British ‘Code of Practice for Consumer IoT Security’ draws on Atlantic Council report
Consumer Internet of Things (IoT) products are notoriously insecure. In October 2016, the Mirai botnet amassed a massive army of compromised IoT devices, which was then used in a distributed denial of service (DDoS) attack that overwhelmed some of the largest Internet providers in the world and took down the Internet across the US East Coast. Mirai’s authors began building their tool as teenagers, amassing an IoT zombie horde using techniques that have been known, and easily preventable, for decades. Unfortunately, the norm for IoT devices is lax security—simple, hardcoded (unchangeable) passwords, and operating systems that can’t be patched or updated with security protections.
In response, on October 14, 2018, the United Kingdom’s Department for Digital, Culture, Media and Sport (DCMS) published its “Code of Practice for Consumer IoT Security.” Developed over two years in conjunction with the National Cyber Security Centre (NCSC), the Code seeks to “support all parties involved in the development, manufacturing, and retail of consumer IoT” and to create an environment where products are “secure by design.”
To this end, the Code sets out thirteen practical, outcome-focused steps that organizations can follow to implement appropriate security solutions for their products. Importantly, in developing the guidelines the DCMS leveraged existing standards and guidance from the private sector, government, and academia, including the Atlantic Council’s 2016 issue brief, “Smart Homes and the Internet of Things.”
Mapping the Atlantic Council’s issue brief to the Code of Practice
The Code highlights its first three guidelines—unique passwords, implementing a vulnerability disclosure policy, and keeping software updated—as priorities. Similarly, the Smart Homes issue brief singled out the same three principles because they offer the largest security benefit in the short term.
The Atlantic Council has long advocated that organizations implement a vulnerability disclosure policy, and recently collaborated with HackerOne on a comic about coordinated vulnerability disclosure (CVD). The issue brief further maps to the Code guidelines “keep software updated,” “ensure that personal data is protected,” “make installation and maintenance of IoT devices easy,” “minimize exposed attack surfaces,” and “make systems resilient to outages.”
Finally, at the broader policy level, a core philosophy from the Smart Homes issue brief that is apparent in the Code is that future IoT products should be “secure by design.” The issue brief argued that security that isn’t “baked in” must be “bolted on” after the fact, and that bolted-on security is more expensive and less effective than security built in from the beginning of a product’s lifecycle. A secure-by-design philosophy thus gives greater control to the consumer, increases trust between consumers and producers, and facilitates the continued development of the industry. The Code echoes these sentiments and explains in its executive summary that its aim is to “ensure products are secure by design and to make it easier for people to stay secure in a digital world.”
What’s next – implementation by the UK government
DCMS’ broader “Secure by Design” ambitions show intent to implement the Code through both voluntary and regulatory means. Importantly, industry partners HP and Centrica have already formally signed on to the Code, and many devices already implement some or all of its elements. Under a voluntary labelling scheme, producers would supply consumers with the security information they currently lack. Continuing the trend of consumer education, the UK government plans to support consumer organizations by using the Code as the bedrock for product ratings, buying guides, and security guidance against which to test IoT products at each stage of their lifecycle.
Moreover, like the United States, the United Kingdom has identified a significant shortage of trained cyber security professionals. Compounded by the rapid development of IoT technology, this leaves a lack of capability to protect IoT products and services from increasingly complex cyber security threats. Through its CyberFirst summer courses, the British government intends to educate the next generation of technology professionals in IoT security.
While non-binding schemes are useful, the British government also plans to place certain guidelines on a regulatory footing. Guideline 8, “ensure that personal data is protected,” is already legally enforceable through the Data Protection Bill. The Code can also be used as a basis for regulatory action against specific products, as when Germany banned children’s smartwatches that it viewed as unsecured spying devices.
Finally, the British government intends to engage with international partners in industry, standards bodies, and governments. In the United States, we may see harmonization through laws such as the similar proposed Internet of Things (IoT) Cybersecurity Improvement Act of 2017, which applies to government-procured IoT devices.
- The Code of Practice is a well-researched list of security capabilities to be built in.
- Many of the Code elements are already legally binding through GDPR, industry partners have signed on, and many of the elements are already standard practice in reasonably secure devices.
- The British government has a plan to implement the Code and seems dedicated to following through: with voluntary global support, with awareness and education, and through government action if and where necessary.
Beau Woods is the Cyber Safety Innovation Fellow at the Atlantic Council’s Scowcroft Center for Strategy and Security, a leader with the I Am The Cavalry grassroots initiative, and founder/CEO of Stratigos Security. You can follow him on Twitter @beauwoods.
Jack Watson is an intern with the Atlantic Council’s Cyber Statecraft Initiative.