A Bill to make provision about the security of internet-connectable products and products capable of connecting to such products; to make provision about electronic communications infrastructure; and for connected purposes.
The Bill builds on the UK Government's Code of Practice for Consumer IoT Security, published in 2018 (which in turn informed the ETSI EN 303 645 standard for consumer IoT cybersecurity). The Code sets out 13 guidelines that manufacturers should follow as good practice for improving the cybersecurity of Internet of Things (IoT) products, including designing products without universal default passwords and providing timely software updates.
The PSTI is a key development in the UK's commitment to improving the cybersecurity of products, as detailed in the government's response to its call for views on proposed domestic legislation on product cybersecurity (found here).
It also forms part of a series of proposed legislation in the UK and EU, such as the EU's proposed revision of the General Product Safety Directive (GPSD) (as discussed in our article, here).
The PSTI, however, promises to be more focused on cybersecurity than other, more general legislation: Part 1 of the draft Bill is dedicated to the cybersecurity of products, whilst Part 2 concerns telecommunications infrastructure, with the aim of expediting negotiations between landowners and mobile network providers in support of the government's 4G, 5G and broadband coverage strategy.
Defining applicable products
The PSTI applies to consumer connectable products, which the Bill defines in a rather convoluted fashion, jumping between relevant sections of the Bill. The explanatory notes helpfully define them as "consumer products which can connect to the internet or other networks, and can transmit and receive digital data" and clarify that such products are also called Internet of Things devices.
Examples include smart TVs, security cameras, and alarm systems.
Second-hand consumer connectable products are proposed to be exempt, given the impractical obligations that businesses and consumers would otherwise face in complying with the PSTI's requirements.
Granting powers to specify product requirements
The PSTI grants the Secretary of State for Digital, Culture, Media and Sport the power to specify security requirements and to ensure that these minimum requirements are complied with, and sets out how such powers may be exercised.
Initial security requirements are aimed towards achieving:
A ban on universal default passwords, which are easy to guess.
A requirement to inform customers at the point of sale of the minimum period for which a product will receive security updates. If the product will not receive security updates, customers must be told so.
A requirement that manufacturers implement a process allowing security researchers (and other members of the public) to report security vulnerabilities in their products.
Duty of relevant persons
The PSTI defines relevant persons as:
Applicable duties include ensuring that a statement of compliance accompanies a consumer connectable product before it is made available on the UK market, investigating a potential compliance failure by a manufacturer or importer, and taking corresponding action to remedy any such failure.
The principal enforcement powers and actions are:
The Secretary of State’s powers to enforce, and delegate enforcement functions.
Compliance and stop notices.
Fines of up to £10 million or 4% of global revenue, whichever is greater (a model similar to the GDPR's).
Why these proposals are deemed necessary
The government's rationale for drafting the PSTI centres on the large number of IoT devices that continue to be reported as having inadequate cybersecurity, leaving consumers vulnerable to cyber-attacks. Poor cybersecurity gives attackers a point of entry into the victim's network, from which they can move on to other systems and exfiltrate data, for example as part of a ransomware attack.
Full article here