The Department for Digital, Culture, Media and Sport is consulting on regulatory proposals regarding consumer Internet of Things security.
The DCMS says that it recognises the urgent need to move the expectation away from consumers securing their own devices and instead ensure that strong cyber security is built into these products by design.
Having worked with stakeholders, experts and the National Cyber Security Centre (NCSC), the DCMS is now consulting on proposals for new mandatory industry requirements to ensure consumer smart devices adhere to a basic level of security. The proposals set out in the consultation seek to better protect consumers’ privacy and online security, which can be put at risk by insecure devices.
Options include a mandatory new labelling scheme, whereby the label would tell consumers how secure their products (such as “smart” TVs, toys and appliances) are. Retailers would be able to sell such products only with an IoT security label.
The consultation focuses on mandating the top three security requirements that are set out in the current “Secure by Design” code of practice for consumer IoT security that was launched last year. These include that:
- IoT device passwords must be unique and not resettable to any universal factory setting;
- manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy; and
- manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.
Following the consultation, the security label will initially be launched as a voluntary scheme to help consumers identify products that have basic security features and those that do not.
As an alternative to the labelling scheme, the Government is also consulting on requiring retailers not to sell any products that do not adhere to the top three security requirements of the code of practice.
The consultation closes on 5 June 2019.