The temptation is to say yes, but the reality may be different
We recently looked at some of the threats that come from smart or connected devices in the home, and the solutions we can employ. The threats arise because the devices are often inherently insecure when we buy them. The full solution seems obvious – make sure the devices are secure before they reach us.
Since this isn’t happening by design, perhaps it requires legislation.
We can arbitrarily separate connected devices into three categories: the business Internet of Things (IoT, used by business as part of their information technology); Industrial IoT (IIoT, used by business as part of their operational technology); and consumer IoT (the smart devices we use at home).
The good news is that many standards organizations around the world are engaged in developing IoT standards. The bad news is that only two legislatures have seriously attempted to control the security of consumer IoT. These are the State of California, and the United Kingdom.
Then-California Gov. Jerry Brown signed a cybersecurity bill, Security of Connected Devices (technically, SB327), into law in September 2018. It will come into effect in January 2020. But while its requirement on passwords is praised, the rest of the law is considered weak.
The law requires that each manufactured device has a unique password, and that it “requires a user to generate a new means of authentication before access is granted to the device for the first time.” Elsewhere, the requirement for “reasonable” and “appropriate” security features is considered effectively meaningless, since manufacturers cannot possibly know what those two words really mean.
The planned UK legislation
This just leaves the planned UK legislation. If it works, it would improve the security of smart devices both in the UK and elsewhere. Manufacturers will not build one secure device for the UK and an insecure device for elsewhere. Furthermore, again if it works, it could provide a blueprint for similar legislation in other countries and state laws in the U.S. – just as the EU’s GDPR is providing a worldwide blueprint for new privacy legislation.
In this article we are going to examine the proposed legislation, and consider whether it will be effective.
The UK has a traditional approach to business legislation. It first asks for voluntary adherence to an acceptable code of practice, often with an explicit warning that if it isn’t done voluntarily, legislation will make it compulsory.
In October 2018, the Department for Digital, Culture, Media and Sport (DCMS) published a Code of Practice for consumer IoT security. It comprises 13 separate recommendations to ensure security in smart devices, ranging from no default passwords through a vulnerability disclosure policy to make it easy for consumers to delete personal data.
These recommendations are purposely outcome-focused rather than prescriptive – they describe what should be achieved, but not how it should be done. They are, however, far more explicit than the requirements of California’s legislation.
The government is still going slowly, but there should be no doubt over the intention to regulate the sale of smart devices to the home. The proposal is to use the code of practice and introduce all 13 requirements in stages, starting with the first three. These are:
All IoT device passwords shall be unique and shall not be resettable to any universal factory default value.
The manufacturer shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues.
Manufacturers will explicitly state the minimum length of time for which the product will receive security updates.
The consultation is not about whether this law should be implemented, but how it should be implemented.
This is where the UK comes up against the same problem faced by all governments proposing to regulate technology – how do you do so without stymying innovation in products, and stymying efficiency in business operation?
“We are mindful of the risk of dampening innovation and applying a strong burden on manufacturers of all shapes and sizes,” says the UK government, “This is why we have worked to define what baseline security looks like, in line with the ‘top three’ guidelines of the Code of Practice.” In reality, this regulation versus innovation is a circle that cannot be squared.
But there is a second problem that can be solved: how do you impose national regulations on overseas manufacturers? The immediate answer is that you cannot – so the government is imposing the regulations on UK resellers rather than foreign manufacturers.
The current consultation is over which of three implementation routes should be adopted. They all start with product security-labelling by the manufacturer, with legislation preventing the resale of products in the UK that do not have the manufacturers security label.
The three implementation options are:
Option A: Mandate retailers to only sell consumer IoT products that have the IoT security label, with manufacturers to self-declare and implement a security label on their consumer IoT products.
Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines, with the burden on manufacturers to self-declare that their consumer IoT products adhere to the top three guidelines of the Code of Practice for IoT Security and the ETSI TS 103 645.
Option C: Mandate that retailers only sell consumer IoT products with a label that evidences compliance with all 13 guidelines of the Code of Practice, with manufacturers expected to self-declare and to ensure that the label is on the appropriate packaging.
And here’s the rub. All three options require self-declaration of security by the manufacturer. In other words, the government is introducing mandatory voluntary legislation. In its proposed format, this legislation relies on market forces for enforcement. It cannot force foreign manufacturers to build secure devices, but it can punish UK retailers for selling them. It puts the onus on the reseller to force the manufacturer to comply.
If we have learned anything from legislative history, it is that both the manufacturer and the reseller will follow the path of least resistance. Both will interpret the requirements as loosely as they think possible.
It is what the government does next that will decide whether this legislation succeeds or fails in its purpose. For example, the DMCS states, “We intend to create Primary legislation, when Parliamentary time allows, that gives the Secretary of State for DCMS the ability to set the requirements for a mandated labelling scheme and/or to set security requirements for devices on sale in the UK. These requirements would be set out in Secondary legislation.”
Secondary legislation in the UK does not require a vote in the House of Parliament – it merely requires the say-so of the relevant Secretary of State. The DCMS also states that the government’s intention is to make all 13 items of the Code of Practice mandatory. Once the three initial requirements become law, it would be theoretically possible for the government to require the remaining 10 principles of the Code of Practice at one per month over the following 10 months – or, indeed, anything else considered relevant.
Will the UK legislation make consumer IoT more secure?
Will it work? That is the $64 million question. It might, but it probably won’t. At least not as effectively as hoped.
There are two fundamental difficulties. The first is the self-declaration of security by the manufacturers. New and small manufacturers with a good idea will continue to rush to get their product to market ahead of competitors; and part of that rush will include under-development of security in favor of features; and over-selling of security in terms of labelling.
Insecure products will still get to market – and where is the value to the consumer if nine out of his 10 smart devices keep the hackers out but the 10th lets them in?
The second is a related problem: Who is to say whether a product conforms or not? The standard solution to such issues is to introduce mandatory third-party certification – and this could easily be done via the secondary legislation. But then who is to pay for the necessary product testing?
If manufacturers have to pay, they might simply abandon selling to the UK – it’s just one country in a very large global market.
If resellers have to pay, it could drive them out of the market – leaving the UK short on smart home devices. The temptation for the user would be to buy insecure, untested foreign products via foreign websites.
The government is obviously aware of these issues and is hoping to draw the market along with staged implementation, never quite demanding too much in one bite. Only time will tell whether it succeeds.
But the reality is that the circle will not be squared by this legislation on its own. The best hope for success will be if a critical mass of other governments and U.S. states sees value in the approach and enacts legislation requiring the same things. Only that will force all consumer IoT manufacturers to build secure consumer IoT devices.
In the meantime, it remains incumbent on all of us to take what precautions we can, and not assume that the devices we buy will be secure. As new research from Avast and Stanford University shows, we are still discovering how much of the world of IoT is unprotected.