A new law that mandates ‘baseline security requirements’ for consumer devices has been announced by the government, and it will be enforced by a regulator.

The Product Security and Telecommunications Infrastructure Bill (PSTI) aims to protect consumers from attacks by hackers on devices from phones to smart TVs to fitness trackers.

As the professional body for the IT industry, BCS said the bill was an opportunity to embed ‘trustworthy and maintainable’ cyber security standards across all consumer devices. It was also a chance to help companies innovate responsibly.

The regulatory landscape in tech is growing increasingly complex with Ofcom’s oversight role in the Online Safety Bill, growing calls for dedicated AI regulation and government reviewing GDPR legislation, BCS added.

Key points in the PSTI Bill include:

  • A ban on easy-to-guess default passwords that come preloaded on devices - such as ‘password’ or ‘admin’.
  • A requirement for connectable product manufacturers to tell customers and keep them updated about the minimum amount of time a product will receive vital security updates and patches.
  • New rules that require manufacturers to provide a public point of contact, to make it simpler for security researchers and others to report flaws and bugs they discover in products.
  • This new cyber security regime will be overseen by a regulator, which will be designated once the Bill comes into force, and will have the power to fine companies for non-compliance up to £10 million or four per cent of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.

Balancing innovation and consumer trust

Dr Bill Mitchell, Director of Policy at BCS, The Chartered Institute for IT said: “This is a welcome first and necessary step in developing high quality professional practice in the internet connected consumer device market.


“Going forward it will be important that the new regulator can work with companies, consumer groups, and other organisations such as professional bodies, to ensure companies are embedding trustworthy and maintainable cyber security safeguards in their products.

“The trick is going to be striking the right balance between allowing companies as much freedom and autonomy as possible to innovate, whilst also making sure they are innovating responsibly.”

The passwords debate

On passwords, Adam Leon Smith, Chair of BCS’ Software Testing Specialist Group said: “I like the requirement for unique passwords. It doesn't seem appropriate to have specific requirements around actual passwords in legislation though. Sure, ‘password’ and ‘admin’ are bad. But there are grey areas - Infosec professionals do seem to be regularly debating whether it is better for users to use special characters and numbers in passwords.

“One reason for this is that people tend to do the same thing repeatedly, for example adding ‘00!’ at the end of all their passwords, which creates vulnerability.

“Some believe it is better to have passwords which have a minimum length, others believe the only secure password is one that you can't remember!

“So it is important that the new bill doesn't specify too much around this, and references technical standards which can evolve with the industry thinking.”