A significant announcement has been made last week by DCMS as a follow-up to the Secure by Design UK Government Code of Practice for Consumer IoT Security. As mentioned in prior emails, ETSI has launched Technical Specification 103 645 – and all details about this are included in the email below.
This new consultation includes *lots* of very interesting data as well as guidelines for labelling. Comments from outside the UK are encouraged too.
As a special treat to our members, the DCMS Secure by Design Team conducting the Consultation will be presenting a summary of the contents of the consultation and be able to answer any questions you might have in a Webinar organised by the UK Chapter of the Internet Society.
The Webinar will be recorded.
Topic: DCMS Consultation on regulatory proposals for Consumer IoT Security
Time: May 20, 2019 3:00 PM London
——– Forwarded Message ——–
| Subject: | Consultation on regulatory proposals on consumer IoT security |
|---|---|
| Date: | Wed, 1 May 2019 12:03:05 +0100 |
| From: | Secure by Design Mailbox <securebydesign@culture.gov.uk> |
| CC: |
Dear colleague,
I am reaching out to raise awareness of our consultation on regulatory proposals for consumer IoT that we are launching today.
As you are aware, the Government published theCode of Practice for Consumer IoT Security and its supporting documents in October 2018. In February, ETSI, the European Standards Organisation, Iaunched Technical Specification 103 645, the first globally-applicable industry standard on the cybersecurity of consumer IoT. TS 103 645 builds on the Code of Practice, but has been developed for wider European and global needs. Signatories to the Cybersecurity Tech Accord endorsed the ETSI TS 103 645 in March.
As the IoT continues to grow, establishing an effective baseline is an increasingly urgent issue to protect consumers’ privacy, security and safety. Following ministerial steers, we have undertaken work, alongside a number of stakeholders, to establish which appropriate aspects of the code to mandate.
Our regulatory proposals centre around the top three guidelines of the Code of Practice, namely:
- Mandating that IoT device passwords must be unique and not resettable to any universal factory setting.
- Mandating that manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
- Mandating that manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.
We see the above proposals as the absolute minimum baseline security that should be required of consumer IoT products. This should be seen as a first step, and in the future, we expect to expand the criteria to include most or all guidelines in the Secure by Design Code/ETSI TS 103 645 to further drive the baseline level of security in products and reflect this in future legislation. As we stated in March 2018, we will also continue to update the Code of Practice in response to the ever-evolving threat landscape.
Through engagements with external stakeholders and evidence gathering, it is clear that consumers would value having more security information for devices they are considering buying. DCMS funded Harris Interactive to conduct a survey of 6,482 UK consumers to test various DCMS label designs. The key findings from the survey were that:
- Consumers ranked security the third most important piece of information when buying devices/products, more important than product design, brand reputation and online reviews.
- Of the 3,317 consumers that didn’t rank ‘security’ in their top four buying considerations, 72% said this was because they assumed that security was already built into devices that were on the market.
- 73% of participants stated it was important or very important to introduce a labelling scheme based on DCMS labelling designs. This contrasts with only 11% stating it was unimportant.
- The Icons with Text Underneath design ranked highest out of the four labels across every monadically-tested metric, such as ease of understanding and influencing consumers to switch brands if a product had the label.
A separate PETRAS study reviewed the current landscape of documentation and online materials provided for 270 devices and found that only 10% of devices provided information which explicitly referenced security updates.
This is why our preferred option for regulation is to mandate retailers to only sell products that have the following security label (the content of which we will also be consulting on), which will indicate compliance with the above mentioned top three guidelines of the code:
Following initial feedback from industry, the label will initially be run on a voluntary basis from Summer 2019 until regulation comes into force, and this voluntary “grace period” will help avoid placing too heavy a burden on manufacturers and retailers who have extensive international supply chains (and are bound by existing supplier contracts).
We invite you to read the consultation and welcome any feedback that you and your organisation may have. We would also be grateful if you could raise awareness of the consultation amongst your organisation and interested contacts. If you would like further information on the consultation, please reply to this email address (securebydesign@culture.gov.uk) and a member of the team will pick up your query.
Kind regards,
The DCMS Secure by Design team