Manufacturers, importers, retailers and other distributors of insecure consumer connectable devices in the UK are set to face onerous new obligations (and the prospect of huge fines) under the Product Security and Telecommunications Infrastructure (PSTI) Bill, which has recently been introduced to Parliament. The Bill has two parts: one covers product security, which we look at in this Passle; the other covers telecoms infrastructure. The Bill follows consultations in 2019 and 2020.
As the UK Government notes, consumer connectable products are a huge growth area: forecasts suggest there could be up to 50 billion connectable products worldwide by 2030, and UK households already own nine on average. The privacy aspects of connected tech have been widely written about. However, the Government is also concerned that the adoption of cyber security requirements within these products is poor: only 20% of manufacturers embed basic security requirements in consumer connectable products, yet consumers overwhelmingly assume these products are secure.
The product security measures in the Bill would:
- ensure that consumer connectable products, such as smart TVs, internet-connectable cameras and speakers, are more secure against cyber attacks, protecting individual privacy and security. Some products will be exempt, either because of the specific circumstances of how they are constructed and secured (desktop computers and laptops) or to avoid double regulation (smart meters, automated vehicles and medical devices);
- require manufacturers, importers and distributors to comply with new security requirements relating to consumer connectable products; and
- create an enforcement regime with civil and criminal sanctions aimed at preventing unsecure products being made available on the UK market.
The security requirements, which would be set out in secondary legislation (regulations), would:
- ban universal default passwords, i.e. the same factory-set credential shipped on every unit, as they are an easy target for cyber criminals;
- require products to have a vulnerability disclosure policy. Security researchers regularly identify security flaws in products but need a way to notify manufacturers of the risks identified, so that manufacturers can act before criminals take advantage. The Bill provides measures to help ensure that any vulnerabilities in a product are identified and flagged; and
- require transparency about the length of time for which a product will receive important security updates. Consumers should know whether a product will be supported with security updates and, if so, the minimum period for which they can expect that support to continue.
The PSTI Bill allows for the creation of a Regulator with the power to fine companies for non-compliance up to £10 million or 4% of their global turnover, whichever is greater, as well as up to £20,000 per day during ongoing breaches.
The proposed new Regulator could also compel firms to recall their products or to stop selling them altogether. It is not yet known who the new Regulator would be. Those involved in manufacturing, importing, distributing or selling consumer connectable products should keep a close eye on this proposed new law and look to ensure that their supply and distribution chains can comply as well.
Taken as a whole, the PSTI Bill supports the rollout of future-proof, gigabit-capable broadband and 5G networks, and better protects citizens, networks and infrastructure against the harms enabled through insecure consumer connectable products.