The Product Security and Telecommunications Infrastructure (PSTI) Bill, says the Department for Digital, Culture, Media & Sport, “better protects citizens, networks and infrastructure against the harms enabled through insecure consumer connectable products.”
The ‘consumer connectable products’ include ‘Internet of Things’ or IoT devices: smart speakers, smart TVs, connected heating, lighting and door entry devices, etc. But the UK is going further than the US and EU (which are introducing similar laws) by also including smartphones and ‘wearables’ (e.g., fitness trackers) within the scope of the legislation.
The law will require manufacturers of these products to comply with a set of standards, expected to include:
- prohibiting the use of ‘default passwords’ (where all devices are shipped with the same password, and the consumer is expected to change it);
- ensuring that manufacturers have a means for vulnerabilities discovered to be reported to them; and
- requiring manufacturers to give consumers a commitment on how long devices will receive security updates.
These are good steps forward; our May 2021 home router cyber attack article, based on an investigation by Which?, explained that up to 7.5 million people in the UK could be using a router that hadn’t been updated since 2018 or was using a weak default password. Whilst routers aren’t specifically mentioned in the DCMS list, they’ll hopefully be covered by the ‘Internet of Things base stations and hubs to which multiple devices connect’ product group.
In a broadly similar approach to data protection legislation, there will also be a strong enforcement approach taken; a UK government statement said: “this new cyber security regime will be overseen by a regulator, which will be designated once the Bill comes into force, and will have the power to fine companies for non-compliance up to £10 million or 4% of their global turnover.”