Tech Insight : New UK Law To Eradicate Weak Passwords

Written by: Paul |

Here we look at the new UK cybersecurity law that will ban device manufacturers from having weak, easily guessable default passwords, thereby providing extra protection against hacking and cyber-attacks. 

The Problem 

With 99 per cent of UK adults owning at least one smart device and UK households owning an average of nine connected devices, but with a home’s smart devices potentially being exposed to more than 12,000 hacking attacks in a single week (Which?), the UK government has decided that protective, proactive action is needed. It’s long been known that easy-to-guess default passwords (like ‘admin’ or ‘12345) in new devices and IoT devices have provided access for cybercriminals. An example (from the US) is the 2016 Mirai attack which led to 300,000 smart products being compromised due to weak security features as well as major internet platforms and services being attacked and much of the US East Coast being left without internet. 

The New Laws 

The UK government has introduced the new laws as part of the Product Security and Telecommunications Infrastructure (PSTI) regime. This regime is part of a £2.6 billion National Cyber Strategy, which has been designed to improve the UK’s resilience from cyber-attacks and ensure malign interference does not impact the wider UK and global economy.  

The key security aspects of these new laws are that: 

– Common or easily guessable passwords (e.g. ‘admin’ or ‘12345’) will be banned to prevent vulnerabilities and hacking.  

– Device manufacturers will be required to publish contact details so bugs and issues can be reported and dealt with. 

– Manufacturers and retailers must be open with consumers on the minimum time they can expect to receive important security updates. 

– The government hopes that taking this action will increase consumers’ confidence in the security of the products they buy and use and help the government to deliver on one of its five priorities to grow the economy. 

– The UK’s Data and Digital Infrastructure Minister, Julia Lopez, said of these new laws: “Today marks a new era where consumers can have greater confidence that their smart devices, such as phones and broadband routers, are shielded from cyber threats, and the integrity of personal privacy, data and finances better protected.” 

The Major Role of Businesses 

NCSC Deputy Director for Economy and Society, Sarah Lyons, has highlighted the important role that businesses have to play in protecting the public by “ensuring the smart products they manufacture, import or distribute provide ongoing protection against cyber-attacks”. She has also advised all businesses and consumers that they can read the NCSC’s point of sale leaflet for an explanation of how the new Product Security and Telecommunications Infrastructure (PSTI) regulation affects them and how smart devices can be used securely.  

What Does This Mean For Your Business? 

The issue of weak default passwords in devices enabling cybercrime is not new and the news that the government is finally doing something about via legislation is likely to be well-received. The new laws will have implications for businesses, consumers, and the overall UK economy. 

For example, for device makers (and importers), the requirement to eliminate default password vulnerabilities and to provide clear avenues for reporting security issues places a significant onus on manufacturers to enhance their security protocols. This may not only involve revising the initial security features but also maintaining transparency about the duration of support for security updates. Such changes could, however, require these businesses to invest in better security frameworks, thereby potentially increasing operational costs. That said, it should also improve the marketability and trustworthiness of their products. 

UK businesses stand to gain considerably from these heightened security measures. By bolstering the security standards of connected devices, the new laws may ensure that businesses that rely heavily on such technology, from retail to critical infrastructure, are less susceptible to the disruptions and financial losses associated with cyber-attacks. This enhanced security environment should help maintain business continuity and safeguard sensitive data, thereby helping to foster a more resilient economic landscape. 

The new laws may also mean that consumers, who are increasingly concerned about their digital privacy and the security of their data, may be able to make more informed choices about and experience greater confidence in the products they choose to integrate into their daily lives. With manufacturers required to adhere to stricter security measures and provide ongoing updates, consumers can expect a new level of protection for their connected devices, which translates into safer personal and financial data. 

Economically, by setting a new cybersecurity standard, the UK appears to be positioning itself as a leader in the safe expansion of digital infrastructure. This leadership could boost innovation in cybersecurity measures, potentially leading to growth in the tech sector and creating new opportunities for employment and development. Also, by fostering a safer digital environment, the UK may attract more digital businesses and investments, further stimulating economic growth.