A new law will require manufacturers, importers and distributors of digital tech which connects to the internet or other products to make sure they meet tough new cyber security standards – with heavy fines for those who fail to comply.
The Product Security and Telecommunications Infrastructure Bill (PSTI), introduced to Parliament, will allow the government to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products.
The Bill will also speed up the rollout of faster and more reliable broadband and mobile networks by making it easier for operators to upgrade and share infrastructure. The reforms will encourage quicker and more collaborative negotiations with landowners hosting the equipment, to reduce instances of lengthy court action which are holding up improvements in digital connectivity.
Minister for Media, Data and Digital Infrastructure Julia Lopez said:
Every day hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft.
Our Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.
The ownership and use of connected tech products has increased dramatically in recent years. On average there are nine in every UK household, with forecasts suggesting there could be up to 50 billion worldwide by 2030. People overwhelmingly assume these products are secure, but only one in five manufacturers have appropriate security measures in place for their connectable products.
Cyber criminals are increasingly targeting these products. A recent investigation by Which? found a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week.
And, in the first half of 2021, there were 1.5 billion attempted compromises of Internet of Things (IoT) devices, double the 2020 figure. The UK’s National Cyber Security Centre last week revealed it had dealt with an unprecedented number of cyber incidents over the past year.
Currently the makers of digital tech products must comply with rules to stop them causing people physical harm from issues such as overheating, sharp components or electric shock. But there is no regulation to protect consumers from harm caused by cyber breaches, which can include fraud and theft of personal data.
The PSTI Bill will counter this threat by giving ministers new powers to bring in tougher security standards for device makers. This includes:
- A ban on easy-to-guess default passwords that come preloaded on devices – such as ‘password’ or ‘admin’ – which are a target for hackers. All passwords that come with new devices will need to be unique and not resettable to any universal factory setting.
- A requirement for connectable product manufacturers to tell customers at the point of sale, and keep them updated, about the minimum amount of time a product will receive vital security updates and patches. If a product does not come with security updates, that must be disclosed. This will increase people’s awareness of when the products they buy could become vulnerable so they can make better informed purchasing decisions. Nearly 80 per cent of these firms do not have any such system in place.
- New rules that require manufacturers to provide a public point of contact to make it simpler for security researchers and others to report when they discover flaws and bugs in products.
The Bill places duties on in-scope businesses to investigate compliance failures, produce statements of compliance, and maintain appropriate records of this.
This new cyber security regime will be overseen by a regulator, which will be designated once the Bill comes into force, and will have the power to fine companies for non-compliance up to £10 million or four per cent of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.
The regulator will also be able to issue notices to companies requiring that they comply with the security requirements, recall their products, or stop selling or supplying them altogether. As new threats emerge or standards develop, ministers will have the power to mandate further security requirements for companies to follow via secondary legislation.
The new laws will apply not only to manufacturers, but also to other businesses including both physical shops and online retailers which enable the sale of millions of cheap tech imports into the UK.
Retailers will be forbidden from selling products to UK customers unless they meet the security requirements and will be required to pass important information about security updates on to customers.
The Bill applies to ‘connectable’ products, which includes all devices that can access the internet – such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants and smart home appliances such as washing machines and fridges.
It also applies to products that can connect to multiple other devices but not directly to the internet. Examples include smart light bulbs, smart thermostats and wearable fitness trackers.
NCSC Technical Director Dr Ian Levy, said:
I am delighted by the introduction of this bill which will ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security.
The requirements this bill introduces – which were developed jointly by DCMS and the NCSC with industry consultation – mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice.
Just one vulnerable device can put a user’s network at risk. In 2017, attackers infamously succeeded in stealing data from a North American casino via an internet-connected fish tank. In extreme cases hostile groups have taken advantage of poor security features to access people’s webcams.
The government intends to exempt some products – for instance, where it would subject them to double regulation or not lead to material improvements in product or user security. This includes vehicles, smart meters, electric vehicle charging points and medical devices.
Desktop and laptop computers are not in scope because they are served by a mature antivirus software market, unlike smart speakers and other emerging consumer tech. Operating systems on laptops and PCs already include security features which means they are not subject to the same threats and risks.
Second-hand connectable products will be exempt due to the impractical obligations that including them would put on consumers and businesses disproportionate to the likely benefits. However, the Bill gives ministers powers to extend the scope of the Bill as cyber threats and risks change in future.
Owners of consumer connectable products are encouraged to take action to ensure that they are using their devices safely, including following Cyber Aware guidance on improving online security. NCSC has also published guidance on using smart devices safely in the home.
Rocio Concha, Which? Director of Policy and Advocacy, said:
Which? has worked with successive governments on how to crack down on a flood of poorly-designed and insecure products that leave consumers vulnerable to cyber-criminals – so it is positive that this Bill is being introduced to parliament.
The government needs to ensure these new laws apply to online marketplaces, where Which? has frequently found security-risk products being sold at scale, to prevent people from buying smart devices that leave them exposed to scams and data breaches.
Telecoms infrastructure reforms
Today the government also published its response to a consultation on proposed changes to the Electronic Communications Code (ECC).
Telecoms operators and landowners are experiencing difficulties when negotiating requests for rights to install, use and upgrade telecoms infrastructure. These issues have slowed down the rollout of better mobile and broadband coverage for some homes and businesses, with negotiations taking longer than they should and some cases ending up tangled in lengthy and costly court proceedings.
Further problems include landowners failing to reply to requests to access land for network deployment, and strict limitations on operators’ ability to upgrade and share their equipment which are stopping existing networks being used as efficiently as possible.
The PSTI Bill will tackle many of these issues through a range of measures designed to foster more collaborative and quicker negotiations, and better working relationships between mobile network operators and landowners. This includes:
- A new requirement for telecoms operators to consider the use of Alternative Dispute Resolution (ADR) – a way of resolving disputes that does not involve going to court such as mediation or arbitration – in cases where there are difficulties in agreeing terms. Operators will also be required to explain the availability of ADR as an option in their notices to landowners.
- New automatic rights for operators to upgrade and share underground infrastructure – such as fibre optic cables – which were installed prior to the 2017 Code reforms and are not currently covered. This is in cases where there will be no impact on private land or burden on the site provider.
- New rules to allow operators to apply for time-limited access to certain types of land more quickly where a landowner does not respond to repeated requests for permission.
- New provisions to speed up negotiations for renewal agreements. Operators who already have infrastructure installed under an expired agreement will have the right to either renew it on similar terms to those for new agreements, or request a new one.
The measures are vital for the government-led £1 billion Shared Rural Network which will roll out fast and reliable 4G coverage to 95 per cent of UK landmass, as well as hitting the government’s target of 85 per cent gigabit-capable broadband coverage by 2025 and for the majority of the population to be in reach of a 5G network by 2027.