The UK Government has unveiled new rules for the growing consumer connected objects segment, forcing the ecosystem to take a more rigorous and conscious approach to security.
The new law has been drafted by the Department for Digital, Culture, Media and Sport (DCMS), focusing on three requirements for the manufacture and sale of connected objects in the UK:
- Devices must have unique passwords and no ‘factory reset’ option
- Reporting functions for vulnerabilities must be created by all manufacturers
- Consumers must be made aware of the minimum length of time security updates will be received for the products at the point of sale
Although connected devices have been flooding onto the market in recent months, the security credentials of some are questionable. There are likely to be many reasons for this, though the pursuit of profitability is likely to be sitting at the top of the list.
Security is a growing concern for the general public in an increasingly digital society, though the risks are still greatly undervalued. It would be safe to assume only a small number of consumers would genuinely veto a purchase due to digital security concerns, and in the absence of consumer pressure for greater security, the Government is seemingly forcing the hand of the IoT ecosystem.
“We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology,” said Digital Minister Matt Warman.
“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety. It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”
The industry on the whole has been gradually moving towards the concept of ‘Secure by Design’ though the question is whether this progress is fast enough to prevent serious consequences. And to be fair, consumers are becoming more aware of the risks of a digitally orientated society. However, the fact that data breaches and leaks still occur validates the argument that security attitudes are not evolving fast enough.
“Smart technology is increasingly central to the way we live our lives, so the development of this legislation to ensure that we are better protected is hugely welcomed,” said Nicola Hudson, Policy and Communications Director at the National Cyber Security Centre.
“It will give shoppers increased peace of mind that the technology they are bringing into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past.”
This is perhaps the risk which is being faced today. As these devices are just making their way into mass market purchases, new customers are being engaged, and perhaps these new customers are not technology-enthusiasts. Some might consider purchasing a TV today as no different from a decade ago, therefore not appreciated the risk which a gateway to the internet creates.
The question is whether this is the best approach to ensure security?
The consumer IoT space is an incredibly fragmented and embryonic ecosystem. There are a huge number of inventors attempting to create the next big thing and companies attempting to embed connectivity into everything or anything. It is a lot of moving parts and plenty of opportunity for something to go wrong.
Some companies might go out of business, and therefore stop offering security updates. In the mad rush to get products to market, some elements might be overlooked. And of course, there are those who will simply ignore the rules.
This might sound negative, but it is reality. The Government is not doing anything wrong by suggesting this new law, it is certainly progress to force more security conscious products onto the market, but there are of course challenges to be aware of also. But as with every challenge, there is an opportunity to be the good guy.
Security solutions for digital products are nothing, anti-virus software has been around for decades after all, but security platforms to manage all connected objects inside the home are not common. This is not to say products should not be ‘Secure by Design’ but added layers of security, and a proposition which helps manage the complexities might well be a product more digitally aware consumers would buy into.
In creating these new rules, the ecosystem is being forced down the right path, while it promotes the concept of cybersecurity in the minds of the consumer also. The more aware, and afraid, the consumer is of the dangers of a digital society, the more likely they are to spend money. The question is, who could create a platform to address this area? The telcos are in a strong position, but you can bet Big Tech is already investigating.
Source: https://telecoms.com/502043/uk-imposes-new-iot-rules-designed-to-improve-safety/