DCMS confirms plans for smart product security laws
DCMS confirms plans to introduce legislation for smart product security
The Department for Digital, Culture, Media and Sport (DCMS) has confirmed plans to introduce legislation for smart product security. At the same time, DCMS has published the Government’s response to the latest Call for Views, part of a process that began with the 2018 Code of Practice.
New figures commissioned by the government show almost half (49%) of UK residents have purchased at least one smart device since the start of the coronavirus pandemic. Just one vulnerable device can put a user’s network at risk. In extreme cases hostile groups have taken advantage of poor security features to access people’s webcams.
To counter this threat, the government is planning a new law to make sure virtually all smart devices meet new requirements:
- Customers must be informed at the point of sale how long a smart device will receive security software updates
- A ban on manufacturers using universal default passwords, such as ‘password’ or ‘admin’, that are often preset in a device’s factory settings and are easily guessable
- Manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.
Smartphones are the latest product to be put in scope of the planned Secure-By-Design legislation. The government continues to urge people to follow NCSC guidance and change default passwords as well as regularly update apps and software to help protect their devices from cyber criminals.
The government intends to introduce legislation as soon as parliamentary time allows.
Digital Infrastructure Minister Matt Warman said:
“Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems.
We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.
The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”
Security updates are a crucial tool for protecting people against cyber criminals trying to hack devices.
Yet research from University College London found none of the 270 smart products it assessed displayed information setting out the length of time the device would receive security updates at the point of sale or in the accompanying product paperwork.
By forcing tech firms to be upfront about when devices will no longer be supported, the law will help prevent users from unwittingly leaving themselves open to cyber threats by using an older device whose security could be outdated.
Just one in five global manufacturers have a mechanism in place to allow security researchers - firms and individuals who find security flaws in devices - to report vulnerabilities.
These moves have been supported by important tech associations across the globe including the Internet of Secure Things (IoXT), whose members include some of the world’s biggest tech companies including Google, Amazon and Facebook.
National Cyber Security Centre Technical Director Dr Ian Levy said:
“Consumers are increasingly reliant on connected products at work and at home. The Covid-19 pandemic has only accelerated this trend and while manufacturers of these devices are improving security practices gradually, it is not yet good enough.
DCMS’ publication builds on the 2018 Code of Practice and ETSI EN 303 645 to clearly outline the expectations on industry. To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now.
It is also important to support uptake of good practice and provide industry with opportunities to innovate. I’m pleased to see the pilots, funded by DCMS, begin to test ways in which customers will be able to gain confidence in the security of these devices.”
techUK has continuously engaged with DCMS on the Secure-By-Design agenda since the start of this process in 2016, with industry playing a key role in the development of the initial Code of Practice. Indeed, the vast majority of industry have robust security practices in place, in many cases far exceeding the security requirements outlined in this legislation. The success of these proposals depends on that collaboration between Government and industry continuing, both with regards to the practical implementation of this legislation and the wider standards efforts ongoing.
In techUK’s response to the Call for Views we outlined several areas which industry believes need further thought, clarification or discussion. We welcome the fact that the Government’s response recognises a number of these and will continue to engage constructively as the legislation progresses. There are a number of areas where further clarity is needed to understand how these new rules will work in practice, ranging from the scope of the regulations and key definitions to the proposed enforcement regime. techUK looks forward to engaging further with DCMS on these issues as the proposals progress.