Source: Culture, Media and Sport Committee (Select Committees), Connected tech: smart or sinister? Government and Information Commissioner’s Office Response
Recommendation 13 (paragraph 108)
Status: Accepted (the response itself says "partially accept")
Require providers to adopt network, storage, and cloud security standards for connected tech.
Recommendation
Improving cybersecurity of consumer connected devices is an important and positive step, but the proliferation of connected tech in enterprise settings and the gap in the regime regarding network, storage and cloud security still present likely attack vectors that will continue to allow devices to be compromised. The Government should close the gaps for both consumer and enterprise connected tech in the product security regime by requiring that providers adopt network-level, storage and cloud-based security to the same standards as it requires for connected devices.
Government Response Summary
The Government partially accepts the recommendation. It rejects the premise that network, storage and cloud security are a gap in the product security regime, saying the requirements for consumer connectable products already cover software used with the product, including off-device elements. It points to existing controls for critical national infrastructure (NIS and telecommunications security regulation), NCSC guidance for other organisations (Cyber Assessment Framework, Cyber Essentials, 10 Steps to Cyber Security), the NCSC Device Security Principles published in 2023 for enterprise device manufacturers, and ongoing DSIT work to build an evidence base on enterprise connected device risks.
Government Response (HM Government)
We partially accept this recommendation. The Government is thankful to the Committee for highlighting the importance of addressing vulnerabilities in off-device elements of a product’s software stack. It is not, however, correct to suggest that network, storage, and cloud security are a “gap” in the product security regime. Where appropriate, the security requirements that manufacturers of consumer connectable products will need to comply with apply not just to the physical device itself, but also software used for, or in connection with, the manufacturer’s intended purpose of the product, whether it is installable on the product or not. Indeed, many enterprises will benefit from the Product Security & Telecommunications Act, as they purchase the same devices used by consumers.

The Government will shortly publish our response to the recently held call for views on software resilience and security, setting out a policy approach that incorporates the evidence and views submitted by businesses and organisations. Different categories of technology face different cyber risks, and require a different set of practices to keep them secure. We also want to make sure that the requirements are proportionate, neither placing unnecessary burdens on manufacturers, nor setting too low a bar for a certain device. As such, we take a risk-based approach to cyber policy. For example, where devices are used in critical national infrastructure, providers are required to adopt network-level security, as required by the Network and Information Systems (NIS) Regulations, the Telecommunications Security Act, or other CNI regulations. Where these regulations do not apply, the NCSC recommends organisations follow the Cyber Assessment Framework, Cyber Essentials Plus, Cyber Essentials or 10 Steps to Cyber Security to secure their environments, including devices.
Further, DSIT, in cooperation with the National Cyber Security Centre (NCSC), is building a robust evidence base highlighting the cyber security risks that are present in these devices. This evidence base includes various publications, ranging from a literature review to product testing, in an effort to better understand the cyber security of these products and to examine how the Government and industry, particularly manufacturers, can support organisations in their secure usage of enterprise connected devices. As part of this work, NCSC published a set of Device Security Principles in 2023 for enterprise connected device manufacturers. Further work is underway in DSIT to explore next steps and possible future interventions to help drive better cyber security for these devices.