Cybersecurity Tech Accord joins with Consumers International and I Am the Cavalry, launching joint statement for a global consensus around consumer IoT security priorities
The Internet of Things (IoT), a growing ecosystem of connected devices around the world, brings incredible benefits to consumers in everyday products – “smart” watches, doorbells, TVs, …etc. – but these new products also come with new cyber risks. Governments, IoT device manufacturers, security researchers and consumer groups alike are increasingly recognizing these risks, which require all stakeholder groups to assume new responsibilities. Understanding that this includes new responsibilities for device manufacturers, the Cybersecurity Tech Accord is joining with Consumers International and I Am the Cavalry in launching a new statement and partnership based on the global consensus forming around five baseline security capabilities for consumer IoT products. Widespread implementation of these security capabilities will be an important step towards a future where every consumer can expect basic security features in their connected devices.
Today, a coalition of more than 100 organizations – including industry members, security research firms, consumer advocates, and government agencies – collectively endorse the five highest priority security provisions for consumer IoT devices, which are found in over 100 standards, specifications and guidelines globally. In particular, the standard EN 303 645 champions these requirements, which was developed by the European Telecommunications Standards Institute (ETSI) as the first globally applicable industry specification for consumer IoT security. Based on these five capabilities, consumer-facing IoT devices must:
- Not have default universal passwords;
- Implement a vulnerability disclosure policy;
- Keep software updated;
- Have secure communication; and,
- Secure personal data.
We encourage governments worldwide to promote these provisions and urge manufacturers and vendors to take immediate action to implement them. Raising greater awareness of IoT security considerations among consumers will also be crucial to better protect these products from evolving cyber threats.
This effort builds on the years-long history of the Cybersecurity Tech Accord advocating for improved consumer IoT security, with our organization and signatories regularly engaging in associated discussions and initiatives. In 2019, in dialogue with Consumers International, we launched the “Stay Smart. Stay Safely Connected” campaign to bring consumers and manufacturers together, recognizing that both have critical and distinct roles to play in protecting IoT products from cyber threats. We have also previously endorsed ETSI’s Technical Specifications adopting the UK government’s Code of Practice for consumer IoT security as a standard. In 2021, we renewed our strong support for ETSI’s work and in particular, called for manufacturers to adopt the thirteen consumer IoT security provisions included in the EN 303 645 standard.
The joint statement we are releasing today, however, is not about the work of any one standard group, but rather about recognizing the growing global consensus around near-term priorities to advance consumer IoT device security. Other foundational multistakeholder efforts to define technical IoT security baselines (applicable to all sectors) include the National Institute of Standards and Technology NISTIR 8259 series (8259A) and the Council to Secure the Digital Economy (CSDE) ‘C2 Consensus on IoT Device Security Baseline Capabilities’. Since the release of these guidance documents, several technical standards (CTA 2088 and ETSI 303-645, among others) have been released, and the development of an international standard for IoT security baseline requirements continues with the International Organization for Standardization (ISO) (ISO/IEC 27402 (in draft, DIS)).
While we will continue to promote and implement industry best practices in IoT and other emerging areas of technology where cyber risks are spreading, we are also aware that no individual company or organization can address these threats alone. This is why we are excited to join today with hackers, consumer advocates and others in the technology industry under a common banner to advocate for a higher baseline for consumer device security.
We hope that more organizations will support and adopt these requirements for connected consumer products to help make the next generation of IoT devices more secure for consumers everywhere. Our signatories look forward to leading by example in this effort and continuing to highlight best practices for doing so.