The government has announced new Security by Design laws that will require manufacturers of smart devices, such as phones, speakers and doorbells, to tell customers upfront how long a product is guaranteed to receive vital security updates. The plans aim to protect people from cyber attacks.
It has issued figures showing that 49% of UK residents have purchased at least one smart device, such as a smart watch or TV, since the start of the coronavirus pandemic. Many of these products remain vulnerable to cyber attacks. The government points out that a single vulnerable device can put a user’s whole network at risk, citing the 2017 incident in which attackers stole data from a North American casino via an internet-connected fish tank. It also highlights cases where hostile groups have exploited poor security features to access people’s webcams.
To counter this threat, the government is planning a new law which aims to ensure that smart devices meet new requirements:
- Customers must be informed at the point of sale how long a smart device will receive security software updates;
- A ban on manufacturers using universal default passwords (the same easily guessable credential, such as ‘password’ or ‘admin’, pre-set in the factory settings of every unit); and
- Manufacturers will be required to provide a public point of contact to make it easier for anyone to report a vulnerability.
Scope of legislation
The intended legislation will apply to any network-connectable devices and their associated services that are made available primarily to consumers, except products that are designated as out of scope. It should be noted that the government does not currently plan to include operational technology, such as industrial connected products, within the scope of the legislation. Some product categories that fall within the intended definition of consumer connected products, such as smart meters, are already subject to regulation. Similarly, the cyber security of certain other consumer connected products, such as some categories of automotive vehicles, will be covered by future regulation specific to that product category. The government’s intention is to exempt these categories of consumer connected products from the scope of the planned legislation at commencement. The government also says that it would not be practical for those involved in the distribution of second-hand products to meet the obligations the intended legislation would place upon them, so such distributors are expected to fall outside its scope.
Preventing consumer connected products coming onto the UK market without relevant measures
A key objective of the intended legislation is to ensure that no consumer connected product enters the UK market unless it incorporates basic cyber security measures. The intended legislation will prohibit manufacturers from placing consumer connected products on the UK market unless they comply with specific security measures, set out in legislation as security requirements or designated standards. The legislation will also require manufacturers to publish a publicly available declaration of conformity, to take corrective action if they place a product on the market that does not comply with the security requirements or designated standards, and to cooperate and comply with the appointed enforcement authority in such instances.
Keeping the legislation up to date
To ensure that the regulation continues to protect people and the economy from the harm posed by insecure products, the intended legislation will allow ministers to update the products in scope, the security requirements and the designated standards through an agile mechanism, such as secondary legislation. This might apply to issues such as user authentication, software updates and network resilience. In addition, the intended legislation will enable ministers to mandate assurance for designated categories of consumer connected products.
Enforcement powers and appeal procedures
The government plans for the enforcement authority to have access to the tools it needs, including a range of corrective measures and civil sanctions. The enforcement authority will deploy more stringent measures only when voluntary measures have failed to achieve compliance, or when the seriousness of an infraction requires it. The powers range from investigatory powers, including the power of search and entry, to information sharing powers. The necessary safeguards will be put in place to ensure these powers are used with adequate oversight and to protect businesses from undue burden. Sanctions will include forfeiture of goods and financial penalties. The intended legislation will incorporate an appeals process, aligned with those used in existing comparable product safety legislation, to ensure that a business has the right to appeal any sanctions or corrective measures brought against it by the enforcement authority.