The U.K. government has introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill in Parliament to strengthen the security of consumer Internet of Things (IoT) devices against rising hacker intrusions. The new legislation requires IoT manufacturers, importers, and distributors to meet certain cybersecurity standards. The Bill supports the introduction of gigabit-capable broadband and 5G networks to protect citizens against the risks associated with insecure consumer-connected devices.
Risks with Unsecured IoT Devices
Consumer IoT devices like smart baby monitors, smart bulbs, smart speakers, smart TVs, fitness trackers, smartphones, etc., provide easy access to vast information, making lives easier and more connected. According to the Department for Digital, Culture, Media, and Sport (DCMS), it’s estimated that there could be up to 50 billion IoT devices across the globe by 2030, and on average, there are nine in each U.K. household. But the implementation of necessary cybersecurity measures within these IoT devices is poor, with only one in five manufacturers embedding basic security requirements. Millions of users’ data could be exposed to cybercriminals due to these unsecured connected devices.
The PSTI Bill will:
- Ban default passwords, as they are an easy target for cybercriminals
- Require products to have a vulnerability disclosure policy
- Require transparency about the length of time for which the product will receive important security updates
- Require manufacturers, importers, and distributors to comply with new security requirements relating to consumer connectable products
- Create an enforcement regime with civil and criminal sanctions aimed at preventing insecure products from being made available on the U.K. market
- Ensure that consumer connectable products, such as smart TVs, internet-connectable cameras, and speakers, are more secure against cyberattacks, protecting individual privacy and security
- Amend the Electronic Communications Code to support the quick and efficient rollout of gigabit-capable broadband and 5G networks in a way that balances the interests of landowners, telecoms operators, and the public
- Align the process and framework for renewal agreements with those for new agreements and encourage more collaborative negotiations; and
- Introduce measures that will help optimize the use of existing infrastructure
The PSTI Bill Addresses IoT Risks by:
- Providing Ministers with powers to specify and amend minimum security requirements in relation to consumer connectable products
- Placing duties on the manufacturers, importers, and distributors that must be complied with in relation to these products
- Giving powers to take enforcement action against breaches of these duties
The new regulations, jointly developed by DCMS and the National Cyber Security Centre, are intended for companies that manufacture, import, and sell consumer IoT devices in the U.K.
Following Royal Assent of the Bill, the U.K. government will provide at least 12 months' notice to enable manufacturers, importers, and distributors to adjust their business practices before the legislative framework comes into force. The government also said that non-compliance might lead to a fine or penalties.
“A primary aim of this approach has been to ensure that interventions in this space are maximally effective whilst minimizing impact on organizations involved in the manufacture and distribution of consumer connectable products,” the DCMS said.