The UK has introduced the Product Security and Telecommunications Infrastructure (PSTI) bill to protect IoT devices. The new law will require manufacturers, importers and distributors of digital tech which connects to the internet or other products to make sure they meet tough new cyber security standards – with heavy fines for those who fail to comply.
The PSTI will allow the government to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products.
“Every day hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft. Our bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards,” says Julia Lopez, Minister for Media, Data, and Digital Infrastructure.
The Bill will also speed up the roll out of faster and more reliable broadband and mobile networks by making it easier for operators to upgrade and share infrastructure. The reforms will encourage quicker and more collaborative negotiations with landowners hosting the equipment, to reduce instances of lengthy court action which are holding up improvements in digital connectivity, says an official release.
With increases in devices vulnerable to attacks, the PTSI bans on easy-to-guess default passports that come preloaded on devices – such as ‘password’ or ‘admin’ – which are a target for hackers. Manufacturers will be mandated to alert customers at the point of sale, and keep them updated, about how long a product will receive vital security updates and patches. If there are no security update plans in place, that must also be disclosed. New rules require manufacturers to provide a public point of contact to make it simpler for security researchers and others to report when they discover flaws and bugs in products.
This new cyber security regime will be overseen by a regulator, which will be designated once the Bill comes into force, and will have the power to fine companies for non-compliance up to £10 million or four per cent of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.
The Bill applies to ‘connectable’ products, which includes all devices that can access the internet – such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants and smart home appliances such as washing machines and fridges.