Government publishes its response to the consultation on regulatory proposals regarding consumer Internet of Things (IoT) security

In March 2018, the UK Government published the Secure by Design report, which included a draft Code of Practice setting out thirteen outcome-led guidelines that manufacturers would need to implement in order to improve the cyber security of their consumer Internet of Things (IoT) products.

The Government then held an informal consultation from 7 March to 25 April 2018, and this feedback helped to refine the Code’s guidelines. Following engagement with the National Cyber Security Centre (NCSC), industry and external experts, the finalised Code of Practice for IoT Security was published on 14 October 2018.

In May 2019, the Department for Digital, Culture, Media and Sport published a consultation on regulatory proposals for consumer Internet of Things security.

The proposals are for new mandatory industry requirements to ensure that consumer smart devices adhere to a basic level of security; in other words, that strong cyber security is built into smart devices by design. The consultation ran from 1 May 2019 to 5 June 2019, and closed with 60 formal written responses.

Options under consideration for the consultation were:

  • Option A: mandate retailers to only sell consumer IoT products that have the IoT security label, and manufacturers to self-assess and implement the security label on their consumer IoT products;
  • Option B: mandate retailers to only sell consumer IoT products that adhere to the top three guidelines of the Code of Practice, and manufacturers to self-assess that their consumer IoT products adhere to the top three guidelines of the Code of Practice for Consumer IoT Security and the European Telecommunications Standards Institute (ETSI) global industry standard, TS 103 645; and
  • Option C: mandate retailers to only sell consumer IoT products that have the IoT security label that evidences compliance with all thirteen guidelines of the Code of Practice for Consumer IoT Security and ETSI TS 103 645, and manufacturers to self-assess and implement the security label on their consumer IoT products.

Part of the call for views was also intended to gather feedback on the details of a voluntary labelling scheme, as a first step towards the first option outlined above, which is designed to help consumers make more informed decisions when purchasing consumer IoT devices.

Based on the consultation feedback, the Government says that it is satisfied that the three proposed security requirements are the correct ones to form the proposed mandatory baseline in the first instance. The Government intends to pursue a staged approach to regulation in this area and is starting with focusing on the most important security requirements (the top three guidelines in Code/ETSI TS), but, through continuous stakeholder consultation, it intends to mandate further security requirements in the future to ensure that regulation is keeping pace with emerging technology.

The Government is also encouraging manufacturers to implement all thirteen guidelines of the Code of Practice for Consumer IoT Security within their products and processes where appropriate.

The Government will also consider additional options that should be undertaken to assess the security of products to encourage transparency across the supply chain. The Government will examine whether it is feasible for manufacturers to provide retailers with information on whether their products adhere to the additional ten guidelines in the Code of Practice/ETSI TS. The Government recognises that certain guidelines will not be applicable to all consumer IoT devices and therefore there needs to be flexibility in how the remaining measures in the Code are met.

As for the wording of the security requirements, the Government will use the feedback received to inform its policy proposals and development of any legislative provisions to ensure that unintended consequences are limited. The Government says that it is not mandating that an end of life policy for the product be published, but rather that the product comes with information that states the minimum length of time for which it will receive security updates.

As for the voluntary security label, the Government recognises the complexity of supply chain management and potential disruption to business as a result of affixing a label to physical products. Given the difficulties of manufacturers being willing to place a negative label on their products and the difficulty for retailers to take necessary steps to validate the manufacturer’s claims in a voluntary scenario, the Government says that it will not proceed with launching the voluntary labelling scheme at this time and will undertake further policy development based on the feedback.

The Government notes the concerns as to how self-assessment would work in practice, and who would be liable in the event of a false declaration of conformity. It is not advocating a specific assessment process for manufacturers to follow, but encouraging the supply chain to use tools and guidance already available, i.e. industry-led assurance and certification schemes that best meet their price point and are consistent with the Code of Practice.

Responses to the consultation also reinforced the Government’s view that consumers should not be expected to assess the security of the devices that they purchase, as the information is not readily available or easily accessible.

In conclusion, the Government says that deeper consideration needs to be given to this issue. Consumers need to be confident about the security of their smart devices and therefore the Government will be conducting further policy development on how UK retailers (or those selling into the UK) can best evidence security information to consumers at the point of sale, whilst still ensuring minimum disruption for the supply chain.

As for the costs and benefits of the options proposed, as well as the costs of implementing the approach within the secondary market and costs to small and micro-businesses, the Government says that it will engage with industry as proposals develop, and will be commissioning further evidence work over the coming months to better understand the impacts of all proposed regulatory options.

As for enforcement of the regulatory proposals, respondents were clear that it would naturally fall within Trading Standards’ existing role for consumer protection in the UK. The Government, however, says that it is mindful of placing more responsibility on existing UK agencies at a time when resources are prioritised on existing consumer protection priorities. It says that it has been working to better understand how this regulation could be effectively enforced through existing UK agencies and will continue to do so in the coming months.

The Government says that it will now conduct further stakeholder engagement to develop the regulatory options based on the top three guidelines in the Code of Practice and ETSI TS. The Government will also undertake further work to determine the most appropriate way to communicate security information to consumers. This will involve examining an alternative option to the labelling scheme whereby retailers would be responsible for providing information to the consumer at the point of sale (both online and in stores).

In line with its intention to take a staged approach to mandating further security requirements beyond the three most important guidelines indicated in the document, the Government will review and amend, as required, the Code of Practice for Consumer IoT Security every two years. It intends to publish a final stage regulatory impact assessment later in 2020. To read the Government’s response in full, click here.
