The United Kingdom may soon have stronger regulations in place governing the security of IOT and smart devices.
The House of Commons sent an amended “Product Security and Telecommunications Infrastructure Bill” over to the House of Lords that would permit the Department for Digital, Culture, Media and Sport (DCMS) to regulate the Internet of Things and smart devices in the UK, including through specifying certain security standards to meet and being able to levy fines of the greater of £10 million or 4% of worldwide revenue. The bill also changes how the UK manages telecommunications providers paying for and using physical infrastructure.
One may reasonably ask why a lawyer from the United States (U.S.) concerns himself with technology policy developments in other nations. This may strike some in Washington as strange. In response, I would suggest that how other countries decide to tackle the same problems before the U.S. Congress and President can help illuminate possible paths forward and alternatives to what are often deeply entrenched battle lines in Washington. The granite-like positions in Washington can seem like the only options when, in fact, there are often multiple ways forward. Of course, parliamentary governments have advantages not present in the U.S. system, namely that the prime minister’s party almost always controls the levers of power and has a greater ability to act. However, regarding the matter in today’s article, surprisingly, the U.S. has acted before the United Kingdom.
In this vein, the UK is moving towards enactment of a bill that would address, in part, the security of smart devices and the Internet of Things (IOT). As you might recall, the U.S. Congress managed to enact the “Internet of Things Cybersecurity Improvement Act of 2020” (P.L. 116-207), which seeks to use the buying power of the U.S. government to drive better cybersecurity for IOT (see here for more detail and analysis). Of course, that can only work if the law is implemented, and thus far the Office of Management and Budget has not issued the necessary guidance directing agencies to comply with new standards, even though the National Institute of Standards and Technology (NIST) has fulfilled its responsibilities. It should be noted that this pertains only to the IOT that U.S. agencies buy and use, not to all the IOT available in the U.S. market, leading to the very real possibility of a two-tiered IOT security landscape in the U.S., much in the same way some platforms have one product for the U.S. government and another for the U.S. public. Moreover, I see very little urgency in Washington to address IOT generally, even though it multiplies the ways hackers and malevolent or reckless actors can penetrate systems and networks.
The UK is taking a broader approach and is looking to regulate IOT generally. The “Product Security and Telecommunications Infrastructure Bill” was one of the few bills held over when Parliament prorogued this spring. Late last month, the House of Commons moved the bill through the committee stage and the second and third readings with a handful of amendments added. The bill is now before the House of Lords and may soon be passed there, bringing the two houses to the point of negotiating conflicting language to arrive at a final bill. As such, now is an opportune time to examine the legislation, which would also address obstacles and problems in the rollout of telecommunications networks in the UK, especially those that will be critical for 5G.
The introduction of the “Product Security and Telecommunications Infrastructure Bill” seems to be an admission that the government’s 2018 “Code of Practice for consumer IoT security” did not have the effect its drafters intended. The Code was a list of best practices that IOT developers and manufacturers would ideally adopt, but they were not legally required to do so.