Government unveils new laws for IoT and internet-connected devices

Government IoT proposals would introduce security labeling to internet-connected devices

Basic cyber security features will need to be built into internet-connected devices under new laws outlined today by the government.

Unveiled by Margot James, Minister of State for Digital and Creative Industries, the laws are intended to help protect households and small businesses from insecure Internet of Things (IoT) devices.

One of the proposals is a new labelling scheme that would explain how well-protected products such as smart TVs, toys and appliances are.

The government claims that the move will mean that "retailers will only be able to sell products with an Internet of Things security label".

Many consumer products that are connected to the internet are often found to be insecure

The consultation also reinforces the main security requirements set out in the government's ‘Secure by Design' code of practice, including:

• IoT device passwords must be unique and not resettable to any universal factory setting;
• Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy;
• Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.

However, security labelling will be launched as a voluntary scheme following the consultation, with the aim of helping "consumers identify products that have basic security features and those that don't".

Digital minister Margot James said: "Many consumer products that are connected to the internet are often found to be insecure, putting consumers privacy and security at risk.

"Our Code of Practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought.

"These new proposals will help to improve the safety of internet-connected devices and is another milestone in our bid to be a global leader in online safety."

The news comes a day after Margot James held a roundtable on IoT security with the likes of Amazon, Philips, Panasonic, Samsung, Miele and Yale.

The government claims that it is "working with international partners to ensure that the guidelines drive a consistent approach to IoT security" and that "the proposals set out in the consultation have the potential to impact security of devices made across the world to meet the UK's future standards".

National Cyber Security Centre (NCSC) technical director, Dr Ian Levy added: "Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it's unacceptable that these are not being fixed by manufacturers.

"This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes."

Security firm Pen Test Partners described the consultation as a "great start" and "something to be genuinely pleased about", but added that "it is early days and a fairly light touch".

If there was a legal requirement that retailers could not sell any products that don't adhere to the top three security requirements of the Code it would force manufacturers into line

It said: "The digital minister Margot James today announced a concrete mandate for dealing with the slew of insecure IoT dross that has plagued consumers over the last few years.

"The aim is simple, to ensure that the millions of household items that are connected to the internet are better protected from cyber attacks.

"One of the options is to introduce a mandatory labelling scheme, where a label would indicate to consumers how secure the devices are. This means that retailers could only sell approved devices. This is a huge step forward.

"Our view has always been that while labelling is a useful option, a far stronger message could be sent. If there was a legal requirement that retailers could not sell any products that don't adhere to the top three security requirements of the Code it would force manufacturers into line."

Delta is a new market intelligence service from Computing to help CIOs and other IT decision makers make smarter purchasing decisions - decisions informed by the knowledge and experience of other CIOs and IT decision makers.

Delta is free from vendor sponsorship or influence of any kind, and is guided by a steering committee of well-known CIOs, such as Charles Ewen, Christina Scott, Steve Capper and Laura Meyer.

Ten crucial technology areas are already covered at launch, with more data appearing and more areas being covered every week. Sign-up here for your free trial of the Computing Delta website.