What do the UK’s newly proposed IoT laws look like?

28 Jan 2020


The UK has proposed three new regulations for IoT devices, which aim to make them less vulnerable to hacking and cyberattacks.

There are now more IoT devices on the market than ever before, bringing a whole new set of cybersecurity challenges.

Last year, research found a 300pc surge in cyberattacks using IoT devices, highlighting the need for regulation in this area.

Some nations have already gotten the ball rolling. In March 2019, the US Congress began debating the Internet of Things Cybersecurity Improvement Act, which was an attempt to introduce a national standard for IoT.

Now, the UK is introducing new legislation to protect citizens and businesses from the growing threat of security issues caused by IoT devices.

Ahead of the introduction of the legislation, UK government research found that more than 90pc of 331 manufacturers supplying the UK market did not possess a suitably comprehensive vulnerability disclosure programme.

What standard does the UK want to set?

The UK Department for Digital, Culture, Media and Sport (DCMS) said it is advocating a robust and staged approach to enforcing a number of new regulations, starting with ensuring that stronger security is built into products from the early stages of design and manufacturing.

After consultation with the UK’s National Cyber Security Centre (NCSC), industry and external experts, the government settled on the three most important security requirements for IoT devices.

Firstly, it proposed that IoT device passwords must be unique and not resettable to any universal factory setting. This targets the shared default credentials that attackers can look up or brute-force across an entire product line, and makes it harder for unauthorised parties to gain access to devices.

Secondly, manufacturers of IoT products must provide a public point of contact as part of a vulnerability disclosure policy. This will allow security researchers or consumers with concerns to report issues to the manufacturer, making it aware of problems as soon as possible and enabling it to fix them.

Finally, manufacturers of IoT products will have to explicitly state the minimum length of time for which the device will receive security updates. This is particularly relevant at the moment, considering the concerns over a recent announcement by Sonos, informing customers that security updates for one of its older speakers would be ending soon.
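The three requirements read as policy, but each one can be checked against a shipped product. The following is an added example, not code from the article or from any regulator or manufacturer: a small fleet audit that flags a password shared across more than one unit (the definition of a universal default), a credential that appears in a well-known default list, a missing public disclosure contact and a missing or already-expired security-update period. The device serials, the model names, the contact address security@vendor.example, the dates and the short KNOWN_DEFAULTS list are all constructed for this illustration.

```python
"""Fleet audit against the three proposed UK consumer-IoT requirements.

Added example, not part of the original article. Device records, product
metadata and the default-credential list below are constructed samples.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# A few credential pairs of the kind that appear in published default-password
# lists (constructed sample for this example, not an authoritative list).
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234"), ("user", "user")}


@dataclass(frozen=True)
class Device:
    serial: str
    username: str
    password: str  # credential the unit ships with and reverts to on factory reset


@dataclass(frozen=True)
class Product:
    model: str
    disclosure_contact: Optional[str]  # public security contact, e.g. security@vendor.example (hypothetical)
    support_ends: Optional[date]       # last date on which security updates are promised


def universal_passwords(devices: List[Device]) -> Set[str]:
    """Return the passwords shared by more than one unit.

    A password that repeats across serials is a universal default: once one
    unit is compromised (or its manual leaks), every unit in the line is."""
    counts = Counter(d.password for d in devices)
    return {pw for pw, n in counts.items() if n > 1}


def audit(product: Product, devices: List[Device], today: date) -> List[str]:
    """Return a list of findings; an empty list means the fleet passes."""
    findings = []
    shared = universal_passwords(devices)
    for d in devices:
        if d.password in shared:
            findings.append(f"{d.serial}: shares its password with other units")
        if (d.username, d.password) in KNOWN_DEFAULTS:
            findings.append(f"{d.serial}: uses a well-known default credential")
    if not product.disclosure_contact:
        findings.append(f"{product.model}: no public vulnerability disclosure contact")
    if product.support_ends is None:
        findings.append(f"{product.model}: no stated security-update period")
    elif product.support_ends < today:
        findings.append(f"{product.model}: security updates ended {product.support_ends.isoformat()}")
    return findings


# Constructed sample data: one fleet that fails all three checks, one that passes,
# and one product whose stated update period has already lapsed.
AUDIT_DATE = date(2020, 1, 28)
BAD_PRODUCT = Product("CamA", None, None)
BAD_FLEET = [
    Device("SN001", "admin", "admin"),
    Device("SN002", "admin", "admin"),
    Device("SN003", "admin", "admin"),
]
GOOD_PRODUCT = Product("CamB", "security@vendor.example", date(2023, 6, 30))
GOOD_FLEET = [
    Device("SN101", "admin", "p7Qx-9vLm-2Ka8"),
    Device("SN102", "admin", "Zt4c-Rw1n-H6pd"),
    Device("SN103", "admin", "M3yb-Vq8s-L0ef"),
]
EXPIRED_PRODUCT = Product("CamC", "security@vendor.example", date(2019, 12, 31))

if __name__ == "__main__":
    for name, product, fleet in (("bad", BAD_PRODUCT, BAD_FLEET),
                                 ("good", GOOD_PRODUCT, GOOD_FLEET),
                                 ("expired", EXPIRED_PRODUCT, GOOD_FLEET)):
        result = audit(product, fleet, AUDIT_DATE)
        print(name, "->", result or "no findings")
```

The uniqueness check is deliberately fleet-wide rather than per device: a single unit cannot be judged against the first requirement on its own, because a password that looks strong is still a universal default if every unit shares it. The support-end check compares against the audit date, so a product that was compliant when shipped is flagged once its stated update period lapses, which is the situation the Sonos announcement above describes.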

‘Not a silver bullet’

The government department acknowledged that these regulations are not a “silver bullet”, but “are the first practical step towards more secure devices.”

In a statement on the regulations, the UK government said: “Achieving full market compliance with these three guidelines will ensure consumers are being given important protection against the most basic vulnerabilities, such as those which resulted in the Mirai DDoS attack in October 2016.”

MP Matt Warman said: “I am conscious that our approach must also keep pace with technological change and innovation, and as part of our staged approach to regulation, we will also continue to review the code of practice for consumer IoT security every two years.

“We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology.

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety. It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”

What’s next?

The UK will now conduct further stakeholder engagement to develop its regulatory options based on the three new guidelines.

It will undertake further research to determine the best way to communicate security information to consumers, and is considering an alternative to traditional labelling schemes under which retailers would have to provide that information both in store and online.

As the nation is taking a staged approach to introducing these measures, it will review and amend its guidelines regularly. The consultation and feedback gathered so far, together with the further consultation to be received in the coming months, will feed into the country’s final-stage regulatory impact assessment later this year.

Kelly Earley was a journalist with Silicon Republic
