Cyber Security Practitioner
Back to Contents

Volume: 4 Issue: 3
(March 2018)

dcms proposes draft code practice iot developers uks department digital culture media sport (‘dcms published report 7 march


Share This Page

DCMS proposes draft Code of Practice for IoT developers

The UK’s Department for Digital, Culture, Media & Sport (‘DCMS’) published a report on 7 March 2018 entitled ‘Secure by Design: Improving the cyber security of consumer Internet of Things Report,’ which proposes a new voluntary draft Code of Practice for the manufacturers of consumer Internet of Things (‘IoT’) products and associated devices for implementation into development processes in order to improve the cyber security of the IoT. The Report heralds the opportunities presented by the IoT for citizens and the UK’s digital economy, however it states that many connected devices lack even basic cyber security provisions and that this, paired with the proliferation of the IoT, has led to risks to consumer security, privacy and safety, and threats to the wider economy through large scale cyber attacks to large volumes of insecure IoT devices.

“My initial reaction to the Report is positive, the aims and suggested measures are laudable, well thought out and explained in plain succinct language - but on deeper reflection my reaction is that this voluntary Code of Practice would not assist where there was negligence or hostility on the part of the manufacturer, developer, retailer or service provider,” comments Dan Hyde, Partner at Penningtons. “The key takeaways are the intention to instil best practices and reduce the burden on the consumer by shifting the security responsibility to the manufacturer, service provider, app developer and retailer. The intention is that cyber security should be embedded in the product from the point of design so that consumers are better protected. This, it is hoped, will be achieved through the 13 recommended measures of the Code of Practice.”

The 13 measures put forward in the draft Code of Practice include: that all IoT passwords must be unique and not resettable to factory settings; that all companies must provide a public point of contact for vulnerability disclosure; that all IoT software updates, stored credentials, security-sensitive communications and personal data must be secured; that software verification systems should be verified using secure boot mechanisms; that customers should be able to easily delete personal data and easily install and maintain their devices; and that input data via user interfaces and apps must be validated.

“The Report makes great play of the UK consumer being the best protected in the world, but unfortunately the IoT and the products we seek to design cyber security in to are global,” adds Hyde. “Consumers are purchasing products that are manufactured, developed or supported by actors in a plethora of countries. In order to control that process, we must accept two things: that a voluntary Code will be ignored or abused by some; and that a compulsory Code will be difficult to enforce in certain reluctant nations where regulation is lax and there is resistance to what is regarded as an alien jurisdiction/governance. There also needs to be a scheme of compulsory labelling, one that sets out the information that must be included on the product label. This way consumers would be better able to judge the design security of a product and it would potentially expose those products that do not meet best practice standards.”

The Report states that it is the Government’s preference for the manufacturers of IoT products to solve the cyber security problems identified, but “if this does not happen, and quickly, then we will look to make these guidelines compulsory through law.”

Search Publication Archives

Our publication archives contain all of our articles.
Can’t find what you are looking for?
Try an Advanced Search

Log in to cyber security practitioner
Subscribe to cyber security practitioner
Register for a Free Trial to cyber security practitioner
cyber security practitioner Pricing

Social Media

Follow cyber security practitioner on TwitterView cyber security practitioner LinkedIn Profilecyber security practitioner RSS Feed