Policy background
- The Government is committed to improving connectivity and ensuring all premises can achieve a good broadband speed. Gigabit-capable broadband is enabling infrastructure that will drive UK economic growth. It is the backbone of 5G mobile connectivity, which allows quick digital transactions and services which, in turn, will encourage innovation and enable personalised, efficient delivery of public services. The Covid pandemic showed that being connected helped businesses to run, families to stay in touch, allowed children to keep up with their education and supported society to function at a time of crisis.
- Greater connectivity will increase the demand for consumer connectable products such as smart speakers, smart TVs and wearable technology and the digital services they enable. In 2021, the average UK household had nine consumer connectable products in their home, with many lacking basic cyber security protections. Poorly secured consumer connectable products threaten individuals’ online security and, subsequently, their privacy and safety.
- When security flaws of products in the home are exploited, significant problems can ensue. Devices with weak security can be compromised, and be used in large-scale cyber attacks, such as Distributed Denial of Service ("DDoS") attacks. The impact of such attacks can reverberate across the wider UK, and global, economy.
- The Government is committed to protecting UK consumers from cyber threats and preventing the economic loss that results from attacks of this kind (estimated at over £1 billion per annum). To protect consumers, legislation to improve connectivity is paired with legislation to improve consumer-facing cyber security. The Product Security and Telecommunications Infrastructure Act 2022 has been designed to improve the UK’s resilience to cyber attacks, and improve connectivity for individuals and businesses across the UK.
Part 1: Product Security
- Consumer connectable products are consumer products that can connect to the internet or other networks, and can transmit and receive digital data. Examples of these products include smartphones, smart TVs, smart speakers, connected baby monitors and connected alarm systems. They are also known as consumer "Internet of Things" devices ("IoT") or consumer "smart" devices. In 2020, there were an estimated 12.9 billion consumer connectable products worldwide.
- As electrical products, they are subject to product safety regulation including the Consumer Protection Act 1987 and the General Product Safety Regulations 2005. To ensure these products do not create radio interference, many of them are also subject to the Radio Equipment Regulations 2017 (SI 2017/1206). The existing regimes, however, do not create minimum security requirements.
- Insecure products can be used in ways not intended by the consumer, such as the case of security cameras being compromised in Singapore. In addition, insecure products can act as the "point of entry" across a network, enabling attackers to access valuable information, such as the attackers who were able to access a US casino’s customers’ details via a connected thermometer in a fishtank.
- Devices can be compromised at scale and enrolled in "botnets" used for DDoS attacks. For example, in 2016, cyber criminals compromised 300,000 products with the Mirai malware. The attackers used the combined network capacity of the infected devices to successfully disrupt many news and media websites, including the BBC and Netflix. Mirai was able to spread to so many devices because weak security practices, in particular universal default passwords, were widespread.
- In 2017 and 2018, a range of vulnerabilities were identified in the web service that connected to a smart watch brand that is marketed at children. The vulnerabilities allowed an attacker to access personally identifiable information including the linked mobile phone number and GPS coordinates for each watch.
- UK consumers are rarely able to make security conscious choices at the point of purchase due to a lack of information and so cannot easily protect themselves from cyber threats. A 2020 UCL study surveyed 270 common consumer connectable products and found that consumers were not given clear information outlining how long their connectable product would be supported with security software updates. Without clear information, consumers overwhelmingly assume that a product is secure because it is for sale, so vulnerable devices see continued use in homes where the consumer has no idea that the product represents a risk.
- In response to growing concerns about the vulnerability of baby monitors and domestic CCTV cameras to hacking, the National Cyber Security Centre issued a warning and guidance for consumers to adjust the security settings of products they purchase.
- The Government committed to ensuring that "the majority of online products and services coming into use become "secure by default" by 2021" in its 2016 National Cyber Security Strategy. In March 2018, the Government consulted on its Secure by Design Report and this was followed with the publication of the voluntary Code of Practice for Consumer IoT Security in October 2018, which recognised the ever growing number and types of consumer connectable products. The code shifted the approach to securing devices by moving the burden away from consumers and instead used policy to encourage security features to be built into products at the design stage.
- The Government sought to find an international consensus on how to better secure consumer connectable products. Following partnerships with the UK, Australia’s Department of Home Affairs (2020) and India’s Department for Telecommunications (2021) have both published Codes of Practice that are consistent with the 13 principles that the UK first published in 2018.
- The Government has also worked with the European Telecommunications Standards Institute ("ETSI") to create a new globally applicable standard ETSI EN 303 645: Cyber Security for Consumer Internet of Things: Baseline Requirements, which is consistent with the 13 principles of the UK’s Code of Practice. ETSI has over 900 members from 65 countries. Adopted in June 2020, ETSI EN 303 645 is the first globally-applicable technical standard for the cyber security of consumer connectable products.
- While the Government encouraged industry to adopt the guidelines in the UK’s Code of Practice for Consumer IoT Security, voluntary compliance was slow, and poor security practices remain commonplace. At the time of its publication in 2018, the Internet of Things Security Foundation estimated that 9 per cent of manufacturers maintained an adequate vulnerability disclosure programme. By 2019, the figure was still only 13 per cent.
- In May 2019, the Government launched a consultation on legislative proposals for the cyber security of consumer connectable products. Responses to the consultation demonstrated widespread support for the introduction of a mandatory cyber security baseline aligned with priority security requirements as outlined in the Code of Practice.
- The Government published detailed proposals for regulating the cyber security of consumer connectable products as part of a Call for Views in July 2020. Responses to this Call for Views further supported the Government’s position that widespread compliance with the priority security requirements from ETSI EN 303 645 will have the greatest impact in protecting UK consumers purchasing connectable products.
- The Act creates powers for ministers to specify security requirements relating to consumer connectable products. Businesses involved in making these products available to UK customers will need to comply with these requirements. The Government intends to use these powers to place requirements based on three of the original guidelines in the 2018 Code of Practice, and provisions in ETSI EN 303 645, on a statutory footing. These new statutory security obligations will include a ban on the use of universal default passwords and easily guessable default passwords, a requirement for manufacturers to enable the reporting of security vulnerabilities, and a requirement for manufacturers to make publicly available the minimum period of time that the product will receive security updates.
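As an added example (not text from the Act, the Code of Practice or ETSI EN 303 645), the check below shows how the first of those requirements, the ban on universal and easily guessable default passwords, could be enforced on a manufacturer's production line before devices ship. It audits a batch of factory-provisioned credentials and flags any password that is shared between units (a universal default), sits on a deny list of well-known defaults, or is trivially derived from information printed on the device label such as the serial number or MAC address. The deny list, the batch of devices and the threshold values are all constructed for illustration.

```python
"""Added example: production-line audit of factory default passwords.
Flags universal defaults (shared across units) and easily guessable
defaults (deny list, short, repeated, sequential, or derived from the
serial number / MAC address). Deny list and sample data are constructed."""
from collections import Counter

# Constructed deny list of well-known universal defaults (assumption:
# a real list would be far larger and drawn from observed botnet wordlists).
COMMON_DEFAULTS = {
    "admin", "password", "passw0rd", "12345678", "1234", "root",
    "default", "0000", "user", "guest",
}
MIN_LENGTH = 8  # assumed minimum length for a per-device default


def guessable_reason(password, serial, mac):
    """Return why a factory default is easily guessable, or None if it passes.
    Checks: deny list, length, single repeated character, sequential digits,
    and derivation from the serial number or MAC address on the device label."""
    pw = password.lower()
    if pw in COMMON_DEFAULTS:
        return "on common-default deny list"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if len(set(pw)) == 1:
        return "single repeated character"
    if pw.isdigit() and (pw in "0123456789" * 2 or pw in "9876543210" * 2):
        return "sequential digits"
    mac_hex = mac.replace(":", "").replace("-", "").lower()
    # Attackers can read the label or sniff the MAC, so any password that
    # embeds the serial, the full MAC or its last three octets is public.
    if serial.lower() in pw or mac_hex in pw or mac_hex[-6:] in pw:
        return "derived from serial number or MAC address"
    return None


def audit_batch(devices):
    """Audit a production batch. Each device is a dict with 'serial', 'mac'
    and 'password'. Returns {serial: [reasons]} for every failing device;
    an empty dict means the batch may ship."""
    usage = Counter(d["password"] for d in devices)
    findings = {}
    for d in devices:
        reasons = []
        if usage[d["password"]] > 1:
            reasons.append("default shared with other units (universal default)")
        why = guessable_reason(d["password"], d["serial"], d["mac"])
        if why:
            reasons.append(why)
        if reasons:
            findings[d["serial"]] = reasons
    return findings


# Constructed sample batch: one good unit, one universal default, one
# MAC-derived default, and two units that share the same password.
SAMPLE_BATCH = [
    {"serial": "SN0001", "mac": "00:11:22:33:44:55", "password": "x7Q#pL9v2mTz"},
    {"serial": "SN0002", "mac": "00:11:22:33:44:56", "password": "admin"},
    {"serial": "SN0003", "mac": "00:11:22:33:44:57", "password": "cam334457"},
    {"serial": "SN0004", "mac": "00:11:22:33:44:58", "password": "Gk3!rW8zB1nQ"},
    {"serial": "SN0005", "mac": "00:11:22:33:44:59", "password": "Gk3!rW8zB1nQ"},
]

if __name__ == "__main__":
    for serial, reasons in audit_batch(SAMPLE_BATCH).items():
        print(f"{serial}: FAIL ({'; '.join(reasons)})")
```

The shared-password check is the one that catches the Mirai-style failure mode described earlier: a password that is individually strong is still a universal default if every unit in the batch carries it. The derivation check matters because a per-device password that is just the last six hex digits of the MAC address is unique but still computable by anyone within Wi-Fi range.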
Part 2: Telecommunications Infrastructure
- The Government’s Future Telecommunications Infrastructure Review in 2018 established the importance of the UK telecommunications market to future economic growth. The review concluded that, while the UK is a world leader in "superfast" connectivity, there were several barriers to deployment that inhibit widespread access to the next generation of gigabit-capable broadband. Gigabit-capable broadband coverage is currently at 72 per cent. The Government pledged to review the relevant policy and legal framework to identify ways to overcome any administrative and legal obstacles delaying broadband deployment.
- The 2019 Conservative Party Manifesto pledged to ensure that everyone across the UK gets to enjoy the benefits of greater connectivity and promised to legislate to speed up UK digital connectivity. In November 2020, the Government committed to delivering gigabit-capable broadband to 85 per cent of UK premises by 2025 to support digital growth and innovation.
- The Government is working with industry to target a minimum of 85 per cent gigabit-capable UK coverage by 2025 and to get as close to 100 per cent as possible. The Government is also aiming to ensure that 95 per cent of the UK’s geographic landmass has 4G coverage from at least one mobile network operator by 2025 and that the majority of the UK population has 5G coverage by 2027.
- Rights to install, maintain, upgrade and share telecommunications apparatus are regulated by the Electronic Communications Code ("the Code"). The Code was substantially reformed in 2017, with changes intended to make it cheaper and easier for operators to deploy, upgrade and share their apparatus. While improving the situation in some parts of the industry, subsequent Government engagement highlighted that the 2017 reforms have not been working as intended in a number of key areas.
- In January 2021, the Government therefore ran a consultation on further reform of the Code. Through this process, the Government identified that a number of reforms to the Code were needed to support delivery of the digital communications services that UK consumers and businesses need. These include:
- amendments to operator rights to upgrade and share their apparatus, to optimise the use of existing networks and reduce the need for additional installations;
- changes to support the renewal of certain code agreements that are due to expire or have expired, to bring the process and renewal terms closer to those for new Code agreements;
- promotion of faster and more efficient negotiations by measures promoting the use of alternative dispute resolution ("ADR"), to encourage collaboration and remove any incentive to delay the completion of Code agreements; and
- introduction of a streamlined process for cases where a relevant person, as described in paragraph 20 of the Code, fails to respond to operator requests for Code rights.
- In June 2020, DCMS ran a call for evidence on possible reforms to The Communications (Access to Infrastructure) Regulations 2016 (SI 2016/700). Having a power to amend the Regulations would make them more useful for the digital infrastructure sector so that the impact achieved by the 2016 legislation keeps pace with innovation in the sector and the original policy intent. In light of this, the Act includes a power through which the Secretary of State can amend the Regulations by statutory instrument. Any such instrument will be subject to the affirmative resolution procedure.