MPs are debating a new law that the government says will help keep consumers’ phones, tablets, smart TVs, fitness trackers and other devices secure from cybercriminals.

The Product Security and Telecoms Infrastructure Bill will place new cybersecurity requirements on the manufacturers and sellers of consumer tech which can connect to the internet or other devices.
Under the bill, easy-to-guess default passwords which come programmed into digital devices and present an easy target for cybercriminals will be banned.
Manufacturers will have to be more transparent with customers about how long connectable products will receive security updates, and create a better public reporting system for vulnerabilities found in those products.
Failure to uphold the measures could result in fines of up to £10 million or four percent of global turnover, plus up to £20,000 per day in the case of an ongoing breach.
“Every product on our shelves has to meet all sorts of minimum requirements, like being fire resistant or a choking hazard and this is no different for the digital age where products can now carry a cybersecurity risk,” said Digital Secretary Nadine Dorries.
The new requirements
The bill will give ministers powers to put new requirements on the manufacturers, importers and distributors of consumer tech devices. They include:
- Banning universal default passwords which are pre-set on devices – such as ‘password’ or ‘admin’ – and are an easy target for cybercriminals. Any preloaded product passwords will need to be unique and not resettable to universal factory settings.
- Requiring device manufacturers to be transparent with consumers about how long they’ll provide security updates for products, so people are better informed when they buy. If a product will not receive any security updates, the customer must be informed.
- Ensuring manufacturers have a readily available public point of contact to make it easier for software flaws and bugs to be reported.
The bill applies to ‘connectable’ products. This includes all devices which can access the internet such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants, and smart home appliances such as washing machines and fridges.
It also applies to products which can connect to multiple other devices but not directly to the internet. Examples include smart light bulbs, smart thermostats and wearable fitness trackers.
Faster, more reliable broadband
The government says the bill will also speed up the rollout of faster and more reliable broadband and mobile networks by making it easier for operators to upgrade and share infrastructure. The reforms will encourage quicker and more collaborative negotiations with landowners hosting the equipment, with the aim of reducing instances of lengthy court action holding up the construction of infrastructure.
A regulator, to be announced at a later date, will oversee the new cybersecurity regime and ensure in-scope businesses comply with the measures in place. It will have the power to issue notices to companies requiring that they comply with the security requirements, recall insecure products or stop selling or supplying them altogether.
Following its second reading, the bill will advance to the committee stage, where an assigned committee will scrutinise the bill in detail.