UK gov introduces cyber bill designed to clamp down on insecure devices

Law could prevent sale of smartphones, TVs, speakers, toys, and other digital devices that fail to meet minimum security requirements

Companies could be fined up to £10 million or 4% of their global turnover if they sell digital products that fail to protect consumers from being hacked.

Manufacturers, importers, and distributors of digital tech will be required to make sure the devices meet new security standards under a new law proposed by the UK government - with heavy fines for those who fail to comply.

The Product Security and Telecommunications Infrastructure (PSTI) Bill, introduced to Parliament on Wednesday, will allow the government to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products.

At present, digital device manufacturers must comply with rules to stop them from causing people physical harm from issues such as overheating, sharp components, or electric shock. But there is no regulation to protect consumers from harm caused by cyber breaches, which can include fraud and theft of personal data.

The bill will give the government new powers to bring in tougher security standards for device makers.

The tougher standards include a ban on easy-to-guess default passwords that come preloaded on devices - such as ‘password’ or ‘admin’ - which are a target for hackers. All passwords that come with new devices will need to be unique to the device and must not be resettable to a universal factory default.

The new law will also require connectable product manufacturers to tell customers at the point of sale, and keep them updated, about the minimum amount of time a product will receive vital security updates and patches. If a product does not come with security updates, that must be disclosed to the customer.

This will increase people’s awareness of when the products they buy could become vulnerable so they can make better-informed purchasing decisions, according to the government. Nearly 80% of the firms targeted by the bill currently have no such system in place, the government said.

There will also be new rules that require manufacturers to provide a public point of contact to make it simpler for security researchers and others to report when they discover flaws and bugs in products.

This new cyber security regime will be overseen by a regulator, which will be designated once the bill comes into force, and will have the power to fine companies for non-compliance up to £10 million or 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.

The regulator will also be able to issue notices to companies requiring that they comply with the security requirements, recall their products, or stop selling or supplying them altogether. As new threats emerge or standards develop, ministers will have the power to mandate further security requirements for companies to follow via secondary legislation.


NCSC technical director Dr. Ian Levy said the bill would “ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security”.

“The requirements this bill introduces – which were developed jointly by DCMS and the NCSC with industry consultation – mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice,” he added.
