
Tough cyber-security rules for internet-connected devices laid before parliament
Tougher cyber-security standards are being introduced for consumer tech purchased in the UK with a new law being laid before parliament today.
The Product Security and Telecommunications Infrastructure Bill (PSTI) introduces a raft of new protocols that manufacturers and distributors of tech will need to adhere to.
It will allow regulators to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products.
The Bill will also speed up the roll-out of faster and more reliable broadband and mobile networks by making it easier for operators to upgrade and share infrastructure. The reforms will encourage quicker and more collaborative negotiations with landowners hosting the equipment, to reduce instances of lengthy court action which are holding up improvements in digital connectivity.
Last year, a £1bn deal was signed by all four major mobile network operators to expand rural mobile network coverage by sharing their infrastructure with one another.
Digital infrastructure minister Julia Lopez said: “Every day hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft.
“Our Bill will put a firewall around everyday tech, from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”
The ownership and use of connected tech products has increased dramatically in recent years. On average there are nine in every UK household, with forecasts estimating there could be up to 50 billion worldwide by 2030.
But while most consumers assume these products are secure, only one in five manufacturers have appropriate security measures in place for their connectable products, the Department for Digital, Culture, Media & Sport (DCMS) said.
A recent investigation by Which? found a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week.
In the first half of 2021, there were 1.5 billion attempted compromises of Internet of Things (IoT) devices, double the 2020 figure. This tallies with the rising number of cyber-attacks against firms and employees after a dramatic rise in home working following the beginning of the Covid-19 pandemic.
This new cyber-security regime will be overseen by a regulator, which will be designated once the Bill comes into force. The regulator will have the power to fine companies up to £10m or four per cent of their global turnover for non-compliance, as well as up to £20,000 a day in the case of an ongoing contravention.
NCSC technical director Dr Ian Levy said: “I am delighted by the introduction of this bill, which will ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security.
“The requirements this bill introduces – which were developed jointly by DCMS and the NCSC with industry consultation – mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice.”