In January of this year, the UK Government set out plans to introduce legislation aimed at reducing the risk of internet-connected smart devices being subjected to cyber-attacks. Internet-connected devices, including smart doorbells, virtual assistants and security cameras, all contribute to the Internet of Things ("IoT") – interrelated computing systems aimed at unifying smart devices and objects under a common infrastructure. The UK Government's latest move follows worldwide cybersecurity concerns related to IoT devices, and several high-profile cyber and data breach incidents.
The plans were drawn up by the Department for Digital, Culture, Media and Sport ("DCMS"), and the aim is to ensure that all internet-connected devices sold to UK consumers will adhere to the following three security requirements:
- all consumer internet-connected device passwords must be unique and not resettable to any universal factory setting;
- manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner; and
- manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online.
The latest measures were developed following a 2019 consultation with the National Cyber Security Centre ("NCSC") and stakeholders in the tech industry. Commenting on the plans, Digital Minister Matt Warman said: "We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology".
"Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety." "It will mean robust security standards are built in from the design stage and not bolted on as an afterthought."
The move follows the Government's 'Secure by Design Code of Practice for consumer IoT security', a voluntary code of practice published in 2018 and backed by several businesses in the tech industry, which advocates for stronger cyber security measures to be built into internet-connected devices at the design stage.
The Government has stated that it intends to deliver the new legislation 'as soon as possible', but has not yet set out any concrete timeline.