Good afternoon, and welcome to Policy at DEF CON. This talk is "How Do You Solve a Problem Like Mirai," given by Kat Megas and Peter Stevens. A few announcements: this talk is being hosted on the record, I believe. As a courtesy to speakers, please keep your cell phones on silent. If we have time for Q&A at the end, please use the mics so everyone can hear you, and speak close to the mic; it's a little soft, so try to get close to it when you speak. As a reminder, the photo policy prohibits taking pictures without the permission of everyone in the frame. With that, let's get started. Please welcome our speakers.

Shall we go ahead and get started? Let's introduce ourselves. I'm Kat Megas. I work at NIST. For those of you that don't know, NIST is the National Institute of Standards and Technology. We are part of the Department of Commerce. We are a non-regulatory agency; pretty much everything we do is voluntary, with the exception of when it comes to providing cybersecurity guidance to federal agencies. All right, I'm usually pretty loud. Okay. But outside of that, most of our work is non-regulatory, and we work very closely with the private sector.
We consider ourselves a research institute, and we publish recommendations based on input that we receive via our research and through engagement with the public.

Hello. My name is Pete Stevens. I'm at the OECD, and previously I was head of the Secure by Design initiative in the UK. That included the team who worked on the Product Security and Telecommunications Infrastructure Act, so a lot of work on consumer IoT. The purpose of this session really is for us to talk through some of the work that we both did, in both the United Kingdom and the USA, about how we reacted within our governments to situations like Mirai, but also how that was sort of a galvanizing experience to enable ministers to focus on IoT and to make a difference, and to see what happened next. So the flow we're going to follow is, I think, that we're both going to take a few minutes to talk through some of the experiences that we had around that period of time, and then open up for a few discussions. Really happy to have some questions as well. I know it's a really important topic that people are very interested in, and of course we're iterating as we go, so that's something that's important. So, Kat, over to you.

Okay. So I will try not to spend too much time talking about policy, but I assume, since you are all coming to a talk given in Policy Village, you're interested at least remotely in what the policy landscape is. So, as Peter mentioned, Mirai was a big catalyst. Coming out of the Mirai botnet, in 2017 the White House issued Executive Order 13800, directing the Department of Commerce and DHS to look at the issue of botnets and DDoS and what can be done to make the country more resilient. Surprise, surprise: the cybersecurity of IoT devices was identified as critical, and along the critical path to securing our nation's infrastructure, coming out of 13800.
We've had a couple of other things that have happened since then. US Congress enacted the IoT Cybersecurity Improvement Act of 2020, legislation that was passed in 2020 which requires federal agencies to only procure and use IoT devices that comply with minimum cybersecurity guidelines. Those guidelines were published by NIST, and agencies, as of December 2022, are required to be compliant with those guidelines.

Outside of that, I also like to highlight, if you're not familiar, that there is legislation on the books in Oregon as well as in California that requires minimum cybersecurity for IoT devices sold in Oregon and California. You may not think much of the impact of that, but if you look at the size of California's economy, as you may or may not be aware, if California were a country in itself it would be the fifth largest economy in the world. So the idea of California establishing a minimum requirement for cybersecurity and saying that any IoT device that's sold to a consumer in California needs to meet reasonable cybersecurity guidelines had a pretty significant impact. Those who were actually building IoT products paid quite a bit of attention to this. That legislation was recently amended to say that if you do comply with NIST guidelines for IoT, there will be a presumption of conformity with that legislation, and you will not have to be concerned about the state of California looking at your device and asking you what you have done to build in reasonable cybersecurity.
Something I like to talk about as well, because it's an opportunity for feedback and for this community to engage: there was another piece of legislation you may have heard of, the NDAA, which gets passed every year and includes a lot of requirements for federal agencies that go beyond just defense and DoD. In the NDAA of 2021, the Department of Commerce was directed to stand up both a public group that consists of non-governmental stakeholders and an IoT federal working group that consists of all the federal agencies that have equities in or touch on IoT. We are on the hook to deliver a report to Congress laying out what actions the US federal government should be taking to enable IoT adoption, understanding that IoT is so important to other emerging technologies such as AI, as well as understanding all of the socioeconomic benefits, and benefits for things like climate change, that IoT can actually bring. No surprise, one of the pillars that has been identified is related to trust. If we cannot ensure that people can trust the technology, whether you're a consumer, whether you're a farmer who's adopting IoT technologies, or whether you're a healthcare provider, if they cannot trust the product, it is likely going to impact the adoption of this technology. So, heads up: that is a public group. They meet every month. If you want to come in and address this public group and say, "Hey, I think it's really important that the following XYZ be adopted, and if it isn't, I think there is going to be some long-term disadvantage to the US," you should feel free to come in and give that comment. You can give it in person.
You can submit it in writing. And then, of course, Executive Order 14028, which is the most recent executive order that the White House issued. Amongst lots of other cybersecurity requirements, it directed NIST to develop and identify minimum cybersecurity criteria for consumer IoT products, and also to pilot those as a label. I'll talk a little bit later about exactly what the piloting constituted and what those minimum requirements were. And of course, in the most recent US National Cybersecurity Strategy, the commitment is further demonstrated in that the White House called out the importance of ensuring the security of IoT in objective 3.2.

So when we first started our work, when the botnet roadmap came out: the process was that the executive order came out, the Department of Commerce and DHS consulted with non-governmental stakeholders about what can be done to address the botnet threat, and coming out of that, the report identified IoT devices. Subsequently there was a roadmap that was issued that said, here are the actions we are going to take to implement the botnet report and its findings. One of those was that NIST should identify the core minimum cybersecurity that IoT devices should have. I can talk about the existential issue around coming up with a minimum set of security guidelines for IoT devices when we recognize that risk is so dependent on context. Risk is not about the device; risk is often about where the device is being used, and what else is on the network where that device resides.
So the idea of coming up with a single set of requirements that should be the baseline and apply across the board was quite challenging, especially because we have experienced in the past that when we publish minimum guidelines, it becomes a race to the bottom, because at that point everybody feels like the minimum guidelines are probably all they have to do. So, coming out of that, what NIST did is publish two types of requirements, or capabilities, that we recommended for IoT. Half of those are technical, and they're focused on the actual device. They say, here is the minimum technical cybersecurity you should build into any device that you are planning to sell in the marketplace: do you have the appropriate authentication mechanisms in place? Do you protect data both at rest and in transit? But what we really introduced when we started talking about the baseline was this idea of the non-technical capabilities. I'll be honest: when we first introduced the idea of non-technical capabilities, it did not get a lot of people excited. But we felt it was not enough to identify only minimum cybersecurity requirements without also talking about things like "you must have a vulnerability disclosure process," "how do you disseminate information about your product to people who need to know," and "how do you collect information about the security of your product, like vulnerabilities." We talk about things like: do you have a documented secure software development process? We don't define what process you need to have in place.
But we do define that you need to have a process, that it has to have certain elements to it, and that you need to have it documented. We don't necessarily tell you that you have to disclose it, but we felt that just the discipline of going through and documenting what your secure supply chain management process is would really open the organization's eyes to potential cybersecurity risks and how to manage them over the lifetime of the product.

Yeah. I'll be honest, it was everything from "well, if I have it documented, then I might be asked to share it with somebody," and there were concerns around being that open and transparent. On the flip side, we heard: where is the demonstrated proof that this is something that actually leads to better cybersecurity? Just the fact that you have a supply chain risk management plan in place, is there any demonstrated proof that that actually produces a more secure product? We felt there was enough evidence there that it was reasonable to ask for it. And again, this was already seven years ago. Now, I think, everybody's talking about it; everybody seems to recognize that a secure software development process is a good thing. But seven years ago, people really just wanted a checklist: just tell me what I have to build into the product, and tell me if I do these ten things I'm good to go. We felt strongly: no, you need to have a risk assessment, you need to do all those other things.

Yeah, it's true. And I do think that part of it is a concern not so much around doing it, but around who I share that information with. There were also some practical concerns. So we say, hey, one of the first things you need to do is identify the use case. Who's your user?
What is the context of use? You have to know that in order to be able to do a risk assessment, in order to ensure that you're actually appropriately addressing risk. On the manufacturer side, they had some legitimate concerns where they said, hey, I built the device; I don't know what my customer does with it, so you cannot hold me responsible for imagining every possible way this customer may misuse this product. I can only say, I'm building the product because this is the use case I imagine it's going to be used in. So in many cases the devil's in the details, and again, I do think there's some legitimacy to that, and that is why, as I'll talk about a little bit later, we talked about having the capability in place. If you're a small company, two guys in a garage building your first IoT product, and you at least just write down on the back of a napkin, "this is what I'm going to do when somebody reports a vulnerability to me," you've at least taken a step further than where I think we were before. But that is part of the reason we didn't go into very prescriptive details. We wanted to give that flexibility to the market. Let me see. Sorry.
Oh, sorry. Yes, so just real quick, because I think these are at the core of some of the conversations we're interested in having. I joke about the fact that I am always worried about crossing a dark parking lot, because I know somebody's going to run me over one day, because we do tend to try to push the envelope in some of our recommendations. So after Executive Order 14028, which told us to take the core baseline and adapt it to consumers: the core baseline was intended to address federal government, agriculture, healthcare, energy, any sector. But we were challenged with taking that and tailoring it to the consumer market. Coming out of that, we made some changes to how we approached the core baseline. One of the things we changed was this: most of the conversations up to that point had all been about the IoT device. We just need to secure the IoT device; it's just about the IoT device. As we started thinking about the device being part of a product, we recognized that very often that product is bought and becomes integrated with an enterprise system, but that product, that IoT device, is still part of a vendor system, and often we lose sight of the fact that that product is also part of a vendor system. So as part of what we did under the executive order, we said, well, there is an IoT device and the other product components that go with the device, and all those other product components, the mobile app, the back end, and the device, all need to support minimum cybersecurity requirements. I understand implementing that practically may be difficult, because sometimes you buy unbundled products; sometimes somebody sells you a hub separately and then sells you a device separately; sometimes they use a third-party IoT platform.
So I understand that reality is messy, but we felt that focusing only on the IoT device would give the consumer a false sense of security, because a consumer buys a product and doesn't realize that there are pieces of this product that are in the cloud, or that, hey, if I can control this through my mobile app and that mobile app isn't well protected, then all my information is at risk. So that was one pivot we made. There were a lot of conversations when we did our open stakeholder process; I'd say it was a 50-50 split between the lovers and the haters. In the end we felt it was important that we would go out with this, and sure enough, right now it is part of the FCC program that they are pursuing. I know that industry is thinking about how we can look at componentizing this idea of certifying a system, and pre-certifying components, so that when you assemble those components you can actually say this product is end-to-end secure, but make it repeatable and reusable. So they're still working on it and innovating. We can probably talk about the NPRM a little bit later.

The other thing we did is we talked about the criteria as cybersecurity outcomes. Part of the reason we did this is, as we said, that coming up with requirements for every IoT device out there would be impossible. Also, we didn't want to get too rigorous in our requirements, because we feel that's very brittle. We feel it would be best to rely on standards, and since I do belong to NIST, and the S stands for Standards, we have articulated what the government desires in terms of cybersecurity outcomes, because we recognize there can be multiple standards. Your front door lock may implement security differently than your smart refrigerator. So we don't expect there to be one standard; we don't think there should be one standard to rule them all. But we do think every single product needs to meet the cybersecurity outcomes.

And of course, the last thing that we did highlight, as we said over and over, is that this is a baseline. This is a minimum requirement. There are going to be instances where something goes beyond this minimum baseline that may be higher risk, and you may have to tailor those cybersecurity outcomes. You may have to constrain them and say, yes, you do need to protect data at rest, but guess what, you can only use a hardware root of trust; any other type of encryption will probably not be sufficient. We also said you may have to go beyond the ten; there may be some cybersecurity outcomes that go beyond that. In fact, I'm not sure if I mentioned it here, but the White House recently directed NIST to look at developing minimum requirements for consumer-grade routers. They basically said, hey, Kat, we think this might be one of those situations where a consumer-grade router is actually a higher-risk product than your typical device. We're just kicking off that public process, so we will be engaging on that. But that was one instance of where we keep saying it is just a baseline; that does not mean that it is going to be secure for every type of product. We do think that it is important for the manufacturer to do a risk assessment, and ultimately they are responsible for knowing if they need to go beyond the baseline.

All right, now we can flip the slide. This is my last slide, and then I will be turning it over to Peter. I did just want to share, since we do want to talk about and contrast the labeling efforts, or the non-labeling efforts, that are going on around the globe, as well as what we're doing here in the US. I do have to caveat: I do not speak for the FCC. The FCC has graciously agreed to become the program owner for the US
National Mark. The NPRM, which is the public rulemaking process, was just launched yesterday or two days ago. So the FCC just came out and invited anybody to comment; in fact, I don't even think you need to provide your comments in any sort of format. But these were the requirements, or at least these were the recommendations, that we made at the end of piloting a consumer label, in our recommendations to the APNSA. We made the following recommendations about what should be included. First of all, we said there needs to be a consistent design for the actual label, which means you cannot expect a customer to buy one product that has been through one certification process and the same type of product from a different certification process, and expect the consumer to be able to understand that those two labels mean the same thing. So we said there could be different certification programs and schemes, but ultimately we all have to have a consistent label. Also, that label needs to be layered. It needs to be binary, because of your average consumer. There was a lot of talk about this idea of a nutrition label. When we looked at the research that we did, and we also invited comments from the public, the feeling was that cybersecurity for your average consumer might still not be something where, in real time, standing at Best Buy, they're going to be able to compare two different nutrition labels and decide which of the two products is appropriate for their risk. But we did recognize that there may be some individuals who want that detail. So what the layered design does is: on the product,
it's binary. You either meet the requirements or you don't meet the requirements. But then you are able to go to some website, hosted TBD, that can actually provide additional detail, whether you're a security researcher or whether you are an individual who just wants to know more about the cybersecurity of that product. That would all be part of it: if you sign up for this voluntary labeling program as a manufacturer of an IoT product, you are signing up to do all of these things. Consumer education is critical. We don't want the burden to be completely on the consumer to be responsible for security, but we do also recognize the consumer actually does have a role in securing the product. We think there has to be flexibility; as I mentioned, your front door lock and your refrigerator are not the same. There should be multiple scheme owners. In the US there's already quite a burgeoning market of IoT certification. I'm not sure if you guys are familiar: UL has one. There's another group called the Connectivity Standards Alliance; you may have heard of them. They're working on the Matter standard, and they are extending a cybersecurity specification into that now as well. So there's quite a burgeoning existing marketplace of these schemes, and we said the government should not be setting up something separate. What we should be doing is setting a certain bar, and then allowing these different schemes to operate and use what's already out there. Liability considerations were huge.
This is one of the things we heard from manufacturers. Their concern is: this is voluntary, and you're telling me I'm going to make certain assertions about my product. Nobody's breaking down my door right now; nobody's breaking down my door from the consumer side saying "I need a more secure product," and all I'm doing is taking on liability by making certain claims about my product. So what exactly is the motivation for me to actually join this voluntary program? The feedback we received is that there needs to be some sort of liability consideration, so that if somebody voluntarily does join the program and does do everything that we have recommended that they do, they would be held somewhat, you know, not liable if something were to occur. We talked about outcome-based. We talked about standards. International considerations and mutual recognition: that's why we've talked to the UK and we're talking to others. And of course, our recommendation was that this needs to include both third-party certification as well as self-attestation. We do not want to stifle and inhibit innovation; we want to be able to provide that flexibility, and it's not only to address the smaller companies. There are also some large companies. Samsung has come out and announced that Samsung has been certifying products that attach to the Samsung... what is it, the Things cloud? I'm not sure what they call their back end.
I forgot, but they've been certifying products and saying, if you are attaching to the Samsung IoT platform, your device has to be certified for certain minimum cybersecurity requirements. So Samsung was saying, well, we are happy to self-attest because we have our own robust certification process. So I probably talked for a little too long.

Kat, thank you so much. It's a real pleasure to hear that, and there are many points there that can be echoed from my side as well, about the role of the consumer and the importance of maintaining an awareness of the spectrum of manufacturers who exist in the space. Sorry, I'm moving because my microphone is not strong enough or long enough. What I'm going to do now is just give you a bit of an overview of what we did in the UK following on from Mirai. A lot of context from my side is that I used to work for DCMS, which is the Department for Digital, Culture, Media and Sport, which is a strange abbreviation. It was the department which was called the Ministry of Fun, but then all of a sudden they gave it all of the digital and cybersecurity and data privacy in one go, so all of that entered that department.
So the approach that we took here was to really be aware of the spectrum of manufacturers that exist, and a principle that we liked to take on following from Mirai was, as Kat pointed out: you have multi-billion-dollar companies on one end, but also the two people in the garage trying to make a small IoT device. So we wanted to make sure that we were creating something to support innovation, whilst also at the same time trying to make sure that we were protecting consumers in a market where we know that they just aren't able to differentiate between what's secure and what's not. What we found in the UK was that people overwhelmingly assumed that it already was secure because it was available on the market, and why would it be available if it was insecure?

So what I've tried to show in this little silly graph here is really the spectrum on two axes: one is how much organizations know about cybersecurity, and the other is how much they care. So, to Kat's point about the two people who are creating something in their garage: if they care a lot and they want to do the right thing but they don't know how, then the government's response is going to be different than if someone is in a different position, where they know a lot but don't seem to care very much. And of course that's the relationship between the carrot and the stick.

So what we did in DCMS, and again a bit of context: DCMS does have ministers who are capable of introducing legislation. The way legislation works in the United Kingdom is that roughly every year you have a parliamentary session, and the legislative agenda for that session is outlined in what's called the Queen's Speech, which is done by the Queen, now the King, and that outlines all of the agenda. Now, in order to get into that speech, you have to be one of two things: you either have to be included within the manifesto of the winning party, which clearly calls out that "we will do this piece of legislation," or there are a number of small options for someone who can fight to get the right into that speech. And just to be clear, we were not included; it was not explicitly called out in the manifesto. So the challenge for us as a team was, if we thought this was a significant issue, we needed to make sure that we were pushing ourselves to get into that second category. So I guess how we thought about it as an approach was: maybe the way to do it is you basically have to call out good practice as your first objective, and, to Kat's point, have a hard baseline, whilst also supporting it through assurance schemes and also legislation.

So, quickly going through the Secure by Design approach, which ran from 2018 to 2023: we would codify, just to define what we mean by good practice, share it, and support it. We used to talk about this idea of having something that we could constantly be sharing and asking for feedback on, constantly iterating our approach, whilst also building partnerships with different countries and learning from what their experience was, of course recognizing that they exist with a different legislative agenda and a different way of running government, whilst also seeking insights. I can't overstress how valuable it was for us to get engaged with members of the security research community, many of whom are involved in the DEF CON policy community here, so huge
thanks, and there's a constant attempt to get more engagement with that community. So in 2018 we published what was called the Code of Practice. The Code of Practice, to Kat's point again, is 13 points, outcome-focused, very general, but points which would be defining: had Mirai happened, or in order to try and prevent Mirai from happening again, these things need to be in place. What we tried to do was push it and make sure it was available in as many languages as we could. We know of course the UK is a relatively small market compared to the United States and other areas, so we tried to say, by no means are we saying this is the best possible solution and this is the perfect fix, but here is an option, and if you like it, please feel free to use it in whatever way you want, and you can share that input with us. So we shared it in lots of different languages and tried to make sure that we could get that done.

So, pushing work with partnerships: we worked with a lot of different organizations, whether that's through standards development organizations such as ETSI and ISO, also working with assurance scheme providers, and other governments and other government departments. Another challenge that faces government departments in the United Kingdom is that you have ministerial portfolios which are defined by the Prime Minister and can change, and so what you end up with is historic and legacy departments which have an existential interest in that policy area, and so you end up with many multiple different ministers that you have to gain engagement with. So it's important to have a cross-government approach, which can slow things down, but again, if you're open and transparent with what your approach is and how you're hoping to deal with it, I think that actually helped to accelerate the process. Of course we had to engage a lot with industry, and also make sure we were engaging with consumers and consumer associations.

One piece of work that we worked very heavily on was helping to support the development of international standards. We worked closely with a standards body based in Europe called ETSI, and they created a piece of work called ETSI 303 645. Really, for me, the learning was that it's not just about... I think that geopolitically it can get quite tense if you're saying "we've got the perfect solution in the United Kingdom and you should all do that," when actually we should just share something and ask for feedback, ask for comments, and help make that idea more robust and develop it further. I think enabling this process to go over to those kinds of organizations was incredibly empowering, to support the development of those standards. What that also meant was we were creating that shared common language, which could then be used through assurance schemes and through legislation and through other different approaches as well. Something else that we realized is, to Kat's point as well,
It's not as though we want one standard to rule them all Because but there is a lot of commonality and consensus I felt as though in the engagements that we were having that this idea that there are multiple standards was almost simple math as it's a symptomatic of Government or industry does not quite knowing what to do Whereas actually I think What we could see from the multiple different outputs in standards bodies was there was a lot of consensus and it was incredibly important to Have this sort of mapping of that process to show that actually yes You had all these different, you know I say 27402 and Etsy 30645 and many many others But actually there's a vast majority of overlap and Agreement and that's something to be celebrated rather than something that we should just try and point to these different outputs as well So I found that really important for us And that's something that I think was was helpful to to help not just frame this as a UK approach But frame is something which you know, we had published the code, but now we wanted to try and see how we can make this go further So in 2019 we held a consultation where we asked the series of questions which were you know Should we do legislation if we did legislation what kind of level would that look? Like and we also developed a potential consumer labelling scheme to ask for feedback on And what was really interesting is? yep So what was really interesting Was that it showed? 
near universal support for legislation, but an interesting dichotomy between those who supported and didn't support the label, which sounded like a similar kind of 50/50 split. You had one school of thought which was: this is a really helpful way to break through and raise awareness, and to make sure that you are getting rid of the default password once and for all. But also there's this idea that actually it could give people a false sense of security, that it's much more secure than it really is. And if you make it voluntary, it also would be challenging for us to have that, because you would potentially end up with organizations that were going far further already, and if we were now saying the minimum baseline was you needed to just have a coordinated vulnerability disclosure program and have no default password, then actually the quality of security might go down. And that was definitely something that we didn't want to see in the UK, and that was some of the feedback that we heard in that approach. So again, that was in 2020. We had the call for views on the legislative approach, and we talked through the various approaches of what the potential enforcement approach might look like, what the obligations would be on the organizations, and what the security requirements would be. And we made sure that we were pushing that. But, as I was saying, back to the sort of graph with the caring and knowing, we wanted to make sure we were supporting assurance schemes as well, and training. So we invested some grant funding for small and medium-sized enterprises who were, you know, wanting to enter this space for the first time, so they could learn a bit more about what it meant to implement a coordinated vulnerability disclosure program, and they were all free of charge.
We supported a third party to create that. And also we created, through grant funding, a series of assurance schemes for smart televisions and children's toys, and also a self-assessment framework that organizations could use for themselves to assess against that. So again, trying at the same time to communicate that we were, on the one hand, looking to raise the bar and looking to develop legislation, but also supporting companies to help them face it, sort of to help lower that hurdle. So something again that we were doing a lot in the government, and I'm sure, you know, all governments do, is to try to track and assess: is this a threat? Is this an issue that we definitely need to solve through legislation? Because in an ideal world, you know, when we first started we thought we'd publish the code and companies would just immediately do it, because we'd published good practice and we thought that would be helpful. I think we had to make sure that we tracked and assessed, through surveys and through other engagements, to see how prevalent bad practice is and how much of it is changing over time.
So there was an organization called the Internet of Things Security Foundation, which could look at the adoption of coordinated vulnerability disclosure programs, to say, you know, it was about 8 percent, 10 percent, 12 percent, which in the market was just, you know, we were looking at maybe closing the gap by about two thousand two hundred. So we thought this wasn't really working in the way we needed it to, which helped us to really amplify the need for legislation. So in 2021 we had another call for views where we shared the approach, and we were able to gain ministerial feedback. So we then went to ministers and said: this is a really important issue, and we have solicited feedback from a wide range of organizations, and we think clearly there is a need for legislation here. Again, engaging directly with the security community, in some cases it was so helpful for me to be able to have some clear examples, maybe some in the press, some that worked in the press, to be able to share and say, you know, these are the kinds of harms that could exist for citizens if we're not doing something about this. That was really empowering to help us engage with ministers, and we were successful in securing that support, both in February and then in May, through that engagement able to actually get it into the Queen's Speech and then introduced into Parliament. Something that's probably worth mentioning, and I know we're running short of time, is when you introduce something into Parliament you have to have what's called an impact assessment, which is an assessment of the financial costs and benefits associated with delivering legislation, as opposed to just leaving things as they are. And those are very, very challenging to evidence in a world where, you know, information sharing isn't commonplace. And so that was something that we had to consult on and secure some information, but also have some assumptions. So I guess my plea to all of you is, you know,
there is active engagement to try and secure more support, and to secure more on how we can collect evidence to support the future development of legislation. So just back to the story: we developed it through Parliament and we got Royal Assent in December 2022, which meant that it's now an Act. And what that has meant is that we have a framework which enables Parliament to define the minimum requirements for this category of devices, and in July 2023 the UK government introduced a series of regulations, which are the definitions of what the minimum requirements are: so no default passwords, making sure that you have a coordinated vulnerability disclosure program, and making sure that at the point of sale the product has clear information about how long that product will be supported with security software updates. So what that means is that by the 29th of April 2024, in the UK, that will then become law and it will be enforced by an enforcement authority. You can report if you think there are any of these products which are not meeting those requirements, and that will then include a fine if they continue to not do that. So I think that, I know, in the UK, that was the process we went through to get to legislation, at a very high level. I think in the UK as well there's a lot of work, and Cat was mentioning the work on routers. There is work that's happening on enterprise devices, the devices used within enterprises and businesses, and I think that's a really important topic, and I'm looking forward to seeing how that work develops. So just back to here, and I think we talked a little bit about the work of labels and interoperability versus alignment. But Cat, do you have any particular views that you'd like to talk about, maybe on the interoperability side,
that you'd like to mention?

So I will try to be brief, which seems to be a problem for me. We hear consistently, and I think it's a valid concern, from the producers of products who say: hey, all of you have got to get together, because it is a global marketplace. We cannot be having product A for the US, product B for Singapore, product C for the EU, product D for the UK. You all have to kind of get on the same page. At the same time, though, we are all so different, right? Some countries, like the European Union, have very top-down regulatory approaches, very prescriptive requirements, right? In the US, we tend to take more of a voluntary approach, and we provide broad guardrails, and we tell the private sector: as long as you kind of stay within these guardrails, we let you manage your own risk. It's only when you step outside of those guardrails that there's enforcement. And also we all have such different manufacturing bases, right? In the US there's a different sort of spirit of innovation and, you know, small businesses. Again, everybody's very different. So how can we all agree on exactly the same requirements? So we hear a lot: you all need to align, you all need to, like, say the same thing and do the same thing. And I think that's such a challenge.
I think also, in a world where there are inevitably the geopolitical tensions of countries not wanting to be seen to be ceding that responsibility, but also, I think, so how can we have parliaments' opportunity to respect that, and also recognizing that every country wants to be enabling that approach to be interoperable with what the other countries are also doing. So I really feel as though the more we can support and signpost the fact that it's great work here, and if you're doing this, that's interoperable. But I also feel as though it's inevitably, from a political standpoint, always going to be problematic to aim for overarching kind of alignment.

Exactly, exactly. So to me, I think the key is, as long as we don't actually conflict on requirements, and as long as, you know, dare say, somebody says you have to build, you know, legal enforcement access into your process, and another country says we don't have that requirement, we require just the opposite, I think this could work.

But I do think that... I think, yes, we've got questions here. We've got five minutes left. So please, sorry, question.

So I think that you're right that the delta is important, but I think so too is the commonality. And I think, again, much of the regulatory approaches have been designed to not be over-burdensome, and so focusing on getting the core principles, the core basics, right. So actually I do think that, you know, often the difference is about the implementation as opposed to the expectations. So the expectations, I think, are quite similar, so tools like standards mapping tools, perhaps regulatory mapping tools, would be a helpful approach as well, to see how these regulations and the expectations within them do differ. That could be a helpful tool as this matures. Yeah.
Yeah, yeah. I do want to call attention to the Connectivity Standards Alliance, which some of you are nodding at, so you've obviously heard of them. They are undertaking an effort where they are coming up with what you might call, like, a super specification, and it takes the requirements of Singapore's label, it takes the requirements of Germany's label, the EU, what the UK is doing, what the US is doing, and they are actually creating a set of requirements where, where they overlap, it's the same requirement, and they're adding anything that goes beyond it. I don't think they have found anything that conflicts. And what their dream is, is that when they finish with the specification, if you meet the specification you are guaranteed to meet every single country's requirements. And they're hoping that you'll actually be able to build a certification program out of that and say you go through the testing process once, but that test report can then meet every single country's requirements. So while we are not completely aligned, there can be interoperability, I hope.

Even between yourselves?

It depends. Depends. I mean, with the US and the UK I think we have a very strong collaboration going back, and so we are able to share a lot of information. I think countries like the EU, you know, they have their CRA, if you're all tracking that, right, which is coming down the path, which is quite IoT and all the IoT back-end components kind of connected.
They tend to have a more rigorous process. I don't think they have as much flexibility to engage, because they are very regulatory. So it depends, I think, you know, and then you've got the Quad and you've got all these different fronts. And I think everybody wants to engage, but I think some countries are more constrained than others. And if I may, sorry, highlight the other challenge as well: the way NIST works is we engage with our stakeholders. We don't ever unilaterally say we believe this is a requirement, and we don't negotiate. And I don't sit down with Peter and say, yeah, my stakeholders told me this is really important, but because you guys don't have it, yeah, I'll go ahead and drop it, even though I've got two and a half thousand comments that I got during the public comment period that said, Cat, you need to add this. So it is hard to stay in lockstep, because we have our processes to follow.

Yep. But I do think that it has been so helpful to hear and listen to what you have been hearing and to see how it aligns with us. And also, you know, we talked about consumer labeling, we talked about the importance of consumer awareness, and I do feel that that is an incredibly empowering tool. But also the sense of information sharing as much as possible, you know: how can we signpost when we do publish information?
Of course, all government employees are very focused on their own countries and what they're doing, but actually it has been really helpful for Cat to send us an email saying, hey, we just published this new report, please, you know, just so it's on your radar, so that I can review it, but also I can share it with communities in the UK. And every now and then we can say, you know, these are the kinds of consultation processes that are taking place, to try and maximize the impact where it's appropriate and we can do so. So again, I think that's helpful. But I'm seeing waving at me that we are running short of time, so I'm very, very sorry for that. If you'd like to continue the conversation, please do, and feel free to give us a card. And can I say a huge thank you to Cat Megas as well for joining today. It was great to come in, and thank you very much all for taking part. Thank you.