The National Cyber Security Centre (NCSC), a part of the United Kingdom government, wants retailers to stop selling connected devices that do not adhere to its cybersecurity guidelines. The guidelines, while not required by law, state a code of conduct necessary to secure devices like pacemakers, webcams, and smart cameras.
A task force of security experts created the code, which includes thirteen recommendations for manufacturers. The NCSC recommends that manufacturers provide consumers with a vulnerability disclosure policy and that they stop using default passwords. It also recommends that devices have the capacity to perform security updates. While the code is voluntary, legislation is imminent, although the exact date of drafting or execution remains unknown.
Many businesses remain indifferent to the code of conduct and do not implement its recommendations. While the code is “a step in the right direction…it’s unlikely that the industry will act upon it, given that it is voluntary,” says John Sheehy, vice president of strategy at IOActive. Only two companies have adhered to the code so far: Centrica Hive and HP.
Unlike most of its competitors, HP holds security at the core of its operation, designing products “with security built-in not bolted on, not only designed to protect, but also to detect and self-heal from cyber-attacks,” says George Brasher, HP’s UK managing director.
Consumers in the UK are not the only ones who are vulnerable to cybersecurity issues. Last month, California passed the first internet of things (IoT) cybersecurity law, Bill SB-327. The law aims to protect consumers from unauthorized parties who could gain access to their smart home devices. Manufacturers must provide “reasonable security features,” mostly determined by password requirements. On a federal level, multiple bills regarding cybersecurity standards have been drafted. As technology rapidly expands, the legislation necessary to protect consumers’ privacy has lagged behind. Governments around the world are facing an uphill battle in the fight for cybersecurity.