Under the new law, smart devices would have to adhere to three new requirements designed to increase security
The commercial market for connected devices is booming, with new variations of IoT technology arriving on the market every day. The scale of this market is truly enormous, with research suggesting there will be 75 billion connected devices in homes by 2025.
But, beside the smart thermostat creating the perfect temperature and the smart TV adjusting the programme’s audio, there is an elephant in the room: security.
“Over the past five years, there has been a great deal of concern expressed toward vulnerable consumers and inadequate cybersecurity protection,” explained John Moor, the managing director of the IoT Security Foundation. “Understanding the complex nature of IoT security and determining the minimum requirements has been a challenge.”
Now, the UK government is moving to legislate new requirements for IoT device manufacturers in an effort to improve consumer data security.
The three central tenets of this new law are:
• All devices must have a unique password and not be resettable to a universal factory setting
• Manufacturers must provide a public point of contact so that vulnerabilities can be reported quickly and easily
• Manufacturers must state the minimum length of time for which a device will receive security updates, whether in-store or online
The proposed requirements have been developed following a consultation with industry representatives and the National Cyber Security Centre, as the government tries to balance an increasing need for security with potentially stifling innovation and development.
“We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology,” said digital minister Matt Warman. “Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety.”
Devices that do not measure up to this proposed law would find themselves banned from sale in the UK.
Protection from cyber attacks is a hot topic across the world, with the US government looking to regulate IoT, as is the EU’s cybersecurity agency ENISA. The UK is something of a leader in this field, with the UK Government’s Code of Practice forming the basis for the EU’s first industry standard for consumer IoT security, published last year.
By drawing up this new law, the UK is looking to remain at the forefront of smart tech security.
“The IoT Security Foundation welcomes the results of the consultation as it not only provides clarity for industry, it is great news for consumers and bad news for hackers,” concluded Moor.
Some, however, argue that this legislation does not go far enough and that the onus should be on manufacturers to ensure their devices are secure before sale.
“No other manufacturing industry is permitted to ship known vulnerable or defective parts in their products, so why should the software components in connected devices be any different?” said Ilkka Turunen, global director of solutions architecture at Sonatype. “Instead, manufacturers should be able to certify that their software, and their devices, are secure at the time of shipping, and should ensure their security updates last for the mandated time. These devices are far more personal than anything else in the market, potentially putting privacy or lives at risk. Therefore, the standards governing their manufacturing should be set at a strict level.”
The government has taken the first steps towards regulating this industry, but it seems there is a long journey ahead.