UK Govt under Prime Minister Rishi Sunak rolls out new security laws to safeguard consumers from cyber criminals - Next in line after the Rwanda deportation order
UK government under Premier Rishi Sunak cracks down on cyber criminals and cyber attacks, rolling out new laws that prescribe the highest standards of security
By Ashe N Ayer
The British government under Prime Minister Rishi Sunak has rolled out new security laws to safeguard consumers from cyber criminals. Billed as world-first laws protecting UK consumers and businesses from hacking and cyber-attacks, the new rules take immediate effect from Tuesday April 30, 2024.
The UK government has warned manufacturers
of products such as phones, TVs and smart doorbells to implement government
prescribed protocols for ensuring minimum security standards against cyber
threats.
According to a UK government press release issued to the media, consumers will benefit from the banning of easily guessable default passwords, marking a significant leap in protecting individuals, society and the economy from cyber criminals. Consumer protections against hacking and cyber-attacks will come into force today, as all internet-connected smart devices will be required by law to meet minimum security standards.
Manufacturers will be legally required to protect consumers against hackers and cyber criminals accessing devices with internet or network connectivity - from smartphones to games consoles and connected fridges - as the UK becomes the first country in the world to introduce these laws.
Under the new regime, manufacturers will be banned from having weak, easily guessable default passwords like ‘admin’ or ‘12345’, and if there is a common password the user will be prompted to change it on start-up. This will help prevent threats like the damaging Mirai attack in 2016, which saw 300,000 smart products compromised due to weak security features and used to attack major internet platforms and services, leaving much of the US East Coast without internet. Since then, similar attacks have occurred on UK banks including Lloyds and RBS, leading to disruption to customers.
The move marks a significant
step towards boosting the UK’s resilience towards cyber-crime, as recent
figures show 99% of UK adults own at least one smart device and UK households
own an average of nine connected devices. The new regime will also help give
customers confidence in buying and using products, which will in turn help grow
businesses and the economy, the UK government press release claimed.
An investigation conducted by Which? showed that a home filled with smart devices could be exposed to more than 12,000 hacking attacks from across the world in a single week, with a total of 2,684 attempts to guess weak default passwords on just five devices.
Minister for Cyber,
Viscount Camrose said: As every-day life becomes increasingly
dependent on connected devices, the threats generated by the internet multiply
and become even greater.
From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world first laws that will make sure their personal privacy, data and finances are safe.
We are committed to making the
UK the safest place in the world to be online and these new regulations mark a
significant leap towards a more secure digital world.
Data and Digital Infrastructure Minister, Julia Lopez, said: Today marks a new era where consumers can have greater confidence that their smart devices, such as phones and broadband routers, are shielded from cyber threats, and the integrity of personal privacy, data and finances better protected.
Our pledge to establish the UK
as the global standard for online safety takes a big step forward with these
regulations, moving us closer to our goal of a digitally secure future.
OPSS Chief Executive, Graham Russell said: The use and ownership of consumer products that can connect to the internet or a network is growing rapidly. UK consumers should be able to trust that these products are designed and built with security in mind, protecting them from the increasing cyber threats to connectable devices.
As the UK’s product
regulator, OPSS will be ensuring consumers can have that confidence
by working with the industry to encourage innovation and compliance with these
new laws.
NCSC Deputy Director for Economy and Society, Sarah Lyons said: Smart devices have become an important part of our daily lives, improving our connectivity at home and at work; however, we know this dependency also presents an opportunity for cyber criminals.
Businesses have a major role to
play in protecting the public by ensuring the smart products they manufacture,
import or distribute provide ongoing protection against cyber-attacks and this
landmark Act will help consumers to make informed decisions about the security
of products they buy.
I encourage all businesses and
consumers to read the NCSC’s point of sale leaflet, which explains
how the new Product Security and Telecommunications Infrastructure (PSTI)
regulation affects them and how smart devices can be used securely.
With 57% of households owning a
smart TV, 53% owning a voice assistant and 49% owning a smart watch or fitness
wristband, this new regime reinforces the government’s commitments to
addressing these threats to society and the economy head on.
The laws are coming into force
as part of the Product Security and Telecommunications Infrastructure (PSTI)
regime, which has been designed to improve the UK’s resilience from
cyber-attacks and ensure malign interference does not impact the wider UK and
global economy.
The new measures will also introduce
a series of improved security protections to tackle the threat of
cyber-crime:
Common or easily guessable passwords like ‘admin’ or ‘12345’ will be banned to prevent vulnerabilities and hacking
Manufacturers will have to publish contact details so bugs and issues can be reported and dealt with
Manufacturers and retailers will have to be open with consumers on the minimum time they can expect to receive important security updates
Rocio Concha, Which? Director
of Policy and Advocacy, said: Which?
has been instrumental in pushing for these new laws which will give consumers
using smart products vital protections against cyber criminals looking to
launch hacking attacks and steal their personal information.
The OPSS must provide
industry with clear guidance and be prepared to take strong enforcement action
against manufacturers if they flout the law, but we also expect smart device
brands to do right by their customers from day one and ensure shoppers can
easily find information on how long their devices will be supported and make
informed purchases.
David Rogers, CEO of Copper Horse, said: We started this work many years ago so that people would not have to understand lots about the security of connected products in order to be secure. Getting rid of things like default passwords that are set to ‘admin’ or ‘12345’ are fundamental basics.
Manufacturers should not be providing anyone with products like webcams that are so weak and insecure that they are trivial to hack into and take over. This stops now and people can have greater confidence that the internet connected products that they buy have better security measures built-in to protect them.
The UK government has
collaborated with industry leaders to introduce this raft of transformative
protections, which also include manufacturers having to publish information on
how to report security issues to increase the speed at which they can address
these problems. In addition, consumers and cyber security experts can play an
active role in protecting themselves and society from cyber criminals by
reporting any products which don’t comply to the Office for Product Safety and
Standards (OPSS).
The government is beginning the
legislative process for certain automotive vehicles to be exempt from the
product security regulatory regime, as they will be covered by alternative
legislation.
This new regime intends to
increase consumer confidence in the security of the products they buy and use,
delivering on one of the government’s five priorities to grow the economy. The
new laws are part of the government’s £2.6 billion National Cyber Strategy to protect and
promote the UK online.
Background: Lloyds Banking Group suffered 48-hour online attack this month as cybercriminals attempted to block access to 20m UK accounts.
The denial of service attack ran for two days from Wednesday 11 January to Friday 13 January, as Lloyds, Halifax and Bank of Scotland were bombarded with millions of fake requests, designed to grind the group’s systems to a halt. Usually in a denial of service (DOS) attack the criminals demand a large ransom, to be paid in bitcoins, to end the onslaught.
However, no accounts were hacked or compromised during the attack, and Lloyds did not pay a ransom.
In a cat-and-mouse game across the planet, IT security experts at Lloyds “geo-blocked” the source of the attack. This effectively drops a portcullis over the server launching the attacks, but also stops legitimate customer requests from that area too. The cybercriminals then move to another server, and the geo-blocking game begins again.
Inputs: UK government press release & industry association statements.