The UK Department for Digital, Culture, Media and Sport (DCMS) has presented three main initial guidelines with the goal of protecting millions of users from cyber-attacks, setting a new standard for smart device manufacturers and providing the peace of mind users need to fully enjoy the benefits of the Internet of Things (IoT).
What are the reasons behind the need for new regulations?
According to the publication by the UK Department for Digital, Culture, Media and Sport (DCMS), the main reasons for the new regulation are:
1. The increase in the number of internet-connected devices in UK households. The presence of internet-connected devices is continuously increasing, especially in our homes, where the Internet of Things (IoT) can play a fundamental role in making our lives more comfortable. It is estimated that in 2020 every UK household will be equipped with 15 smart devices. Other forecasts suggest that by 2025 our world will be populated with 75 billion internet-connected devices.
2. The need to increase transparency and consumer trust around internet-connected devices. According to a survey quoted by the DCMS, security is the third most relevant factor considered by consumers when purchasing a smart device. However, 72% of respondents believe that devices already include all security features when they are released to the market, although this may not always be the case, especially when low-cost smart products are purchased. Transferring the responsibility from consumers to manufacturers by ensuring that products are secure by design could be the most effective way to ensure consumer trust.
Which approach has been followed until now and what can be expected in the future?
Since 2016 the UK Government has engaged with several stakeholders, including industry, retailers, academics and international governments, to identify proposals that could improve the cyber security of internet-connected devices. The initiatives of these years have translated into best practices and guidelines that manufacturers were supposed to use to improve the security features of their smart products.
Now, after the conclusion in June 2019 of a consultation on regulatory proposals for consumer IoT security, the UK Government has begun a staged approach to regulation. To start with, the government has presented three main guidelines, compliance with which should lead to higher protection of consumers:
1. IoT device passwords must be unique and not resettable to any universal factory setting.
2. Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
3. Manufacturers of IoT products explicitly state the minimum length of time for which the device will receive security updates.
Starting from here, the UK Government will work towards a broader baseline and the enforcement of further security requirements.