Ban on easy to guess default passwords, plus obligation on manufacturers to be transparent about cyber, included in new government cyber bill
The British government has announced the bill, which it claims will ‘put a firewall’ around people’s smart devices, by banning easy default passwords, and forcing manufacturers to be transparent about security issues.
The government announced that its Product Security and Telecommunications Infrastructure Bill (PSTI) aims to better protect people’s smartphones, TVs, speakers, toys and other digital devices from hackers.
Essentially, the bill targets consumer technology and will ensure that goods that do not meet baseline security requirements will not be allowed to be sold in the UK market.
So what measures does the government’s PSTI bill intend to make law?
According to the government, the new law will require manufacturers, importers and distributors of digital tech which connects to the internet or to other products to make sure they meet tough new cyber security standards – with heavy fines for those who fail to comply.
Indeed, the bill includes plans for stiff fines of up to £10 million or up to 4 percent of global revenue for firms failing to comply.
The main noteworthy goal of the bill is to ban easy-to-guess, universal default passwords, which have long been the bane of security professionals.
The Bill will also seek to speed up the roll out of faster and more reliable broadband and mobile networks by making it easier for operators to upgrade and share infrastructure.
Essentially, the bill will try to encourage quicker and more collaborative negotiations with landowners hosting the equipment, to reduce the lengthy court action which is holding up improvements in digital connectivity.
“Every day hackers attempt to break into people’s smart devices,” said Minister for Media, Data and Digital Infrastructure Julia Lopez. “Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft.”
“Our Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards,” said Lopez.
Connected tech threat
The government cited the increased uptake in connected consumer tech in recent years.
On average there are nine connected devices in every UK household, with forecasts suggesting there could be up to 50 billion worldwide by 2030.
The problem is that hackers and cyber criminals are increasingly targeting these products, said the government, which pointed to a recent investigation by Which? that found a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week.
It comes after the UK’s National Cyber Security Centre last week revealed it had dealt with an unprecedented number of cyber incidents over the past year, including ongoing cyberattacks on Coronavirus vaccine research, distribution, and supply chains.
The government points out that currently manufacturers have to comply with basic safety laws to ensure consumers are not physically harmed, such as from electric shocks, overheating, or sharp elements that can injure people.
But there is no regulation to protect consumers from harm caused by cyber breaches, which can include fraud and theft of personal data.
The PSTI Bill will counter this threat by giving ministers new powers to bring in tougher security standards for device makers.
This will mean easy-to-guess default passwords that come preloaded on devices – such as ‘password’ or ‘admin’ – will be banned.
Manufacturers will also need to tell customers at the point of sale, and keep them updated, about the minimum amount of time a product will receive vital security updates and patches.
The bill also includes new rules that require manufacturers to provide a public point of contact to make it simpler for security researchers and others to report when they discover flaws and bugs in products.
And the Bill places duties on in-scope businesses to investigate compliance failures, produce statements of compliance, and maintain appropriate records of this.
“I am delighted by the introduction of this bill which will ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security,” noted NCSC Technical Director Dr Ian Levy.
“The requirements this bill introduces – which were developed jointly by DCMS and the NCSC with industry consultation – mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice,” said Dr Levy.
Just one vulnerable device can put a user’s network at risk. In 2017, attackers infamously succeeded in stealing data from a North American casino via an internet-connected fish tank.
In extreme cases hostile groups have taken advantage of poor security features to access people’s webcams.
Reaction from the cybersecurity industry has been quick, and one expert noted the use of connected devices has increased dramatically during the pandemic, but the use of default passwords remains an ongoing problem.
“During the pandemic my family, like many others, began using devices to communicate whilst we could not meet face to face,” said Laurie Mercer, security engineer at HackerOne.
“Today, the average UK household has nine products that connect to the internet. But most of these products are not designed to be secure: we still see that default passwords remain in use, 80 percent of companies lack a vulnerability disclosure policy, and most consumers don’t know how long their product will be supported by security updates. The result is a huge personal risk of a data breach to all of us,” said Mercer.
Mercer noted that the PSTI bill will force manufacturers, importers and distributors to meet minimum security requirements for all connectable products available to consumers.
If not adhered to, they could face up to £20,000 a day in fines. One of the key requirements is to have a formal method of receiving vulnerability reports, a Vulnerability Disclosure Policy.
“The recent IoT Security Foundation report reveals up to 80 percent of organisations lack a clear vulnerability disclosure policy,” said Mercer. “The simple action of having a process in place for identifying, reporting, and fixing vulnerabilities is going to be more than just a best practice and instead a legal requirement. We’re getting to a place where security by design will be a mandatory requirement and not an afterthought.”
“This is a significant milestone towards more secure consumer connectable products, and shows the UK is leading in creating a safe digital connected society,” Mercer concluded.
Safer online community
The government move was also welcomed by another security professional, who said the new requirements have been a long time coming.
“This is the start of a huge movement towards a safer online society but it won’t be changing overnight,” said Jake Moore, the former Head of Digital Forensics at Dorset Police and now cybersecurity specialist at global cybersecurity firm, ESET.
“These proposals are exactly what is required to help guide people in the right direction after typical security measures by design haven’t been strong enough to help those who desperately need it,” said Moore.
“Finally seeing an end to simple admin passwords has been a long time coming but these have often been in place for customer ease,” said Moore. “The balance between ease of use and security is a fine and difficult level to balance but with the right education it can be extremely effective.”
“Security updates are vital on IoT devices but people often see these as an inconvenient bore so although devices will soon come with an expiry date to patches, this might not affect the majority of people’s buying habits until they are fully aware of the reasons behind these proposals,” Moore concluded.