Industry experts have responded to the announcement of the Product Security and Telecommunications Infrastructure (PSTI) Bill with mixed views, with some identifying shortfalls in the legislation’s scope.
The bill has generally been greeted warmly by the industry with the common sentiment being that it’s a step in the right direction, working towards a more secure world of internet-facing, connectable devices.
But the bill’s scope has been described as “basic” by some industry experts, saying the laws are a good first step but still don’t go far enough and, in some cases, can potentially exacerbate existing issues.
One such issue is that of planned obsolescence regarding the bill’s rule that manufacturers must tell consumers at the point of sale about the product’s lifespan and for how it will receive security updates.
“Bringing more transparency to customers is valuable. However, if security updates are available for two years, similar to the approach offered with the typical Android phone, and if users are alerted when the end of the two years is up, will this become part of built-in obsolescence,” said David Clarke, head of security at QuoStar.
“Will that mean that new phones, doorbells, fitness wearables, and washing machines need to be bought new again after 24 months, just to ensure customers are continuously supported with updates?”
The PSTI also mandates a streamlined vulnerability reporting method must be available for each product’s manufacturer to decrease the time it takes to detect and ultimately patch cyber security vulnerabilities.
Matt Middleton-Leal, managing director of EMEA North at Qualys, argued that the new law is "a good idea in principle but not in practice since in some cases there is no automatic patching mechanism in place.
“This disclosure mandate is only valuable if there is an automated patching mechanism in place too,” said Middleton-Leal. “The majority of end-users won’t have the skills to carry out these updates themselves, nor will they understand the importance of remediating those vulnerabilities on their devices.
“Telling everyone about the vulnerability but not enforcing a fix before disclosure does not reduce risk,” he added. “If anything, this increases risk when the vulnerability becomes common knowledge, as bad actors then have a red flag to focus their efforts upon and find ways to exploit it.”
The thoughts were echoed by David Clarke who said it may be unlikely that manufacturers can keep up with changes once they are given notice of issues.
Others have expressed a view that the PSTI Bill’s scope is too narrow, not taking a ‘big picture' view of the cyber security landscape, with additional questions raised about the technical constraints associated with becoming compliant with the law.
“It is essential that governments’ understanding and policy approaches to improving IoT security evolve to keep up with the evolution of IoT threats, many of which can only be stopped at the network level,” said Carla Baker, senior director, government affairs UK & Ireland at Palo Alto Networks.
The best defence against ransomware
How ransomware is evolving and how to defend against it
“Policymakers must complement their focus on steps device manufacturers should take with policies that promote network-level security at scale centred around visibility of IoT devices and the ability to detect and stop devices’ anomalous behaviour.
“Network-level security addresses IoT security regardless of the type of device or its end-use, which is particularly key given that attacks on ‘consumer’ IoT devices can have ramifications in businesses and throughout economies,’ she added. “This approach can create resilient networks ready-made for IoT.”
The rules compelling hardware manufacturers to ship devices without default or hard-coded passwords have been met with unanimous praise.
It was one of the chief criticisms of the IoT industry and the fresh UK law will hopefully go a long way to securing the future of connected devices, experts agreed.
In some corners of the industry, there is nothing but praise for a “clever” approach to the legislation. Brian Higgins, a security specialist at Comparitech, said the three core pillars of the Bill ensure it lives up to the DCMS’ branding of it being ‘world-leading’.
“It’s been well established that no single nation-state can legislate the Internet. The clever approach by the U.K. government here is to realise the futility of trying and, instead, leverage achievable controls over what our citizens decide to plug into it,” he said.
“These requirements place some long-needed security responsibilities on the consumer, forcing them to implement the most basic of domestic security measures and giving them the necessary information to make informed choices about how they manage the very basics of their own digital lives.
“It’s worth remembering that this is just the first step in a planned programme to improve domestic Cyber Security, it’s actually quite clever if you stop to consider its scope, and it may very well be ‘world leading’ because I’m not sure anyone else is doing it yet,” he added.
But there are other approaches to the law that have been overlooked, according to one leading academic in the security of the Internet of Things.
John Goodacre, director of UKRI’s Digital Security by Design and Professor of computer architectures at the University of Manchester, said more should be done at the design level as it can prevent further vulnerabilities that fall out of the PSTI's scope from being exploited.
On the topic of the UK government-funded Digital Security by Design (DSbD) programme, he said: "the programme aims to limit the impact of these vulnerabilities by taking the next step to cyber security by strengthening the hardware foundation on which software runs.”
"PSTI will be able to place duties on the manufacturer of consumer connectable products to provide more secure solutions," he added. "DSbD is focused on increasing the security of the digital components used within these products.
"Therefore in addition to consumer products being designed and sold to be secure by default, many of the typical vulnerabilities that may still occur in a product can be blocked from exploitation by design."
