Exclusive: British Intelligence calls for 'Security by Design'

By Ciaran Martin

Ciaran Martin, Chief Executive of the UK’s National Cyber Security Centre, shares his view.

We’ve all seen the Hollywood doomsday scenarios around technology, and understand that for lots of people cyber security can be daunting.

But fear should never be a barrier for people using the best technology available – and I’m delighted that yesterday Singapore and the UK took a positive step towards improving the security of our nations’ internet-connected devices.

As Chief Executive of the UK’s National Cyber Security Centre (NCSC), I am signing a joint statement with David Koh, Chief Executive of the Cyber Security Agency of Singapore, that we hope will drive improvements in the security of smart consumer products in our respective countries. It is fitting that the joint statement was signed during Singapore International Cyber Week.

Since setting up in London three years ago, the NCSC and the UK’s Department for Digital, Culture, Media and Sport have led the programme to make Internet of Things (IoT) devices ‘Secure by Design’.

This means security should be built into a product before devices are taken home, rather than putting the burden of expectation on the general public to bolt on measures to make it safe to use.

This is needed because a worrying number of people do not change the manufacturer’s default password. Not only are these passwords often universal, they are easily guessed because of how obvious they are.

The password ‘password’ is one such amusing but also troubling example. Our analysis has found that 23.2 million accounts that have been breached had been ‘protected’ with that easy-to-guess password.

The growth of internet-enabled devices poses a serious security risk. Without a way for consumers to judge the security of the products they buy, millions of inter-connected devices and the data they contain could be vulnerable to cyber attacks.

The Security-by-Design UK-Singapore IoT Statement will drive improvements in the security of smart consumer products.

Together, we are recommending that manufacturers implement industry best practices such as:

1. Discontinuing the most blatant security shortcomings, such as the use of universal default passwords.

2. Making vulnerability disclosure processes the norm across the IoT industry. If it becomes standard to report security vulnerabilities, manufacturers can respond accordingly. The challenges faced are not specific to a device or a manufacturer, so this sharing of knowledge and problem-solving expertise will benefit everyone.

3. Encouraging the development and deployment of software security updates for the entire lifetime of IoT products so that consumers and the wider technical ecosystem are protected today and into the future. All devices need to have a defined support period within which the manufacturer guarantees they will fix the problems.

Together, we endeavour to take a leading role in driving improvements in the security of smart consumer products.

We want to ensure that internet-connected devices have security built in by design and the public and industry are protected against related security threats, such as cyber attacks, theft of personal data and risks to physical safety.

At the same time, we will ensure the IoT industry can continue to grow and innovate and the public can fully benefit from these products and services.

We will work together to explore ways to help consumers gain confidence in the security of the products they choose.

Singapore and the UK have a shared interest in enhancing our cooperation in cybersecurity as we develop our national approaches.

We are committed to strengthening our dynamic partnership for the 21st Century and will continue to work together closely to ultimately make the internet easier to use safely.