Enforcing Cybersecurity Compliance in the UK: Can it be Done?
Regarding cybersecurity, the UK government deserves credit for its ongoing commitment to awareness and regulation. From the top down, cybersecurity is treated as a priority, and UK politicians do not shy away from highlighting the threat through ongoing campaigns and a succession of cybersecurity bills.
As part of its commitment to securing the nation against the growing threat of cyber attacks, the government has recently introduced a new bill, the Product Security and Telecommunications Infrastructure (PSTI) bill, which aims to tackle the security problems posed by consumer IoT devices.
IoT-connected devices have gone mainstream. Some analysts predict that by 2025 there will be over 40 billion IoT devices in circulation, many of them incorporated into critical business processes. Yet in the first half of 2021, according to Kaspersky, its honeypots recorded over 1.5 billion attacks on IoT devices. The appetite for IoT is enormous, and this has not been lost on malicious actors.
With figures like these, it is no wonder the UK government is focusing on the security of IoT devices. However, there is a significant roadblock: enforcement. This article explores what the Product Security and Telecommunications Infrastructure bill entails and why policymakers will struggle to enforce it in the long term.
What is the Product Security and Telecommunications Infrastructure bill, and why does it matter?
The Product Security and Telecommunications Infrastructure bill has been in development for some time and is a welcome addition to the UK's cyber security strategy. It covers three core requirements aimed at the manufacturers of consumer IoT devices.
The first is a ban on universal default passwords. Devices such as smart TVs often ship with a factory-set password that is shared across every unit of the model and rarely changed by users, so an attacker who learns it once can log in to any of them.
The second is transparency about security updates: manufacturers must state clearly for how long a device will receive security updates. When devices stop receiving updates, they become an easier target for attackers, who can exploit newly discovered weaknesses that will never be patched.
The final requirement is that manufacturers publish a vulnerability disclosure policy, including a point of contact, so that security researchers and users can report weaknesses they find. A manufacturer that can be told about a flaw is in a position to fix it before it is widely exploited.
Few comparable laws exist anywhere in the world to safeguard users of IoT devices, and although the measures outlined in the bill seem obvious, manufacturers have largely ignored them until now. Many commentators believe that, while the bill exists to protect UK consumers, its effects will reach IoT users globally, because building these measures only into products destined for the UK market makes no business or financial sense.
There is no doubt that these measures should force the hand of IoT device manufacturers to provide better cyber security. The trouble arises when it comes to enforcing them. The National Cyber Security Centre (NCSC) has already hinted that much of the interpretation of the bill will be left to individual manufacturers, out of concern that a prescriptive approach would stifle innovation, and that does not bode well for consistent regulatory oversight.
Why is ongoing regulatory oversight an issue in the UK?
Today, there is no dedicated cybersecurity regulator in the UK. While organisations such as the NCSC can publish guidance, no single body is charged with enforcing cybersecurity regulations.
The closest is the Department for Digital, Culture, Media & Sport (DCMS), which sponsored the bill. However, the department has a vast remit, and enforcing individual cybersecurity bills such as the Product Security and Telecommunications Infrastructure bill is unlikely to be a high priority. This means that while the laws are on the statute book, enforcing them is difficult.
Without a trusted regulatory mechanism in place, many believe that simply passing new regulations is futile. Yet it does not have to be this way.
What are other nations doing?
In the United States, several bodies enforce cybersecurity regulations. Perhaps the most significant is the Federal Trade Commission (FTC), which can pursue companies whose inadequate security amounts to an unfair or deceptive practice. Failure to comply can be extremely costly: following the Equifax data breach of 2017, the FTC, the Consumer Financial Protection Bureau and the US states reached a settlement under which Equifax agreed to pay at least $575 million, including up to $425 million for consumer redress.
In the UAE, the UAE Data Office is the recognised regulator that monitors compliance with, and enforces, the country's data protection laws.
In the EU, the General Data Protection Regulation (GDPR) protects consumers from data misuse. Data privacy is often compromised because cybersecurity provisions are insufficient, and national data protection authorities regularly fine organisations for failing to protect personal data in this way. GDPR is only one of several regulations that govern how companies handle EU citizens' data.
Finally, one of the most comprehensive regulatory environments exists in China. Although the country's first cybersecurity law was not enacted until 2016, enforcement provisions are already well established. Three agencies enforce cybersecurity laws in China: the Cyberspace Administration of China (CAC), the Ministry of Public Security, and the Ministry of Industry and Information Technology.
Taking responsibility for the cyber health of your business
Although the UK government has a wide-ranging cybersecurity policy, the lack of enforcement undermines its success. For this reason, organisations often need to take responsibility for the health of their own cybersecurity infrastructure. Knowing how to go about this is rarely easy, even with advice from the NCSC and other bodies. That is why the upcoming UK Cyber Week is so important.
At the UK Cyber Week Expo & Conference, business leaders from every sector will join hundreds of other attendees to learn about cybersecurity threats, including those to IoT-connected devices, and about solutions from a range of industry experts.
You will learn about the latest threats and, more importantly, how to counter them. Find out more on the UK Cyber Week website.