The Internet of Things (IoT) represents a new chapter in how technology is becoming more common in our homes, making people’s lives easier and more enjoyable.
Forecasts vary, but some suggest that by 2025, there will be an estimated 75 billion internet-connected devices worldwide. Closer to home, it is also estimated that ownership of smart devices could rise from 10 to 15 devices per UK household this year.
As these devices become a more integral aspect of daily life for more people, there is a risk that any exploited vulnerability within a device could result in real harm. Therefore, urgent joint Government and industry action is required to address these challenges.
The cyber security of these products is now an integral component of both the physical and online security of our homes. People want to trust their devices and how their data is being used. But we can only ensure widespread trust in the adoption of these new products if we demonstrate to the world that these technologies are built with the security and privacy of their users in mind. The most effective way to do this is to make sure the products that manufacturers produce are secure by design.
Many of the internet-connected devices currently on the market still lack even the most basic cyber security provisions. Over 90% of the 331 manufacturers supplying the UK market that were reviewed in 2018 did not possess a comprehensive vulnerability disclosure programme up to the level we would expect. Breaches involving connected devices are becoming increasingly common, simply because manufacturers have not built important security requirements, such as using unique credentials, into their products.
Whilst the UK Government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design. Citizens’ privacy and safety must not be put at risk because some manufacturers will not take responsibility for ensuring that security is built into their products before they reach UK consumers.
This is why we launched our consultation on regulation to secure consumer IoT in May 2019 to identify the best options to increase the cyber security baseline for consumer IoT. This built on the extensive work that we have done with industry to design a Code of Practice for Consumer IoT Security. The Code of Practice is a collection of best practice security principles for connected devices, which my department published last year.