UK Legislation Seeks Mandatory Security Standards for IoT
Fines of Up to $13 Million Would Apply to Non-Compliant Manufacturers, Distributors
Manufacturers, importers and distributors selling many types of internet-connected devices in Britain may soon have to adhere to a new set of cybersecurity standards.
Proposed new legislation, known as the Product Security and Telecommunications Infrastructure Bill, would apply to a range of devices, including smartphones, TVs, speakers and toys.
Introduced to Parliament on Wednesday, the bill seeks to allow "the government to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products," according to the government's Department for Digital, Culture, Media & Sport. The bill was developed by DCMS together with Britain's national incident response team, the National Cyber Security Center, which is part of intelligence agency GCHQ.
The bill also includes a proposal to appoint a regulator to oversee compliance with the standards, backed by the ability to fine violators up to 10 million pounds ($13.3 million), or up to 4% of a firm's global revenue, whichever is greater.
"The regulator will also be able to issue notices to companies, requiring that they comply with the security requirements, recall their products, or stop selling or supplying them altogether. As new threats emerge or standards develop, ministers will have the power to mandate further security requirements for companies to follow via secondary legislation," DCMS says.
The bill further aims to make it easier for telecommunications network operators to upgrade and share infrastructure, to help speed the rollout of faster and more reliable broadband and mobile networks, it says.
"The reforms will encourage quicker and more collaborative negotiations with landowners hosting the equipment, to reduce instances of lengthy court action which are holding up improvements in digital connectivity," DCMS says.
Target: Default Passwords
Among the more stringent security standards that the bill would impose on device makers: banning default passwords on devices, clearly informing customers about how long the manufacturer will continue to develop security updates and patches for a device, and offering a single point of contact for security researchers and others to report any flaws or vulnerabilities they might discover in such products.
The government says four out of five manufacturers of internet-connected devices currently fail to implement reasonable and appropriate security measures.
Default passwords pose an ongoing concern because many users have no incentive to change them to a unique password, says Trevor Morgan, product manager at data security firm Comforte AG. As a result, many devices are easy for attackers to subvert, as they have done numerous times in the past, such as via the Mirai botnet.
"Nobody should miss default passwords," Morgan tells Information Security Media Group. "Overall, anything like this proposed U.K. legislation that institutes common sense rules for vendors to follow and that makes people more aware of and engaged in cybersecurity is a welcome step toward a safer and more secure digital home."
Under the proposed legislation, businesses would be required to investigate all compliance failures, produce statements of compliance and maintain thorough records. In addition, the law would apply to both physical shops and online retailers that import technology into Britain. Retailers would also be barred from selling any products that do not meet the required minimum security standards.
Mandatory Security by Design
If the bill is passed into law, after being agreed by both houses of Parliament and receiving Royal Assent, the government would provide at least 12 months' notice to enable manufacturers, importers and distributors to adjust their business practices before the legislative framework came into full force.
Many security researchers have long urged any business that builds technology to maintain an easy, reliable way for them to report flaws they might find in their products. But according to a recent IoT Security Foundation study, up to 80% of organizations still lack a clear vulnerability disclosure policy, says Laurie Mercer, a security engineer at bug bounty program HackerOne. With the proposed legislation, "the simple action of having a process in place for identifying, reporting and fixing vulnerabilities is going to be more than just a best practice and instead a legal requirement," he says. "We're getting to a place where security by design will be a mandatory requirement and not an afterthought."
Working From Home Remains Widespread
With most businesses continuing to support employees working from home - via their own home networks and in some cases also their own devices, all of which can connect to the corporate network - the security of home networks and devices has increasingly become a business concern. A recent investigation by U.K.-based non-profit organization Which? found that a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week.
"U.K. households have more than 10 different connected devices on average, from televisions to thermostats. While these products can bring huge benefits and convenience for consumers, as homes become more connected they can become more of a potential target for hackers," according to the Which? report.
The proposed law would mandate security requirements for a range of home networking and computing products, says John Goodacre, director of the Digital Security by Design challenge run by the government body U.K. Research and Innovation.
"However, the policy accepts that vulnerabilities can still exist in even the best-protected consumer technologies, with security researchers regularly identifying security flaws in products," Goodacre says. "In today's world, we can only continue to patch these vulnerabilities once they are found, putting a plaster over the wound once damage may have already been done."
Currently, digital technology product manufacturers are required to comply with safety rules that prohibit their devices from causing physical harm to individuals, for example, via overheating, sharp components or electric shock. No regulations, however, protect individuals from poor information security controls or breaches that result from the use of such devices, says Gerhard Zehethofer, vice president of IoT at identity and access management software company ForgeRock.
"Common-sense fixes like the banning of default passwords and incentivizing manufacturers to keep on top of security updates and vulnerabilities will help protect consumers and their data, building the trust that the IoT market needs to achieve its full potential," he says.
Legislation: Opportunity and Limits
The bill would help address another problem: a widespread lack of cybersecurity awareness among non-technical users, says George Papamargaritis, MSS director at cybersecurity firm Obrela Security Industries.
"Many consumers are completely unaware of the risks smart devices can present and often connect them into their homes without any consideration on security. However, research has shown that attackers are using smart technology as a gateway onto home networks, to spy on internet activity, steal confidential information and, in some cases, even identities," Papamargaritis says. "The fact that this new legislation bans default passwords is a huge step forward and it will encourage device manufacturers to consider security before marketing products, otherwise they could face business-destroying fines."
But the proposed law still faces debate in Parliament and an uncertain future, says Alan Calder, CEO of software vendor GRC International Group.
"The trouble is that, for all those software sectors in which we already have each of the three items identified for action - no default passwords, vulnerability disclosure and identified support lifetimes - we also have widespread failure to build on them to improve cybersecurity," Calder says. "The cybersecurity industry makes substantial efforts to get organizations to use strong passwords, patch vulnerabilities and update out-of-support software - but significant numbers of organizations, most of which have IT and security teams, fail to heed the warnings."
Whether this new legislation would drive more organizations to take security more seriously remains to be seen, says Andy Norton, cyber risk officer at Armis. "Legislation can only do so much," he says.
But as Parliament now reviews the bill, numerous experts say the common-sense fundamentals it's calling for would at least be a welcome boost.