legislation

The Long Road to a Law on Product Security in the UK

mobilephonesecurity936843331Leave a comment

As the UK’s Product Security and Telecommunications Infrastructure Bill entered Parliament today, I had some time to reflect on how far we’ve come.

I was reminded today that today was a long time coming. The person who triggered this was someone that I worked with when I was at Panasonic and he was at Nokia. Twenty years ago, we were sat in one of the smallest meeting rooms at Panasonic Mobile, next to the smoking room as it was the only one available – the Head of Security Research from Vodafone, the Head of Security of GSMA, plus the Security Group Chair of GSMA and me.

The topic was hardware (IMEI) security and more broadly mobile phone security and how to deal with embedded systems hacking at an industry level. What kind of new measures could be brought in that would genuinely help to reduce the problem of mobile phone theft and make phones more secure? As they say, from small acorns, mighty oaks grow. I’d also argue it is probably quite a bit about persistence over a very long time.

It takes a very long time to make meaningful changes and while it’s easy to point out flaws, it’s harder to build new technology that addresses those in a game-changing way with complete industry buy-in. That’s pretty much what recommendations and standards bodies do, with the aim of seeking consensus – not complete agreement, but at least broad agreement on the means to effect large scale changes. Gradually and over a long period of time.

So we did that. Both in the Trusted Computing Group (TCG) and through the work of OMTP’s TR1: Advanced Trusted Execution Environment which led to chip-level changes across the industry and ushered in a new era of hardware security in the mobile phone industry, providing the foundation of future trust. All of this work nearly complete before an iPhone was on the market, I might add and well before Android! From our published work, we expected it to be in phones from around 2012 onwards and even then it took a little while before those OS providers hardened their systems sufficiently to be classed as really good security, but I should add that they have done a really good job of security leadership themselves since then.

With saturation in the smartphone space, around 2013/2014 the industry’s focus moved increasingly to the M2M (machine-to-machine) or IoT (Internet of Things) space, which had existed for a while but on a much smaller scale. A lot of things were coming together then – stuff was getting cheaper and more capable and it became increasingly viable to create more connected objects or things. But what we also saw were increasing numbers of companies ‘digitising’ – a washing machine vendor worried that they would be put out of business if they didn’t revolutionise their product by connecting it to the internet. That’s all well and good and I’m all for innovation, but the reality was that products were being put on the market that were really poor. With no experience of creating connected products, companies bought in ready-made solutions and platforms which came with little-to-no security measures. All the ports were exposed to the internet, default passwords were rife and never got changed, oh and software updates, what are they? It was and still is in many parts of the market, a mess.

Remember that this was new products being put into a market that was already a mess – for example, most webcams that had been sold for years were easy to access remotely and lots of tools had been created to make it even easier to discover and get into these devices, allowing intrusion into people’s private lives, their homes and their children.

Work began in organisations like the GSMA on creating security requirements for IoT that would force change. At the same time, hardware companies started to transfer their knowledge from the smartphone space into the hardware they were creating for the growing IoT sector. The IoT Security Foundation was established in late 2015 and the UK’s National Cyber Security Strategy from 2016-2021 stated that “the UK is more secure as a result of technology, products and services hacking cyber security designed into them by default”, setting us down the path that led us to the legislation introduction today. All of that work was an evolution and reinforcement of the growing body of product security recommendations that had already been created over a long period of time. Another thing I’ve observed is that in any particular time period, independent groups of people are exposed to the same set of issues, with the same set of tools and technologies at their disposal to rectify those issues. They therefore can all logically come to the same conclusions on things like how best to tackle the problem of IoT security.

In 2016, the Mirai attack happened (more info in the links below) and that helped to galvanise the support of organisations and politicians in understanding that large-scale insecurity in connected devices was a big and growing problem. A problem that was (mostly) easily solvable too. Other news stories and issues around IoT just added to this corpus of information that things weren’t well. You can also read more about the Code of Practice we created in the UK in the links below, but the key takeaway is this – there are small but fundamental changes that can raise the bar of cybersecurity substantially, reducing harm in a big way. This ranges from taking a firm stance on out-of-date and dangerous business practices e.g. companies and individuals being lazy, taking the easy route about things like default passwords and the hardware and software you use in your product development, to modernising the way that companies deal with security researchers – i.e. not threatening them and actually dealing with security issues that are reported by the good guys. So creating meaningful change is also about taking a stand against baked-in poor practice which has become endemic and so deeply entrenched throughout the world and its supply chains that it seems impossible to deal with.

I’ll never forget one meeting I was in where I presented a draft of the Code of Practice, where a guy from a technology company said “what we need is user education, not this”. I felt like I was on really solid ground when I was able to say “no, that’s rubbish. We need products that are built properly. For over 20 years, people have been saying we only need user education – it is not the answer”. I was empowered mainly because I could demonstrably show that user education hadn’t worked and perhaps that’s depressingly one of the reasons why we’re finally seeing change. Only in the face of obvious failure will things start to get better. But maybe I’m being too cynical. A head-of-steam was building for years. For example I was only able to win arguments about vulnerability disclosure and successfully countering “never talk to the hackers” because of the work of lots of people in the security research community who have fought for years to normalise vulnerability reporting to companies in the face of threats from lawyers and even getting arrested in some cases. And now we’re about to make it law that companies have to allow vulnerability reporting – and that they must act on it. Wow, just let that sink in for a second.

In the hacking and security research community, are some of the brightest minds and freest thinkers. The work of this community has been the greatest in effecting change. It may not be, in the words of someone I spoke to last week ‘professional’, when what I think they mean is ‘convenient’. The big splash news stories about hacks to insecure products actually force change in quite a big and public way and sadly the truth is that change wouldn’t have happened if it wasn’t for these people making it public, because it would have been mostly swept under the carpet by the companies. It is that inconvenient truth that often makes large companies uncomfortable – fundamental change is scary, change equals cost and change makes my job harder. I’m not sure this culture will ever really change, but uniquely in the tech world we have this counter-balance when it comes to security – we have people who actively break things and are not part of an established corporate ecosystem that inherently discourages change.

Over the past 10 years, we’ve seen a massive change in attitudes towards the hacking community as cyber security becomes a real human safety concern and our reliance on the internet becomes almost existential for governments and citizens. They’re now seen as part of the solution and governments have turned to the policy-minded people in that community to help them secure their future economies and to protect their vital services. The security research community also needs the lawyers and civil servants – because they know how to write legislation, they know how to talk to politicians and they can fit everything into the jigsaw puzzle of existing regulation, making sure that everything works! So what I’ve also had reinforced in me is a huge respect for the broad range of skills that are needed to actually get stuff done and most of those are not actually the engineering or security bit.

A lot of the current drive towards supporting product security is now unfortunately driven by fear. There is a big ticking clock when it comes to insecure connected devices in the market. The alarm attached to that ticking clock is catastrophe – it could be ransomware that as an onward impact causes large-scale deaths in short order or it could be major economic damage, whether deliberate or unintended. A ‘black swan of black swan events’ as my friend calls it. Whatever it is, it isn’t pretty. The initial warnings have been there for a while now from various cyber attacks and across a range of fronts, positive work has been taking place to secure supply chains, encourage ‘secure by design / default’ in the product development lifecycle and to increase resilience in networks – which is the right thing to do – the security should be commensurate with usage and in reality the whole world really, really relies on the internet for literally everything in their lives.

This is another factor in the success of current cyber security work around the world. I work with people from all corners of the earth, particularly in the GSMA’s Fraud and Security Group. Everyone has the same set of issues – there are fraudsters in every country, everyone is worried about their family’s privacy, everyone wants to be safe. This makes this topic less political in the IoT space than people would imagine and every country’s government wants their citizens to be safe. This is something that everyone can agree on and it makes standards setting and policy making a whole lot easier. With leadership from a number of countries (not just the UK, but I have to say I’m incredibly proud to be British when it comes to the great work on cyber security), we’re seeing massive defragmentation in standards such that we are seeing a broad global consensus on what good looks like and what we expect secure products and services to look like. If you step back and think about it – thousands and thousands of individuals working to make the world a safer place, for everyone. So the acorn twenty years ago was actually lots of acorns and the oak tree is actually a forest.

So to everyone working on IoT security around the world I raise a glass – Cheers! and keep up the fantastic work.

My RSA talk on the UK’s Code of Practice for Consumer IoT Security in 2019.

Further reading:

Stepping up action on IoT insecurity – new laws and regulation

David RogersLeave a comment
Minister for Digital and the Creative Industries, Margot James launches the consultation

Time moves quickly in the IoT world. It seems like only five minutes since we launched the Code of Practice on Consumer IoT Security.

The staff in the Secure by Design team at DCMS have been working incredibly hard to move forward on the commitments to explore how to identify to consumers what good looks like when it comes to purchasing a connected product. Alongside this, there have been many discussions on the various different possibilities for regulation.

The Minister for Digital, Margot James has launched a consultation on new laws around the first three items in the Code of Practice – elimination of default passwords, responding to reported vulnerabilities and ensuring that software updates are provided, to a transparent end date for consumers.

The consultation is open until the 5th of June 2019 – views can be emailed to: securebydesign@culture.gov.uk or via post to Department for Digital, Culture, Media and Sport, 4th Floor, 100 Parliament Street, London, SW1A 2BQ.

The consultation states:

“We recognise that security is an important consideration for consumers. A recent survey of 6,482 consumers has shown that when purchasing a new consumer IoT product, ‘security’ is the third most important information category (higher than privacy or design) and among those who didn’t rank ‘security’ as a top-four consideration, 72% said that they expected security to already be built into devices that were already on the market.”

Importantly and one component of what we need to work to solve is this issue:

“It’s clear that there is currently a lack of transparency between what consumers think they are buying and what they are actually buying.”

Identifying products that have been designed with security in mind

As the cartoon below demonstrates – explaining security to consumers is difficult and could confuse and scare people, so a balance needs to be found. What the government is proposing in its consultation is to provide a label that explains some measurable elements about the security design approach of that product.

So how do you go about identifying how secure something is?

The answer is – with great difficulty. Even more so in the modern world, because the security properties of a device and service are not static.

To explain this a bit further – all technology will contain vulnerabilities that are not known about yet. These could be issues that are known types of security vulnerability, but that are buried and haven’t been caught during the design and testing process. When you have thousands, maybe even millions of lines of code, written by multiple people and from different companies, this isn’t unexpected. For every piece of software there will be a certain number of bugs, some of these will be security vulnerabilities and a smaller sub-set of these will be “exploitable” vulnerabilities – i.e. those that an attacker can use to do something useful (from their perspective!) to the system.

So this shows why software updates are critically important – in fact even some of those bugs that are not exploitable could in the future become exploitable, so deploying software updates in a preventative manner is a hygienic practice. It is a form of inoculation, because we all benefit from systems being patched, it reduces the number of systems that will be impacted in the future and therefore reduces the potency of attacks which have a major global impact. This of course is paramount in the internet of things, because everything is connected and the onward impact on peoples’ lives could become safety-impacting in some way. We have moved past the time where systems being disabled or unavailable were an inconvenience.

So what does a label give us? Well at this stage – what we can do is help a consumer make an informed purchasing decision. Answering questions like “how long does this device get security updates for?” is really useful. It also means that those companies that have no interest in providing updates (even though they’re critical to provide) can no longer hide behind anything. It’s there for the buyer to see – if you don’t provide the updates, the consumer is free to choose not to buy your product. Not really good business to ship rubbish anymore is it?

Regulation of the Code of Practice security measures

The intention by the government is to pass the Code of Practice measures into law over time. On the regulatory side of the top three from the Code of Practice, the government has boiled down the consultation to three potential options:


● Option A: Mandate retailers to only sell consumer IoT products that have the IoT security label, with manufacturers to self declare and implement a security label on their consumer IoT products.
● Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines, with the burden on manufacturers to self declare that their consumer IoT products adhere to the top three guidelines of the Code of Practice for IoT Security and the ETSI TS 103 645.
● Option C: Mandate that retailers only sell consumer IoT products with a label that evidences compliance with all 13 guidelines of the Code of Practice, with manufacturers expected to self declare and to ensure that the label is on the appropriate packaging.

From a personal perspective, I find it fantastic that we’ve reached the point where we can get rid of a lot of the products that are blighting the market with blatant insecurity. Good riddance I say and let’s celebrate the companies that are really paying attention to consumer security.

The security label will be run on a voluntary basis by retailers until regulation comes into force and legislative options are taken forward. The consultation also includes example designs that could be used. Interestingly when DCMS carried out a survey into what types of icons would be best, a padlock option was selected by less than 1% of participants. To me, what this reflects about the state of browser and web security and how we communicate security to users is somewhat depressing, but it serves as a reminder that trust is hard to earn, but easily lost.

This work is just another step down the road for globally improving IoT security. Again, it’s not the be all and end all, but it is a positive step and yet another example that the UK is leading the world by taking action, not just talking about IoT security.