The aim of the legislation is to help protect UK citizens and businesses from the threats posed by cyber criminals increasingly targeting the Internet of Things devices.
By hacking IoT devices, cyber criminals can build an army of devices that can be used to conduct DDoS attacks to take down online services, while poorly-secured IoT devices can also serve as an easy way for hackers to get into networks and other systems across a network.
The proposed measures from the Department for Culture, Media and Sport (DCMS) have been developed in conjunction with the UK’s National Cyber Security Centre (NCSC) and come following a consultation period with information security experts, product manufacturers and retailers and others.
“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety,” said Matt Warman, minister for digital and broadband at DCMS.
They also follow on from the previously suggested voluntary best practice requirements, but the legislation would require that IoT devices sold in the UK must follow three particular rules to be allowed to sell products in the UK.
- All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting
- Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
- Manufacturers of consumer IoT devices must explicitly state the minimum length of time that the device will receive security updates at the point of sale, either in store or online.
It is currently unclear how these rules will be enforced under any future law. While the government has said that its “ambition” is to introduce legislation in this area, and said this would be done “as soon as possible”, there is no detail on when this would take place. A DCMS spokesperson said that the department will be working with retailers and manufacturers as the proposals move forward.
Many connected devices are shipped with simple, default passwords that in many cases can’t be changed, while some IoT product manufacturers often lack a means of being contacted to report vulnerabilities – especially if that device is produced on the other side of the world.
In addition to this, it’s been known for IoT products to suddenly stop receiving support from manufacturers, and providing an exact length of time that devices will be supported will allow users to think about how secure the product will be in the long term.
If products don’t follow these rules, the new law proposes that these devices could potentially be banned from sale in the UK.
“Whilst the UK Government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cybersecurity is built into these products by design,” said Warman.
“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety. It will mean robust security standards are built-in from the design stage and not bolted on as an afterthought,” he added.
“Smart technology is increasingly central to the way we live our lives, so the development of this legislation to ensure that we are better protected is hugely welcomed,” said Nicola Hudson, policy and communications director at the NCSC.
“It will give shoppers increased peace of mind that the technology they are bringing into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past.”
The UK isn’t alone in attempting to secure the Internet of Things — ENISA, the European Union’s cybersecurity agency, is also working towards legislation in this area, while the US government is also looking to regulate IoT in an effort to protect against cyberattacks.