Gov Enforce New UK Internet Security and Broadband Boosting Law

The UK Government has this morning announced that new laws designed to help protect consumers from cyber criminals have finally come into force. Among other things, they require that network devices, such as broadband ISP routers, receive greater protection (e.g. regular security updates and stronger default passwords).

The related Product Security and Telecommunications Infrastructure Act (PSTI) received royal assent in late 2022, which among other things included measures to make broadband and mobile infrastructure sharing, as well as network upgrades and related dispute resolution, easier to deliver (see our summary). But those elements, which involve changes to the Electronic Communications Code (ECC), are being implemented separately via Ofcom.

NOTE: The Gov says recent figures show 99% of UK adults own at least one smart device and UK households own an average of nine connected devices.

The PSTI also included measures to implement many of the original Secure by Design proposals (i.e. ensuring connected devices are better able to resist cyberattacks), which introduces tougher security standards for device makers and the ability to hit those that fail to comply (both retailers and manufacturers) with financial penalties.

Some examples of the changes include banning easily guessable default passwords (“admin”, “123456” etc.), prompting users to change the default password, improved support for reporting security issues, and a requirement for related network products to state how long they will be supported by vital security patches (firmware updates).

Some of the Improved Security Protections

➤ Common or easily guessable passwords like ‘admin’ or ‘12345’ will be banned to prevent vulnerabilities and hacking.

➤ Manufacturers will have to publish contact details so bugs and issues can be reported and dealt with.

➤ Manufacturers and retailers will have to be open with consumers on the minimum time they can expect to receive important security updates.

The changes touch everything from consumer broadband routers to phones, TVs, games consoles, internet-connected fridges and smart doorbells. The government allowed the industry a couple of years to adapt, but from today the manufacturers of all such devices are required, by law, to implement minimum security standards against cyber threats.
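The two requirements above that translate most directly into device firmware are the ban on easily guessable factory defaults and the prompt to change the default on first use. The following is an added example of how a router vendor might meet both (it is not code from the article, the government or any vendor): it generates a per-device random default from the OS CSPRNG, rejects candidates that look like a banned default, and makes the admin login report that the factory credential is still in use. The blocklist is a constructed sample, and rejecting values derived from a label identifier (serial number, MAC) is this example's own assumption rather than a rule quoted on the page.

```python
import hashlib
import secrets
import string

# Constructed, illustrative blocklist of common factory defaults. Assumption for
# this example: a shipping product would use a much larger published list.
COMMON_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "root", "default", "guest"}

ALPHABET = string.ascii_letters + string.digits


def is_acceptable_default(password: str, device_identifiers=()) -> bool:
    """Return False for the kind of factory default the new regime bans.

    Rejects short, all-digit, low-variety and blocklisted values. Rejecting a
    value that contains (or is contained in) a label identifier such as a serial
    number or MAC is an assumption of this example, not a rule from the page.
    """
    p = password.strip().lower()
    if len(p) < 8 or p in COMMON_DEFAULTS or p.isdigit() or len(set(p)) < 4:
        return False
    for ident in device_identifiers:
        i = ident.replace(":", "").replace("-", "").lower()
        if i and (i in p or p in i):
            return False
    return True


def generate_device_default(device_identifiers=(), length: int = 12) -> str:
    """Per-device random default from the OS CSPRNG, re-drawn until acceptable."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_acceptable_default(candidate, device_identifiers):
            return candidate


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the credential is never stored in the clear on the device.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AdminAccount:
    """Router admin credential store that tracks whether the factory default is still in use."""

    def __init__(self, device_identifiers=()):
        self.salt = secrets.token_bytes(16)
        # The per-device default would be printed on the label at manufacture.
        self.factory_default = generate_device_default(device_identifiers)
        self._digest = _hash(self.factory_default, self.salt)
        self.using_factory_default = True

    def login(self, password: str) -> tuple:
        """Return (authenticated, must_change_password)."""
        ok = secrets.compare_digest(_hash(password, self.salt), self._digest)
        return ok, ok and self.using_factory_default

    def change_password(self, old: str, new: str) -> bool:
        """Accept a new password only if it also passes the weak-default checks."""
        ok, _ = self.login(old)
        if not ok or not is_acceptable_default(new):
            return False
        if secrets.compare_digest(_hash(new, self.salt), self._digest):
            return False  # keeping the factory default does not count as a change
        self._digest = _hash(new, self.salt)
        self.using_factory_default = False
        return True


if __name__ == "__main__":
    acct = AdminAccount(("AA:BB:CC:DD:EE:FF", "SN1234567"))
    print("factory default:", acct.factory_default)
    print("login with factory default:", acct.login(acct.factory_default))
    print("change to 'password':", acct.change_password(acct.factory_default, "password"))
    print("change to strong value:", acct.change_password(acct.factory_default, "Correct-Horse-9"))
    print("login after change:", acct.login("Correct-Horse-9"))
```

The `must_change_password` flag returned by `login` is what the management UI would use to force the password-change prompt on first sign-in; the same `is_acceptable_default` check is reused so the user cannot replace the random default with one of the banned values.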

The hope is that these measures will help to prevent threats like the damaging Mirai attack in 2016, which saw 300,000 smart products compromised due to weak security features, including routers from various ISPs such as TalkTalk and KCOM, and then used to attack major internet platforms and services. Since then, similar attacks have hit UK banks, including Lloyds and RBS, causing disruption to customers.

The government claims that the new regime will help to give customers confidence in buying and using products, “which will in turn help grow businesses and the economy.”

Julia Lopez, UK Data and Digital Infrastructure Minister, said:

“Today marks a new era where consumers can have greater confidence that their smart devices, such as phones and broadband routers, are shielded from cyber threats, and the integrity of personal privacy, data and finances better protected.

Our pledge to establish the UK as the global standard for online safety takes a big step forward with these regulations, moving us closer to our goal of a digitally secure future.”

The government added that consumers and cyber security experts can also help by playing an “active role in protecting themselves and society from cyber criminals” by reporting any products which don’t comply to the Office for Product Safety and Standards (OPSS). Note, however, that the government is also beginning the legislative process to exempt certain automotive vehicles from the product security regime, as they will instead be covered by alternative legislation.

The changes might also have an impact on cheaper imported products, which might not normally adhere to UK rules as closely as they perhaps should. In addition, it’s possible there may be some problems around retailers that need to sell older stock, which might not offer the same length of support to those who buy them.
