In a press release from the UK government on 27 January 2020, titled “Government to strengthen security of internet-connected products”, the new law and its implications are clearly outlined. The measures taken and the plans going forward are indeed promising for the security of IoT device consumers in the UK.
One implication of this law is the introduction of a new labelling system. The idea is that, just as Bluetooth and Wi-Fi labels give consumers confidence that their products will work with these wireless communication protocols, a security label will give consumers confidence that their device is safe and secure according to a defined standard.
Following the UK release, Singapore this week released its Cybersecurity Labelling Scheme. The announcement reads:
“Despite the growth in number of IoT products in the market, many consumer IoT products have been designed to optimise functionality and cost over security. As a result, many of them have little to no security features built-in. This poses cybersecurity risks such as the compromise of consumers’ privacy and data.”
More information about the labelling scheme can be read here.
The announcement goes on to emphasize how labelling is intended to harness consumer purchasing power to drive the industry to take security more seriously:
“While consumers may want to choose a more secure product, information on the amount of security built into a device is often not made known by manufacturers. Thus, consumers are unable to make informed decisions.“
Both the UK and Singaporean approaches start off with a soft scheme, in the hope that the industry itself will join forces and agree on best practice for the labelling.
Unless the industry agrees, we can expect the governmental bodies to intervene and put in place stricter definitions of the actual labelling. In Singapore it has been decided that all products will have to go through a registration procedure and pay a small fee, whereas in the UK the labelling process remains vaguer and a work in progress.
At Mender, given our broad industry insight and experience, we expect the industry to fail in any attempt to agree on the labelling, as it still sees these efforts as pure cost. The industry hopes that consumer ignorance will allow its insecure and fragile connected devices to prevail. However, governments around the world will find current practices unacceptable, so within the next couple of years we can expect strict and well-defined rules. At Mender we believe it is not unlikely that we will see something similar to how CE labelling works.
Both the United Kingdom and Singapore have aligned their IoT security plans and programs with the draft European Standard EN 303 645, ‘Cyber Security for Consumer Internet of Things’. Once this standard is finalized, many pieces will fall into place, forcing great changes in the manufacturing of connected devices.
Given the way the EU has been able to drive and change industry behaviour around privacy through its GDPR regulation, we can be confident this powerful body will also be able to push security to the forefront of the digital era we are entering.
For a manufacturer of connected devices, there are two main ways to approach this brewing tidal wave.
Either one can assume consumers are ignorant of security and continue to focus on low cost, selling insecure products until doing so becomes forbidden, or one can assume consumers actually care and are prepared to pay a premium for extra security features.
Looking at other industries such as automotive and insurance, consumers seem to appreciate and place value on security. However, consumers need to be educated about their choices and the pitfalls of buying insecure devices.
At Mender we strongly believe that manufacturers who lead with security-by-design products will eventually win out. Now is a great time to get a jump start on the large crowd asleep at the wheel, shipping inexpensive, fragile, insecure devices.