Brian Sims
Editor
Brian Sims
Editor
THE COUNTDOWN has begun in relation to a new regime designed to set the minimum security standards for all consumer products with Internet connectivity. That regime will come into effect in less than 12 months, thereby rendering the UK the first country in the world to introduce such protections.
The new Product Security and Telecommunications Infrastructure Act will come into force on 29 April next year, at which point consumers and businesses will benefit from “world-first protections” against potentially insecure tech. The telecoms and technology industries – and those manufacturers resident within – must now prepare for the implementation.
Measures outlined include requirements for manufacturers to implement minimum security standards on all consumer products with Internet connectivity – among them smart phones, smart speakers, games consoles and smart doorbells – before they can be made available for purchase.
In bringing forward this new regime, the UK becomes the first nation to require minimum protections for consumers and businesses using these devices in the face of cyber security risks. Interestingly, this new regime has only been made possible by the freedoms gained through Brexit, which grants the Government the ability to implement sector-specific regulations.
This new regime will help deliver on one of the Government’s five stated priorities to grow the economy by increasing consumer confidence and protection in the products those consumers buy and use.
Increased protections
Viscount Camrose, Minister for Artificial Intelligence and Intellectual Property, said: “These new regulations coming into force next April will transform how we protect and secure consumer devices with an Internet or network connection.
When this regime comes into force, every household and business in the UK buying a new connectable product will benefit from increased protections.”
Viscount Camrose continued: “We’ve laid the foundations for a new system to protect our consumers and businesses, while also supporting technological innovation. We’ll now work closely with industry over the next 12 months as we prepare for its implementation.”
The new measures will introduce a series of improved security protections to tackle the threat of cyber crime. These will include:
*the banning of universal default and easily guessable default passwords on consumer connectable products
*increased manufacturer transparency on how long products will continue to receive security updates, which will provide standardised security information to better inform consumer purchasing decisions
*manufacturers being required to make customers aware of a product’s security update support period before allowing product purchases on the manufacturer’s website
*device manufacturers being required to publish contact information, in turn allowing vulnerabilities relating to their devices to be reported
Heart of technology design
Lindy Cameron, CEO of the National Cyber Security Centre, commented: “The National Cyber Security Centre welcomes these new standards, which will put security at the very heart of technology design and ensure the connected devices that consumers rely on each day are secure from the outset.”
Further, Cameron noted: “Up until now, there has been an unreasonable expectation for ordinary users to shoulder the burden of cyber risk. The National Cyber Security Centre will continue to support manufacturers in implementing the necessary changes.”
When in effect, the new regime will result in visible changes for consumers as they move through the purchasing process, with new information on security updates and support periods being available to inform purchasing decisions. If a product is being purchased directly from a manufacturer’s website, the measures will require its support period to be clearly advertised alongside the usual product specifications.
Further, the Government is engaging with online marketplaces in preparation for the changes, exploring how they can work to complement these changes and further protect consumers.
Cyber security assurance
John Moor, co-founder and managing director of the Internet of Things (IoT) Security Foundation, explained: “The IoT Security Foundation welcomes this announcement as it brings important cyber security assurance to consumers and the networks they connect to worldwide. It’s the culmination of a lot of hard work and determination by many stakeholders, over several years, including consultations with our members.”
Moor stated: “It’s notoriously difficult to make sure that regulation is completely right, and notably so as the nature of cyber attacks change and new vulnerabilities are discovered over time. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations, and the new regime as a whole, not only includes requirements that help to address immediate challenges, but the underpinning method also anticipates the need for new requirements to be added without stifling innovation or adding unwelcome business costs.”
In conclusion, Moor enthused: “This is truly a milestone moment in the support of global digital transformation, making connecting to the digital world much safer. We applaud its introduction and encourage policymakers worldwide to work with this new regime as it’s in our common interest to avoid fragmentation and minimise complexity.”
Offering individuals and businesses across the country point-of-access protection in accessing online services through connectable devices does indeed stand as a watershed moment and, according to the Government, will firmly establish the UK as “a global leader” in the field of consumer-focused cyber security.
