UK Gov makes bold steps to tackle long-ignored security problem

The Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) have jointly released new guidelines for the manufacture of smart devices, intended to build security into the foundations.

The issue of digital security is one which has been long-running and frequently brushed aside. While it is now generally accepted that 100% security is an impossible ambition, embedding security into the building blocks of every product or service is a way to mitigate as much risk as possible. This idea has also been aired numerous times, with little apparent action, though the new Code of Practice aims to correct this oversight.

“From smartwatches to children’s toys, internet-connected devices have positively impacted our lives but it is crucial they have the best possible security to keep us safe from invasions of privacy or cyber-attacks,” said Minister for Digital, Margot James. “The UK is taking the lead globally on product safety and shifting the burden away from consumers having to secure their devices.”

“With the amount of connected devices we all use expanding, this world-leading Code of Practice couldn’t come at a more important time,” said Ian Levy, the NCSC’s Technical Director. “The NCSC is committed to empowering consumers to make informed decisions about security whether they’re buying a smartwatch, kettle or doll. We want retailers to only stock internet-connected devices that meet these principles, so that UK consumers can trust that the technology they bring into their homes will be properly supported throughout its lifetime.”

As it stands, the digital world is not secure. Innovation is progressing at an exciting speed, though advancements in security, or even investments in security departments and products, are not keeping pace. The world is currently sleep-walking into a digital environment tailor-made for hackers and other nefarious actors to thrive in. These individuals might be in the vast minority, but that does not make the threat any less real.

The new guidelines are as follows:

  1. No default passwords
  2. Implement a vulnerability disclosure policy
  3. Keep software updated
  4. Securely store credentials and security-sensitive data
  5. Communicate securely
  6. Minimise exposed attack surfaces
  7. Ensure software integrity
  8. Ensure that personal data is protected
  9. Make systems resilient to outages
  10. Monitor system telemetry data
  11. Make it easy for users to delete personal data
  12. Make installation and maintenance of devices easy
  13. Validate input data

Should the UK Government and the NCSC be able to nudge manufacturers into maintaining these principles, protections will certainly increase. This is not to say everything will be rosy, but by ensuring security is more than an afterthought in the design and manufacturing process, the right foundations are set.

“This government initiative is exactly what many in the industry have been craving for years,” said John Smith of CA Veracode. “Manufacturers have not really felt any market pressure to improve the security of these devices because consumers still have a lack of understanding of the security implications of IoT devices. Providing concrete guidance to manufacturers while also raising public awareness of these issues can only help address the gap that currently exists. It’s not just about the hardware anymore, it’s about the software behind it, and it’s really encouraging to see the UK government wake up to the potential vulnerabilities in consumer IoT devices.”

These ideas are not new; rather, it is promising to see proactive action from the Government. Security experts have long discussed the merit of building security into the foundations of products. For example, Rik Ferguson of Trend Micro has previously suggested an official badge or certification for products which have been designed with the right security protocols and concepts in mind, similar to the marks found on batteries. People don’t need to know the process of achieving the validation, but a properly audited process can provide peace of mind for the consumer.

However, it is critical the process is embraced by the majority and soon becomes an industry standard. Energy company Centrica has become one of the first to embrace the guidelines with its Hive smart energy devices, while HPE has also committed. This is a good start, and potentially sets the ball rolling for a process which is more official. Right now, the Code of Practice is voluntary.

Security has long been an ignored issue in the industry, mainly because it is incredibly difficult to deal with. If companies were honest with consumers about the threats of the digital economy, many would be put off from taking more of their lives online. At least there is some positive action toward addressing the significant problem of cybersecurity.

Government research suggests digital divide plans might actually be working

When you compare the digital divide to other countries around the world, it looks like nothing more than a minor crack in the UK. That said, it is still there and new research suggests it is getting smaller.

Before you give the mish-mash-of-no-one-wants-jobs Department for Digital, Culture, Media and Sport too much credit, you have to bear in mind this is research which has been funded and influenced by the department itself. That said, government initiatives do seem to have spurred the lethargic Openreach/BT into action in the countryside, taking the number of households which are able to access superfast broadband across the UK to 95.39%.

“Our rollout of superfast broadband across the UK has been the most challenging infrastructure project in a generation but is one of our greatest successes,” said Minister for Digital, Margot James. “We are reaching thousands more homes and businesses every week that can now reap the clear and tangible benefits that superfast broadband provides. We are helping to ensure the downfall of the digital divide.”

In terms of closing the digital divide, it is worth reminding ourselves every now and then what this actually means. It is more than simply cat videos streaming faster than a laser pointer on the carpet; it is about access to education and employment opportunities. With businesses increasingly reliant on the internet for everyday processes such as cloud-based services and infrastructure, connectivity decides whether a company opens an office in one place or another, and the competitiveness of a region. Functional companies create jobs, which cascades success throughout the local economy.

The initiative was first launched in 2010/11 in response to concerns that commercial deployment of superfast broadband would fail to reach areas which were not deemed commercially attractive. Backed by £530 million of subsidies (and an additional £250 in 2015), telcos were enticed to roll out the relevant infrastructure, though the early years were plagued with claims that BT was rebuilding its monopoly with public funds as it won the majority of early contracts. While the criticism of BT’s dominance continues to be an issue for some, it is worth noting £500 million in subsidies has been returned to the public purse due to uptake being higher than expected.

In terms of the impact on local firms, the report estimates postcodes benefitting from subsidised coverage saw employment rise by 0.8% and turnover grow by 1.2% in response to improved infrastructure. This has resulted in an additional 49,000 jobs for local economies, plus an additional £9 billion in annual revenues. When looking at productivity gains, better connectivity essentially means each employee makes an additional £1,390 per year on average for the firm.

Government Table One

As you can see from the tables above, the ‘other’ regions are still growing at a faster rate, though you have to question how big the digital divide would be today without the telcos being ‘encouraged’ to invest in rural areas with government subsidies. Growth is a positive, as it would be a fair assumption the statistics would be in decline without improved connectivity.

Education and health and social work were the sectors which really benefited here (turnover per worker increased 4.7% and 3.7% respectively), though subsidised coverage raised turnover per worker in the manufacturing sector by only around 0.8%. With improved connectivity now in place in the manufacturing space, the opportunity to demonstrate further benefits through IoT and smart-factory environments is much more apparent. The manufacturing segment might be a slow-burner, with the next wave of technological advancements proving to be the gamechanger.

With a benefit to cost ratio of £1.96 per £1 of gross public sector spending, it is difficult to argue with the success here. Yes, the numbers could be better, though as the report states the net benefits of the programme do not include any value associated with the future use of the infrastructure, you could conclude the value has been considerably underplayed. Governments do not often earn plaudits, but this does genuinely seem like an initiative which has been well managed, delivering on the stated promises.

Work is not complete on closing the digital divide, as the South West for instance is still underserved, though it is difficult to argue that the government has done a bad job overall.

Is the Department of Digital, Culture, Media and Sport the real life DOSAC?

Under-qualified Ministers, photo-ops with minimal media presence and a mash-up of policy areas which don’t really align: it’s as if the government is taking advice from the writers of The Thick of It.

For those who haven’t seen the show, The Thick of It is a BBC series which satirizes the inner workings of modern British government. There are calamities, botched policies, a lack of funding and Ministers who seem to be making it up as they go along. The series focuses on the fictitious Department of Social Affairs and Citizenship (DOSAC), which could easily be likened to the real-life Department of Digital, Culture, Media and Sport (DCMS).

The most obvious similarity is the departments themselves. Both DCMS and DOSAC seem to be a collection of briefs which have (at best) tenuous links. In the TV show, one of the characters jokes that while the Minister was on holiday, staffers were helpless to prevent a garbage truck being driven down Whitehall as other Ministers chucked in policy areas they couldn’t be bothered to deal with. This was how DOSAC came to be as a department, and some might assume it was a similar situation at DCMS.

Whoever thought that Digital, Culture, Media and Sport belonged in the same department must surely have been joking. But seeing as most public sector organizations are devoid of a sense of humour, the memo was taken seriously. It might be farcical, but this could be a serious problem.

This is supposed to be the department which readies the country for the cut-throat digital era, making sure our infrastructure is ready to compete with the world on the connected stage. The internet and mobility will define commerce over the coming decades, so some would argue ensuring the UK has a suitable foundation for British businesses to compete would be a critical task. Yet the Digital proposals will be put in the same pile as applications to hold the next Badminton World Championships.

Considering the importance of digital initiatives and infrastructure, why aren’t these policies more closely aligned with, say, the Department for Business, Innovation & Skills, or the Department for Business, Energy and Industrial Strategy? These would perhaps make more sense.

We suspect that as no-one in government seems to be suitably qualified to lead a technology orientated area, no-one really wants to take responsibility. MPs might sell their grandmothers for a good publicity shot, but perhaps the risk of being known as the person who messes up the digital potential of the UK outweighs the PR benefits of being the face of British digital ambitions?

Talking of MPs, our new Secretary of State for Digital, Culture, Media and Sport Matt Hancock is starting to do an excellent impersonation of The Minister for Fun. On his first day on the job, Hancock managed to find his way onto the guest list at a London Fashion Week after party, cosying up to stars such as Rita Ora. And this work-hard-play-hard attitude seems to be filtering down to his minions.

Yesterday we spotted one of the new Ministers in the department, MP Michael Ellis, visiting the Tate Modern, and today he’s been out seeing a heritage museum in Walworth. The department still hasn’t managed to figure out who is doing what yet, but who needs the MPs in the office to actually do that.

We also assumed that while Minister for Fun Hancock and Minister for Tea and Biscuits Ellis were parading around the capital, the other new appointment, Margot James, would be the buzzkill doing the work. We hoped there might at least be one person in the department who was at their desk doing work. Alas, we were wrong, as you can see below.

We fully understand that politicians will be out in the field meeting people and helping raise awareness for good causes, but surely this can wait a couple of days. We would like to see these people who are supposedly responsible for our digital capabilities sit down for a couple of hours, hand out the responsibilities and have a bit of a read up about the policies which are in place. But this all seems too much when there is a camera on the horizon.

Who knows what this means for the UK’s digital ambitions, as while the world moves towards agility, flexibility and power, we seem to be stuck. Quips and witty remarks can only get you so far, and we will need to see some action before too long. Ofcom CEO Sharon White conceded during a stakeholders meeting this week that the UK lags behind the digital powerhouses of the world, but correcting this will be a challenge if our Minister for Fun is coming into the office every day nursing a hangover after a night of chumming up with celebs.

The UK is losing ground in the digital race, and considering the current set-up, we’re not entirely convinced there is a way back to the front of the pack.