Myth-busting with DCMS: "Cybersecurity standards are not as fragmented as you think"

#beyondthenow IoT Security Podcast


Peter Stephens, Head of Secure by Design Cybersecurity at DCMS, joins us on the #beyondthenow IoT security podcast to discuss consumer attitudes towards IoT security. He also provides the governmental perspective on cybersecurity standards and shares how DCMS is working to make the UK and its devices more secure.

"There is this narrative that consumers just don't care about security. Consumers really do care about security, but the problem we find is that consumers assume it's safe, because it's for sale."
Peter Stephens


Key talking points in this episode:

  • Introducing Peter Stephens and the Department for Culture, Media and Sport (DCMS). [00:45]: “So DCMS is the Department for Digital, Culture, Media, and Sport. I work in the digital arm, particularly aiming at the cybersecurity aspects of that. I work within the national cybersecurity strategy, which has got an objective. The majority of products and services coming into the UK and then used by consumers aren't secure by default. The Prime Minister, in the UN General Assembly speech, talked about the importance of making sure that emerging technologies are built with the right safeguards in place to protect our people. My team is based in London. We also work in close partnership with the National Cyber Security Centre, or the NCSC. For the last three years, we've really thought about how we can prioritize an area of technology. Consumer-connected devices really called out to us as that perfect storm of a category that is in wide distribution, but in many cases, security is still an afterthought. We've been working quite quickly to try and think about how we can either codify and make it easy to implement good practice, as we did in the code of practice, which we published in 2018, but also thinking about how we can make sure that we are having the right balance of sharing good practice, but also thinking about legislation in the future.”
  • What is the current perception from consumers of IoT, and what actually is an “IoT device”? [02:18]: “The trends have been that consumers are adopting these IoT products. I think that they offer a range of really amazing benefits to consumers in their homes. And they think about these devices being used for health trackers or enabling people to reduce their carbon footprint. I think people are embracing these devices. Something that we've always been interested in is I think people don't necessarily know what an IoT device is. So whenever I say the average home has about nine or 10 connected devices, people say ‘no, that doesn't sound like me. I haven't got a smart kettle or a smart fridge.’ But then if you actually start to think about it, if you have a television that has Netflix, that's a smart TV. Do you have a personal assistant, Alexa or Echo? That's a smart speaker; that's a smart device as well.”
  • Debunking the myth that consumers don’t care about security. [03:13]: “Something that I find interesting is perceptions of security in these IoT devices. And I think that there's this narrative that consumers just don't care about security. They just want something that can do what they want it to for the price they pay for it. We actually did quite a few studies into this. And one of the pieces of insight that we got from that was that consumers actually really do care about security. It's actually one of the most important characteristics they look for, but the problem we find ourselves with is that consumers sort of already assume that it's safe because it's for sale. And I think that's a testament to trading standards and other existing legislation. The scary thing that we're finding ourselves in is that these devices, given where they are in the home and what they do, can be used for some really malicious purposes.”
  • Discussing the relationship between technology, security, and insurance. [04:41]: “One of the other areas that I'd kind of love to explore and talk about in the podcast was around the relationship between technology and insurance as well. And the fact that if you insure something you have to perceive the risk. And I guess the role of the government, regulation, industry, and also consumer awareness all fits into that. It's sort of: you buy a device because of its capabilities, but actually, the cost of failure is perhaps something that is not yet widely understood by the consumer.”
  • Consumers should only need to see the top of the “supply chain iceberg”. [05:11]: “There are just so many organizations who at varying levels of depth should be made aware of just how much under the bonnet they need to look at. If you have this iceberg, I think consumers really should be only facing the tip of it. They should only be looking at how this organization, this manufacturer's device, takes care of my safety, security, and privacy. But then, as you say, insurers or procurers who make much bigger orders of these devices, if they are buying sensors that are used at scale, need to be given the right level of information about that. And I think the challenge that we've always faced here is security is never going to be a hundred percent fixed. And so we'll never get to a point where there's a really clear right answer and it's in the back of the book and everyone needs to do that.”
  • Regulation is not as fragmented as you might think: there is consensus in the market already. [05:55]: “But what we've tried to do is to propose our own sort of vision of what we think that good practice looks like, but also try and show how much consensus there already is. Especially if you're entering into a new market, whether that's insurers overwhelmed by different standards bodies, different guidelines. How can we show just how much consensus there is? Something that we shared was the IoT security landscape map. And that's something that we need to keep updated, because there isn't going to be one simple answer that solves all of this. But I think that the more we can do to try and overcome that friction is always really helpful.”
  • Why is IoT security regulation needed? [06:55]: “When we published the code, the initial hope was the industry would upscale all adopted practices. Let's not forget that there are lots of really good manufacturers, lots of good retailers who do take this really seriously, who are very aware of the risks these devices can pose. And so they do want to make sure they do the right thing, but it is such a diverse spectrum. You've got so many different manufacturers all engaging in the sector, and the spectrum of how much they know about it and how much they care varies. We didn't come in thinking we would definitely regulate. We hoped that we would see the adoption of good practice, as we said, but we haven't seen that happening as quickly as we'd like. And this sector is continuing to grow, and as that grows faster than the adoption of good practice, the attack surface grows.”
  • Introducing the three components in the code of practice. [08:05]: “When you think about the risk of DDoS and botnets as well as just the individual harms that can be caused by these sorts of cyber-attacks, we do feel the need to do something. We've always been keen to make sure that the legislation that we put through would be proportionate and pragmatic. We've had a number of consultations. We had a consultation in 2018 about our code, and then we had a consultation in 2019 about legislation. And that came down to prioritizing the top three aspects of our code of practice, which really did boil down to: make sure that you don't need a default password; make sure that you have transparency at the point of sale about how long security updates are available for that device; and also make sure you set up and maintain a coordinated vulnerability disclosure program.”
  • Manufacturer transparency: it’s key for success. [08:55]: “I think vulnerability disclosure programs, my hope is, will maintain a similar approach to security updates. I think I know that most consumers know that those are important for the long-term success and safety of the device. So transparency there around how long these devices will be looked after, in the same way that people are transparent about how long manufacturers' warranties last for, is the kind of thing that we need to start to push in the right direction.”
  • How smooth is the flow of conversation on IoT security between territories? [09:59]: “Standards bodies play a really big part in that. And that's why, in parallel to our development and legislation work, we've always been engaging with ETSI. For the last two and a half, three years, we've been working with them to develop ETSI, initially 103 645, and also 303 645, which came out in June this year. That enables us to sort of put out initially the code and also makes sure we can build on feedback from that. How can we benefit from ETSI memberships and all of the manufacturers that are included, who've been able to feed into that? How can we make sure that the academics can feed into this, and how can we be open to the risk of the wrong incentives being put in place? And I think that's important. Getting back to the point about the landscape and the map: whilst we have been seeing things like SB 327 in California, which is now sort of being adopted, I think, in a number of other states in the US, there is a lot of consensus and agreement in what good practice looks like. I think there won’t be legislation out there that will say default passwords are good and we should use them. We've been trying to make it pro-tech. And also, we're going to be pro-innovation as well.”
  • The consumer does understand the importance and the notion of a security lifecycle. [12:00]: “I would like to see consumers go in and see a product on sale and see that it has a minimum support period of two years and say, ‘okay, that roughly aligns with how long I expect to have this product for’. What I don't want is that government, higher up in the chain, says to the manufacturer you have to put it out for two years, and then the consumer has no information at the point where they make that decision. I think, as you say, consumers see these updates as a slight annoyance, as opposed to actually being kind of critical for making sure that their devices keep being protected.”
  • What is the balance between the electronics industry and the regulation? [13:25]: “If there's more that we can be saying about where liability should be, where can we make sure that we are embedding good practice in the right places for our use case? Government should only intervene where there is market failure, when we start to see that things are not being done in the right way; that does happen sometimes in emerging technologies. This is an area where we do think that there is an intensive market failure, because right now people are being put really at risk without knowing it. The biggest challenge that we’ll face is that we'll always have to be raising the bar moving forward. And we'll always have to be making sure that we allow space for industry players, like yourselves, to make sure that you are showing good practice, that you can be aware of the direction that we're going in so that you can keep ahead of the curve. And then I think that we have a responsibility to capture those worst offenders.”
  • Where does liability lie in the supply chain? [16:26]: “When we first thought about this we were thinking about retailers and manufacturers. Then we started thinking this is a lot more complicated than that. So, there's already existing regulation which talks about this kind of thing. I think global product safety is an example of that, which might differentiate between producers and distributors, which we've always been thinking about. And we published our proposal in July this year, which calls out where we think the liability should lie between those two bodies, producers and distributors, also being aware of the fact that for lots of these devices at least some aspect of that supply chain is beyond the UK. So, I think we have to be aware of how we can make sure that we can develop enforceable legislation. How easy is it to call out someone for just doing something that clearly isn't right? It's very easy to tell that someone doesn't have a coordinated vulnerability disclosure program, because there’s no way to report the vulnerability. I think that retailers and distributors have a responsibility for that space.”
  • The shift in consumer buying habits, protecting the high street and making it fair. [18:15]: “Buyers, who are very often responsible for stocking the retailers, have to be aware of what kind of questions they should be asking. Another big question is lots of these devices, we think about 75% of them, are bought online. So that's a big shift. Global product safety regulation is 15 years old. So there's been a shift in the last 15 years about where we see these devices being bought and sold. How can we make sure that we're capturing those devices as well? I think that what we don't want to do is put ourselves in the position where the high street is at a difficulty relative to online retailers, because I think that consumers need to be given the right information and also need to be able to trust both sides. Especially now that COVID has shown that these devices are just a crucial part of how we're living.”
  • How the DCMS open-door policy works. [21:14]: “I think, you know, we've had a very open-door approach, whether in terms of consultation with industry, since even before the code was produced, when we had to work in groups and engage at that stage. Every major landmark that we have done has come with consultation and a corporate view and sort of asking for evidence and for sharing information. I think that we are always welcoming of advice from a perspective that we can't gather. And I think sometimes that's difficult because quite often data can be sensitive. It's been immensely helpful for us to flesh out and think about these ideas. Because I think that, as we all know, this is a fast-moving area and we are all making sure that we are feeding into it, having feedback from that, and learning from what organizations are included in that, as well as with the CyberTech Accord. And I think the work you did with ETSI is a great example of that. Just to be clear on how the process works: we have a cool view. Quite often some things have templates that people can fill in and share with us. And we have email addresses. People can feed into us on our approach. And it's through that we can learn. Another area where we've been trying to gather more is through evidence collection and sharing. There's a great community of security researchers who really want to see this work, who can see the benefits associated with this adoption of technologies and have just an unbelievable level of knowledge and resources that have been immensely helpful for us.”
  • Artificial intelligence and the effects on security. [22:30]: “We are keen to make sure that, whilst it's a different issue, we are trying to think about how we can apply a similar sort of approach. I think that government, from my perspective, has a responsibility to make sure that we're always trying to take pragmatic steps. And I think it's quite uncomfortable sometimes because normally there is a case of an answer: you can right the wrong through legislation and make sure that issue doesn't come back. We have to be comfortable with the idea that we'll never make everything completely safe. We'll never make everything completely perfect. That's a tension point, which is always quite difficult. You have to make sure that you make that first step to be able to protect and move in the right direction.”
  • One piece of advice from Peter. [26:25]: “What I would love is a world in the future where people go into shops and are looking to buy connected devices, and they're asking just one question: how long is it going to be supported for? I would love there to be a sense of importance to those updates; the updates don't just mean that annoying email you get in the morning saying, please update your device. I would love to see people really kind of appreciate the benefits that come with this, because so much thought goes into them. The more transparent you can be with your consumer, I think, then that is just really setting us up for a better relationship between consumers, manufacturers, retailers, and regulators.”


Copyright © 2021 Arm Limited (or its affiliates). All rights reserved.