The Department for Digital, Culture, Media and Sport (DCMS) is consulting on regulatory proposals regarding consumer Internet of Things (IoT) security. This consultation complements the impact assessment “Mandating security requirements for consumer Internet of Things (IoT) products”.
As technological advances accelerate, consumers are bringing ever more ‘smart’ devices into their homes. The IoT is already delivering significant benefits to users, saving time, effort and money. However, many IoT devices lack basic cybersecurity provision. Such vulnerability can undermine user privacy and personal safety and pose a risk for the wider economy.
The UK Government recognises the urgent need to ensure that strong cybersecurity is built into consumer IoT products by design. The DCMS is consulting on proposals to ensure such smart devices adhere to a basic level of security, with the ambition that the following are made mandatory in the UK:
- All IoT device passwords shall be unique and not resettable to any factory default value.
- The manufacturer shall provide a public point of contact as part of a vulnerability disclosure policy.
- Manufacturers will explicitly state the minimum length of time for which the product will receive security updates.
The DCMS consultation aims to listen to feedback on various implementation options, following which, the government will decide on measures to take forward into legislation.
We welcome your comments and feedback on all the proposals and evidence put forward within the consultation stage impact assessment.
Please reference which questions you are commenting on.
Consultation questions: feedback on the regulatory approach and labelling scheme
|1||Do you agree that the Government should take powers to regulate the security of consumer IoT products? If yes, do you agree with the proposed legislative approach?|
|2||Do you agree that the ‘top three’ security provisions set out in the Impact Assessment form appropriate mandatory baseline requirements for consumer IoT products?|
|3||Do you agree with the use of the security label (positive and negative) to communicate these requirements to consumers? Where possible, please provide evidence in support of your response.|
Do you agree with the wording of the labelling design?
If not, could you provide suggestions for alternative wording? Where possible please provide evidence alongside these suggestions.
Do you agree with our recommended option to mandate retailers in the first instance to not sell consumer IoT products without a security label (Option A)?
If not, could you state your preferred option, or provide suggestions for your alternative. Please provide evidence alongside these suggestions.
Consultation questions: feedback on the impact of our proposals
|6||The consultation stage Impact Assessment published alongside the consultation document explores the costs and benefits of the options considered for this policy. Do you agree with our analysis? In particular, please consider the following, and provide analysis to back up your views:|
|a||Direct costs determined to be in scope.|
|b||Assessment of the impact on competition.|
|c||Further evidence on the cost of cyber breaches to IoT consumers in the UK, and the incidence of attacks against IoT devices.|
|d||Data and research on the number of IoT manufacturers and retailers which sell their goods on the UK market.|
|e||Estimates for the number of hours and cost (e.g. consultants) it would take businesses of different sizes to familiarise with this legislation.|
|f||Potential methods of self-assessment and the relative costs to business.|
|g||Evidence on the average number of IoT products produced in the UK per business.|
|h||Evidence on types of labelling and their respective costs.|
|i||The likelihood that manufacturers would pass on labelling costs to consumers.|
|j||Additional costs of staff time and any other costs incurred, such as training, required to comply with the regulation.|
|k||Evidence on the cost of implementing each of the 13 Code of Practice guidelines and any evidence or estimates of how many of the IoT products available on the market currently comply.|
|l||On average, how often are existing IoT products redeveloped, how many new products IoT manufacturers produce per year, and the average number of products per manufacturer?|
|m||Evidence on IoT cyber-security breaches against UK consumers and their average cost.|
|n||Evidence on the potential reduction in breaches as a result of implementing the different code of practice guidelines.|
|o||Evidence on the predicted future path and nature of IoT attacks in the UK if nothing is done to increase security from its current level.|
|p||The risks and uncertainties identified within the impact assessment.|
Do you have a view on how best to approach issues associated with existing consumer IoT products on the market that, under these new proposals, will not have a label?
In particular, how could the proposed regulatory approach impact retailers who will have existing non-labelled consumer IoT in stock? Please provide evidence.
|8||We welcome your views on the cost to businesses of implementing this regulatory approach within the secondary market. Please provide evidence.|
|9||We welcome views on costs to small and micro businesses in the UK as a result of these regulatory proposals. In particular, consider how best to quantify the impact on profits of small and micro firms. Please provide evidence.|
Consultation questions: enforcement
|10||Do you have a view on how best to enforce the requirements set out in both regulatory options? In particular, consider which UK agency is best placed to undertake enforcement and whether additional penalties would need to be set out to ensure that companies correctly use the labels. Where possible, please provide evidence.|
The Institution of Engineering and Technology Trustees propose submitting a response to this consultation and invite comments from Members who have expertise in this area and have studied the consultation documents. In its capacity as a professional body, the IET will confine itself to only addressing those questions that are within its area(s) of competence.
For more information and a summary of the questions, please refer to the consultation document.
The deadline for responding to this consultation is 23 May 2019. Please send your responses to Ahmed Kotb with “Consultation on the Government’s regulatory proposals regarding consumer Internet of Things (IoT) security” in the subject line.