United Kingdom | Proposals for regulating the cyber security of consumer smart products

Title of document
N/A

Description
Notice is hereby given to inform WTO Members that the UK are currently carrying out an early-stage call for views on a proposed policy. An addendum to this notification will be issued alongside a draft text, expected in early 2021. DCMS published a Call for Views (alongside two research reports and an online feedback form) on 16 July 2020 which represents the UK’s proposals for regulating the cyber security of consumer smart products.  This includes the  scope of regulation and the products included, the proposed definitions, the technical security requirements, how the requirements translate into obligations on producers and distributors of these products and the proposed enforcement approach. DCMS wish to notify WTO Members of the Call for Views document and invite feedback before 6 September 2020, either: -          As part of the Call for Views process via our online feedback form -          In response to the WTO notification process via TBTEnquiriesUK@trade.gov.uk (Supportive comments or NIL returns are also welcome). Background: DCMS are proposing new legislation that will  mandate important cyber security requirements to protect citizens and the wider economy from the range of harms that could arise from vulnerable internet-connected products. The legislation would be UK wide.  The security requirements are consistent with the principles first published in the 2018 C ode of Practice for Consumer IoT Security and is based on aspects of key provisions within the globally-applicable standard European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1, which has undergone two years of feedback and reviews from industry, academics and national standards organisations.

Notifying member: United Kingdom

Notification: G/TBT/N/GBR/36

Objective tag
Prevention of deceptive practices and consumer protection

Objective
Internet of Things (IoT) devices are becoming commonplace in millions of homes around the world and while forecasts vary, research suggests that there could be as many as 75 billion connected smart devices in homes around the world by the end of 2025. Many of the  devices on the market still have basic flaws, such as universal default passwords, which leave the devices vulnerable to DDoS (Distributed Denial of Service) attacks. Similarly, a 2019 report by the IoTSF showed that 87% of manufacturers surveyed did not maintain a coordinated vulnerability disclosure policy, representing an inability to properly respond to vulnerabilities that can have real world consequences. Forecasts of the number of IoT devices being attacked are set to increase, with Kaspersky identifying 105 million attacks on IoT endpoints in 2019, increasing significantly from the 12 million detected in the first half of 2018, highlighting that urgent intervention is needed to protect the security and privacy of UK consumers. What the UK government is proposing represents widely recognised good practice, and regulation was strongly supported in a 2019 consultation on regulatory options. An updated landscape map was designed to ease international implementation, and also to illustrate the level of consensus on these core principles from international standards bodies and other governments. The UK government has worked in partnership with other countries and international organisations. Since 2018, DCMS have worked in partnership with ETSI (European Telecommunications Standards Institute), to develop Technical Specification 103 645 in February 2019, and European Standard (EN) 303 645 v2.1.1  in June 2020. These outputs are the product of intense feedback from representatives from up to 65 countries. In addition, the UK government has worked in partnership with other governments to raise the profile of this issue and seek to deliver alignment and avoid fragmentation. In 2019, representatives from the UK, USA, New Zealand, Canada and Australia published a‘five country ministerial statement’ outlining their shared commitment to improving the security of IoT products in their respective domestic markets. Through the IoT Security Platform the UK government works foreign governments and industry members including Arcep (France), ISED (Canada), MCTPEN (Senegal), AGESIC (Uruguay), METI (Japan), New Zealand, NIST (USA).

Documents

• en_303645v020101p.pdf
• Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf
• Evidencing_the_cost_of_the_UK_government_s_proposed_regulatory_interventions_for_consumer_internet_of_things__IoT__products.pdf
• www.io

Agency responsible
Department for Digital, Culture, Media and Sport (DCMS)

Timing:

• Submission: 20/08/2020
• Reception: 20/08/2020
• Distribution: 25/08/2020
• Final date for comments: 17/09/2020
• Proposed date of adoption: N/A