Today - April 29th - the UK’s Product Security and Telecoms Infrastructure (PSTI) Act comes into effect. If you are doing business in the UK and are either a manufacturer or retailer of consumer smart products, or a telecommunications operator, this will likely have implications for you. If so, hopefully you already know all about the new law, which you can read here. There are also implications for security professionals and consumers of technology, who may be less familiar with the law, so I thought I’d provide a short overview.
As the name suggests, the law is really in two halves: “Part 1 Product Security” and “Part 2 Telecommunications Infrastructure”. The two parts address completely different goals, focus areas, and stakeholders. Since the Center for Cybersecurity Policy and Law is, as the name indicates, primarily concerned with cybersecurity, and I suspect that is what readers of this blog are interested in, I’m going to focus on Part 1 Product Security here.
A brief history
The UK government stated that its goal with Part 1 was to ensure that, “Consumer connectable products … are more secure against cyber attacks, protecting individual privacy and security.” There was a desire to do this in a way that applied a consistent standard that enables consumers to become better educated and know what to ask for over time. This needed to be balanced with the desire to continue to support innovation and choice in the market; in other words, the policy could not be so stringent as to drive vendors away from selling or developing in the UK.
This concern around product security and its impact on consumers has been ongoing for many years. The UK government first started engaging on it around ten years ago. In 2016, this engagement became a more serious focus, with work commencing on a set of voluntary principles that manufacturers could adopt to advance the security of their products. In 2018, the UK’s Department for Digital, Culture, Media and Sport (DCMS) published a Code of Practice for Consumer IoT Security - a set of 13 principles designed to help technology manufacturers develop consumer products that are “secure-by-design.”
This set of principles was then slightly refined and adopted by the European Union as a standard from the European Telecommunications Standards Institute (ETSI). ETSI EN 303 645 was published in June 2020, and as an EN, it is adopted by all EU member states. In much the same timeframe, either the Code of Practice or the ETSI standard was adopted by a number of other countries around the world, including Australia and India.
Becoming a law
Despite this international recognition of the value of the principles, research revealed that adoption among manufacturers was very limited. The UK government ran another series of consultations, investigating possible options to drive better outcomes for consumers. This included exploring the merits and challenges of a product labelling scheme, which was eventually dismissed.
Instead, it became clear that in order to drive adoption of even the most fundamental of the principles, the UK Government would need to mandate them through legislation. In fact, many of the manufacturers that responded to the consultations indicated that they would prefer to be regulated on this issue rather than competing on security. Thus drafting began on the Product Security part of the PSTI bill.
The draft legislation had its first reading before Parliament on Nov. 24, 2021. After going through the lengthy full review and voting process of both the Houses of Commons and Lords, and all relevant Committees, the PSTI Act received Royal Assent and passed into law on December 6, 2022. This was a huge effort involving collaboration between a great many folks in the policy, retail, tech and security communities, and led by Peter Stephens at DCMS and David Rogers MBE, CEO of Copper Horse. Members of the Cybersecurity Coalition were highly engaged through the process, providing feedback on both security best practices and business realities.
As with many laws of this kind, the PSTI Act had a grace period built in to give those covered by the law a window in which they can make any changes necessary to comply. That window has now closed and as of today, the law is in effect.
What does the law require?
The specific security requirements are detailed in “Schedule 2 Security requirements for manufacturers.” In the interests of keeping this blog to reasonable length, I’ve provided a highly abridged copy/paste below; I recommend reading the relevant section of the legislation itself for full details.
Passwords
(2) Passwords must be—
(a) unique per product; or
(b) defined by the user of the product.
(3) Passwords which are unique per product must not be—
(a) based on incremental counters;
(b) based on or derived from publicly available information;
(c) based on or derived from unique product identifiers, such as serial numbers, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice;
(d) otherwise guessable in a manner unacceptable as part of good industry practice.
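To illustrate why sub-paragraph (3)(c) carves out keyed hashing, here is an added Python sketch (not from the post or the legislation) of a serial-derived default password beside an HMAC-keyed derivation. The factory secret, serial format, password length and alphabet are constructed assumptions.

```python
import hashlib
import hmac
import math

# Constructed values: a factory-held HMAC key (never stored on the device
# or printed on its label) and a 31-symbol alphabet without lookalike glyphs.
FACTORY_SECRET = bytes.fromhex(
    "8f1c2a9d4e6b7c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d"
)
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PASSWORD_LENGTH = 12


def weak_password_from_serial(serial: str) -> str:
    """The pattern Schedule 2 rules out: a fixed prefix plus the tail of the
    serial number printed on the box. Anyone who reads the label, or counts
    up from a neighbouring unit, can reproduce it."""
    return "pw" + serial[-6:]


def password_from_serial(serial: str, secret: bytes = FACTORY_SECRET,
                         length: int = PASSWORD_LENGTH) -> str:
    """Keyed derivation: HMAC-SHA256 over the serial under a secret that
    stays in the provisioning system. Without the key the serial reveals
    nothing, and consecutive serials yield unrelated passwords."""
    mac = hmac.new(secret, serial.encode("ascii"), hashlib.sha256).digest()
    # Convert the 256-bit tag to base-31 digits; 12 digits use ~59.5 bits,
    # far less than the 256 available, so the bias from reduction is negligible.
    n = int.from_bytes(mac, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def password_entropy_bits(length: int = PASSWORD_LENGTH) -> float:
    """Guessing work for the keyed scheme, assuming the key stays secret."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    for serial in ("SN-000001", "SN-000002"):
        print(serial, weak_password_from_serial(serial), password_from_serial(serial))
    print(f"~{password_entropy_bits():.1f} bits per derived password")
```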
Information on how to report security issues
(2) The following information must be published—
(a) at least one point of contact to allow a person (“P”) to report to the manufacturer security issues relating to the categories listed in sub-paragraph (1) for any of the manufacturer’s relevant connectable products for which they have an obligation under section 8 (duty to comply with security requirements); and
(b) when P will receive —
(i) an acknowledgment of the receipt of a security issues report; and
(ii) status updates until the resolution of the reported security issues.
(3) The information in sub-paragraph (2) must be accessible, clear and transparent, and must be made available to P—
(a) without prior request for such information being made;
(b) in English;
(c) free of charge; and
(d) without requesting the provision of P’s personal information.
Information on minimum security update periods
(2) The defined support period must be published.
(3) If a manufacturer extends the minimum length of time for which security updates will be provided, creating a new defined support period, the new defined support period must be published as soon as is practicable.
(4) The information in sub-paragraphs (2) and (3) must be accessible, clear and transparent, and must be made available to a person (“P”)—
(a) without prior request for such information being made;
(b) in English;
(c) free of charge;
(d) without requesting the provision of P’s personal information; and
(e) in such a way that is understandable by a reader without prior technical knowledge.
The law requires manufacturers of covered connected technologies to provide a self-attestation that they are compliant with these measures. It also mandates that UK retailers and distributors of these technologies verify that manufacturers they represent provide these statements.
Implications for security professionals and consumers
The UK Office for Product Safety and Standards (OPSS) will be responsible for enforcing the PSTI Act. OPSS sits within the Department for Business and Trade and it is the entity tasked with enforcing the UK’s existing product safety regulations, so it’s a pretty natural home for this additional authority. OPSS will conduct research to identify where the requirements of the law are not being met, which is no small task.
A survey revealed that 76% of the 446 IoT manufacturers reviewed still did not have a way for researchers to report product vulnerabilities to them, according to research conducted by Copper Horse with support from HackerOne on behalf of the IoT Security Foundation. This research was published in November 2023, only months before the law was due to come into effect. It feels optimistic to believe all those companies will have introduced a reporting method in the interim.
While 446 companies is a lot, it is probably only a fraction of the manufacturers that are selling consumer smart products in the UK and thus are covered by the requirements of the PSTI Act. For OPSS to keep track of them all is a fairly herculean task. So this is where security professionals and technology users can help, reporting any non-compliance with the PSTI Act that they come across.
To clarify, if you discover a security vulnerability in a product, we still strongly recommend that you disclose your finding to the manufacturer or any agent they have designated – e.g. a bug bounty company. However, in the event that you find there is no way to report a vulnerability to them, and if that product appears to be sold in the UK, that would be a great time to reach out to OPSS.enquiries@businessandtrade.gov.uk and let them know that the manufacturer has no way of reporting vulnerabilities. This does not preclude you from also reporting the bug to any vulnerability reporting or coordinating authority you may typically engage in these scenarios.
The same goes with the use of universal default passwords - it would be ideal to first lodge your concerns with the manufacturer themselves, but either way, if it’s a consumer smart product being sold in the UK, OPSS wants to hear from you about it. And you might also consider reporting it to this open source project which tracks the use of default passwords. It might be a little less obvious whether a company is living up to its commitments in terms of providing security updates for its stated support period, but if you suspect they are not or there is no indication of what the support period will be, it might be worth reaching out to OPSS.
In other words, the message we’re hearing from the UK government is that, going forward, they actively want to hear from users and security researchers with any concerns they have over compliance with the PSTI Act. For all other information about the Act, check out this helpful webpage.