New smart device cybersecurity laws one step closer

Digital Secretary Nadine Dorries is set to open the debate on a new law to boost cyber protection for smartphones, TVs, speakers, routers and digital devices.

MPs are set to debate a world-famous new law to protect consumers’ phones, tablets, smart TVs, fitness trackers and other devices from cybercriminals.

It will place new cybersecurity requirements on manufacturers and vendors of consumer technologies that can connect to the internet or other devices.

Under the bill, easy-to-guess default passwords that are programmed into digital devices and present an easy target for cybercriminals will be banned.

Manufacturers will need to be more transparent with customers about how long connectable products will receive security updates, and create a better system for public reporting of vulnerabilities found in these products.

Failure to comply with the measures could lead to fines of up to £10 million or 4% of global turnover, plus up to £20,000 per day for ongoing breaches.

Before introducing the Bill to the House of Commons, Digital Secretary Nadine Dorries said:

Whether it’s your phone, smart speaker, or fitness tracker, it’s essential that these devices are protected from cybercriminals.

Every product on our shelves has to meet all sorts of minimum requirements like being fire resistant or choking hazard proof and that’s no different in the digital age where products can now carry a cybersecurity risk.

We legislate to protect people across the UK and keep pace with technology transforming our daily lives.

The bill will give ministers the power to impose new requirements on manufacturers, importers and distributors of consumer technology devices. They include:

  • Disallow universal default passwords that are preset on devices – such as “password” or “admin” – and are an easy target for cybercriminals. All preloaded product passwords shall be unique and non-resettable to universal factory settings.
  • Require device makers to be transparent with consumers about how long they will provide security updates for products, so that people are better informed when buying. If a product does not receive any security updates, the customer should be notified.
  • Ensure manufacturers have an easily accessible public point of contact to facilitate reporting of software defects and bugs.

The bill will also accelerate the deployment of faster and more reliable broadband and mobile networks by making it easier for operators to upgrade and share infrastructure. The reforms will encourage faster and more collaborative negotiations with landowners hosting the equipment in an effort to reduce instances of lengthy lawsuits delaying the construction of infrastructure.

A regulator, to be announced later, will oversee the new cybersecurity regime and ensure that affected companies comply with the measures in place. It will have the power to issue notices to companies asking them to comply with security requirements, recall unsafe products, or stop selling or supplying them altogether.

The bill applies to ‘connectable’ products. This includes all devices that can access the internet such as smartphones, smart TVs, game consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants, and smart home appliances such as washing machines and refrigerators.

This also applies to products that can connect to several other devices but not directly to the internet. Examples include smart bulbs, smart thermostats, and wearable fitness trackers.

Matthew Evans, Markets Director, techUK said:

The industry has long supported the shared ambition to improve the cyber resilience of devices and has worked with the DCMS under the Secure-By-Design program for the past five years.

Most providers already adhere to the principles of the legislation and, if implemented in practice, this will protect consumers and ensure they have access to a wide range of connected devices.

techUK also welcomes the government’s efforts to reform the electronic communications code, which is essential to accelerate the deployment of gigabit and 5G infrastructures. The industry is eagerly awaiting clarification on changes to the Code to ensure we can deliver the connectivity consumers and businesses need.

Hamish MacLeod, Managing Director of Mobile UK, said:

Mobile operators need a strong legal framework to meet UK connectivity ambitions. The Electronic Communications Code as it stands does not work.

Mobile operators welcome the measures contained in this bill which will tackle this problem and will engage closely with Parliament to ensure that it achieves this goal.