Over a hundred technology, cybersecurity and consumer organizations have signed a joint statement of support for recognizing an emerging consensus around key principles for Internet of Things security, addressing passwords, vulnerability disclosure and software.
“Gathered together initially through the World Economic Forum’s platform for multistakeholder cooperation, we are a community reflecting the interests of security researchers, technology providers, and consumers, alarmed by rising threats stemming from insecure consumer IoT devices,” according to a statement spearheaded by Tech Accord, Consumers International and I Am the Cavalry and issued on Tuesday.
“We welcome the global consensus forming around three key capabilities that can begin setting a clear baseline for consumer IoT security -- (1) No universal default passwords; (2) Implement a vulnerability disclosure policy; and (3) Keep software updated -- and support these as an immediate priority for respective manufacturers and vendors to implement in order to improve consumer IoT device security,” the groups said.
“In addition, our community recognizes the importance of two other capabilities related to securing data -- (4) Secure communications; and (5) Ensuring that personal data is secure,” they said.
Signatories include Google, Microsoft, NTT, Deloitte, Consumer Reports, the Global Cyber Alliance, Cyber Threat Alliance, the Center for Internet Security, Rapid 7, SCYTHE, ICS Village and IoT Village, and Luta Security.
“Software is eating the world and IoT is the plate it's being served on,” SCYTHE founder and CEO Bryson Bort told Inside Cybersecurity. “We came together to establish a baseline for better security. The next steps will be working with manufacturers to adopt these features.”
Center for Internet Security CEO John Gilligan said, “The speed of evolution of modern information technologies can result in new products that lack adequate cyber protections. The World Economic Forum recognized this gap in the Internet of Things (IoT) space and coordinated the development of an international, multi-stakeholder consensus of five effective, common-sense best practices to serve as a global baseline for IoT security. The result is intended to help manufacturers and vendors identify and implement the most important device security that can help ensure that IoT devices can be relied upon by consumers around the world.”
The 103 entities that signed represent “more than 400 organizations globally [that] collaborated to recognize an emerging consensus on baseline cyber security provisions for consumer IoT devices,” according to Tech Accord.
The signatories explained, “While all stakeholders -- manufacturers, distributors, vendors, regulators, even consumers themselves -- have respective roles to play in the safe development, deployment and use of IoT products, device security requires manufacturers and vendors who place devices on the market to adhere to best practices to ensure products are designed with security in mind. With connected devices today having supply chains that reach around the world, establishing a recognized global baseline for consumer IoT security is a critical step toward a more resilient and trusted digital future.”
They said, “One standard that champions these capabilities is EN 303 645, developed by the European Telecommunications Standards Institute (ETSI) as the first globally applicable industry specification that establishes a baseline for consumer IoT security. We support the collaborative and rigorous multistakeholder process that went into the creation of this standard, which was first developed by ETSI in 2019, before being published in its current form in 2020. Since then, increasing numbers of governments have been developing guidance, regulations, and labelling schemes that reflect the 13 provisions in this standard, showing an important consensus emerging.”
The groups said governments should:
- Take immediate action to ensure the implementation of these five baseline capabilities and develop a comprehensive plan to adopt the mandatory elements of all 13 ETSI EN 303 645 provisions or equivalent IoT baseline standards, guidelines, or best practices.
- Take steps to ensure consumers are aware of security information, either through product labelling or other forms of communications and/or documentation.
“This document is intended to serve as a jumping off point to continue building consensus and promoting robust device security,” the groups said. “Those of us endorsing this statement come from across stakeholder groups, including members of industry at various stages of adopting these best practices. We recognize that implementing these capabilities poses different challenges to manufacturers and vendors around the world.”
Further, “We also recognize the broad range of stakeholder activity relevant to this work. Therefore, we plan to continue working together through the World Economic Forum’s Council on the Connected World and Centre for Cybersecurity on technology governance and other spaces to share resources and provide guidance for doing so. This includes working to track and highlight which businesses are implementing these provisions, to show progress and showcase different practices and approaches for the benefit of others.” -- Charlie Mitchell (firstname.lastname@example.org)