Practicality of UK government’s cyber bill criticised by industry experts

The Product Security and Telecommunications Infrastructure (PSTI) Bill falls short in several key areas

Industry experts have responded to the announcement of the Product Security and Telecommunications Infrastructure (PSTI) Bill with mixed views, with some identifying shortfalls in the legislation’s scope.

The bill has generally been greeted warmly by the industry with the common sentiment being that it’s a step in the right direction, working towards a more secure world of internet-facing, connectable devices.

But the bill’s scope has been described as “basic” by some industry experts, saying the laws are a good first step but still don’t go far enough and, in some cases, can potentially exacerbate existing issues.

One such issue is planned obsolescence, arising from the bill’s rule that manufacturers must tell consumers at the point of sale about the product’s lifespan and for how long it will receive security updates.

“Bringing more transparency to customers is valuable. However, if security updates are available for two years, similar to the approach offered with the typical Android phone, and if users are alerted when the end of the two years is up, will this become part of built-in obsolescence?” said David Clarke, head of security at QuoStar.

“Will that mean that new phones, doorbells, fitness wearables, and washing machines need to be bought new again after 24 months, just to ensure customers are continuously supported with updates?”

The PSTI also mandates that a streamlined vulnerability reporting method must be available for each product’s manufacturer, to decrease the time it takes to detect and ultimately patch cyber security vulnerabilities.

Matt Middleton-Leal, managing director of EMEA North at Qualys, argued that the new law is “a good idea in principle but not in practice since in some cases there is no automatic patching mechanism in place”.

“This disclosure mandate is only valuable if there is an automated patching mechanism in place too,” said Middleton-Leal. “The majority of end-users won’t have the skills to carry out these updates themselves, nor will they understand the importance of remediating those vulnerabilities on their devices.

“Telling everyone about the vulnerability but not enforcing a fix before disclosure does not reduce risk,” he added. “If anything, this increases risk when the vulnerability becomes common knowledge, as bad actors then have a red flag to focus their efforts upon and find ways to exploit it.”

The thoughts were echoed by David Clarke who said it may be unlikely that manufacturers can keep up with changes once they are given notice of issues.

Others have expressed a view that the PSTI Bill’s scope is too narrow, not taking a ‘big picture’ view of the cyber security landscape, with additional questions raised about the technical constraints associated with becoming compliant with the law.

“It is essential that governments’ understanding and policy approaches to improving IoT security evolve to keep up with the evolution of IoT threats, many of which can only be stopped at the network level,” said Carla Baker, senior director, government affairs UK & Ireland at Palo Alto Networks.

“Policymakers must complement their focus on steps device manufacturers should take with policies that promote network-level security at scale centred around visibility of IoT devices and the ability to detect and stop devices’ anomalous behaviour.

“Network-level security addresses IoT security regardless of the type of device or its end-use, which is particularly key given that attacks on ‘consumer’ IoT devices can have ramifications in businesses and throughout economies,” she added. “This approach can create resilient networks ready-made for IoT.”

The rules compelling hardware manufacturers to ship devices without default or hard-coded passwords have been met with unanimous praise.

Default and hard-coded passwords were one of the chief criticisms levelled at the IoT industry, and experts agreed the fresh UK law will hopefully go a long way towards securing the future of connected devices.

In some corners of the industry, there is nothing but praise for a “clever” approach to the legislation. Brian Higgins, a security specialist at Comparitech, said the three core pillars of the Bill ensure it lives up to the DCMS’ branding of it being ‘world-leading’.

“It’s been well established that no single nation-state can legislate the Internet. The clever approach by the U.K. government here is to realise the futility of trying and, instead, leverage achievable controls over what our citizens decide to plug into it,” he said.

“These requirements place some long-needed security responsibilities on the consumer, forcing them to implement the most basic of domestic security measures and giving them the necessary information to make informed choices about how they manage the very basics of their own digital lives.

“It’s worth remembering that this is just the first step in a planned programme to improve domestic Cyber Security, it’s actually quite clever if you stop to consider its scope, and it may very well be ‘world leading’ because I’m not sure anyone else is doing it yet,” he added.

But there are other approaches to the law that have been overlooked, according to one leading academic in the security of the Internet of Things.

John Goodacre, director of UKRI’s Digital Security by Design and Professor of computer architectures at the University of Manchester, said more should be done at the design level, as it can prevent vulnerabilities that fall outside the PSTI’s scope from being exploited.

On the topic of the UK government-funded Digital Security by Design (DSbD) programme, he said: “The programme aims to limit the impact of these vulnerabilities by taking the next step to cyber security by strengthening the hardware foundation on which software runs.”

“PSTI will be able to place duties on the manufacturer of consumer connectable products to provide more secure solutions,” he added. “DSbD is focused on increasing the security of the digital components used within these products.

“Therefore, in addition to consumer products being designed and sold to be secure by default, many of the typical vulnerabilities that may still occur in a product can be blocked from exploitation by design.”
