New Cyber Laws
By Simon Lincoln | 30 Nov 2021
New cyber laws to protect people’s personal tech from hackers
Consumers will be better protected from attacks by hackers on their phones, tablets, smart TVs, fitness trackers and other internet-connectable devices thanks to a new world-leading law introduced this week by the government.
Bill to better protect people’s smartphones, TVs, speakers, toys and other digital devices from hackers
Will prevent the sale of consumer connectable products in the UK that do not meet baseline security requirements
Comes as research shows four in five manufacturers of connectable products do not implement appropriate security measures
Includes plans for fines up to £10 million or up to 4 per cent of global revenue for firms failing to comply
A new law will require manufacturers, importers and distributors of digital tech which connects to the internet or other products to make sure they meet tough new cyber security standards - with heavy fines for those who fail to comply.
The Product Security and Telecommunications Infrastructure Bill (PSTI), introduced to Parliament this week, will allow the government to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products.
Cyber criminals are increasingly targeting these products. A recent investigation by Which? found a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week.
And, in the first half of 2021, there were 1.5 billion attempted compromises of Internet of Things (IoT) devices, double the 2020 figure. The UK’s National Cyber Security Centre last week revealed it had dealt with an unprecedented number of cyber incidents over the past year.
The PSTI Bill will counter this threat by giving ministers new powers to bring in tougher security standards for device makers. This includes:
A ban on easy-to-guess default passwords that come preloaded on devices - such as ‘password’ or ‘admin’ - which are a target for hackers. All passwords that come with new devices will need to be unique and not resettable to any universal factory setting.
A requirement for connectable product manufacturers to tell customers at the point of sale, and keep them updated, about the minimum amount of time a product will receive vital security updates and patches. If a product does not come with security updates, that must be disclosed. This will increase people’s awareness about when the products they buy could become vulnerable so they can make better informed purchasing decisions. Nearly 80 per cent of these firms do not have any such system in place.
New rules that require manufacturers to provide a public point of contact to make it simpler for security researchers and others to report when they discover flaws and bugs in products.
The Bill places duties on in-scope businesses to investigate compliance failures, produce statements of compliance, and maintain appropriate records of this.
The new laws will apply not only to manufacturers, but also to other businesses including both physical shops and online retailers which enable the sale of millions of cheap tech imports into the UK.
The Bill applies to ‘connectable’ products, which includes all devices that can access the internet - such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants and smart home appliances such as washing machines and fridges.
It also applies to products that can connect to multiple other devices but not directly to the internet. Examples include smart light bulbs, smart thermostats and wearable fitness trackers.
Just one vulnerable device can put a user’s network at risk. In 2017, attackers infamously succeeded in stealing data from a North American casino via an internet-connected fish tank. In extreme cases hostile groups have taken advantage of poor security features to access people’s webcams.