Government response to the Secure by Design informal consultation
Published 14 October 2018
Introduction
As the technological advances of the 21st century continue to accelerate, consumers are able to bring more and more ‘smart’ devices into their homes, such as smart TVs, connected toys, smart music speakers and smart washing machines. The Internet of Things (IoT) is already being put to effective use across a range of industries and it is delivering significant social and economic benefits.
As developments progress, we expect new and even better Internet of Things products and services. This will also involve companies using data to better anticipate and meet people’s needs, and to tailor information to individual consumers, on everything from home energy to security. This can save them time, effort and money.
But as with all new technologies, there are risks. There are a large number of internet-connected devices sold to consumers that lack even basic cyber security provisions. This situation is untenable - people’s privacy and safety is being undermined and, additionally, the wider economy faces an increasing threat of large-scale cyber attacks. As these products become more common, there is also an emerging risk that a coordinated attack on IoT devices could in future affect electricity supplies beyond individual homes. Like with DDoS attacks, by following basic security guidelines, manufacturers will help reduce the likelihood that their product may be misused in this way.
This Government wants to build a world leading digital economy and embrace the opportunities brought by new technologies. It is also important that the UK is one of the most secure places in the world to live and do business online. To support these aims the Government wants to make it as easy as possible for people to use internet-connected devices securely.
The Secure by Design Report
The UK Government published the Secure by Design: Improving the cyber security of consumer internet of things report on the 7 March 2018 which set out how we will work with industry to address the challenges of insecure consumer IoT. The Secure by Design report advocated to remove the burden from consumers to securely configure their devices and instead ensure that strong security is built IoT devices and services by design.
The report, and the continuing work which it sets in motion, is part of a broader programme of work under the Digital Charter. Through the Charter we will agree norms and rules for the online world and put them into practice. In some cases this will be through shifting our expectations of behaviour; in others we may need new laws or regulations.
Following the report’s publication on the 7 March 2018, we sought feedback on the report’s draft Code of Practice and the other interventions proposed in the report through an informal consultation, which ended on the 25 April 2018.
Feedback on the Code of Practice
In the March report, we called on readers to provide feedback and input to help us strengthen the report’s proposed measures to ensure that they meet the cyber security requirements of our increasingly digital society.
We received a wealth of feedback on the guidelines set out within the draft Code of Practice, from widespread support to seeking further clarification on content and scope. We have been working with a broad range of stakeholders, including the National Cyber Security Centre (NCSC), to amend the draft Code of Practice, to reflect this feedback, where appropriate.
The report itself was met with largely positive feedback from industry, but a number of respondents raised the question of how the Government will ensure that the Code of Practice is adopted by industry, and whether it will be through regulatory or non-regulatory means.
Implementing the Code
Following the feedback process, today we are publishing the finalised Code of Practice for Consumer IoT Security. Its thirteen outcome-focused guidelines bring together what is widely considered good practice in IoT security. Its aim is to support all parties involved in the development, manufacture and retail of consumer IoT with a set of guidelines to ensure that products and services are secure by design.
Our goal is to make adoption of the Code of Practice as easy as possible. To this end, we are publishing a mapping document and database that links the Code’s thirteen guidelines with the main industry standards, recommendations and guidance.
We welcome the many industry-led initiatives that seek to improve IoT security[footnote 1].
Examples include:
-
The IoT Security Foundation (IoTSF) have published an Application Note that maps the Code of Practice against their IoT security guidance.
-
The British Standards Institution (BSI) have developed an IoT security assurance scheme through which manufacturers can test their products against core IoT security recommendations, including the Code of Practice.
-
The GSM Association (GSMA) have developed IoT security guidelines and IoT security assessment scheme.
Demonstrating compliance with the Code of Practice will enable Government to continually assess adoption across industry. We continue to welcome pledges from industry to implement the Code in addition to the pledges that organisations have made to date.
The government will periodically review the Code, at least every two years, in cooperation with industry, civil society and academia.
International approach
International cooperation on cyber issues has become an essential part of wider global economic and security debates. We are all globally connected and we all depend on one another to maintain a safe and secure cyberspace. The supply chains of IoT products can be complex and international, often involving multiple component manufacturers and service providers.
To be truly effective, work to improve IoT security cannot be taken forward in isolation and needs to be coordinated globally to have real impact on international supply chains. We have therefore begun the process of developing a global standard through the European Telecommunications Standards Institute (ETSI) based on our Code of Practice. This is consistent with the feedback and advice we received during the informal consultation. We will also continue to support other industry bodies and international fora that develop security recommendations and standards on IoT security.
DCMS, FCO and the NCSC have also worked with a number of other international governments and ENISA. We will continue to work collaboratively with industry and international partners to implement joint solutions that make IoT more secure. We will work together to promote industry best practice in this space, incentivise action and inform consumers. Importantly, an agreement was reached between 53 nations, through the Commonwealth Cyber Declaration in April, to commit to work towards the development and convergence of approaches for internet-connected devices and associated services, in order to promote user security by default.
We will continue to work closely with international partners to ensure the continuation of a free, open, peaceful and secure cyberspace and develop a culture of cyber security that facilitates positive security change throughout the entire supply chain by taking advantage of existing and widely accepted technical protocols and standards.
Regulatory options
The feedback from the consultation indicated strong support for some form of regulation in this space, citing the growing risk of insecure IoT products being available on the UK market. Respondents are keen for the UK Government to ensure that citizen’s privacy, safety and security are protected.
Through a thorough assessment and mapping of the regulatory landscape, it is clear that many of the Code’s thirteen guidelines are aligned with current legislation, including:
-
The Data Protection Act 2018 and the General Data Protection Regulation (GDPR) aligns with principle of guidelines 4, 5, 8, 9, 10, 11 and 13 in the Code of Practice
-
The Consumer Rights Act 2015 aligns with the principle of guidelines 1 and 6; and
-
The Protection from Unfair Trading Regulations 2008 aligns with the principle of guideline 3
Our ambition is for appropriate aspects of the Code of Practice to be legally enforceable and the UK Government has commenced work to map out the impacts of regulatory intervention and to consider which aspects of regulatory change are necessary with further details to be shared in due course.
Informing the consumer
As part of efforts to ensure that consumers have access to sufficient information on the security of IoT products to make informed decisions, DCMS outlined a number of proposals in the Secure by Design report. We have therefore published guidance for consumers on consumer internet-connected devices, such as smart TVs, connected toys and smart kitchen appliances.
To compile the guidance, DCMS mapped all published guidance and identified what information consumers could find from device instructions and product website information[footnote 2]. This was supplemented with engagements, such as with academics from the cSaLSA project and the PETRAS Cyber Hygiene Insight project[footnote 3][footnote 4].
DCMS also set-up a working group which included consumer groups, retailers, IoT experts and government departments. After October, the UK Government will work with devolved administrations and compile evidence as part of work to create further guidance for consumers on the recycling, reuse, resale and disposal of devices.
DCMS are also reviewing options to create a voluntary labelling scheme for consumer IoT products to aid consumer-purchasing decisions and to facilitate consumer trust in manufacturers that adhere to the Code. DCMS are considering several options at this stage for the voluntary label including a binary endorsement mark, (such as a kitemark based on specific guidelines within the Code of Practice), or an information label which would incorporate a variety of images and written information to convey specific information and features about a product. This label would also align with the Code of Practice.
Further details of the proposed labelling scheme will be published in spring 2019.
-
See PETRAS, 2018, ‘Summary literature review of industry recommendations and international developments on IoT security’, available on https://www.gov.uk/government/publications/secure-by-design ↩
-
This work showed that there is very little information provided on the security features of a device, whether updates are provided and if the product warranty includes the update period. DCMS therefore did not include guidance on pre-purchase research due to this lack of information, but will be engaging with manufacturers, particular via the labelling scheme, to see how clearer information can be provided to the consumer. ↩
-
Briggs, P. Prof. Coventry, L. Dr & Joinson, A. Prof. Cyber Security across the lifespan (cSaLSA) Project, University of Bath and Northumbria University, 2018. https://sites.google.com/site/csalsaproject/home ↩
-
Blythe, John Dr, Cyber Hygiene Insight Report, PETRAS, 2017. https://iotuk.org.uk/wp-content/uploads/2018/01/PETRAS-IoTUK-Cyberhygiene-Insight-Report.pdf ↩