Inside the New UK Law to Improve IoT Cybersecurity
In a landmark move, the UK has become the first country in the world to introduce stricter security standards for consumer IoT and smart devices. This new law, part of the Product Security and Telecommunications Infrastructure (PSTI) regime, aims to bolster the UK’s cybersecurity defenses and empower consumers with greater control over their smart devices. One of the most significant changes is the elimination of weak, easily guessable default passwords like “admin” or “12345.”
Under the law, manufacturers operating in the UK will be legally obligated to implement more secure defaults and prompt users to create strong passwords during device setup. This simple step addresses a major vulnerability, as weak passwords have been a key entry point for cybercriminals in past attacks, officials say.
According to the UK government, this is designed to prevent threats like the damaging Mirai attack in 2016, which saw 300,000 smart products compromised due to weak security features and used to attack major internet platforms and services.
Manufacturers will also be required to publish clear information regarding security updates. Consumers will have the right to know for how long their devices will receive critical security patches, allowing them to make informed purchasing decisions.
Additionally, manufacturers must provide contact details for reporting security vulnerabilities, facilitating a faster response when flaws are discovered.
According to the country’s technology and cybersecurity officials, this is a significant step towards boosting the UK’s resilience against cybercrime, as recent figures show 99% of UK adults own at least one smart device and UK households own an average of nine connected devices.
In addition, 57% of UK households own a smart TV, 53% own a voice assistant and 49% own a smart watch or fitness wristband.
The government hopes these regulations will instill greater confidence in consumers when purchasing and using smart devices, ultimately stimulating economic growth.
Consumer advocacy groups have praised the new laws, highlighting their potential to significantly reduce cyberattacks and data breaches. Industry leaders have also welcomed the regulations, acknowledging the importance of robust security measures.
The UK government says it collaborated with industry leaders to implement these changes. The National Cyber Security Centre (NCSC) encourages consumers to report any irregularities or suspected non-compliance to the Office for Product Safety and Standards (OPSS).
The U.S. government is taking similar steps, such as the U.S. Cyber Trust Mark, a voluntary cybersecurity labeling program designed to certify that a consumer IoT product meets baseline standards for cybersecurity. The program has been approved by federal officials and is expected to be put in place later this year. The Connectivity Standards Alliance (CSA) has also come out with its own cybersecurity certification that factors in international standards and practices, as well as industry best practices, to expedite product certifications for international companies.
However, while those programs are voluntary, the new UK measures are enforceable laws. Given how many smart home manufacturers operate on an international scale, and how international law such as the European Union’s General Data Protection Regulation (GDPR) has influenced business practices in the past, it will be interesting to see how this UK law might begin to influence cybersecurity practices in the United States as well.