Why policing digital security is a bridge too far for UK legislators to achieve alone

I sympathise with UK digital infrastructure minister Matt Warman, who’s been lumped with the thankless task of ensuring legislation keeps pace with the security challenges facing tech. In such a fast-evolving environment, this must feel very much like painting the Forth Bridge.

Consequently, it’s not surprising that some key elements of the government’s new ‘secure by design’ smart device legislation are in danger of being out of date or irrelevant by the time they become law.

There are some aspects of the proposals that may have a positive, albeit probably limited, impact. It’s possible that forcing tech manufacturers to be upfront about the security software that is built into their devices will increase awareness among consumers of the vulnerabilities their phone, tablet or smart device is susceptible to later on in its life.

It’s also feasible that this will facilitate conversations about security at point of sale that boost general understanding of the cyber risks associated with the digital world.

But should we expect people to start reconsidering purchases because they find out their new device will only have security updates for the first two of the four years, on average, they will use it? In short, we shouldn’t.

Smart devices, particularly phones, rarely get bought outright – handsets come free as part of a new contract or upgrade agreement so, a lot of the time, consumers aren’t put in that traditional ‘to buy, or not to buy’ situation.

Making bug and fault reporting mechanisms mandatory is also a common-sense part of the legislation that should be relatively easy to implement. Most Apple or Android phone users will be familiar with their device asking whether they want to report a fault, but there are a lot of low-cost gadgets on the market that don’t offer this functionality or provide researchers with contact information to submit findings to.

Some might argue that this is a direction of travel the industry is heading in by itself, but those creating cheap commodity smart devices are unlikely to get in line without some sort of enforcement.

Where the proposed legislation really falls down, however, is in how it addresses security requirements such as passwords. There are several issues with requiring manufacturers by law to ditch simple or ‘factory setting’ passwords.

In principle the idea sounds great, but correctly implementing a secure password form or advanced authentication scheme is still a relatively specialist skill that needs to be backed by a technical standard.

Most car makers would laugh if a new law just asked for ‘a bumper’ without some sort of specification that indicates how it is made and what safety benefits it is expected to deliver – the same level of detail is needed, but is currently lacking, from the government’s password law. A vendor who removes default passwords because of a legal requirement, but still has a poorly implemented password system, appears to be legally compliant but secures nothing.

The second issue is that we are one, perhaps two, smart device generations away from passwords being obsolete. Many of us already use our fingerprint, retina, or facial features to unlock our smart devices and these more convenient and, ultimately, far more secure methods of authentication are the future.

As a result, the government’s carefully crafted password legislation, without a sensible standards-based enforcement process, will be obsolete at launch.

These shortcomings are not necessarily because the policies are themselves poorly conceived. But rather, they highlight a far more general problem with taking a legislative approach to enforcing complex cyber security requirements. 

Putting to one side the glacial pace at which laws are passed – which makes it a wholly unsuitable system for governing information security standards – legislation should only ever be used to set expectations. It must be uniformly understood and widely applicable and, as a result, cannot account for the vastly complex engineering problems the digital world presents.

Instead, cyber security legislation should focus on the consumer information and standards, while the time and money invested in this well-meaning set of policies could have been far better invested in engaging with the existing infrastructure in place to tackle cyber-security challenges. Better defined partnerships need to be established with the IoT industry and more funding provided for organisations with the expertise to police it – the ICO, NCSC and ISO, for example.

I would like to see a 'kitemark' system introduced, where new devices are ratified against an evolving set of standards, created by the industry regulators that understand the infosec environment. If consumers knowingly purchase a device that doesn’t meet the security standard, then they do so at least informed of the risk – or the extra effort they’ll need to put into securing the device. 

While the ‘security by design’ bill shows the government’s heart is in the right place, policing the ever changing and expanding internet of things is a bridge too far for our legislative system to cross alone.

Andy Barratt, UK managing director at international cybersecurity consultancy Coalfire.