The UK’s National Cyber Security Centre (NCSC) has released a set of device security guidelines to encourage security by design in the manufacture of internet-facing products.
The recommendations have been outlined in a report, released jointly with the US Cybersecurity and Infrastructure Security Agency (CISA) and other national watchdogs. As the advice has no teeth, however, the guide is not likely to be followed by the bulk of product manufacturers, researchers warned.
The guidelines have been released as part of a report entitled ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default’, in a joint endeavour by the UK, the US, Germany, the Netherlands, Canada, New Zealand and Australia.
NCSC and CISA release device security guidelines for manufacturers
The NCSC has released recommendations for manufacturers of internet-facing products, such as Internet of Things devices, to encourage them to place security at the centre of product design. Treating security as an afterthought for vulnerable devices “can leave customers open to malicious cyber intrusions and safety risks”, says the security centre in a release.
The guidelines are broken down into two sections: Secure-by-Design and Secure-by-Default. Secure-by-Design means that technology products are built in a way that reasonably protects against cybercriminals. Secure-by-Default helps products to be resilient against prevalent exploitation techniques out of the box, without additional charge.
The recommendations outlined in the report are written to take the burden of optimising device security off the shoulders of the customer. “The authoring agencies recommend software manufacturers implement the strategies outlined in the sections to take ownership of the security outcomes of their customers through Secure-by-Design and Default principles,” explains the NCSC in the report.
To do this, a manufacturer should “embrace radical transparency and accountability” by taking up strong authentication mechanisms by default or making sure CVEs are complete and accurate. The report also encourages Secure-by-Design tactics, such as the use of memory-safe programming languages, secure software components and vulnerability disclosure programmes, among others.
“As our lives become increasingly digital, it is vital technology products are being designed and developed in a way that holds security as a core requirement,” explains Lindy Cameron, the CEO of the NCSC. “Our new joint guide aims to drive the conversation around security standards and help turn the dial so that the burden of cyber risk is no longer carried largely by the consumer,” she says.
“We call on technology manufacturers to familiarise themselves with the advice in this guide and implement Secure-by-Design and by-Default practices into their products to help ensure our society is secure and resilient online.”
How effective will these recommendations actually be?
However, calling on manufacturers to implement costly changes in their design processes will probably not herald much valuable change, explains Bharat Mistry, technical director UK and Ireland at security company Trend Micro, to Tech Monitor. “Unless a manufacturer has got some serious intent behind them and they want to become a proper player in the market, I don’t think these standards or guidelines will be enforced,” he says.
The bulk of manufacturers will not impose costly changes unless they are forced to via legislation, he continues. “I can’t see that mindset changing of the people in the market who want to make a buck quickly, because ultimately, it means that their costs are going to go up. It needs to be legislation and it needs to have some kind of certification around it,” says Mistry, who warned it was particularly true for start-ups building these devices.
“If you look at everything from small things like light bulbs to things in fridges, these products are not made by big manufacturers. They’re made by really small companies that can get something out to the market very quickly,” he says, adding that they are not long-term manufacturers. “They may not be around in a year’s time, they might be looking to be acquired,” he said. “But certainly, they’ll be looking to make a fast buck rather than do anything long term.”
He said the fact so many companies came together to create a set of guidelines “is a good first step” in getting agreement, as it shows some intent. “Maybe not enforced intent, but intent is there,” Mistry added.