UK’s Secure By Design Plan Now Includes Smartphones
The UK's Department for Culture, Media and Sport (DCMS) has added smartphones to its Secure by Design plan. Makers of Internet of Things devices, including smartphones, tablets, and other gadgets, will be required to disclose when they plan to stop providing security support for devices when they are introduced to market. Makers of smart devices will also be prohibited from publishing default admin passwords for those devices. They will also have to offer a single point of contact for reporting vulnerabilities and obtaining updates. DCMS is pushing for Secure by Design to become law.
The intent is to drive a consistent security standard across Europe. The disclosure of product support duration is supposed to happen at the point of sale, and now is expanded to include smartphones. The challenge is for consumers and small businesses, who may be unaccustomed to thinking about support end dates, to add this to their lifecycle planning, including sufficient lead time to plan and test replacements.
These are sensible requirements that shouldn't be too hard to comply with. In particular, the idea of publishing an "end of support" date is important. Some software and hardware manufacturers already do so, but usually only for more professional devices. It may also lead to longer support time frames if customers are able to verify the expected time the device will be supported.
We expect Microsoft to publicly state how long versions of Windows will be supported; the same should be true of everything else with software that can be updated. The software industry has long evaded any possibility of being required to provide warranty for software; regulations like this are needed.
No other infrastructure, from food to finance, has gone three generations without government safety regulation. It is ironic that cyber is the only exception, since it is now used to operate all the others. One necessary measure will be to hold suppliers accountable for the quality of their output.
William Hugh Murray
Read more in
gov.uk: Government response to the call for views on consumer connected product cyber security legislation
gov.uk: Secure by Design
ZDNet: Easy-to-guess default device passwords are a step closer to being banned
The Register: UK.gov wants mobile makers to declare death dates for their new devices from launch