New law could turn UK into a hacker's playground

It looks as if people are at last waking up to a second extraordinarily dangerous requirement buried within a UK government bill designed to promote the nation as a surveillance state. It means bureaucrats can delay or prevent distribution of essential software updates, making every computer user far less secure.

This incredibly damaging limitation is just one of the many bad ideas buried in the UK's latest piece of shoddy tech regulation, the Investigatory Powers Act. What makes the law doubly dangerous is that in the online world, you are only ever as secure as your least secure friend, which means UK businesses will likely suffer by being flagged as running insecure versions of operating systems.

I’ve written about the bill before, of course. The proposals are so appalling that Apple, WhatsApp, Meta, and others are quite prepared to shutter messaging services for UK customers if need be.

I expect Apple will make good on this threat; it is not prepared to negotiate the safety of its users. You can read its nine-page statement on the matter for more insights.

Make no mistake, the proposals from the UK Home Office will make the internet less secure. UK users will become magnets for complex attacks as hackers, rogue governments, and well-organized criminals exploit any newly revealed threats in the UK as they know the law will automatically generate a delay before software updates ship.

The rest of the world might have patched any such flaws, but the UK might not. That means if you want to create a botnet, spread phishing attacks, or design complex multi-stage attacks, you’ll target UK computer users first, because they will be less well-protected by design.

Given the dangers of phishing, ransomware and every other kind of genuine online harm, the impact of that will be to threaten business interests on a global basis. The repercussions will be felt as high-profile attacks against UK targets take place, even as international partners begin to avoid online connections with the nation.

No one wants to expose their corporate systems to ransomware from dealing with a poorly protected UK IP address.

Under the proposed laws, tech firms will be obliged to share any security updates they need to publish with the UK government before they are released. The government can then delay or even forbid release of the software — and there is no review system companies can turn to if they think the decision is wrong.

In addition, the government can forbid software updates that repair security gaps the government itself is using for surveillance. “Together, these provisions could be used to force a company like Apple, that would never build a backdoor, to publicly withdraw critical security features from the UK market, depriving UK users of these protections,” Apple has warned.

The laws as proposed aren’t even in line with international agreements, such as the EU’s GDPR or US CLOUD Act, which means Apple and others will be unable to follow them, even if they choose to do so.

Given that the digital sector contributed around 7.7% of the total value to the UK economy in 2022, it seems uniquely stupid to attempt to put these regulations in place. Not only will they make UK users far less secure while generating a proliferation of malware, they also threaten to damage an already weak economy.

Passing a regulation like this has major implications, and within the context of the tight digital relationships between the nation and its allies, will impact internet security on a global basis.

It is, to coin a UK expression, utterly and completely bonkers, a dangerously stupid act of economic self-harm.
