart consumer devices

The government wants your views on a law to protect consumers who buy devices that connect to the Internet of Things.

The UK government has published proposals for a new law that will help protect millions of smart device users from cyber criminals. A call for views on these legislative proposals for the cyber security of consumer smart products has been made by the UK's DCMS.

Building on momentum

In cyber security, we all share an ambition to move towards a world where all consumer smart devices meet important security requirements, and all consumers and the wider economy can be better protected from harm. There is some good momentum to build on: 

  • In March 2018, the DCMS first published the Code of Practice for Consumer IoT Security, calling out important security principles that all manufacturers and retailers should adopt. 

  • In May 2019, they held a consultation on regulation proposals. They considered the option of mandating a security label, mandating the entire Code of Practice for Consumer IoT Security, or mandating the ‘priority’ top three aspects within it. The responses to this consultation showed widespread support for a legislative baseline to enable the IoT to grow safely, and also showed support to mandate the three security requirements outright, which are listed below. 

    • Device passwords must be unique and not resettable to any universal factory setting. 

    • Manufacturers must implement a means to manage the report of vulnerabilities.

    • Information stating the minimum length of time for which the device will receive security updates must be provided to customers.

  • In January 2020, DCMS published its response to this consultation, and reiterated their commitment to protecting citizens from the harms that vulnerable smart devices can bring. 

In parallel, DCMS have been working with global standards bodies, most notably ETSI, to further refine this approach through robust feedback with industry, academia and other governments. In February 2019, ETSI published Technical Specifications 103 645, and in June 2020, following a voting process with representatives from over 20 national standards organisations, published ETSI EN 303 645

Share your knowledge on IoT security

The government is asking for your opinions via its Call for Views survey. In the Call for Views, there is a great deal more detail:

  • the scope of products the legislation would apply to
  • the security requirements that the UK government is proposing to mandate
  • a proposed enforcement approach

The Call represents a vital opportunity for the DCMS to test their proposed approach, and for stakeholders to give them feedback in order to build a regulatory framework that is world-leading, promotes innovation, and protects consumers. 

Cyber security professionals are encouraged to participate. The DCMS point out that it is only with the input of a diverse range of organisations that their regulatory framework can be as comprehensive and robust as possible, and as such, they will welcome feedback on our approach. .   

The DCMS also wish to celebrate the many organisations who do prioritise the security of their products and the safety of their users. In coming months, there could well be upcoming opportunities for further public statements, and also engagement with Ministers. Organisations wishing to find out more about adding their support are asked to get in touch with Thomas Keelan (thomas.keelan@dcms.gov.uk).

Further information

Links to relevant assets are given below:

MORE ABOUT: ,