The U.K. government has announced that it will soon pass new legislation to help strengthen cybersecurity protection on Internet of Things devices. The U.K. Department for Digital, Culture, Media and Sport (DCMS) has released a set of draft proposals for new IoT security regulations.
The proposals consist of three requirements for IoT devices:
- All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting
- Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
- Manufacturers of consumer IoT devices must explicitly state the minimum length of time that the device will receive security updates at the point of sale, either in store or online
According to a recent report from WRAP, a non-profit organization focusing on resources and sustainability in the U.K., the country’s households will have 10 to 15 IoT devices on average by the end of 2020. With 5G networks going live throughout the U.K., both the business and consumer sectors will continue to have an increasing number of connected devices.
If there are no rules for manufacturers to follow, the rising number of connected devices everywhere could make it easier to launch large cyberattacks, such as distributed denial-of-service (DDoS) attacks, spreading malware or breaching networks.
“Whilst the U.K. government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cybersecurity is built into these products by design,” said Matt Warman, the minister for Digital and Broadband at DCMS.
“Citizens’ privacy and safety must not be put at risk because some manufacturers will not take responsibility for ensuring that security is built into their products before they reach UK consumers.”
The new law, which aims to reinforce a better IoT cybersecurity environment, will follow a seven-month study to introduce the official legislation. The DCMS will work with retailers and manufacturers as the proposals proceed.
EU and U.S. moving in the same direction
Some security flaws in smart homes were under the spotlight last year. Smart camera manufacturer Wyze accidentally exposed a customer database on the internet; Amazon’s smart home subsidiary Ring was reported for failing to establish an additional authentication layer during the log-in process.
More security actions are needed to build a secure IoT environment. In fact, the U.K. government isn’t the first authority to make an effort to boost the cybersecurity of IoT.
On the first day of January 2020, a new law, Senate Bill No. 327, went into effect in California. It requires connected device manufacturers to equip the device with at least one reasonable security feature, such as better password protection.
In the meantime, the European Union Agency for Network and Information Security (ENISA) released a “Good Practices for Security of IoT” report last November, addressing the issues of software development lifecycles for IoT devices and how they can be better designed to eliminate cyber vulnerabilities. The department is also working on legislation in this field.