Published in March 2018, the Department for Digital, Culture, Media and Sport’s Secure by Design report is the result of over a year’s engagement with industry, academia, civil society more broadly, and international partners, with significant input from the NCSC. It lays out the current state of IoT technology, and centres around a proposed code of practice, primarily aimed at manufacturers of consumer IoT products and associated services.
This code of practice consists of thirteen guidelines, set out in order of priority:
- No default passwords
- Implement a vulnerability disclosure policy
- Keep software updated
- Securely store credentials and security-sensitive data
- Communicate securely
- Minimise exposed attack surfaces
- Ensure software integrity
- Ensure that personal data is protected
- Make systems resilient to outages
- Monitor system telemetry data
- Make it easy for consumers to delete personal data
- Make installation and maintenance of devices easy
- Validate input data
For the time being, these are to be guidelines rather than legislative measures; however, according to the report, the government “has begun exploring where we can further leverage existing legislative measures to place selected guidelines from the Code of Practice on a regulatory footing”. It is also “monitoring regulatory action taken by other countries” – for example Germany, where regulators have banned sale and recommended destruction of various internet-connected products aimed at children, including smartwatches and the My Friend Cayla doll.
The report also states: “The Government’s preference would be for the market to solve this problem – the clear security guidelines we set out will be expected by consumers and delivered by IoT producers. But if this does not happen, and quickly, then we will look to make these guidelines compulsory through law.”
A primary focus in the report is the need for manufacturers and retailers of consumer IoT products to take responsibility for the security of these devices, rather than requiring consumers to act on this themselves (in cases where securing the device is even possible, that is). As it is, manufacturers often take a ‘ship and forget’ approach – as the report points out, manufacturers are unlikely to face immediate economic costs borne by a DDoS attack conducted through their devices, and for most consumers security is a secondary, tertiary or even lower priority when compared to factors such as ease of use or price.
Further, the lack of clear metrics for security measures contributes to their being overlooked during the design process in favour of more profitable features. Accordingly, manufacturers and retailers, at present, “do not face sufficient commercial incentive to invest in a secure by design approach” – something the government is hoping to change, it seems.
The government’s involvement in IoT is not new, but part of its ongoing Digital Strategy, as well as the National Cyber Security Strategy for 2016-21. This covers the security aspects of IoT, but also innovation more broadly, as the report emphasises the opportunities IoT provides for the UK economy as well as for individual consumers. In 2016, digital sectors contributed £116.5 billion to the UK economy – almost 7% of the UK’s gross value added – and UK household ownership of smart devices could rise to approximately 15 devices per household by 2020. Government projects in this area include the three year £30 million IoT UK Programme, which covers (among others):
- The Cityverve smart cities demonstrator in Manchester
- NHS projects to help people with dementia in Surrey and people with diabetes in the West of England
- Academic research by the PETRAS IoT Research Hub
The opportunities also come with security risks – again, not just for consumers but for the UK more widely, as the exploitation of connected devices can not only result in the theft of personal data, but also be utilised in large-scale cyberattacks, as seen with Mirai and Reaper. These risks, the report says, will only grow as adoption of connected devices does, and “need to be addressed through joint government and industry action as a matter of urgency”.
From a security-specific standpoint, the government has commissioned work to assess the magnitude of the smart cyber security risk up to 2030, including considering the impact of the increasing use of IoT devices across the electricity system on the stability of the grid. They are also working with Trustmark to create online training and provide guidance to local tradesman and installers on IoT security – hopefully helping to avoid breaches like one in Dubai last year, which was attributed to installation by tradesmen who “were ignorant about their job and lacked experience”.
However, the report emphasises that the guidelines are “not a silver bullet”, and that the only way to truly secure the Internet of Things and ensure security by design is by shifting to a security mind-set and investing in a secure development life cycle.