DCMS report on cyber security for the Internet of Things
What are the risks associated with the Internet of Things and what needs to be done to make the Internet of Things safer for consumers?
The background
While the increasing connectivity via the Internet of Things (IoT) is championed by the DCMS as a “fantastic opportunity” for the UK, concerns have been raised over its security. Rapid uptake in devices such as smart thermostats, smart lighting and intelligent speakers paired with the fact that many lack basic cyber security has led to two primary risks being identified:
- consumer security, privacy and safety is being undermined by the vulnerability of individual devices; and
- the wider economy faces an increasing threat of large scale cyber-attacks launched from large volumes of insecure IoT devices.
In the report the DCMS notes that the government must “ensure that individuals are able to access and benefit from connected technologies safely, confident that adequate security and privacy measures are in place to protect their online activity”. The report advocates a “secure by design” approach to consumer IoT security which means that security measures should be embedded in the design process rather than bolted on afterwards. This secure by design approach follows five guiding principles; reducing burden, transparency, measurability, facilitating dialogue and resilience.
In the report the DCMS notes that the government must “ensure that individuals are able to access and benefit from connected technologies safely, confident that adequate security and privacy measures are in place to protect their online activity”. The report advocates a “secure by design” approach to consumer IoT security which means that security measures should be embedded in the design process rather than bolted on afterwards. This secure by design approach follows five guiding principles; reducing burden, transparency, measurability, facilitating dialogue and resilience.
The development
This report was commissioned as part of the government’s wider National Cyber Security Strategy (outlining the government’s cyber security ambition over a five year period). The review upon which this report is based was done in close collaboration with industry and was primarily focused on the development of a “Code of Practice” (Code) for those developing, operating and selling IoT services and solutions, including device manufacturers. The Code sets out practical steps to improve the cyber security of consumer IoT products and connected services. It lists 13 points in order of priority for the implementation of the secure by design approach, with the guidance being that the top 3 should be addressed as a matter of priority:
- no default passwords: all IoT device passwords must be unique and not resettable to any universal factory default value;
- implementation of a vulnerability disclosure policy: all companies that provide internet-connect devices and services must provide a public point of contact and ensure that discovered vulnerabilities should be acted on in a timely manner; and
- keeping software updated: all software components should be securely updateable. The need for updates should be made clear to consumers and be easy to implement.
The DCMS notes that the preference of the government would be for the market to solve the issues outlined and for the industry to adopt the “Code of Practice” in order to start making IoT more secure for the consumer. However, if this is not done then the DCMS will look to make the Code compulsory through law.
Why is this important?
The report and subsequent guidelines now expects the producers of IoT devices to build in tougher security measures to negate the risk of cyber security breaches. This will affect device manufacturers, IoT service providers, mobile application developers and retailers. It could signal a significant shift in the way that certain members of the industry develop their IoT products or software. Additionally, while there are currently no published fines or penalties for non-compliance with the Code, it is noted that if the guidance and the Code are not adopted by the industry, the DCMS will push for the Code to be formalised into law, which will result in penalties for non-compliance. The DCMS is also keeping an eye on its international partners in terms of regulations, and will not be worried about bringing the UK into line with those countries that have more stringent regulatory frameworks.
Any practical tips?
Predictably enough, IoT is beginning to attract regulatory attention. The IoT industry as a whole would do well to adopt its own compliance road-map now, rather than wait for the government to start imposing more heavy-handed rules.
Practically speaking, it must make sense for lawyers everywhere to start playing their part in the development of IoT – in particular by sharing these types of developments (eg the DCMS’s proposed Code of Practice) with the innovation teams. Understanding where the government’s priorities lie (eg via the 13 listed points in the Code) may make a huge difference to the development of IoT devices and wider compliance. This is in addition to ensuring GDPR compliance of course. All in, the lawyer’s role in relation to IoT devices is looking increasingly critical…
Stay connected and subscribe to our latest insights and views
Subscribe Here