Internet of Things (IoT) devices are becoming commonplace in millions of homes around the world and while forecasts vary, research suggests that there could be as many as 75 billion connected smart devices in homes around the world by the end of 2025.
Many of the devices on the market still have basic flaws, such as universal default passwords, which leave the devices vulnerable to DDoS (Distributed Denial of Service) attacks. Similarly, a 2019 report by the IoTSF showed that 87% of manufacturers surveyed did not maintain a coordinated vulnerability disclosure policy, representing an inability to properly respond to vulnerabilities that can have real world consequences.
Forecasts of the number of IoT devices being attacked are set to increase, with Kaspersky identifying 105 million attacks on IoT endpoints in 2019, increasing significantly from the 12 million detected in the first half of 2018, highlighting that urgent intervention is needed to protect the security and privacy of UK consumers.
What the UK government is proposing represents widely recognised good practice, and regulation was strongly supported in a 2019 consultation on regulatory options. An updated landscape map was designed to ease international implementation, and also to illustrate the level of consensus on these core principles from international standards bodies and other governments.
The UK government has worked in partnership with other countries and international organisations. Since 2018, DCMS have worked in partnership with ETSI (European Telecommunications Standards Institute), to develop Technical Specification 103 645 in February 2019, and European Standard (EN) 303 645 v2.1.1 in June 2020. These outputs are the product of intense feedback from representatives from up to 65 countries.
In addition, the UK government has worked in partnership with other governments to raise the profile of this issue and seek to deliver alignment and avoid fragmentation. In 2019, representatives from the UK, USA, New Zealand, Canada and Australia published a‘five country ministerial statement’ outlining their shared commitment to improving the security of IoT products in their respective domestic markets. Through the IoT Security Platform the UK government works foreign governments and industry members including Arcep (France), ISED (Canada), MCTPEN (Senegal), AGESIC (Uruguay), METI (Japan), New Zealand, NIST (USA).