UK introduces cybersecurity bill to harden standards for IoT devices
The United Kingdom (UK) government has introduced a new cybersecurity bill to bring in tough standards with heavy fines for those who fail to comply. The bill will also eradicate default passwords and force companies to be more transparent to customers regarding security fixes.
According to the proposed law, companies could face fines up to £10 million or 4% of their global turnover if they fail to meet the standards. The bill follows a 2019 consultation and a 2020 call for views. Noting the importance of the step, it observes that the notorious ‘Mirai’ botnet left much of the US East Coast without Internet after infecting 300,000 products such as routers and smart cameras and using them to attack major internet platforms and services.
The Proposed Law
The bill in the discussion here is the Product Security and Telecommunications Infrastructure (PSTI) Bill. The Department for Digital, Culture, Media & Sports (DCMS) introduced the bill in Parliament on Wednesday.
At the moment, device makers only have to ensure that devices don’t cause harm to people because of overheating, electric shock, or sharp components. The new bill proposes to extend that responsibility and force device makers to protect consumers from cybersecurity/ data breaches.
The new bill will ensure that:
- internet-connected devices such as smart TVs, cameras, speakers, etc. are resilient to cyber attacks.
- require manufacturers, importers, and distributors to comply with new security requirements.
- create an enforcement regime with civil and criminal sanctions in order to prevent availability of insecure products in the UK market.
- give powers to ministers to lay down minimum security standards.
- ban default passwords such as ‘admin’ and ‘password’.
- require products to have a vulnerability disclosure policy.
- require manufacturers to tell consumers about the length of time for which the product will receive important security updates.
The proposed bill will bring within its purview smartphones, connected cameras, TVs, speakers, children’s toys and baby monitors, connected door locks, IoT base stations and hubs, wearable devices, connected appliances like washing machines and fridges, as well as smart home assistants.
Product Security Factsheet
A product security factsheet accompanies the UK cybersecurity bill. Besides recognising the impact of the Mirai botnet, it also makes the following observations:
- Connected products with lowest standard of security represents the most-likely entry point for an attacker to access data across the network.
- The growing adoption of IoT devices, with microphones and cameras embedded in them can be used for fraud and may also cause domestic harm.
- An average UK houehold and nine consumer connectable products. The number is growing as 67% of the households purchased two additional products during Covid.
- Less than 20% of consumers take action to address security of their device. Consumers often think that the prroduct is secure. Further, only 1 in 5 manufacturers maintained systems to disclose security vulnerabilities.
Do subscribe to our Telegram group for more resources and discussions on tech-law & policy. To receive weekly updates, don’t forget to subscribe to our Newsletter.