The proposed Product Security and Telecoms Infrastructure Bill will receive its second reading in the House of Commons today in a debate to be opened by current digital secretary Nadine Dorries, as it takes a significant step forward towards becoming law.
The bill – which mandates improved cyber protections for smartphones and other smart or connected internet of things (IoT) devices – has been years in the making. Its scope has expanded over time to include new provisions that will supposedly spur the roll-out of full-fibre broadband services by making it easier for operators to upgrade and share infrastructure, and reform the process of how they go about negotiating with landowners to whose property they need access.
At its core it places strict new requirements on the manufacturers and retailers of connected consumer technology, banning easy-to-guess default passwords programmed onto devices, creating a vulnerability-reporting system, and forcing manufacturers to be upfront about how long their products will receive security updates.
Failure to comply could result in fines of up to £10m, or 4% of global turnover, and up to £20,000 for every day in the case of ongoing breaches.
“Whether it’s your phone, smart speaker or fitness tracker, it’s vital that these devices are kept secure from cyber criminals,” said Dorries.
“Every product on our shelves has to meet all sorts of minimum requirements, like being fire resistant or [noting if it’s] a choking hazard, and this is no different for the digital age where products can now carry a cyber security risk.
“We are legislating to protect people across the UK and keep pace with technology as it transforms our everyday lives,” she said.
The bill will apply to any device that can access the internet, including smartphones and smart TVs, games consoles, security cameras and connected alarms, smart toys and baby monitoring kit, smart home hubs and voice activated assistants (such as Alexa) and connected appliances such as washing machines and fridges.
Also in scope will be products that, while they can connect to other devices, do not directly access the internet themselves – such as smart lightbulbs and thermostats, or wearable fitness bands.
Matthew Evans, director of markets at TechUK, said: “Industry has long supported the shared ambition to improve the cyber resilience of devices and has worked with DCMS across the secure-by-design agenda over the past five years. Most suppliers already adhere to the principles of the legislation and, if implemented practically, this will both protect consumers and ensure they have access to a wide range of connected devices.
“TechUK also welcomes the government’s efforts to reform the Electronic Communications Code, which is essential to speeding up the roll-out of gigabit and 5G infrastructure. Industry looks forward to further clarity on the amendments to the code to ensure we can deliver the connectivity consumers and businesses need,” he added.
Consumer rights organisation Which?, which has taken an active role in the bill’s development throughout various consultations and stakeholder engagements, welcomed news of its progress.
“Smart home products can bring huge convenience to our everyday lives, however time and time again we have uncovered security flaws that can leave people vulnerable to scams, data breaches and even put their safety at risk – which is why this new legislation is an important first step,” said Rocio Concha, director of policy and advocacy.
“However, it’s vital that new rules apply to online marketplaces, where Which? has frequently found insecure products being sold en masse. The government must also clarify how redress for products that fail to meet the security requirements will work within the existing consumer rights framework.
“The bill must be backed by a strong and well-resourced enforcement regime that reflects the many different ways that smart products are manufactured and sold to consumers,” added Concha.