The UK has taken a historic step by becoming the first country to legally mandate cybersecurity standards for Internet of Things (IoT) devices. These new laws, effective immediately, are designed to safeguard consumers against cyber threats and enhance the nation’s resilience against the increasing incidence of cybercrime.
Under the Product Security and Telecommunications Infrastructure (PSTI) regime, manufacturers are now legally obligated to integrate security measures into any product with internet connectivity. This includes banning easily guessable default passwords like “admin” or “12345,” aiming to prevent vulnerabilities exploited in past attacks such as the significant 2016 Mirai botnet incident.
Viscount Camrose, Minister for Cyber, emphasized the significance of these laws, stating, “From today, consumers can rest assured that their smart devices are shielded from cyber criminals, as we introduce groundbreaking legislation to safeguard their personal privacy, data, and financial security.”
The necessity for such protections is evident. According to the consumer advocacy group Which?, a typical smart home faces over 12,000 hacking attempts in a week, with nearly 2,700 attempts to guess weak passwords on just five devices. Given that 99% of UK adults own at least one smart device and households average nine connected products, the risks posed by unsecured IoT technology are substantial.
Sarah Lyons, Deputy Director for Economy and Society at the National Cyber Security Centre (NCSC), stressed the role of businesses in protecting the public, affirming that the new Act will empower consumers to make informed decisions.
In addition to prohibiting easily guessable passwords, the new regime mandates that manufacturers:
- Publish vulnerability disclosure policies for reporting security flaws
- Specify minimum periods for providing security updates
- Establish mechanisms for securely updating software
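The default-password ban is the most concrete of these requirements, and a manufacturer needs a way to verify it before firmware ships. The following Python script is an added illustration, not code from the article or from any regulator: it audits a batch of device records to flag factory credentials that are blocklisted, too short, low in estimated entropy, derived from a public identifier such as the serial number or MAC address, or shared across several units. The record fields, the blocklist, the entropy threshold and the sample devices are all assumptions constructed for the example.

```python
"""Pre-shipment audit of factory credentials for a batch of IoT devices.

Added example in the spirit of the PSTI default-password ban; the field
names, thresholds, blocklist and sample data below are assumptions, not
anything prescribed by the regulation itself.
"""
import math
from collections import Counter

# Constructed, deliberately small blocklist of common factory passwords.
COMMON_PASSWORDS = {
    "admin", "password", "12345", "123456", "1234", "root",
    "guest", "default", "user", "qwerty",
}
MIN_LENGTH = 8            # assumed policy value
MIN_ENTROPY_BITS = 36.0   # assumed policy value
WINDOW = 6                # identifier substring length treated as "derived"


def estimate_entropy_bits(password: str) -> float:
    """Rough strength estimate: length * log2(size of character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def normalize(text: str) -> str:
    """Lower-case and strip separators so 'CAM-0002' and 'cam0002' compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def shares_window(password: str, identifier: str, n: int = WINDOW) -> bool:
    """True if any n-character run of the identifier appears in the password."""
    npw, ident = normalize(password), normalize(identifier)
    return any(ident[i:i + n] in npw for i in range(len(ident) - n + 1))


def check_device(device: dict, usage: Counter) -> list:
    """Return the list of findings for one device record (empty means compliant)."""
    pw = device["password"]
    findings = []
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("blocklisted")
    if len(pw) < MIN_LENGTH:
        findings.append("too_short")
    if estimate_entropy_bits(pw) < MIN_ENTROPY_BITS:
        findings.append("low_entropy")
    # A password built from the serial or MAC is guessable by anyone who can read the label.
    for field in ("serial", "mac"):
        if shares_window(pw, device.get(field, "")):
            findings.append(f"derived_from_{field}")
    # The same credential on many units is a default password, however strong it looks.
    if usage[pw] > 1:
        findings.append("shared_across_devices")
    return findings


def audit_batch(devices: list) -> dict:
    """Map each serial number to its findings across the whole batch."""
    usage = Counter(d["password"] for d in devices)
    return {d["serial"]: check_device(d, usage) for d in devices}


# Constructed sample batch covering each failure mode plus one compliant unit.
DEVICES = [
    {"serial": "CAM-0001", "mac": "00:11:22:33:44:55", "password": "admin"},
    {"serial": "CAM-0002", "mac": "00:11:22:33:44:56", "password": "Cam0002!pass"},
    {"serial": "CAM-0003", "mac": "00:11:22:33:44:57", "password": "Welcome2024!"},
    {"serial": "CAM-0004", "mac": "00:11:22:33:44:58", "password": "7fQ2#kLp9vXz"},
    {"serial": "CAM-0005", "mac": "00:11:22:33:44:59", "password": "Welcome2024!"},
]

if __name__ == "__main__":
    for serial, findings in audit_batch(DEVICES).items():
        print(serial, "OK" if not findings else ", ".join(findings))
```

Running the script flags the first unit as blocklisted and weak, the second as derived from its serial number, the third and fifth as sharing one credential, and passes only the fourth. The per-batch uniqueness check matters most in practice: a long random-looking string that is identical on every unit is still a default password.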
Rocio Concha, Policy Director at Which?, acknowledged the group’s contribution to advocating for these laws, emphasizing the importance of brands prioritizing consumer protection.
These cybersecurity standards are part of the UK’s £2.6 billion National Cyber Strategy, demonstrating the government’s commitment to establishing Britain as the world’s safest environment for online activities as cyber threats rise alongside IoT adoption.
While the automotive industry was initially included, the government is now pursuing alternative cybersecurity regulations tailored specifically to internet-connected vehicles.
David Rogers, CEO of consultancy Copper Horse, welcomed the standards, asserting that manufacturers must cease providing products with glaring security vulnerabilities.
Officials highlighted industry collaboration as instrumental in developing these transformative protections, with consumers encouraged to report non-compliant products to the regulator. However, effective enforcement will be vital.
Rocio Concha emphasized the importance of clear guidance and robust action from the Office for Product Safety and Standards (OPSS) against manufacturers flouting the law.
The UK’s pioneering legislation in this area may serve as a model for other nations seeking to enact similar consumer cyber safeguards for IoT devices.