Comment on new UK smart device cyber security laws
April 2021 by Joseph Carson, chief security scientist at Thycotic
Following the news that the UK will be implementing ground-breaking new cybersecurity laws to protect smart devices, including a requirement that manufacturers inform consumers when their device will stop receiving security updates and a ban on easy-to-guess default passwords, Joseph Carson, Chief Security Scientist at Thycotic, comments:
“The new UK law to improve security on smart devices is a welcome step in the right direction; however, it must go further to ensure that it includes security best practices that are part of the solution. Transparency is critical, so when purchasing a new smart device it MUST be clear how long the vendor continues to provide security updates, just like a manufacturer warranty period or an expiration date. This type of approach will provide consumers with a clear choice when choosing smart devices, comparing one vendor that only provides 2 years of security updates versus another that will provide 5 years.
Regarding easy-to-guess default passwords, this has been the bane of the security industry, and I believe the need to push passwords into the background should be the focus of the solution rather than the pain for consumers of remembering complex passwords for all devices. Vendors should work with best-in-breed security vendors who help provide solutions for features such as integration with strong password security solutions, rather than leaving that responsibility with the consumer. Solutions that help reduce the need for users to choose passwords, such as password managers, can help move them into the background and remove the pain of cyber fatigue that comes with remembering and changing them. Responsible public disclosure is critical and must focus on the ‘do no harm’ concept to reduce risks. Public disclosures tend to set off the race to create exploits for vulnerabilities, which can cause bigger problems for customers. However, responsible disclosure should not be based just on the vulnerability but on the actual risk, as vulnerabilities are not all equal.
We focus too much on the vendor rather than the customer. Responsible disclosure should prioritize the notification of a vulnerability to customers, with the intention of reducing the risks by either making the vulnerability public or applying a vendor patch. The difficulty of patching systems should also be taken into consideration, as even with public vulnerability disclosures, most systems remain unpatched for much longer, sometimes even years. Responsible disclosure is too broad today and needs to really put the customer first.
All of these new UK laws regarding smart devices are very welcome, but the UK government must continue to work with the security industry to ensure it is possible to implement and achieve these with genuinely usable security as the priority.”