UK.gov cooks up code of conduct to enforce a smidge of security on Internet of S**t kit
No legislation or fines, are you some kind of IdIoT?
The makers of connected devices will be expected to build in security measures to prevent cyber threats, under a draft "code of conduct" issued by the UK government today.
The Security by Design review intends to bake security into devices to protect "individuals' online security, privacy, safety" as well as preventing large-scale cyber attacks.
Around 100,000 IoT devices infected by the Mirai botnet, mostly CCTV cameras, were used in 2016 to render many high-profile sites inaccessible.
However, how it plans to police the code remains unclear.
The Register has asked the Department for Culture, Media and Sport whether any future financial penalties will be imposed if manufacturers are not compliant with the code, and if it intends to introduce regulation. We have not received a response.
Pen Test Partners' Ken Munro said the plans will change nothing. "Responsible manufacturers are already addressing IT security in devices, so that means this code will apply to fly-by-night ones that aren't. But because this standard isn't compulsory, there is no legislation, or kite mark. It will have no effect.
"This is such a quick and fast-moving sector, the government really needs to grab the bull by the horns. Legislation is what is required, we do it with electrical safety, so why not IoT?"
Digital minister Margot James said the "tough new set of rules" will "ensure we have the right rules and frameworks in place to protect individuals and that the UK continues to be a world-leading, innovation-friendly digital economy."
Ian Levy, technical director at the National Cyber Security Centre, said: "Shoppers should be given high-quality information to make choices at the counter. We manage it with fat content of food and this is the start of doing the same for the cyber security of technology products."
The review is intended to outline practical steps for manufacturers, service providers and developers.
The code states that all passwords on new devices and products must be unique and not resettable to a universal factory default; that vulnerability disclosure policies and public points of contact be made available so issues can be reported immediately; and that sensitive data transmitted by apps or products be encrypted.
It also says software should be automatically updated; that consumers can delete personal data on devices and products; and that installation and maintenance of devices is easy.
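The "no shared factory default" and "unique password" requirements are the ones most directly tied to the Mirai incident, since that botnet spread by logging in with a short list of vendor defaults. The following is an added example, not part of the draft code or any manufacturer's firmware: a small fleet audit that a vendor could run over its own provisioning records to catch devices still sharing a credential or shipping without automatic updates or encrypted transport, alongside a CSPRNG-based per-device credential generator. The record layout (`device_id`, `password`, `auto_update`, `tls`) and the weak-default list are assumptions constructed for the example.

```python
"""Fleet self-check against three of the draft code's points: unique per-device
credentials (no shared factory default), automatic updates and encrypted
transport. Example code written for this article, not government or vendor code."""
import hashlib
import secrets
from collections import defaultdict

# Constructed list of weak factory defaults the audit flags; a real list
# would come from the manufacturer's own provisioning history.
KNOWN_DEFAULTS = {"admin", "password", "12345", "default"}


def credential_fingerprint(password: str) -> str:
    """Hash the credential so the audit compares digests, never plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def provision_unique_credential() -> str:
    """Generate a per-device credential from the OS CSPRNG (128 bits).
    Uniqueness comes from randomness, not from a serial number, so the
    credential cannot be recomputed from anything printed on the box."""
    return secrets.token_urlsafe(16)


def audit_fleet(records):
    """records: list of dicts with keys device_id, password, auto_update, tls.
    Returns findings keyed by the requirement each record fails."""
    findings = {
        "shared_credential": [],  # groups of devices using the same password
        "known_default": [],      # devices on a well-known factory default
        "no_auto_update": [],
        "no_encryption": [],
    }
    devices_by_fingerprint = defaultdict(list)
    for rec in records:
        devices_by_fingerprint[credential_fingerprint(rec["password"])].append(rec["device_id"])
        if rec["password"] in KNOWN_DEFAULTS:
            findings["known_default"].append(rec["device_id"])
        if not rec.get("auto_update", False):
            findings["no_auto_update"].append(rec["device_id"])
        if not rec.get("tls", False):
            findings["no_encryption"].append(rec["device_id"])
    # Any fingerprint shared by more than one device is a shared default,
    # whether or not the password appears in KNOWN_DEFAULTS.
    for ids in devices_by_fingerprint.values():
        if len(ids) > 1:
            findings["shared_credential"].append(sorted(ids))
    return findings


# Constructed sample fleet: two cameras still on a shared factory default,
# one provisioned with a unique credential.
SAMPLE_FLEET = [
    {"device_id": "cam-001", "password": "admin", "auto_update": False, "tls": False},
    {"device_id": "cam-002", "password": "admin", "auto_update": True, "tls": True},
    {"device_id": "cam-003", "password": provision_unique_credential(), "auto_update": True, "tls": True},
]

if __name__ == "__main__":
    for requirement, hits in audit_fleet(SAMPLE_FLEET).items():
        print(f"{requirement}: {hits}")
```

The shared-credential check works on digests rather than on the weak-default list, so it also catches a vendor-specific default that no public wordlist knows about; the known-default check is the cheaper complement for credentials an attacker would try first.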
In addition, it proposes developing a product labelling scheme so consumers are aware of a product's security features at the point of purchase.
Munro added that the threat to national infrastructure via botnets was a "concerning threat" but said these measures alone would not be enough to prevent IoT attacks.
However, Raj Samani, chief scientist at McAfee, said the code was "a welcome step on the road to ensuring a standard level of security across these devices".
The government is asking for feedback on the draft proposals until 25 April. ®