Preparations for new product security regime
The countdown has begun for a new regime setting the minimum security standards for all consumer products with internet connectivity to come into effect in 12 months – making the UK the first country in the world to introduce these protections.
Minister for Artificial Intelligence and Intellectual Property Viscount Camrose today confirmed the new Product Security and Telecommunications Infrastructure (Product Security) Regime will be introduced on 29th April next year, at which point consumers and businesses will benefit from world-first protections against potentially insecure tech. Telecoms and technology industries and manufacturers now have 12 months to prepare for the implementation.
The measures include requirements for manufacturers to implement minimum security standards on all consumer products with internet connectivity such as smartphones, smart speakers, games consoles, and smart doorbells before they can be made available for purchase.
In bringing forward this new regime, the UK becomes the first country anywhere in the world to require minimum protections against cyber security risks for consumers and businesses using these devices. It has only been made possible by the freedoms gained through Brexit, granting the government the ability to implement sector-specific regulations which would not have been possible as an EU Member State.
This new regime will help deliver one of the Government’s five priorities to grow the economy by increasing consumer confidence and protection in the products they buy and use.
Minister for AI and Intellectual Property, Viscount Camrose, said: “These new regulations coming into force next April will transform how we protect and secure consumer devices with an internet or network connection.
“When this regime comes into force, every household and business in the UK who buys a new connectable product, whether it’s a smartphone, a smart speaker, or a piece of wearable tech, will benefit from these increased protections, which are the first of their kind anywhere in the world.
“We’ve laid the foundations for a new system to protect our consumers and businesses while also supporting technological innovation, and we’ll now work closely with industry over the next 12 months as we prepare for its implementation.”
The new measures will introduce a series of improved security protections to tackle the threat of cybercrime including:
- The banning of universal default and easily guessable default passwords on consumer connectable products.
- Increased manufacturer transparency on how long products will receive security updates for. This will provide standardised security information to better inform consumer purchasing decisions.
- Manufacturers will be required to make customers aware of a product’s security update support period before allowing product purchases on the manufacturer’s website.
- Device manufacturers will be required to publish contact information to allow vulnerabilities relating to their devices to be reported.
National Cyber Security Centre CEO, Lindy Cameron said: “The NCSC welcomes these new standards which will put security at the heart of technology design and ensure the connected devices that consumers rely on daily are secure from the outset.
“Up until now, there has been an unreasonable expectation for ordinary users to shoulder the burden of cyber risk.
“The NCSC will continue to support manufacturers in implementing the necessary changes with advice like our recently published Secure by Design guidelines.”
When in effect, the new regime will result in visible changes for consumers as they move through the purchasing process, with new information on security updates and support periods being available to inform purchasing decisions. If a product is being purchased directly from a manufacturer’s website, the measures will require its support period to be clearly advertised alongside the usual product specifications.
We are also engaging with online marketplaces in preparation for the changes, exploring how they can work to complement these changes and further protect consumers.
Co-Founder and Managing Director of the IoT Security Foundation, John Moor, said: “The IoT Security Foundation welcomes this announcement as it brings important cybersecurity assurance to consumers and the networks they connect to, worldwide. It is the culmination of a lot of hard work and determination by many stakeholders, over several years, including consultations with our members.
“Regulation is notoriously difficult to get right, especially as the nature of cyber-attacks changes and new vulnerabilities are discovered over time. The PSTI regime not only includes requirements that help address immediate challenges, but its method also anticipates the need for new requirements to be added without stifling innovation or adding unwelcome business costs.
“This is truly a milestone moment to support the global digital transformation, making connecting to the digital world safer. We, therefore, applaud its introduction and encourage policymakers worldwide to work with this ground-breaking regime as it is in our common interest to avoid fragmentation and minimise complexity.”
Offering individuals and businesses across the country point-of-access protection in accessing online services through connectable devices represents a watershed moment and will establish the UK as a global leader in consumer cyber security when the regime takes effect next April.