Starter for five on Legislating the Internet of Things
In layman’s terms, the Internet of Things (IoT) can be summarised as anything that is connected to the internet. This includes ‘personal’ devices such as TVs, smartphones, smart appliances and wearable technology, but also the complex computers and sensors that are used to manage and operate local, national (and even international) infrastructure.
The UK Government is proposing new laws aimed at better securing and protecting the data collected by connected devices and we have set out below our thoughts on the form of the new legislation and how it may develop in future.
- Why legislate?
According to Gartner, by the end of this year around 14 billion devices worldwide will be connecting to the internet[i]. In combination, these devices have access to vast quantities of our personal data, and yet it is also well known that many contain inherent security flaws such as hardcoded pre-set passwords and software bugs.
For the individual, a vulnerable device can threaten privacy and personal security, often leading to serious financial and sometimes reputational damage. However, where vulnerable devices are exploited in large numbers, the security and economy of an organisation, or even a nation, can also be put at risk. By way of example, in 2016 hackers were able to commandeer an army of infected IoT devices (such as webcams and DVD players) to launch denial of service attacks which separately brought down the Liberian internet and Dyn (a well-known domain name service provider for popular websites including Twitter, Spotify and SoundCloud).
- What is the precedent for this type of legislation?
USA: In August last year, the USA became the first country to pass a law specifically aimed at the manufacturers and retailers of IoT devices. When the law comes into effect in California in 2020, it will mean that every connected device sold in that state must come with a password unique to the device.
Japan: Japan also announced in February that it is launching a proactive investigation into 200 million IP addresses across the country to search out devices with vulnerable or compromised security with the aim of educating global Internet Service Providers and telecoms suppliers to better understand (and deal with) vulnerabilities in networks and devices.
UK: Here in the UK, in October 2018, the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) launched a first-of-its-kind ‘Secure by Design’ voluntary Code of Practice (CoP) in relation to internet-connected devices.
The CoP has been backed by some major players in the field including Centrica Hive, HP and Panasonic.
Europe: The European Telecommunications Standards Institute (ETSI) Technical Committee on Cyber-Security recently issued industry standards for internet-connected consumer devices. The standards are based on the UK’s CoP and are the first such industry standard to apply globally to a range of devices, including connected toys and baby monitors, connected safety products such as smoke detectors and door locks, smart cameras, TVs and speakers, health trackers, home automation and alarm systems, connected appliances and smart home assistants.
- What will the new legislation do?
The new proposed UK legislation will build on the existing voluntary CoP and will instigate a security labelling system to identify how secure the IoT product is.
To gain an IoT security label, a manufacturer will need to:
- ensure that the device comes with a unique password that is not resettable to a universal factory setting;
- state clearly the minimum length of time that security updates will be made available; and
- offer a public point of contact to allow hackers and security researchers to report flaws and vulnerabilities.
Initially the labelling scheme will be voluntary but eventually retailers will only be able to sell products with an IoT security label.
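The first labelling requirement (a unique password that does not reset to a universal factory setting) is the one a manufacturer has to design into firmware rather than print on a box. The following is an added illustration, not part of the article or of any scheme document: a constructed Python sketch contrasting a device that resets to a shared default with one whose per-unit initial credential is derived from a secret provisioned at manufacture. The class names, the default list and the audit function are all hypothetical.

```python
"""Constructed example: per-unit initial credentials that survive a factory
reset, contrasted with the universal-default pattern the label rules out."""
import hashlib
import hmac
import secrets

# Sample of widely abused shared defaults (constructed, not exhaustive).
UNIVERSAL_DEFAULTS = {"admin", "password", "12345", "root"}


class LegacyDevice:
    """The pattern the label is meant to eliminate: every unit resets to 'admin'."""

    def __init__(self, serial: str):
        self.serial = serial
        self.password = "admin"

    def set_password(self, new_password: str) -> None:
        self.password = new_password

    def factory_reset(self) -> None:
        self.password = "admin"  # same value on every unit shipped


class LabelledDevice:
    """Each unit carries its own provisioning secret written once at manufacture
    (on real hardware this would sit in protected storage, e.g. a secure element)."""

    def __init__(self, serial: str):
        self.serial = serial
        self._provisioning_secret = secrets.token_bytes(32)  # unique per unit
        self.password = self._initial_password()

    def _initial_password(self) -> str:
        # Derive this unit's initial credential from its own secret, so a reset
        # restores a per-unit value rather than a value shared across the product line.
        mac = hmac.new(self._provisioning_secret,
                       b"initial-password:" + self.serial.encode(),
                       hashlib.sha256).digest()
        return mac.hex()[:16]

    def set_password(self, new_password: str) -> None:
        self.password = new_password

    def factory_reset(self) -> None:
        self.password = self._initial_password()


def resets_to_universal_default(device) -> bool:
    """Hypothetical label audit: after a user change and a reset, is the credential shared?"""
    device.set_password("user-chosen-value")
    device.factory_reset()
    return device.password in UNIVERSAL_DEFAULTS
```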
- How effective will it be?
The new legislation has the potential to influence manufacturers and suppliers of IoT devices all over the world, who will need to ensure that their devices meet UK standards in order to make sales here. However, it is not the full picture. The complexities of securing data and infrastructure go beyond physical devices, applications and networks and into the realm of human behaviour, where there will probably always be a tendency to act irresponsibly (particularly in relation to passwords).
In addition, protecting data is not just about security and there are wider privacy issues at play when we consider the many ways that freely given data can be utilised and commoditised by providers of connected devices. Most people accept that in order to enjoy the benefits of connected technology they must consent to some use of personal data, but few understand the full pathway of that data once it is given over.
Legislation aimed at protecting the security of end devices is therefore only part of the picture. The labelling will help with aspects of security that were previously outside of user control, but ongoing education, as well as internal management and regulatory control, remain vital aspects of data security.
- What more can be done?
Tackling the issue of data security in relation to IoT devices requires a global approach from legislators and educators that targets manufacturers, retailers and consumers. Each player should be continually assessing the entire end-to-end pathway through which a cyber-attack can pass to identify and mitigate the risks at every point.
We need an ongoing programme to educate users of connected devices as to how personal data can be collected, utilised and potentially abused by providers and third-party agents. Easy access to accurate information - not scaremongering - will enable users to take greater responsibility for the security of their own data and equip them to challenge unnecessary intrusions into their privacy.
Finally, much like the journey to wide acceptance of online banking, providers of these devices will need to earn user trust by proving they can act responsibly in relation to the security of devices as well as the data that they collect. We all watch the Huawei story with interest…
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.