The Product Security and Telecommunications Infrastructure (PSTI) Bill, introduced to Parliament, proposes a cyber security regime to be overseen by a regulator.
The Department for Digital, Culture, Media & Sport (DCMS) proposes that the regulator will be able to issue notices requiring companies to comply with security requirements, recall their products, or stop selling or supplying them, among other powers. The Bill applies to ‘connectable’ products, which includes all IoT (Internet of Things) devices that can access the internet, such as smartphones, smart TVs, games consoles, networked security cameras and alarms, and, in the ‘smart home’, voice-activated assistants and appliances. Laptops and desktop computers are not included, nor are second-hand products.
DCMS Minister for Media, Data and Digital Infrastructure Julia Lopez said: “Every day hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft. Our Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”
George Papamargaritis, MSS director at Obrela Security Industries, said: “This is a significant step forward in improving the security of household IoT devices. Many consumers are completely unaware of the risks smart devices can present and often connect them into their homes without any consideration of security. However, research has shown that attackers are using smart technology as a gateway onto home networks, to spy on internet activity, steal confidential information and, in some cases, even identities.
“One of the most commonly used attack vectors is through default passwords, which are easy to guess and preloaded on multiple devices. The fact that this new legislation bans default passwords is a huge step forward and it will encourage device manufacturers to consider security before marketing products, otherwise they could face business-destroying fines.”
Prof John Goodacre, Director of UKRI’s Digital Security by Design and Professor of Computer Architectures at the University of Manchester, said: “Technology is relied upon by nearly everyone in today’s society in all aspects of our day-to-day lives. It reaches our children’s toys, our in-home entertainment systems, speakers and of course our smartphones. This policy provides a basis for the security requirements of those goods to be considered by manufacturers and distributors of goods.
“However, the policy accepts that vulnerabilities can still exist in even the best protected consumer technologies, with security researchers regularly identifying security flaws in products. In today’s world, we can only continue to patch these vulnerabilities once they are found, putting a plaster over the wound once damage may have already been done. Further initiatives are needed for technology to block such wounds from happening at the foundational level. One such initiative, funded by the UK Government through UK Research and Innovation (UKRI), is the Digital Security by Design Programme. Working with industry and academia, the programme aims to limit the impact of these vulnerabilities by taking the next step in cyber security: strengthening the hardware foundation on which software runs.”
Brett Beranek, Vice-President & General Manager at the biometric product company Nuance Communications, described the proposed legislation as welcome and necessary. “The Product Security and Telecommunications Infrastructure Bill serves as a reminder that PINs and passwords are an archaic tool, no longer fit for purpose. Passwords are being sold on the dark web, exploited for fraudulent activity and have even cost businesses and individuals vast sums of money. New global research from Nuance has found that on average victims of fraud lost over £3,200 each in the last 12 months – three times higher than two years ago.”
And Rodolphe Harand, Managing Director at YesWeHack, said: “Recent stories involving the hacking of IoT devices have demonstrated that criminals will look for any opportunity to extort money from victims. Many of these devices lack basic security measures, making them an easy target. It only takes one device to have a weakened defence for an attacker to infiltrate the entire network and take hold of personal data.
“Basic cyber hygiene, such as changing default passwords and regularly updating software, can go a long way to improving the security for these types of devices. With a new unique password needing to be provided by manufacturers, this will essentially offer an additional layer of protection. What’s more, it’s great that the new bill mandates that security researchers are given a public point of contact to highlight flaws and bugs.
“Vulnerability Disclosure Policy (VDP) should be considered an essential asset for every organisation. It provides a secure and structured channel for researchers to contact you with vulnerabilities that they have come across, which could result in severe consequences if not remediated. A VDP is also a strong indicator of your brand’s commitment to security and will provide renewed confidence to customers and partners about the importance of protecting their data.”