The Product Security and Telecommunications Infrastructure Bill – an important development in UK IoT cybersecurity law
The UK Government has recently introduced the Product Security and Telecommunications Infrastructure Bill (PSTI), which aims to protect consumer connectable devices from cyber-attacks.
It follows the UK Government’s Code of Practice published in 2018 (which in turn influenced the EU’s ETSI EN 303 645 cybersecurity standards for IoT devices). The Code sets out 13 guidelines for manufacturers to follow as good practice for ensuring greater cybersecurity of Internet of Things (IoT) products including designing products without default universal passwords, and timely software updates.
The PSTI is a key development in the UK’s commitment to improving the cybersecurity of products as detailed in its response to its calls for views on a proposed domestic legislation focusing on the cybersecurity of products (found here).
It also forms part of a series of proposed legislation in the UK and EU such as the proposed EU’s revised GPSD regulations (as discussed in our article, here).
The PSTI, however, promises to be more focused on cybersecurity than other more general legislation, as Part 1 of the draft Bill is dedicated to the cybersecurity of products whilst Part 2 concerns telecommunications infrastructure with the aim of expediting negotiations between land owners and mobile network providers to achieve the government’s 4G, 5G, and broadband coverage strategy.
This article focuses on Part 1.
Definitions of technical terms
Internet of Things (IoT): A network of separate but interrelated devices that have unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
Exfiltrate: An unauthorised transfer of data from a computer or other device.
Ransomware: A type of malware that encrypts data which is then used to demand a ransom from the victim.
The primary points for consideration in Part 1 of the draft Bill are:
Defining applicable products
The PSTI applies to consumer connectable products which the Bill defines in a rather convoluted fashion jumping between relevant sections of the Bill, but the explanatory note helpfully defines it as “consumer products which can connect to the internet or other networks, and can transmit and receive digital data” and clarifies that such products are also called Internet of Things devices.
Examples include smart TVs, security cameras, and alarm systems.
Proposed exempted products are second-hand consumer connectable products given the impractical obligations that businesses and consumers would face in complying with the PSTI’s requirements.
Granting powers to specify product requirements
The PSTI grants the Secretary of State for Digital, Culture, Media And Sport the power to specify requirements and ensure the minimum requirements are complied with, along with setting out how such powers can be exercised.
Initial security requirements are aimed towards achieving:
- A ban on universal default passwords that are easy-to-guess.
- A requirement to inform customers from the outset about the minimum amount of time until a product will receive crucial software updates. If the product does not come with these security updates, customers will need to be informed of this.
- An implementation by product manufacturers of a process to allow security researchers (and other public users) to report design flaws or bugs in their products.
Duty of relevant persons
The PSTI defines relevant persons as:
Applicable duties include requiring statements of compliance to accompany a consumer connectable product before making them available in the UK market, investigating a potential compliance failure by an importer or manufacturer, and taking corresponding action to remedy such failure(s).
The principal enforcement powers and actions are:
- The Secretary of State’s powers to enforce, and delegate enforcement functions.
- Compliance and stop notices.
- Fines of £10 million or 4% of global revenues (similar to the GDPR).
Why these proposals are deemed necessary
The government rationale for drafting the PSTI centres around the large number of IoT devices that continue to be reported as possessing inadequate cybersecurity which leaves consumers vulnerable to cyber-attacks. Poor cybersecurity allows for a point of entry for attackers to enter into the victim’s network and exfiltrate data as part of a ransomware attack.
Consumers often assume that all IoT devices are secure because they would not be for sale otherwise, and their lack of understanding concerning cybersecurity features in devices is another underlying reason for the PSTI.
The Bill’s stage and how companies can prepare
As of the date of this article, the PSTI is entering the second reading stage in the House of Commons which is only the second of the twelve stages required for legislation to be passed. Although these are very early stages, manufacturers, in particular, should start to prepare by ensuring their products are broadly aligned with the Code of Practice 2018 guidelines and the EN 303 645 to ensure compliance and a smooth transition for when the final Act is passed.
This Bill has the potential to be hard-hitting to parties throughout the product lifecycle should it be passed in its current form. Legal advice on the development, and applicability, of this Bill and other similar legislation is recommended.