The UK Government has announced plans for legislation that would require greater security to be built into IoT devices. The US Government is looking at legislation versus self-regulation.
The UK’s Minister for Digital, Culture, Media & Sport, Margot James, announced the plans in a press release on 1 May. She said the move would ensure that millions of household items connected to the internet are better protected from cyber attacks.
The government is looking to mandate the top three security requirements set out in the current ‘Secure by Design’ code of practice, launched in 2018:
- IoT device passwords must be unique and not resettable to any universal factory setting;
- Manufacturers of IoT products must provide a public point of contact as part of a vulnerability disclosure policy;
- Manufacturers must explicitly state, in an end-of-life policy, the minimum length of time for which the device will receive security updates.
The code is presently voluntary. It was published in October 2018 to “support all parties involved in the development, manufacturing and retail of consumer IoT.”
It advocates for stronger cyber security measures to be built into smart products from the design stage. So far Centrica Hive, HP Inc Geo and Panasonic have signed up.
The department has initiated a consultation process on the proposed legislation with the release of an options paper along with a number of supporting documents, including one outlining the findings of a study on the use of product labelling schemes for internet-enabled products.
Mandatory labelling mooted
Options under consideration for the new regime include a mandatory new labelling scheme that would tell consumers how secure their products such as ‘smart’ TVs, toys and appliances are.
The security label would initially be a voluntary scheme to help consumers identify products that have basic security features and those that don’t.
US looks to strengthen cyber security
The US Department of Commerce subcommittee on security held a meeting on “Strengthening the Cybersecurity” of the Internet of Things on 30 April.
According to Multichannel News, the hearing was the latest in a year-long conversation about cybersecurity, but with the new impetus of billions of IoT devices there is now bipartisan support for overall online privacy and security legislation, and growing impatience among Democrats unsatisfied with “the current public-private partnership, voluntary efforts, approach toward what one senator called the ‘Internet of Threats’.”
According to the announcement of the hearing, its purpose was to examine “the security threats and challenges posed by the Internet of Things (IoT), and ways to incentivise building more cybersecurity by design into connected devices and the networks that support them,” and “the importance of 5G network security to connected devices and the manner in which the federal government, business community, and consumers can promote and support increased IoT cybersecurity.”
Industry preference for voluntary approach
Industry witnesses at the hearing were Michael Bergman, Consumer Technology Association; Matthew Eggers, US Chamber of Commerce; Harley Geiger, Rapid7; Robert Mayer, US Telecom – The Broadband Association; and Charles Romine, National Institute of Standards and Technology (NIST). Their testimonies can be found on the hearing’s web page.
Multichannel News summarised the witness statements, saying that in general they supported the current approach of working with NIST on voluntary baseline standards, labels and certifications, rather than ones imposed by the government.
“The arguments were that industry was more nimble and flexible to address the constantly evolving changes driven by AI and Big Tech and 5G than federal regs.”