Opinion: The Product Security and Telecommunications Infrastructure Bill

AUGUST 24, 2021

DAVE MAREELS

Following “extensive engagement with the National Cyber Security Centre, tech and retail industry stakeholders, consumer groups and academia”, the UK Government has introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill. The Product Security measures, making up Part One of the Bill, focus on improving the security of “consumer connectable products”, namely the increasingly ubiquitous smart devices, including smart TVs, fridges, home security systems, speakers and even baby monitors.

Research carried out by the government found that “the adoption of cyber security requirements within these products is poor, and while only 1 in 5 manufacturers embed basic security requirements in consumer connectable products, consumers overwhelmingly assume these products are secure”. The Bill aims to ensure that these products “are more secure against cyber attacks, protecting individual privacy and security” by requiring “manufacturers, importers and distributors to comply with new security requirements relating to consumer connectable products” and by introducing sanctions to enforce these new requirements.

This is a bold move by the government to start holding companies to account, and definitely a step in the right direction. Current practices could be seen as laughable, but they should instead be seen as criminal. If a lock manufacturer created a lock that invited unsavoury characters into your house there would be an outcry; it is bewildering that society allows IoT consumer device manufacturers to do the digital equivalent. This may be too little, far too late. A notable security incident affecting consumer connectable products is a flaw in Amazon Ring Video Doorbells, which could have given hackers access to the user’s Wi-Fi network and, from there, to other connected devices. Default passwords on devices and products can also pose a backdoor risk to the user’s network, and these standard passwords are one of the things that the PSTI Bill would prohibit manufacturers and producers from using.

I think security should be looked at in the same way as the CE Mark, a declaration from manufacturers that a “product meets all the legal requirements for CE marking and can be sold throughout the EEA”. Post-Brexit, the new UKCA (UK Conformity Assessed) product marking is used for goods being placed on the market in Great Britain (England, Wales and Scotland). It covers most goods which previously required the CE marking, known as ‘new approach’ goods (UK Gov). Perhaps the product security requirements should have been wrapped up in the change to UKCA marking instead of adding new legislation? Security in products should not be seen as above and beyond the core safety measures in product benchmarking. Manufacturers will argue their devices are exempt from the new regulation and, by virtue of it being an additional measure, will see it as a further hindrance to getting their products to market.

The challenge of implementing legislation to govern IT security is that the threat landscape is evolving so rapidly. New tactics, techniques and procedures are developing all the time, and as an example of the growing cybercrime industry, “In Q3 2021, Spamhaus Malware Labs identified 2,656 botnet C&Cs compared to 1,462 in Q2 2021. This was an 82% increase quarter on quarter!” The speed at which IT security moves makes keeping this legislation current difficult; I reserve judgement on whether the requirements will be relevant, or able to adapt, in a few years.

This may create a black market on popular shopping sites for cheap goods that don’t conform to the regulations; a two-tier market may emerge, of those who can afford products with appropriate security and those who cannot. Another factor is that many individuals do not consider themselves “important” enough to hack, or simply don’t consider cyber risks to be applicable to themselves. This means that if the same product, minus the security controls, is available at a cheaper price, why should they not save the money? There’s another important aspect here, the necessity of cyber awareness and education campaigns, but that is perhaps a subject for another blog…


For more information about SOC.OS, contact info@socos.io