NCC Group welcomes UK Product Security and Telecommunications Infrastructure (PSTI) Bill
The UK Government has introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill to Parliament, paving the way for new security requirements on ‘consumer connectable products’ to better protect UK home devices from hackers.
The security requirements, to be set out in regulations at a later date, will:
- Ban default passwords
- Require products to have a vulnerability disclosure policy
- Require transparency about the length of time for which a product will receive important security updates.
The Bill requires manufacturers, importers and distributors (including online marketplaces) that trade consumer connectable products to meet these new requirements. The Bill will also place duties on these traders to ensure products are accompanied by a statement of compliance and that action is taken where there has been a compliance failure.
Firms that fail to meet these new regulations could face fines of up to £10 million or four per cent of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention. The regulator, who is yet to be appointed, will also be able to issue notices to companies to ensure they comply with requirements, recall their products, and in severe cases stop them from selling or supplying a product altogether.
A consumer connectable product is defined as an internet-connectable or network-connectable product. This means that the regulations will apply to a wide range of products, including smartphones, connected cameras, TVs and speakers, smart home assistants, connected home automation and alarm systems, and wearable connected fitness trackers.
The government intends to exempt some products where it has concluded that they would be subject to double regulation or not lead to material improvements in product or user security. This includes vehicles, smart meters, electric vehicle (EV) charging points and medical devices. Second-hand connectable products will also be exempt; however, the Bill gives ministers powers to extend the scope of the Bill as cyber threats and risks change in future.
Following Royal Assent of the Bill, expected next year, the government will provide at least 12 months’ notice to enable traders to adjust their business practice before the legislative framework fully comes into force.
The new legislation follows similar moves in other jurisdictions across the globe. The European Commission recently adopted a delegated act that covers ‘devices capable of communication via the Internet’. Meanwhile, earlier this year the Australian Government indicated it will introduce mandatory security requirements for smart devices, and the US Government published its Internet of Things Cybersecurity Improvement Act of 2020, setting out guidelines for the federal government’s use of IoT devices.
Kat Sommer, Head of Public Affairs at NCC Group, said: “NCC Group recently supported an investigation by Which?, referenced in the announcement of the Bill, which found that a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks in a single week. This highlights an urgent need for better security across connected devices.
“NCC Group welcomes the introduction of this new Bill, which will undoubtedly strengthen the safety and security of smart products. We look forward to seeing more detail around the Government’s proposed requirements in forthcoming regulations, and hope that the requirement for a vulnerability disclosure policy is accompanied with better legal protections for cyber security researchers, through reform of the UK’s Computer Misuse Act 1990.
“The UK is one of several global jurisdictions looking to strengthen the cyber security of smart consumer devices, and manufacturers and distributors across the globe need to ensure they are prepared for this and compliant ahead of time.”