The government has published a new bill that aims to increase IT security by targeting a key weak point in cyber architecture – home smart devices.
Among the key elements of the Product Security and Telecommunications Infrastructure (PSTI) Bill are a ban on easily guessed default passwords, the creation of a public point of contact for security researchers to highlight flaws in systems, and a requirement that customers be advised, when they purchase a product, when it will get important security updates and patches.
In the latter case, if there will be no updates, the buyer of the product must be informed of this.
The aim of the new bill is to make it harder for cyber criminals to hack into systems via domestic devices. As the BBC reports, past cases have included hackers using an internet-connected fish tank to steal data from a casino in the US, while the misuse of a hacked home wi-fi router to download illegal child abuse images led to an innocent couple being accused of the crime.
All this will now be overseen by a regulator, with stiff fines being levied for breaches of the new law once it comes into force. This could see companies being fined up to £10 million or four per cent of their global turnover, with additional fines of up to £20,000 a day for unresolved breaches. This applies both to makers and sellers of such items.
The new rules will apply to everything from smartphones to wi-fi routers, games, security cameras and ‘internet of things’ devices, since all of these are potentially vulnerable to being used in cyber attacks.
Many people needing IT support in Doncaster will have found to their cost that their security infrastructure has been compromised because failings in other devices such as smartphones have given hackers a way in to other systems, bypassing their main IT infrastructure and security.
The fact sheet on the bill notes that it is being drawn up after consultation with the telecoms sector, landlords and the public, amid a widespread acceptance that this area of security needs to improve.
It went on to note: “Forecasts suggest that there could be up to 50 billion connectable products worldwide by 2030, and on average there are nine in each UK household.”
All this could make many people and wider IT systems vulnerable, as the sheet noted that at present, “the adoption of cyber security requirements within these products is poor”. It added that “while only one in five manufacturers embed basic security requirements in consumer connectable products, consumers overwhelmingly assume these products are secure”.
The nature of these attacks remains different from those aimed directly at companies. According to cyber security firm Cyren, phishing attacks remain the most common form of cyber attack aimed at companies.
That remained the case across different sectors, although there was some variance; phishing accounts for 76 per cent of attacks in the finance and healthcare sector, rising to 93 per cent for real estate.