On 27 January 2020, the UK Government published its policy position on security in consumer IoT. It has decided to regulate more prescriptively and to mandate the requirements included in the Code of Practice of 2018, in order to improve the security of products purchased in the UK. In deciding not to launch a voluntary labelling scheme, the Government recognised that such a scheme would not have the intended effect of improving consumers’ awareness of the security of the IoT products they purchase. This is in line with what is taking shape at the European level, where the European agency for cybersecurity has also found the need for more specific legislation, and has voiced concerns that certification schemes may be insufficient to provide the necessary transparency. As such, industry should brace itself for regulatory measures in response to the lack of consumer awareness and information on how secure products are.
Communicating security to consumers is the key problem
There are two (linked) motives behind the UK Government’s initiative to mandate security requirements in consumer IoT devices. The first is the need to raise and guarantee security standards. Here, the Government refers to a review carried out in 2018, which found that over 90% of 331 manufacturers supplying the UK market did not have a comprehensive vulnerability disclosure programme to the level the Government would expect. The second is to ensure that the public are well informed about IoT security, since there is an asymmetry between what consumers think they are buying and what they are actually buying. A survey conducted for the Government between January and February 2019 highlighted that, among those who didn’t rank security as one of the top four considerations, 72% of respondents said this was because they expected security to be built into devices already on the market.
The combined effect of these two findings led the Government to consider legislation and go beyond the voluntary, industry-led approach it had previously endorsed. As a result, it launched a consultation in May 2019 on possible legislative options to turn the top three security guidelines in the Code of Practice (and in the relevant ETSI Technical Specification) into mandatory requirements. These included creating unique passwords for each device; implementing a vulnerability disclosure policy; and keeping software updated through an end-of-life policy for each product. To help consumers identify secure products and make informed purchase decisions, the Government also proposed a labelling scheme, which would initially be voluntary and then lead to one of the three options set out in the consultation, as follows:
Option A: Mandate retailers to only sell consumer IoT products that have the IoT security label, with manufacturers to self-assess and implement the security label on their consumer IoT products.
Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines of the Code of Practice, with manufacturers to self-assess that their consumer IoT products adhere to the top three guidelines of the Code of Practice for Consumer IoT Security and the ETSI Technical Specification.
Option C: Mandate retailers to only sell consumer IoT products that have the IoT security label which evidences compliance with all thirteen guidelines of the Code of Practice for Consumer IoT Security and the ETSI Technical Specification, with manufacturers expected to self-assess and implement the security label on their consumer IoT products.
The Government intends to take a staged approach in mandating requirements from the Code of Practice
On 27 January 2020, the Government published its response to the input it received through the consultation. The submissions highlighted broad consensus for regulation to protect from harm, since devices on the market still have basic flaws such as default passwords, and too many manufacturers do not communicate transparently to consumers how long the device will be supported by security updates or who to contact in the event of a vulnerability being identified. The responses also backed the Government’s initial stance that the three key principles in the Code of Practice should be those that form the initial mandatory baseline in the staged approach the Government intends to pursue. Further requirements would be mandated at a later stage, as and when necessary, so that regulation keeps pace with changes in technology.
The consultation feedback also highlighted the need for the Government to consider additional options to assess the security of products as part of the objective to encourage transparency across the supply chain. To address this need, the Government will consult on whether it is feasible for manufacturers to provide retailers with information on whether their products adhere to the additional ten guidelines in the Code of Practice and in the ETSI TS. Certain guidelines will not be applicable to all consumer IoT devices and therefore there needs to be flexibility in how the remaining measures in the Code are met. While the Government has now decided it will legislate, it is yet to set out a detailed proposal. To this end, it will conduct further stakeholder engagement to develop regulatory options based on the top three guidelines in the Code of Practice it intends to mandate. As part of its staged approach, the Government will review the Code of Practice every two years. A final stage regulatory impact assessment is expected later in 2020.
The Government pulls the labelling scheme, but will now think of other options
Another key part of the Government’s consultation related to the adoption of a labelling scheme, with the purpose of helping consumers recognise secure products at the point of purchase. While most respondents agreed to some extent with the concept of labelling, many added caveats to their answer. For example, a common view was that respondents agreed with positive labelling, but not negative labelling. One reason for this was that respondents felt that negative labels could stifle innovation and create market barriers, as retailers would be less likely to stock negatively labelled products. Others suggested that negative labelling could lead to consumers buying non-labelled foreign products, rather than those manufactured or sold in the UK with a negative label. Another point made was that, due to the dynamic nature of the cybersecurity environment, a ‘live’ label (e.g. an online label) would better serve the intended purpose than a static label.
Respondents’ feedback also questioned whether manufacturers would be willing to place a negative label on their products, and highlighted the difficulty retailers would face in taking the necessary steps to validate a manufacturer’s claims under a voluntary scheme. As a result, the Government decided not to proceed with the voluntary labelling scheme it was planning to launch, and will now undertake further policy development based on the feedback. Despite the concerns raised about the proposed labelling scheme, the Government still finds ample evidence that consumers should not be expected to assess the security of the devices they purchase. The information may not be readily available or easily accessible, and many consumers incorrectly assume that all devices are already safe because they are sold through trusted marketplaces. Since the responses to the consultation strengthened the Government’s view on this aspect, it is expected that the Government will seek a different solution to the problem. Such a solution is likely to involve retailers in conveying security information to the end user.
The Government’s concerns are mirrored at the European level
The relationship between consumers and IoT security is an issue with which regulators are grappling in several countries. In September 2019, the European Cybersecurity Agency ENISA issued an opinion paper on ‘Consumers and IoT security’, which mirrors many of the concerns at the heart of the UK Government’s initiative. For example, ENISA notes that cybersecurity by design and by default is a concept introduced in the EU Cybersecurity Act but not defined in detail, and that it is unclear whether a certification scheme for consumer IoT will be developed. A general legal obligation for the cybersecurity of IoT products currently does not exist in the EU. The concept of safety on which product safety legislation is based seemingly only covers physical safety risks which can have a direct impact on the health and safety of users. As a result, consumers cannot trust that the connected products they buy are ‘cyber-secure’. Also, even if a certification scheme were developed, it would be of a voluntary nature due to the approach adopted in the Cybersecurity Act. The paper therefore calls on the new European Commission to propose a horizontal mandatory legal “security by default and by design” rule, to ensure the EU’s framework is fit to enable trust and appropriate consumer protection for IoT devices.
The paper highlights the need for intervention in areas similar to those covered by the UK consultation: the life cycle of products and security updates, consumer awareness, labelling, and vulnerability disclosure, among other issues. In the absence of legislation, the paper suggests some actions ENISA can take to foster consumer awareness and consumers’ involvement in the policy process. These relate to three areas of intervention: ensuring regular representation of consumer groups in discussion forums; setting out the criteria for an EU Code of Conduct on consumer IoT security; and co-operating with organisations and national authorities to train consumers and businesses, for example in qualitative testing of labelling or similar schemes, in order to check their effectiveness in fostering consumer awareness.