October 11, 2022

Does the UK need a cybersecurity regulator?

New rules will compel connected device manufacturers to ensure their products are secure. But will they be implemented?

By Claudia Glover

A new regulatory body may be needed to ensure businesses follow the growing volume of cybersecurity legislation in the UK, MPs heard today. New laws such as the Product Security and Telecommunications Infrastructure Bill, which will govern the security of connected devices, will put an additional compliance burden on device manufacturers.

Parliament’s DCMS committee is investigating connected device security in the UK. (Photo by John Gomez/Shutterstock)

The hearing was part of a Department for Digital, Culture, Media & Sport (DCMS) committee inquiry, Connected Tech: Friend or Foe, which is investigating security issues in connected devices used by businesses and consumers. 

On average, companies in the UK have 100-250 connected devices within their networks, and for larger companies that number grows: 36% of larger companies have more than 1,000 connected devices. According to figures released by the DCMS, 57% of these devices are vulnerable to medium- or high-severity cyberattacks.

New regulatory body for cybersecurity?

The Product Security and Telecommunications Infrastructure Bill was introduced to the House of Commons in May and has been written to address such issues. It puts new responsibilities on device manufacturers to provide security updates to fix flaws, and to notify users when these flaws are uncovered.

At an evidence session today, MPs heard from Matt Lewis, research director at cybersecurity vendor NCC Group, who said that drawing up regulations and making sure they are implemented are two different things.

"I think there might still be a broad assumption that when regulations dictate certain requirements, those will actually get enacted," Lewis said. "What may be missing is some sort of mandated independent third-party validation of security product systems."

At present, enforcement of the new rules will be the remit of the DCMS secretary. The National Cyber Security Centre also offers advice to businesses on security matters, but Lewis said a formal regulator could also advise companies who are trying to abide by new regulations. “Having some sort of guidance to push manufacturers through, so they get that independent validation of the systems they are developing, would be good,” he added. 

The legislation is one of a number of new sets of rules businesses are having to absorb when it comes to cybersecurity. The Telecommunications Security Act came into force last month, while the government also released a new cybersecurity strategy earlier this year.


Telecommunications Infrastructure Bill does not address human failings

Other experts told MPs that there were problems with the rules themselves. Professor George Loukas, professor of cybersecurity at the University of Greenwich, said the bill addresses practical risks in the hardware and software of connected devices, but does nothing to address the human risk element.

“In the vast majority of actual cybersecurity breaches in the real world, there is an element of human deception,” he said. “In almost all cases, you receive a phishing email, and some people, say one out of three, will click on that email, go to a website and get infected by malware. This is how most attacks happen in the real world.” 

Verizon’s 2022 Data Breach Investigations Report states that 82% of breaches in the last year involved the human element. When it comes to connected devices, guarding against these is difficult, Loukas said, particularly as manufacturers have not been active in discussing risks.

“Education is limited at the moment because you don’t have the basic research to know what to teach people,” Professor Loukas said. “The actual manufacturers do not say anything about their products, like what the cyber risk is or what they are secure against,” he added.

While some of this will be addressed by the new laws, Lewis added that a wider view is needed. "Product security is important, but we need to think about those products in the context of the deeper, wider systems in which they interoperate," he said.
