The Government has recently published a Consultation on how best to insulate consumers from cyber risks relating to the Internet of Things, in an effort to protect the public from data breaches, from loss of control over their devices and internet connectivity, and from an increased threat to privacy.
WHAT IS IOT?
The term IoT refers to devices that connect to the internet, ranging from smart watches, washing machines and televisions to toasters, and which are usually used by consumers.
WHY IS REGULATION NEEDED?
Even though the use of IoT devices is growing exponentially, consumers have been given no authoritative protection from the risks associated with constant internet connectivity, and many of these devices currently lack very basic cyber security measures.
The Consultation notes on page 6 “[o]ften these vulnerable devices become the weakest point in an individual’s network, and can undermine a user’s privacy and personal safety. Compromised devices at scale can also pose a risk for the wider economy through distributed denial of service (DDOS) attacks such as Mirai Botnet in October 2016”, which, through the use of IoT devices and in an effort to profit from bringing down servers relating to the online game Minecraft, left much of the US east coast without access to the internet for some time.
In another example, consumers were left helpless when in January 2019 fans of YouTuber PewDiePie allegedly hacked into Google Home smart speakers, Google Chromecasts and smart TVs to promote his YouTube channel. They were able to exploit a common weakness known to hackers in Google’s media player, forcing devices to play YouTube content without the owners’ consent.
Whilst the burden currently rests with consumers to implement the necessary cyber security measures on IoT devices, this is difficult in practice given the number of different manufacturers and the difficulty of aligning many different operating systems.
The Consultation notes the “urgent need to move the expectation away from consumers securing their own devices and instead ensure that strong cyber security is built into these products by design”.
WHAT ARE THE PROPOSALS?
The Consultation refers to the balancing act of the “risk of dampening innovation” whilst protecting consumers. Nevertheless, it notes the “top three” guidelines in a Code of Practice, published in October 2018, namely that:
– All IoT device passwords shall be unique and not resettable to any universal factory default value;
– The manufacturer shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues; and
– Manufacturers will explicitly state the minimum length of time for which the product will receive security updates.
The Government hopes that these measures will insulate consumers from the most prevalent security risks, build consumer confidence and shift the onus of protection away from the public.
One of the biggest issues is implementation of these security measures, with the Government noting the following three options:
Option A: Mandate retailers to only sell consumer IoT products that have an IoT security label, with manufacturers to self-declare and implement a security label on their consumer IoT products.
Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines of the Code of Practice, with the burden on manufacturers to self-declare that their consumer IoT products adhere to technical guidelines and the guidelines within the Code of Practice for IoT Security.
Option C: Mandate that retailers only sell consumer IoT products with a label that proves compliance with all 13 guidelines of the Code of Practice, with manufacturers expected to self-declare and to ensure that a label is on the appropriate packaging.
Some of the proposals put forward by the Government are set to be implemented on a voluntary basis until mandatory regulation comes into force, including the launch of a voluntary security labelling scheme.
The security label will be a way of informing consumers about the security of an IoT device and whether it follows the “top three” guidelines explained above.
The aim is for products to be labelled either positively or negatively, at the point of designing the product. One prominent feature will be “the minimum length of time (month and year) for which the device will receive security updates” from manufacturers. The example image below notes a date of December 2021.
WHO ARE THE PROPOSALS AIMED AT?
The Consultation is aimed at manufacturers, service providers, app developers, retailers and those with any interest in the IoT field.
Now that the consultation period has closed, the Government will review the feedback submitted by stakeholders and use it to shape the statutory regulation of IoT security. The aim is to produce legislation, with a final impact assessment to be published beforehand.