The UK Government has introduced new legislation which will improve the security of smartphones, IoT devices and connected appliances.
The Product Security and Telecommunications Infrastructure (PSTI) Bill will require the manufacturers, importers and distributors of consumer connectable products to comply with cyber security good practices. According to the Government the regulations that flow from the new law will:
Ban default passwords. Products that come with default passwords are an easy target for cyber criminals.
Require products to have a vulnerability disclosure policy. Security researchers regularly identify security flaws in products, but need a way to notify manufacturers of the risk they have identified, so that the manufacturer can act before criminals take advantage. The Bill will provide measures to help ensure any vulnerabilities in a product are identified and flagged.
Require transparency about the length of time for which the product will receive important security updates. Consumers should know if their product will be supported with security updates, and if so, what the minimum length of time is that they can expect that support to continue.
The average UK household currently has 9 consumer connectable devices, many of which lack basic cyber security protections. The government estimates that the UK economy loses £1 billion a year through cyber attacks such as DDoS – and poorly secured consumer and IoT devices make up much of the botnet infrastructure that powers these attacks.
This new legislation has just started being considered by Parliament and is not yet in force, and the Government has said at least 12 months’ notice will be provided for the precise regulations to give suppliers time to comply.
Failure to comply with the new regulations could be costly, attracting fines of up to £20,000 per day. This new legislation applies only to consumer products, not those aimed at businesses.
Another new piece of legislation which has now come into force (in November 2021) is the Telecommunications (Security) Act 2021. This new law places a duty on telcos to take security measures, both by following good practice and by following specific instructions defined by the NCSC. It also requires them to take action in the event of a security compromise – including the ability to require them to take specific actions through new regulations. OFCOM is the regulator with the powers to monitor and enforce this new law, and fines for non-compliance can reach £100,000 per day or 10% of turnover for the business.
While any reasonable Security Manager may shake their head in wonder that telcos need a law to force them to follow appropriate cyber security practices, the resulting regulations may end up defining a useful benchmark of ‘the minimum cyber security required’ that other large organisations can use to help justify their own cyber security budgets.