On January 27, 2020, the United Kingdom’s Digital Minister Matt Warman (MP) announced the new legislation that the Department for Digital, Culture, Media and Sport (DCMS) has created to protect IoT consumers from cyber security threats. In an official release titled “Government response to the regulatory proposals for consumer Internet of Things (IoT) security consultation”, the minister revealed the three options under consideration for the consultation:
Option A: Mandate retailers to only sell consumer IoT products that have the IoT security label, with manufacturers to self assess and implement the security label on their consumer IoT products;
Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines of the Code of Practice, with manufacturers to self assess that their consumer IoT products adhere to the top three guidelines of the Code of Practice for Consumer IoT Security and the ETSI TS 103 645; and
Option C: Mandate retailers to only sell consumer IoT products that have the IoT security label which evidences compliance with all thirteen guidelines of the Code of Practice for Consumer IoT Security and ETSI TS 103 645, with manufacturers expected to self assess and implement the security label on their consumer IoT products.
The plan seems promising and robust, noting the urgency of the legislation and the need to create order in the disruptive technologies market. It also does not shy away from technical mandates or from highlighting the responsibility the government has to get involved in the IoT market. But while the legislation is still a work in progress, we can try to anticipate certain measures by reviewing what has led up to the creation of the first IoT regulation in the UK.
From guidelines to regulations: how did we get here?
Two years ago, back in March 2018, the U.K. Government published the Secure by Design report which included a draft Code of Practice. The document, which collected best practice security measures for connected devices, outlined thirteen guidelines that manufacturers would need to implement in order to improve the security profile of their consumer IoT products.
The Government then held an informal consultation from 7 March to 25 April 2018 meant to collect feedback that would help refine these thirteen guidelines, with contributors including the National Cyber Security Centre (NCSC), industry representatives and external experts.
The final Code of Practice for Consumer IoT Security was published on 14 October 2018. Tech companies HP Inc., Centrica Hive Ltd and Green Energy Options were the first companies to sign up to commit to the Code and were commended for doing so by the British Government.
However, it turned out that this measure was not strong enough. In a rather surprising move, the U.K. Government took a strong stance on the topic of cybersecurity, showing support in favour of the consumer and not the free market. As a result, in May 2019, DCMS published its Consultation on Regulatory Proposals for Consumer Internet of Things Security, which concluded on 5 June 2019.
The proposals under debate described new mandatory industry requirements that would ensure basic, objective security levels. The most important security measures centered around aspects of the top three guidelines within the Code of Practice for Consumer IoT Security and the ETSI Technical Specification (TS) 103 645:
- IoT device passwords must be unique and not resettable to any universal factory setting.
- Manufacturers of IoT products must provide a public point of contact as part of a vulnerability disclosure policy.
- Manufacturers of IoT products must explicitly state the minimum length of time for which the device will receive security updates.
What now: where do we stand?
As of now, a concrete regulatory draft has not been produced and the DCMS has been very hesitant in making definitive statements, disclosing only the three key security requirements mentioned above and keeping mum about everything else. In terms of a timeline, the Government says it aims to deliver the legislation “as soon as possible”.
The DCMS has published mapping documentation, which maps the Code’s thirteen guidelines to existing U.K. and international IoT security recommendations and standards. The map primarily applies to device manufacturers and is proposed by the DCMS as a way to encourage awareness of compliance in the industry. “This document helps manufacturers understand how this Code sits within the broader standards landscape, and makes it simpler for them to implement the Code’s guidelines,” states the official response to the regulatory proposals from 3 February 2020.
The Government was more forthcoming about one issue, which came as a relief to manufacturers: analysts confirm that for now the Government seems to be easing off the security labelling scheme, “recognising the potential disruption to businesses caused by affixing a label to physical products”, as put by the reputable American-British law firm Hogan Lovells. The planned certification was not tossed away completely, but it will be focused more on information disclosure directly to the consumer, following the pattern of GDPR. The plan includes examining an alternative option to the labelling scheme whereby retailers would be responsible for providing information to the consumer at the point of sale (both online and in stores). It seems that efforts will continue to focus on regulating Security by Design, compliance and penalties.
Up next: what to expect?
In a very British manner of advancement under calculated hesitance, the Government has promised a "staged approach" to regulation. This means that a gradual, yet systematic, programme is in place which will include:
- Opening the door to further feedback from stakeholders to work hand in hand in developing the regulatory proposals.
- Providing businesses with sufficient time for effective and sustainable implementation.
- Publishing a final stage regulatory impact assessment later in 2020, which is expected to shed further light on the regulatory proposals.
Digital Minister Matt Warman said recently in a public statement: “We want to make the U.K. the safest place to be online with pro-innovation regulation that breeds confidence in modern technology. Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety. It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”
This deep understanding of the perils of cyber-hacking and the importance of implementing a Security by Design approach shows great hope for the United Kingdom and strengthens its role as a key player in the global cybersecurity arena.
In its own press statement in January 2020, the DCMS concluded that “it is clear that there is currently an asymmetry between what consumers think they are buying and what they are actually buying.” Showing strong leadership, both towards its own citizens and as a world power, the U.K. has decided to demonstrate governmental responsibility for what can be described as a disruptive and untamed market.
Cynics may scoff at this stance of “cheap populism” as a means of appeasing the British public amid the insecurities surrounding Brexit. But I would argue that the U.K. has, for a while now, been a quiet yet determined actor in the cybersecurity and consumer privacy realms based on its strong enforcement of GDPR and active involvement in European cybersecurity panels.
That said, Brexit is likely to have an effect on U.K.–EU cyber security cooperation. In June 2019, the U.K. was shut out of a key EU meeting to discuss cybersecurity risks posed by Huawei, even though the U.K. had not yet left the bloc. This was seen as a sign of tensions to come between London and the EU after Brexit.
Many anticipate that the U.K. is (and will be) focusing more on building its own independent cybersecurity landscape than on existing EU cyber security frameworks. Back in March 2019, Sam Curry offered this analysis of the cyber implications of Brexit in Forbes magazine: “Ironically, this could lead to the worst possible way to trigger growth in the cybersecurity sector in the U.K. Developing new cyber talent in the private sector hasn’t been constrained by nationality within Europe, and there could be issues retaining or recruiting cyber talent repatriating to their countries of origin or to the continent. There could also be a massive run on consulting and talent in the UK not only to staff leaving talent, but to prepare for the regulatory gap that will be created by now absent European directives and regulations.”
It seems that preparing for the regulatory gap is exactly what the United Kingdom has begun to do.
As always - if you are interested in further information and insights, or have any questions regarding the UK’s Regulatory Proposals for Consumer IoT Security in particular or cybersecurity regulation in general, as well as general trends in cybersecurity regulation and standards, please reach out to me on LinkedIn or Twitter.