Can the UK Government Regulate the IoT?

If you can't charm someone into doing the right thing, you can always force them. That seems to be the UK government's approach as it heads towards the deadline for a consultation on IoT regulation in June. 

The government has long been concerned about insecurity in IoT devices and has done its best to guide the companies who make and sell these products. Last October, it released a Code of Practice for IoT Security, with 13 guidelines it hoped that companies would be reasonable enough to follow. 

So much for that. The IoT security flaws keep coming thick and fast, so the government decided some tough love was in order and released a consultation document for IoT regulation in the UK. The deadline for submissions is June 6.

“Our ambition is therefore to restore transparency within the market, and to ensure manufacturers are clear and transparent with consumers by sharing important information about the cybersecurity of a device, meaning users can make more informed purchasing decisions,” the document said.

If the Code of Practice was the carrot, then the consultation document is the stick. It suggests a series of regulations that vendors and distributors would have to follow. These include making all device access credentials unique. 

Under the proposed rules, companies could no longer ignore security reports, as they have repeatedly done in the past. Not only would they have to provide a contact person to deal with security researchers, but they'd also have to tell customers how long they'd support a product with security patches. 

How well is this likely to work? One perennial problem is that many IoT vendors are half a world away in China, and difficult to regulate. However, the government can regulate companies retailing the products in the UK. 

It might do this, the document said, by requiring retailers to sell the products with an IoT security label. The government has been planning an IoT security labelling scheme, a sort of safety seal for connected devices, for months.

However, all the stated enforcement options in the consultation document allow manufacturers to self-declare their compliance with the labelling scheme. This eliminates the need for government-approved testers, but also seems to leave the fox running the henhouse. Presumably, manufacturers on another continent can say what they like about their compliance. Who's going to check?

We'll know more after the consultation period ends, but one thing is certain: the UK government will be regulating the IoT somehow, and everyone in the supply chain should take notice.
