Government response to IoT consultation sets out 'Secure by Design' policy
Published on 4th Jun 2021
The government has released a policy paper on the security of connected devices, setting out its intention to regulate IoT products and enforce 'privacy by design', to protect consumers from insecure systems and practices, such as universal default passwords.
From vulnerabilities in wearables, home security cameras, TVs and smart bulbs, to track-and-trace systems, the safety and security of connected devices is a topic that makes regular headlines. The UK government intends to introduce new legislation to regulate the safety of these products and provide better protections for UK consumers.
Following the adoption of a new European Standard on connected product security, and other similar standards being adopted around the world, new UK legislation will be introduced to ensure that products being made available to UK consumers comply with minimum standards for cyber security. This new legislation will sit alongside existing product regulations in relation to safety and environmental impact, such as the Electrical Equipment (Safety) Regulations, Radio Equipment Regulations and Restriction of Hazardous Substances.
The proposed legislation is intended to protect consumers and infrastructure from harm. However, increased safety and security is also intended to enable the Internet of Things (IoT) market to develop in the UK by reducing high-profile security incidents and increasing consumer confidence in connected products.
Secure by Design
In October 2018, the UK's Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre released the "Code of Practice for Consumer IoT Security". The Code, pitched as a voluntary initiative and providing recommendations for good practice, lays out 13 principles that encourage IoT manufacturers to design their products and services "with security in mind".
Unfortunately, adoption and implementation of the Code has been slow, and the government launched a new consultation in July 2020 which noted that it continued to "see significant shortcomings with products on the market". The consultation presented three regulatory proposals, based around setting a baseline expectation of security for connected devices placed on the market in the UK.
Options for regulation included proposals ranging from mandatory compliance with three of the Code's guidelines, to making the entire Code mandatory, and requiring IoT manufacturers to label products with their security features and security update lifespan.
This new policy paper represents the outcome of that consultation, and sets out the government's plan to mandate compliance with three essential security requirements from the Code:
- A ban on universal default passwords;
- A transparent route for reporting vulnerabilities to the manufacturer (covering devices and their associated digital services); and
- Transparency on the minimum time period during which the product will receive security updates.
The risks presented by universal default passwords (such as the use of "admin, admin" for username and password) have been one of the government's primary concerns since the publication of the Code in 2018. The regulation is intended to cover all passwords used on a device, including admin interfaces, pre-installed apps and component firmware (the underlying controls for device hardware).
The intended regulation has been announced at a time of flux for manufacturers looking to place their products on the UK market, and coincides with wider modernisation efforts with regard to consumer products, in order to ensure regulatory frameworks reflect the modern market and economy.
The Department for Business, Energy and Industrial Strategy (BEIS) has also committed to "regulate smart appliances based on principles including interoperability, data privacy and cyber security", in order to support development of the market and ensure that "appropriate consumer protection is in place". Both DCMS and BEIS have stated that they will ensure their approaches are compatible, and both claim to be engaging with international partners to encourage wider regulatory interoperability.
The UK Product Safety Review recognises that the current framework for product safety regulation was intended for traditional, physical products and that reform is needed around the responsibilities placed on a manufacturer of a product that incorporates software. Since the General Product Safety Regulation is in scope of the review, it is possible we will see changes to that baseline regulation to better capture software as a kind of product.
Similarly, the EU's 2020 consultation on revising the General Product Safety Directive means that the definition of "product" is expected to be extended to capture standalone software.
Looking at these developments alongside the myriad other changes approaching the consumer product market, including the UK's continued commitment to the EU's Circular Economy Package, the draft Ecodesign and Energy Labelling Regulations, and the plan to incorporate amendments from the EU's New Deal for Consumers, businesses are likely to need to make dramatic updates to their design and manufacturing processes, and even supply chains, in the coming years.
The planned regulation will apply to any network-connectable devices and their associated services that are made available primarily to consumers.
In particular, relevant products include:
- smartphones and wearables,
- smart TVs, cameras and speakers,
- connected appliances such as fridges and washing machines, and
- smart home hubs and bridges (the links between your connected devices and home network).
Additionally, digital assistants such as Google Assistant, Alexa and Siri will be within scope.
Mirroring existing regulatory requirements
The legislation will place new obligations on economic actors involved in the supply of in-scope products to consumers in the UK. It seems very possible that, when introduced, we will discuss the obligations of the "connected product regulation" in the same breath as compliance with the regulations for low voltage products, radio equipment and restriction of hazardous substances.
The government intends to ensure that connected products incorporate certain security measures, via essential security requirements or designated standards, before they are considered safe to be placed on the UK market. It appears the regulation will follow a similar structure to EU product safety legislation, retained in UK law post-Brexit, which requires conformity assessments and declarations from manufacturers before products can be sold.
In line with existing product safety legislation, manufacturers of connected devices will be obliged to:
- Publish a declaration of conformity with the relevant designated standards and security requirements;
- Take action in the event that their products are not compliant; and
- Cooperate and comply with a designated enforcement authority.
The legislation will also incorporate provisions to allow ministers to introduce new requirements, and also adjust the scope of what is covered by the regulations as technology continues to evolve.
Although the policy paper does not specify the enforcement authority, following current enforcement trends we believe it is highly likely that the Office for Product Safety and Standards will be responsible for ensuring that the new regulations are followed. The authority will be able to investigate and take action in relation to non-compliance, and to support economic operators' compliance with their obligations.
As with existing product regulations, it is anticipated that the authority will have powers to require corrective actions, issue sanctions and prosecute in serious instances of non-compliance.
There is limited information about when these changes will be made, with the policy paper stating that legislation will be introduced "when parliamentary time allows".
However, the Queen's Speech on 11 May 2021 provided details of the "Product Security and Telecommunications Infrastructure Bill", which will "require manufacturers, importers and distributors to ensure that consumer connected products available to UK consumers meet minimum security standards", meaning that legislative progress may be coming sooner rather than later.
Assuming that the government follows a structure similar to that used in other areas where legislation must remain flexible, we would expect the Bill, once enacted, to grant the Secretary of State powers to introduce and manage the regulations. On a normal legislative timetable, we can expect the new Act to receive royal assent by this time next year, with a period of time specified first for the introduction of the new regulations, and then for the regulations to come into effect.