NCC Group welcomes DCMS call for evidence to improve consumer IoT security legislation
The UK’s Department for Digital, Culture, Media and Sport (DCMS) has released a detailed call for evidence on the legislation that will mandate security requirements for consumer Internet of Things (IoT) devices.
Over the coming months, the DCMS will be consulting with the public, manufacturers and industry experts to ensure the proposed legislation will work in practice when implemented.
Proposals announced earlier this year set out three basic requirements to ensure the security of consumer IoT devices:
- Device passwords must be unique and not resettable to any universal factory setting
- Manufacturers must provide a public point of contact so anyone can report a vulnerability
- Information stating the minimum length of time for which the device will receive security updates must be provided to customers
During this process, the DCMS will also scope out what powers could be granted to a designated enforcement body. This could include the ability to temporarily ban the supply or sale of a product during testing, permanently ban insecure products if a breach is identified and issue penalty fines directly to any organisations that break the law.
This work is part of the UK government’s long-term commitment to improving security across all consumer IoT devices, and builds on the global standard implemented by the European Telecommunications Standards Institute (ETSI) last year.
Last year, NCC Group worked with leading consumer body Which? to publish research detailing vulnerabilities we discovered in popular connected toys. Our findings highlighted how many device manufacturers are still struggling with the basics and underlined the urgent need for more rigorous standards to be applied across connected toys for children.
Commenting on the DCMS’s plans, Ollie Whitehouse, global CTO at NCC Group said: “This is a significant step towards establishing more robust security requirements for IoT devices and giving consumers the confidence that the devices they are using are safe and secure.
“Being resilient is no longer a question of cyber literacy – it's now about empowering manufacturers with the tools and knowledge to embed security by design into consumer IoT devices from the outset.
“It’s great to see that an evidence-based approach has been followed when setting out the security requirements, but this needs to be constantly reviewed to ensure continued resilience. We also welcome the proposal of a designated enforcement body, which will give teeth to the legislation.
“Over the next few months, the cyber security industry will play a vital role in upskilling manufacturers and the enforcement body to ensure that they are able to proactively monitor compliance and improve standards. This action in the UK is just one of a number of global initiatives being introduced, and it’s brilliant to see that governments across the world are working towards a future where only the safest and most secure devices are available to consumers.”
About NCC Group
NCC Group exists to make the world safer and more secure.
As global experts in cyber security and risk mitigation, NCC Group is trusted by over 15,000 clients worldwide to protect their most critical assets from the ever-changing threat landscape.
With the company’s knowledge, experience and global footprint, it is best placed to help businesses identify, assess, mitigate and respond to the evolving cyber risks they face.
To support its mission, NCC Group continually invests in research and innovation, and is passionate about developing the next generation of cyber scientists.
With over 1,800 colleagues in 12 countries, NCC Group has a significant market presence in North America, continental Europe and the UK, and a rapidly growing footprint in Asia Pacific with offices in Australia and Singapore.