Manufacturers face tighter rules on devices
Manufacturers are facing new pressure to make their internet-connected devices more secure as the UK and EU follow the lead of the US in publishing codes of practice and certification regimes. Though these are voluntary for now, the measures could be made mandatory if companies are slow to act, officials say.
UK: new code for manufacturers
The British government is bringing out a security code of practice for manufacturers this month, and has made clear that while it hopes companies will adopt this voluntarily, it is willing to make the guidelines compulsory through law if necessary.
“Security by design is fundamental if we are to progress with the internet of things,” says Margot James, UK minister for digital and the creative industries. “If consumers don’t have confidence in the safety of the products they buy, it will stymie growth in this sector.”
The code has 13 principles, including the need for IoT device passwords to be unique and not resettable to factory default, public disclosure of any device vulnerabilities and a requirement to update software through the device’s lifecycle.
The UK has created the code in consultation with other governments. “It’s a global issue,” says Ms James. “With so many of these products being made all over the world and ending up in the homes of British citizens, we have to work with other governments.”
US: market solutions
The UK approach mirrors that taken by the Department of Homeland Security in the US. “Much like the UK, we are prioritising market solutions,” says Christopher Krebs, undersecretary for the National Protection and Programs Directorate at the DHS.
“In 2016, the DHS issued strategic principles for securing the internet of things. We are tracking the same way as the UK. Our first principle is ‘incorporate security at the design phase’. The second is ‘advance security updates and vulnerability management’.”
The DHS is also working to strengthen the security of federal networks and critical infrastructure, and this year announced progress in reducing the risk of attacks from botnets, or networks of devices infected with malicious software. The Trump Administration’s National Cyber Strategy, unveiled last month, also addresses the risks posed by the proliferation of connected devices.
Co-ordinating action with other countries is also high on the priority list. “We are working on a common framework and set of principles with the UK, the other Five Eyes Nations [the intelligence alliance that also includes Canada, Australia and New Zealand] and, more broadly, to share what our concepts are,” says Mr Krebs.
“A regulatory scheme from one country is not going to bring the global change we want because the majority of stuff is not manufactured in any of our countries. It’s going to take collective action to get the security outcomes we’re looking for.”
EU: digital certification
In Europe, the EU Agency for Network and Information Security (Enisa) is creating an EU-wide certification regime for digital products.
The new mechanism is expected to be used to certify products such as connected cars and smart medical devices as “cyber secure”.
There are “billions of devices out there which are not secure”, says Udo Helmbrecht, Enisa’s executive director.
“The certification framework has been agreed but some details need to be added,” Mr Helmbrecht adds. “It should be . . . in place by around March next year.” To begin with, certification will be voluntary.
The proposal is part of the Cyber Security Act, which will also enlarge Enisa’s role, giving it a broader mandate and turning it into “a permanent EU agency for cyber security”. The organisation will organise annual cyber security exercises and set up centres for sharing threat intelligence across the bloc.
Enisa has also produced a 100-page guidance booklet for companies in critical industries such as transport, financial services and health, encouraging them to harmonise IoT security measures and clarify who will be liable if a security breach happens.