As part of its ongoing, five-year 1.9 billion pound security initiative, the United Kingdom (UK) government is planning to
introduce new cybersecurity measures to better address Internet of Things (IoT) products that are online around the country.
This development follows similar efforts across both the channel and the pond, with the European Union Agency for Network and Information Security (ENISA) introducing baseline guidelines for IoT security and the United States Government Accountability Office (GAO) published recommendations regarding IoT security guidelines for the Department of Defense, respectively.
Secure by Design
The UK’s Secure by Design review has been developed with support from device manufacturers, retailers, and the National Cyber Security Centre (NCSC) to address a major number of glaring vulnerabilities in many smart IoT devices, such as smart TVs, toys, and speakers. This comes as multiple IoT-borne attacks and breaches have made headlines, such as the exposure of the data of over 800,000 owners because of an IoT teddy bear’s poorly secured MongoDB database.
According to the report, every household in the UK owns at least ten internet-connected devices, and that number will rise to fifteen per household by 2020. The objective of the review is to ensure that security measures are implemented during the design stage rather than tacked on later. The report notes that protecting consumers from IoT exploits requires a fundamental shift in the industry’s approach to managing cyber risks, namely, a need to move away from placing the burden on consumers to securely configure their devices and instead ensure that strong security is built in by design.
Provisions from Secure by Design include a requirement that all IoT device passwords must be unique and not resettable to any universal factory default value, an implementation of a vulnerability disclosure policy, a requirement to keep software updated, and a need to store credentials and security-sensitive data in a secure manner, monitor system telemetry data, and more. Other provisions include a requirement that users can easily delete personal data on devices and that installation and maintenance of devices is made easier.
Another interesting proposal is a voluntary labelling scheme for consumer IoT products to aid consumer purchasing decisions and to nurture consumer trust in companies. The UK government hopes that a labelling scheme will provide consumer with essential information on IoT products to help them make informed purchasing decisions, which will in turn boost consumer trust with retailers and manufacturers. On the retailer side, they will be able to select products with security features when deciding what should be available for consumers to buy, and manufacturers can use labels to demonstrate their commitment to protecting consumers’ privacy, safety, and data.
How the Guidelines will be Implemented
The Department of Digital, Culture, Media, and Sport has stated that it would work closely with retailers and consumer rights bodies to provide advice and support.
NCSC technical director Ian Levy has said that “we are pleased to have worked with DCMS on this vital review, and hope its legacy with be a government ‘kitemark’ clearly explaining the security promises and effective lifespan of products.” He likened the aforementioned IoT provisions to food labels, that just as people can manage fat content of people, the same can be done for cyber security of technology products. Currently, the DCMS is inviting feedback on its draft proposals ahead of conducting more work this year to develop recommendations further, with the hope that the provisions and guidelines might evolved into full-fledged regulations.
With the United States and the European Union beginning to take the problem of lax IoT security seriously, the UK government has joined the discussion with its own Secure by Design review. The review introduces provisions and guidelines for IoT security, such as forbidding default passwords, requirements that devices be up to date, and a voluntary labelling scheme, to name a few. With the guidelines, the UK government hopes to facilitate a more trusting relationship between consumers, retailers, and manufacturers by requiring the latter to step up to the plate on securing their devices, while helping consumers make informed decisions.