What do the UK’s cybersecurity plans mean for companies?
by Hannah Fuchs on 20 Dec 2021
With an increasing number of internet-connectable and interconnected devices, also known as the Internet of Things (IoT), being used in the UK, the Government has introduced the Product Security and Telecommunications Infrastructure Bill to protect these products. This blog will examine the bill, its potential impact, some criticisms of it, and the next steps in the legislative process.
In the first half of 2021 alone, there were 1.5 billion attempted compromises of IoT devices, double the amount in 2020. The UK Government has now introduced the Product Security and Telecommunications Infrastructure Bill, requiring companies to put in place stricter cybersecurity measures. These include stricter cybersecurity requirements for manufacturers, importers, and distributors, such as disclosing possible vulnerabilities, banning default passwords, and increased fines for non-compliance. Once the bill comes into force, the UK Government will designate a regulator with the power to fine companies for non-compliance up to £10 million or 4% of their global turnover.
New requirements for businesses throughout the supply chain
The bill has far-reaching implications for a range of businesses, many of which may not have thought about keeping their products protected from cyber-attacks. Product manufacturers will be required to inform customers about the product’s lifespan and for how long it will receive security updates, and to disclose possible vulnerabilities. They must also provide a public point of contact so that discovered flaws and bugs can be reported more easily, known as the product vulnerability disclosure policy. Manufacturers must ensure users are protected against cyber threats and will be held accountable for breaches. If the bill is passed, companies will need to invest in additional skills and knowledge to incorporate these new measures.
The new law will affect not only manufacturers but also importers and distributors of devices, as they will be held accountable for ensuring that the products they import and distribute meet the new cybersecurity requirements. Retailers will be forbidden from selling devices that do not meet the security standards. That means a significant number of companies which previously did not have to consider whether the products in their supply chain were cyber secure will now be impacted by the bill. Additional requirements could be added via amendments during the legislative process.
Potential impacts and reactions
Across the cybersecurity and technology industries, the bill has been welcomed in light of increasing cyber threats in connected consumer products. Cybersecurity firms and technology companies particularly appreciate the ban on default passwords. Insecure passwords are one of the key security threats and the ban is easy for companies to implement. While the bill is perceived as an important first step, there appears to be a consensus that additional measures will be needed to successfully target security threats.
The bill has been criticised by cybersecurity companies for being too narrow and reflecting a lack of understanding of cybersecurity threats. “It is essential that governments’ understanding and policy approaches to improving IoT security evolve to keep up with the evolution of IoT threats, many of which can only be stopped at the network level,” said Carla Baker, Senior Director for Government Affairs UK & Ireland at Palo Alto Networks.
The feasibility of the bill has been questioned. It includes many technical constraints that make it difficult for companies to comply. This includes the possibility that some threats can only be stopped at the network level, as mentioned by Ms. Baker above, and the requirement to hire dedicated cybersecurity engineers who are in short supply. Smaller tech firms and start-ups could face difficulties complying with the requirements, causing them to be competitively disadvantaged.
According to the bill, companies are not required to include automated patching mechanisms. Qualys, an IT security company, has argued that this could leave machines vulnerable to threats. It would require consumers to make changes manually on a machine-by-machine basis, which could prove difficult and defeat the purpose of ensuring products are protected against cyber threats.
The mandatory product vulnerability disclosure policy enables users to inform companies about bugs or flaws but does not require those flaws to be fixed by the company before being disclosed to users. This could create a loophole where risks become common knowledge, allowing fraudsters to exploit them, making smart devices less secure.
Finally, the bill seeks to address cyber threats in smart consumer products, but there are notable exclusions, including laptops, smart meters, and medical devices, which must either comply with other security measures or have a mature antivirus software market available. However, computers and hospitals continue to be the target of cyber-attacks despite other measures already being in place. The exemption does not seem fit for purpose and could compromise the bill’s effectiveness while creating an uneven playing field for companies producing and selling smart consumer products.
While the UK attempts to be one of the first countries to make IoT products cyber secure by law, some only see it as a first step to address the ever-more pressing issue of cybersecurity in connected consumer products.
The European Commission is currently reviewing its own rules on network security, which were first published in 2016. Given that the Internet does not recognise borders, the UK Government should seek alignment with the EU and the United States to comprehensively tackle cyber threats. This would avoid a patchy legislative landscape where loopholes can easily be detected, and where companies would find it increasingly difficult to abide by different cybersecurity measures. Failing to align with international partners would make it less attractive for companies to sell their products in the UK.
The legislation has just started its legislative passage through Parliament so now is a good time for companies to engage with policymakers to share their views on the legislation. As the bill reaches committee stage, there will be opportunities to table amendments to the bill.
The UK Government will want to listen to stakeholders to better understand rapidly evolving cybersecurity matters and pass a bill that ensures IoT products are cyber secure while making it feasible enough for companies to comply with the new law.
Inline will be following the next steps of the Product Security and Telecommunications Infrastructure Bill closely and will see which amendments the UK Government introduces, and which it accepts from others, as it aims to internationally spearhead legislation on consumer product cybersecurity. The bill is part of the recently published National Cyber Strategy.
If you have any questions about the UK’s or EU’s cybersecurity policies, or are interested in an informal chat, please contact us at firstname.lastname@example.org.