In the Queen’s Speech delivered on 10 May 2022 at the House of Commons by HRH The Prince of Wales, the Government announced the Product Security and Telecommunications Infrastructure Bill (“Product Security Bill”). The Government subsequently released a high-level overview of 38 proposed laws, including the Product Security Bill, which can be accessed here.
The Product Security Bill follows the UK Government’s Code of Practice 2018 and is a key development in the Government’s ongoing commitment to improving cybersecurity in a diverse range of smart-products. The proposed Bill will be split into two parts: Part 1 will focus on the cybersecurity of products, while Part 2 will focus on telecommunications infrastructure with regard to mobile and broadband network expansion.
- The Product Security Bill is set to improve cyber resiliency and digital connectivity for individuals and businesses across the UK in order to “create further growth for the economy.”
- The Bill’s aim is to ensure that “smart consumer” products – smartphones, televisions, Internet of Things devices (IoT) etc – are designed more securely at the manufacturing stage against cyber-attacks.
- Along with cyber-related improvements, the Government is set to accelerate the expansion of networks throughout the UK, both mobile and broadband, which technological devices rely upon.
- The Bill aims to protect consumers from cyber-attacks by ensuring that device manufacturers, importers and distributors develop and market devices which meet more stringent cybersecurity standards. This new security standard will need to be regularly updated and manufacturers will be required to have an appointment person for reporting software vulnerabilities with the goal on increasing consumer confidence.
- The Government wants to reduce the number of new sites and installations needed to meet the Government’s digital connectivity targets “by utilising existing equipment”. They hope this will provide cheaper and easier solutions to install updates and provide more funding to operators in invest in digital products. The Government did not provide any further information on how they would be utilising existing equipment.
- The Bill will mandate that device manufacturers must guarantee that their products meet minimum security standards during the initial design stages and the Bill will introduce duties on businesses to investigate and take action in circumstances of non-compliance.
- A new regulatory framework is set to be introduced which the Government anticipates will keep pace with cyber threat actors, hostile states and the broader global technological regulation.
- The Product Security Bill will extend and apply across all of the UK once it reaches Royal Assent later this summer.
- KEY FACTS
- The Government reports that in the first six months in 2021, there were 1.5bn attempted compromises of connectable products which is double the equivalent figure from 2020. This figure stems from the increase in smart devices now installed in the average UK household which was estimated to be nine or more in 2020.
- The Government has set a goal to provide gigabit-capable coverage to at least 85% of the UK within the next 3 years to enable a faster and more reliable connectivity network. Additionally, the Government wants to increase 4G coverage to 95% in the UK by 2025 while also attaining at least 51% 5G coverage in the UK by 2027.
- If IoT and smart devices continue to be developed with poor security standards, it is anticipated that cyber-attacks from threat actors will only increase in the future. Low standards of cybersecurity in such devices will allow threat actors to enter into a victims network via a simple point of entry.
- With the increase in smart devices being implemented across the UK, the Government’s rationale with the Product Security Bill is to increase the adequacy of cybersecurity in smart devices now, in order to prevent a future onslaught of cyber incidents in the future.
- The proposed Product Security Bill is currently at the Reporting stage in the House of Commons and the latest draft can be accessed here. As the Product Security Bill moves its way through the House of Commons, the Cyber team here at DAC Beachcroft will provide a comprehensive update in respect of the Bill’s impact on clients once it is published in its final form later this summer.