What Experts Say On New UK IoT Legislation

All Internet of Things and consumer smart devices will need to adhere to specific security requirements, under new government proposals.

The aim of the legislation is to help protect UK citizens and businesses from the threats posed by cyber criminals increasingly targeting Internet of Things devices.

The proposed measures from the Department for Culture, Media and Sport (DCMS) have been developed in conjunction with the UK’s National Cyber Security Centre (NCSC) and come following a consultation period with information security experts, product manufacturers and retailers and others.

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety,” said Matt Warman, minister for digital and broadband at DCMS.

It is currently unclear how these rules will be enforced under any future law. While the government has said that its “ambition” is to introduce legislation in this area, and said this would be done “as soon as possible”, there is no detail on when this would take place.

EXPERTS COMMENTS
Alun Baker, CEO, Clario
January 28, 2020
A vital step forward in the battle to get companies to protect consumers
It is predicted that the number of IoT devices worldwide will grow from 22 billion in 2018 to 38.6 billion in 2025 and this forthcoming law will be a big step forward in the battle to force industry to develop the robust security standards desperately needed to protect consumers. All hackers need is one poorly protected smart device like a fridge to gain access to the wider network.
Fennel Aurora, Security Adviser, F-Secure
January 28, 2020
The three Cyber Security rules are even more basic protections
This new legislation is a step in the right direction from the UK Government. When you buy electronics, you know they won't set your home on fire and that they won't give your children lead poisoning due to legislation enforced by the government. The three Cyber Security rules are even more basic protections so there is no excuse for a manufacturer to put an IoT product on the market that does
Ilkka Turunen, Global Director of Solutions Architecture, Sonatype
January 28, 2020
No other manufacturing industry is permitted to ship known vulnerable or defective parts in their products.
While the UK government's IoT security legislation is definitely a big step in the right direction, there are major oversights it doesn't address: When 1 in 10 software components downloaded by UK developers contains a known security vulnerability, increasing the occurrence of supply chain infiltration attacks, it's not enough to just offer a point of contact to whom vulnerabilities
Alan Grau, VP of IoT, Sectigo
January 28, 2020
PKI has stood the test of time as one of the most venerable and ubiquitous computing paradigms we have.
Connected device security stands to benefit from well-considered legislation and guidelines, and we applaud recent activity in California, Australia, and now the UK in this area. But while these laws are a good start, we must not fall into the trap of believing that they are sufficient to address the full set of identified gaps in IoT security. High volumes of devices with known passwords have
Stuart Sharp, VP of Solution Engineering, OneLogin
January 28, 2020
While the government's announcement of new security requirements for vendors of IoT devices are a welcome first step.
While the government's announcement of new security requirements for vendors of IoT devices are a welcome first step, they fail to address the core problem. For standard forms of authentication, there are well established and scrutinised protocols such as SAML, OAuth and OIDC. IoT lacks any such standards, and the proposed regulations do nothing to ensure that the mechanisms underpinning IoT commu

