The use of smart devices, such as smartphones, fitness trackers and connected household appliances, has increased both in the UK and globally, and the trend is expected to continue. Agile and remote working arising from the COVID-19 pandemic and the adoption of 5G technologies have only accelerated the process. As a result, the UK government is looking to keep pace with this evolution of technology by strengthening the cyber security measures that apply to internet-connected consumer products.
UK Government Proposals
Cyber security of network-connected products has been on the UK government's legislative agenda for a number of years and, in January 2020, the government announced its intention to introduce legislation to ensure that stronger security is built into such connected products. This was followed by a call for views on the proposed legislation in July 2020, and the government has now published a response to the views received, along with an outline of the key policy positions that will underpin the upcoming legislation.
The proposed legislation is intended to place on a statutory footing the international security standards accepted by the UK and set out in previous government guidance, rather than to impose entirely new requirements. The security requirements, as further detailed below, will therefore be familiar to manufacturers and other actors across the industry.
The proposed legislation will establish a baseline security level for smart products to meet before they can be made available to consumers on the UK market. There are three key technical security requirements set out in the proposed legislative framework that must be implemented for consumer smart products to meet the security baseline, namely:
- not using universal default passwords;
- implementing a means to manage reports of vulnerabilities; and
- providing transparency on how long, at a minimum, the product will receive security updates.
In addition, the framework emphasises flexibility to amend the requirements over time. Cyber security is a rapidly developing area, so the intended legislation will need to be adaptable enough to keep up with the continuing development of technology and the connected products market, the evolving techniques employed by malicious actors, and the broader regulatory landscape.
What will the proposed legislation do?
As mentioned above, the proposed legislation will set a minimum baseline level of cyber security for smart devices. If a device does not meet the minimum security level, it may not be sold or otherwise made available to consumers in the UK. The legislation will be relevant to manufacturers, authorised representatives and importers as well as wholesalers and retailers of consumer connected devices.
The proposed legislation will apply to network-connectable products and associated services supplied to consumers. This includes devices that are already a feature of many people’s homes, such as smart speakers, smart televisions, connected doorbells and smartphones. Certain products will be exempt from the proposed legislation – initially this is planned to include desktop computers, laptops and smart meters; however, the government will be able to amend the exempt product classes.
What are the security requirements?
The focus of the proposed legislation will initially be on the following security requirements:
- Banning universal default passwords: this will include all device passwords, including passwords used in the build / architecture of the device and passwords on pre-installed apps.
- Vulnerability reporting: providing for a mechanism for manufacturers to be made aware of security vulnerabilities, so that fixes can be implemented.
- Provision of information to consumers on how long the device will receive security updates: this is to promote consumer awareness about cyber security issues and to enable informed purchasing decisions.
There will be two possible ways to meet the security requirements - either through meeting the requirements as set out in the legislation (these will align closely with the key points of the government’s Code of Practice for Consumer IoT Security and the ETSI European Standard (EN) 303 645) or by meeting an equivalent designated security standard.
Based on the consultation responses received, the security requirements set out in the proposed legislation may not be straightforward for those affected to implement: they are likely to require changes to the product design process and to resourcing, and could increase the time needed to bring products to market.
Under the proposed legislation, the government will also retain flexibility: both the security requirements and the designated standards may be updated to meet specific challenges, and additional product assurance obligations may be introduced for specific product categories in the future.
How will the legislation be enforced?
An enforcement authority will be set up with powers to investigate non-compliance, take enforcement action and impose sanctions if required. The authority will also provide support to organisations to enable them to meet their obligations regarding cyber security.
What happens next?
The UK government is currently drafting the legislation, though there are no definitive timescales for when it will be introduced into Parliament. While the detail outlined in the above policy positions provides a good indication of the key structure and content of the proposed legislation, the final legislation may differ from the proposals. Manufacturers, importers and distributors of consumer connected devices should therefore watch this space.
How can we help?
If you have queries in relation to Cyber Security, please get in touch with a member of our specialist Data Protection & Cyber Security team.
This article was written by Clare Tuohy, Trainee Solicitor.