Enhanced threat landscape
The outbreak of the COVID-19 global pandemic has forced many countries into lockdown and, in turn, many businesses have had to turn themselves inside out and implement work from home (WFH) on a scale not seen before. Cyber criminals have been quick to try and exploit what they see as a "golden moment": the massive scale of WFH and the uncertainty of a rapidly changing pandemic give bad actors greater opportunities for attack, due to factors such as:
- Poor security of home Wi-Fi and shared devices when connecting to office systems;
- Greater physical threats from theft or loss of equipment;
- Stretched IT helpdesk and other internal support services;
- Utilisation of authentication methods not designed with high assurance in mind;
- A lack of a robust and common digital identity infrastructure; and
- Increased pressure on detection systems and personnel.
The targets of cyber criminals during the pandemic crisis have not been limited to businesses and individuals, with researchers at Check Point (an Israeli cyber security company) discovering suspected state-backed hackers using a booby-trapped coronavirus update to try to break into an unidentified Mongolian government network. More recently, the UK and US issued a joint advisory [1] stating that they are investigating a number of incidents in which state-backed hackers have targeted pharmaceutical companies, medical-research organisations and universities, looking for intelligence and sensitive data, including research on the virus.
Regulating the Internet of Things
The Internet of Things (or IoT) refers to a network of connected devices which are able to collect and exchange data without requiring human-to-human or human-to-computer interaction. Typical consumer IoT devices include smart televisions, cameras, temperature control, home assistants, and wearables such as fitness trackers, Wi-Fi speakers and home robots. According to some forecasts, by 2025 there will be an estimated 75 billion internet-connected devices worldwide (some 10-15 devices per UK household).
However, many devices currently on the market lack even the most basic cyber security, despite frequent warnings from experts about the relative ease with which so-called smart toys such as Hello Barbie and Furby Connect, and other connected devices from heart monitors to webcams and even a Jeep, can be hacked.
Shifting away from a voluntary approach
The Code of Practice for Consumer IoT Security [2] for manufacturers and retailers, published by the Department for Digital, Culture, Media & Sport (DCMS), is widely seen as good practice in IoT security. The voluntary Code, which was launched in 2018, advocates for stronger cyber security measures to be built into smart products at the design stage.
The Code puts the implementation of a vulnerability disclosure policy second on its list of thirteen outcome-focused guidelines that manufacturers need to implement in order to improve the cyber security of their consumer IoT products. Research carried out by the IoT Security Foundation [3] (published in December 2018) found that of the 331 consumer product companies examined during August 2018, only 32 (less than 10%) published some form of online vulnerability disclosure scheme, and only three operated a hard deadline of 90 days for fixes to reported issues.
Although DCMS recognises pockets of best practice, naming the manufacturers Centrica Hive, HP Inc., Geo (Green Energy Options) and Panasonic as having backed the Code, it is clear that a different approach is needed. Following a consultation [4] last year, DCMS recently announced [5] that it will introduce new legislation to improve the security standards of internet-connected household devices, with the Government's response [6] to the consultation being laid before Parliament on 27 January 2020.
Announcing the new approach, Digital Minister Matt Warman said the new rules would help "make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology" and "robust security standards ... built in from the design stage and not bolted on as an afterthought."
Security by design - top three guidelines
The new law will aim to ensure that internet-connected products are secure by design and to protect users from the threat of cyber-attacks. It will require that, for all consumer IoT devices sold in the UK:
- passwords are unique and are not resettable to any universal factory setting;
- manufacturers provide a public point of contact for vulnerabilities to be reported and respond to such reports in a timely manner; and
- manufacturers explicitly state at the point of sale (in store or online) the minimum length of time for which the device will receive security updates.
Staged approach to regulation
The Government is taking steps to mandate what it sees as the most important security requirements (i.e. the top three guidelines mentioned above) in order to increase the basic level of security within connected products. The Government aims to deliver the new legislation as soon as possible, as part of a staged approach to regulation that can be adjusted as necessary to keep up with technological change and innovation.
Other work will see DCMS publishing a final-stage regulatory impact assessment later in the year and continuing to review the Code every two years. The Government will also continue to collaborate with other governments and industry partners in the field of IoT security, for example by playing a significant role in the development of the new ETSI European Standard 'Cyber Security for Consumer Internet of Things' [7], which is based on the Code and other industry publications.
Originally published Wednesday 6 May 2020.