UK Government Set to Introduce New Cybersecurity Laws
21-05-2021 | By Sam Brown
Recently, the UK government announced its intention to introduce a range of new cybersecurity laws targeting smart devices' makers. So why have IoT and smart devices left millions vulnerable, what will the new legislation requirements, and could the law be expanded in the future?
How has the engineering community failed the consumer world?
When the concept of IoT became well known it resulted in a surge of energy throughout the engineering world. The availability of low-cost RF SoCs that allowed even the simplest projects to connect to the internet resulted in a surge of IoT devices that allowed for gathering data such as temperature and pressure, which would then be transmittable over the internet for remote processing and control.
Such products took the consumer world by storm, and it would not be long before most homes had some form of smart device whether it was a home assistant, heating control system, or even an intelligent toaster. Unfortunately, however, the development of such products was done without considering the implication of a world full of insecure IoT devices.
A designer creating an intelligent thermometer may consider their device to be inherently safe as all it does is gather temperature readings then send this information to a remote server. As such, the designer may not bother to password protect the device, utilise a trusted platform mechanism to prevent the execution of malware, and or even encrypt its messages.
By itself, it has no real processing power, and its inability to record conversations or take private images means that it would be of no interest to a hacker, right? Well, one IoT device on its own may be of no importance, but when a million of these devices are hacked and controlled simultaneously they can be used to perform devastating DDoS attacks.
However, it is not just simple IoT devices that face serious security flaws; many mainstream products include abhorrent security practices including simple default passwords, no software updating mechanism, use of unencrypted messaging protocols, and lack of security hardware. Overall, engineers rushed into the IoT industry without prioritising security, and the result has been hundreds of millions of devices potentially leaving users vulnerable to cyberattacks.
UK Government Plans to Introduce Legislation
Recognising the need for increased cybersecurity and the lack of response from the engineering community, the UK government has finally decided to announce that it will be perusing new legislation that will improve cybersecurity laws. According to the UK Government, the COVID-19 pandemic has seen 49% of UK residence introduce a new smart device into their home whether it be a new phone, assistant, or controller.
However, while consumers purchase new smart devices at an alarming rate, the vast majority of products do not indicate how long they will be supported (i.e. receive updates), most include basic default passwords that are easily cracked, and most manufacturers do not have an official channel for receiving security warnings. The new legislation being proposed by the government looks to solve these insecurities by making such practices illegal.
So far, the government announced that the new legislation will require manufacturers to state exactly how long their products will be supported, will be required to use unique default passwords, and for manufacturers to set up a dedicated communication channel that allows members of the public to report potential security threats to their products.
Could the new legislation be a stepping stone to regulated products?
There is no doubt that the introduction of such legislation will lead to a series of additional laws that will restrict what devices are allowed to be sold to the public. While such restrictions can harm technological development, the nature of the laws is to make it harder to hack devices, and this can only be an overweeningly positive force.
The need to implement strong security features may give engineers a headache initially (as they try to use existing platforms to create a secure system). However, manufacturers of SoCs and hardware platforms may see this as an opportunity, and offer more secure products to engineers which automatically handle complex tasks such as key generation and encryption. Therefore, devices would become more secure at the hardware level while simplifying the software level.
The lack of security in many commercial products demonstrates a systemic lack of care for digital information. Of course, many companies focus on creating strong secure products. Still, these products are generally more expensive as a result, and the large number of far east devices flooding the market either omit security out of laziness or intentionally needs to be addressed.
Read More