A new regulatory body may be needed to ensure businesses follow the growing volume of cybersecurity legislation in the UK, MPs heard today. New laws such as the Telecommunications Infrastructure Bill, which will govern the security of connected devices, will put an additional compliance burden on device manufacturers.
The hearing was part of a Department for Digital, Culture, Media & Sport (DCMS) committee inquiry, Connected Tech: Friend or Foe, which is investigating security issues in connected devices used by businesses and consumers.
On average, companies in the UK will have 100-250 connected devices within their networks. For larger companies that number will grow. Thirty-six per cent of larger companies have more than 1,000 connected devices. According to figures released by the DCMS, 57% of these are vulnerable to medium or high-severity cyberattacks.
New regulatory body for cybersecurity?
The Product Security and Telecommunications Infrastructure Bill was introduced to the House of Commons in May and has been written to address such issues. It puts new responsibilities on device manufacturers to provide security updates to fix flaws, and to notify users when these flaws are uncovered.
At an evidence session today, MPs heard from Matt Lewis, research director at cybersecurity vendor NCC, who said that drawing up regulations and making sure they are implemented are two different things.
"I think there might still be a broad assumption that when regulations dictate certain requirements, those will actually get enacted," Lewis said. "What may be missing is some sort of mandated independent third-party validation of security product systems."
At present, enforcement of the new rules will be the remit of the DCMS secretary. The National Cyber Security Centre also offers advice to businesses on security matters, but Lewis said a formal regulator could also advise companies that are trying to abide by new regulations. “Having some sort of guidance to push manufacturers through, so they get that independent validation of the systems they are developing, would be good,” he added.
The legislation is one of a number of new pieces of guidance businesses are having to absorb when it comes to cybersecurity. The Telecommunications Security Act came into force last month, while the government also released a new cybersecurity strategy earlier this year.
Telecommunications Infrastructure Bill does not address human failings
Other experts told MPs that there were problems with the rules themselves. Professor George Loukas, professor of cybersecurity at the University of Greenwich, said the bill addresses practical risks in the hardware and software of connected devices, but does nothing to address the human risk element.
“In the vast majority of actual cybersecurity breaches in the real world, there is an element of human deception,” he said. “In almost all cases, you receive a phishing email, and some people, say one out of three, will click on that email, go to a website and get infected by malware. This is how most attacks happen in the real world.”
Verizon’s 2022 breach survey states that 82% of breaches in the last year started with human error. When it comes to connected devices, guarding against such attacks is difficult, Loukas said, particularly as manufacturers have not been active in discussing risks.
“Education is limited at the moment because you don’t have the basic research to know what to teach people,” Professor Loukas said. “The actual manufacturers do not say anything about their products, like what the cyber risk is or what they are secure against.”
While some of this will be addressed by the new laws, Lewis added that a wider view is needed. "Product security is important, but we need to think about those products in the context of the deeper, wider systems in which they interoperate," he said.