Potential Government changes to IoT regulations ‘need to strike balance between security and slowing innovation’

Government proposals to strengthen regulations regarding the Internet of Things (IoT) need to strike a careful balance between consumer security and hampering innovation, a specialist tech lawyer said today.

Georgia Shriane, from law firm Boyes Turner, was speaking as a consultation closed this week (June 5) into IoT security, aimed particularly at device manufacturers, IoT service providers, mobile application developers, retailers and consumer groups, academics and technical experts.

The Government has said it may regulate to ensure that strong cyber security is included in IoT devices by design, rather than it being left to the consumer to ensure that adequate security measures are in place.

A Code of Practice for IoT Security was published in October but ministers have now decided to move beyond that to the next stage of consultation on formal regulation.

Within the consultation, which closed this week, the Government said it wanted a trio of key security measures to be mandatory in the UK, which were identified as the top three guidelines in the Code of Practice:

• All IoT device passwords to be unique and not to be resettable to any universal factory default value;
• That the manufacturer should provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues, and;
• That manufacturers explicitly state the minimum length of time for which the product will receive security updates.

To implement these options, the consultation stage impact assessment includes three options:

• Mandate retailers only to sell consumer IoT products that have the IoT security label, with manufacturers to self-declare and implement a security label on their consumer IoT products;
• Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines, with the burden on manufacturers to self-declare that their consumer IoT products adhere to the top three guidelines of the Code of Practice for IoT Security and the ETSI TS 103 645; or
• Mandate that retailers only sell consumer IoT products with a label that evidences compliance with all 13 guidelines of the Code of Practice, with manufacturers expected to self-declare and to ensure that the label is on the appropriate packaging.

Georgia Shriane, a senior associate - solicitor in the commercial and technology team at Boyes Turner, said: “Most households have seen an increase in IoT connected devices but not everyone appreciates that it also can increase the level of risks from hackers and bugs.

“Many consumers assumed that security features would be in-built and the majority of IoT users are not technologically savvy enough to put their own security in place, thus leaving their home networks vulnerable to hackers through their kettles or thermostats.

“There’s an obvious tension here between the desire for minimum levels of security for consumers, and what those measures might be, and the impact this may have on slowing innovation and adding expense for tech businesses.
“There will inevitably be an extra layer of cost to install security into IoT products and it may also stall innovation in the UK – not least as other countries such as the USA and China could have lower security requirements.”

Georgia said many consumers ignored the fact that many IoT devices already have a password reset option, leaving them instead on the factory default setting.

“Simply putting a good password (not just “kettle” for example, and not the same one you use for other items on your household network obviously!) will increase the protection and the difficulty for hackers to gain access,” she said.
Interested parties had until this week (June 5) to submit their views on the consultation, which will now be considered by ministers and officials before the next steps are published.