DCMS announces new legislation to strengthen consumer IoT security

27 Jan 2020 02:54 PM

Digital Minister Matt Warman MP yesterday announced plans for new legislation to protect millions of users of internet-connected devices from cyber threats.

The Department for Digital, Culture, Media and Sport (DCMS) plan will see all consumer smart devices sold in the UK adhere to three rigorous security requirements for the Internet of Things (IoT). These are:

  1. All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting;
  2. Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner; and
  3. Manufacturers of consumer IoT devices must explicitly state, at the point of sale (either in store or online), the minimum length of time for which the device will receive security updates.

These proposals follow the "Regulatory proposals for consumer Internet of Things (IoT) security" consultation, on which DCMS engaged with industry throughout 2019. That consultation outlined Government thinking on how to build on 2018’s voluntary Secure by Design Code of Practice for consumer IoT security. DCMS has now released a comprehensive response to the consultation alongside the proposals, which can be accessed here.

Government has now confirmed plans to adopt a staged approach to enforcing the top three guidelines in the Code of Practice through regulation. Following industry feedback, it has agreed to consult further and modify plans in some key areas.

Whilst Government will in the future look to mandate further security requirements, it will not now proceed with launching a voluntary labelling scheme for consumer IoT products. This will include examining an alternative option to the labelling scheme, whereby retailers would be responsible for providing information to the consumer at the point of sale (both online and in stores).

The Government will also continue to work with international partners to ensure that the guidelines drive a consistent, global approach to IoT security, ensuring that UK standards and regulation play a leading role and that industry is able to easily trade internationally.

Digital Minister Matt Warman said:

“We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology.

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety.

“It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”

Matthew Evans, Director of Markets, techUK said:

“Consumer IoT devices can deliver real benefits to individuals and society but techUK’s research shows that concerns over poor security practices act as a significant barrier to their take-up. techUK is therefore supportive of the Government’s commitment to legislate for cyber security to be built into consumer IoT products from the design stage.

“techUK has been working on these three principles for the past four years. We support the work to ensure that they are consistent and are influencing international standards.

“We look forward to working closely with Government and industry to ensure the implementation of the legislation provides protection for consumers whilst continuing to promote innovation within the IoT sector.”

The full Government response to the consultation on Regulatory proposals for consumer Internet of Things (IoT) security can be found here.

The original techUK response to the consultation can be accessed here.