The 2022 IoT clampdown: how impending UK regulations are influencing the market
Governments are becoming increasingly aware of the importance of IoT security, not only because of the potential impact on the individual, but because IoT security is fast becoming an integral part of global infrastructure. Hacking an individual's device is one thing, but the potential for attackers to exploit entire ecosystems, such as those associated with smart cities, poses an entirely new kind of threat.
To this end, the proposed Product Security and Telecoms Infrastructure Bill received its second reading in the House of Commons at the end of January 2022, taking a big step towards becoming enshrined in law. The bill mandates improved cyber protections for smartphones and other smart or connected internet of things (IoT) devices, and its origins date back to 2018. The 2018 proposal was founded on the aim of introducing tough new cyber security and compliance measures to better protect the consumer market, but this new bill takes it to a whole new level. If it passes, the new bill will place strict new requirements on vendors and manufacturers of connected consumer technology: prohibiting problematic default passwords programmed onto devices, establishing a stringent vulnerability-reporting system, and obliging manufacturers to be fully transparent about how long their products will receive security updates. Crucially, failure to comply could result in fines of up to a staggering £10m, or 4% of annual turnover, and up to £20,000 every day in the case of continuing breaches.
As a result of impending tough legislation here in the UK, global tech giants are beginning to take note. As of November 2021, Xiaomi's AIoT platform had linked more than 400 million devices (excluding smartphones and laptops), and there are in excess of 8 million users with 5 or more Xiaomi IoT devices around the world. At the start of this year, the British Standards Institution (BSI) confirmed that the Xiaomi Mesh System AX3000 (an alternative to booster systems, with multiple Wi-Fi access points you can situate around your home) had acquired the BSI IoT Kitemark Certificate. The British Standards Institution is the national standards body of the United Kingdom; the BSI IoT Kitemark Certificate launched in 2018, closely aligned with the early UK government proposals outlined above. The Kitemark "provides a quick and easy way for consumers to identify IoT devices they can trust". BSI also provides "ongoing rigorous and independent assessments to make sure the device both functions and communicates as it should, and that it has the appropriate security controls in place". It means manufacturers of IoT devices can display the Kitemark on their products and in their marketing collateral to reassure consumers.
So how does this all connect?
Xiaomi obtaining the BSI Kitemark led to the company publishing guidelines, namely the "Cyber Security Baseline for Consumer Internet of Things Device Version 2.0". According to the press release, the guideline "aims to protect security and user privacy with a comprehensive set of requirements covering guidelines from device hardware, device software to device communication. It also states the requirements on data security and privacy, which include communication security, authentication and access control, secure boot, data deletion, etc. It is a security baseline that all Xiaomi smart devices should follow." Crucially, the published guidelines come at a time when no such general standard exists. They meet the consumer IoT industry's demand for guidelines of this type, which can be publicly consulted and implemented. It means businesses can use this guide to avoid some basic security and privacy threats, quickly improve the security and privacy protection capabilities of their IoT product lines, and thus avoid substantial sanctions such as those outlined in the proposed Product Security and Telecoms Infrastructure Bill.
So what does all this mean?
What this clearly demonstrates is not a synergy between UK and Chinese business and/or governments, which have had their own set of challenges, especially regarding cyber security. It instead demonstrates an ever-growing reliance on synergy between impending government legislation, approval from professional bodies and institutions such as the BSI, and companies wanting to be at the forefront of this trend by producing official guidelines to be used as a benchmark for other IoT manufacturers to follow. Trust between manufacturers, governments, and the consumer is becoming crucial to success in IoT, and it means all companies globally should be working from the same set of regulations. Gone may be the days when companies could overlook minor security vulnerabilities or cut even the smallest corner in the name of profit, paving the way to a much more structured and organised IoT security landscape, one which so far has not fully taken shape. It points to a brighter future for IoT security, with companies and governments working together to provide better outcomes for consumers. A win-win, hopefully, for all involved. If it passes, of course. Watch this space.