Last week the UK’s Product Security and Telecommunications Infrastructure Act received royal assent and hence became law, placing the UK at the head of a global race to secure devices designed for the Internet of Things (IoT). Key security improvements to be delivered through this legislation include:
- IoT devices will no longer ship with universal default passwords (a password that is unique to each device, or one set by the user, is still permitted; one shared across a whole product line is not);
- manufacturers must give security researchers a way to report newly discovered vulnerabilities; and
- customers must be given clear information about how long a product will continue to receive security updates.
David Rogers MBE was one of the prime movers behind this legislation. He told Commsrisk of his gratitude for all the work done by fellow contributors, whilst explaining that the Act is a starting point for further refinement of IoT security rules.
The collective work that led to Part 1 of the Act (Product Security) has been going on since around 2014 with people from industry, academia, government, the security research world and then parliament including politicians and staff putting an immense amount of effort into getting this right. The Act is a piece of primary legislation which means that it provides the underlying framework for how it will be managed, the fines and so on. The technical aspects which have already been signposted by the government – banning default passwords, mandating vulnerability disclosure for manufacturers and transparency in software updates – will all come as part of secondary legislation. What this means in practice is that it gives great flexibility in being able to adapt to the cyber security situation as it evolves.
The UK is far from alone in seeking to tighten security surrounding IoT devices. The new law will be used to impose rules derived from ETSI EN 303 645, the European Telecommunications Standards Institute's baseline standard for consumer IoT security. Having an international standard means a device manufacturer can follow one specification in the reasonable expectation that doing so will satisfy the laws of multiple jurisdictions. Some details may vary, but other countries following a similar path include India, Australia and members of the European Union.
Rogers commented on the history and future applicability of the ETSI standard:
The baseline security requirements outlined in the UK’s Code of Practice for IoT Security, and subsequently standardised in ETSI EN 303 645, provide an excellent reference for policy makers and manufacturers alike and will largely remain valid as long as we have connected electronics and software.
Rogers also gave credit to responsible IoT manufacturers whilst highlighting the need to impose obligations on businesses that have not behaved well. Where necessary, manufacturers will be obliged to work with the white-hat researchers who find previously unknown faults in their products.
I’m very pleased that this has been passed into law. There are so many elements of this work that have shown how effective government can be in terms of sensible regulation. The original Code of Practice was designed to take existing good practice and endorse it, whilst eliminating bad practices. The technology and security techniques / practices described were already there to be used. They were already being implemented by the responsible IoT solutions providers, but for some companies, they seemingly couldn’t be bothered – putting consumers, companies and countries’ economies at risk. This legislation is also a vote of confidence in security researchers – the good guys from the hacking community who’ve reported vulnerabilities to companies who’ve then threatened or ignored the researchers, continuing to ship poorly secured and even dangerous products. All of this marks a moment in time for product security – the moment we said enough is enough – you have to create, ship and sell products that are secure by design.
Cynics like me observe that having a law is not the same as enforcing one. Enforcement matters most for products imported from countries that set lower standards for security. Some parts of this law will be difficult to enforce in practice. For example, what evidence will be scrutinized if a foreign business is suspected of ignoring the security flaws reported to it by independent researchers? Merely publishing an email address or a web portal does not mean anyone reads or acts upon the reports received. The ETSI standard at least gives a regulator something concrete to check: its disclosure provision requires a publicly available vulnerability disclosure policy that states contact details and timelines for acknowledging a report and providing status updates until the issue is resolved, so a manufacturer that never responds can be measured against its own published commitments. The UK is placing the responsibility for enforcement with the Office for Product Safety and Standards (OPSS), a division of the UK government's Department for Business, Energy & Industrial Strategy (BEIS). Much will depend in practice on the resources given to the OPSS.
David Rogers has successfully worked with government to bring about positive change that will mean ordinary people are better protected from potential security flaws in IoT devices. However, there is a lot more work to be done. Most governments have a dismal track record when it comes to defending the public from cyberthreats, usually because they fail to spend enough money or recruit the skills required for effective protection. Making standards enforceable by law at least means there will be some pressure on businesses to comply, even if most of that pressure stems from future news stories about non-compliant products. But we should be wary of assuming that every aspect of a law will be enforced to the same extent. The era of default passwords may thankfully be nearing its end, but it would be rash to conclude that all IoT manufacturers will now pay sufficient heed to security.