The Product Security and Telecommunications Infrastructure (PSTI) Bill

Posted on 7 Sep 2022

The past year has seen a record number of cyber attacks. To tackle this, the Government has recently announced the implementation of the Product Security and Telecommunications Infrastructure (PSTI) Bill, which aims to protect consumers from cyber attacks involving fraud and identity theft. But what is the PSTI Bill? How have industry experts responded to it? And what impact will it have on IT departments?

What is the PSTI Bill?

The PSTI Bill was introduced on November the 24th this year in an attempt by the Government to ensure that products sold to consumers meet the security criteria they expect when they purchase a device.

The Bill relates only to “connectable” devices, such as phones, tablets, and smart watches. It does not extend to products such as vehicles, smart meters, or medical devices, as these are already subject to double regulation, or to PCs or laptops, as these are currently subject to what Computer Weekly describes as “a mature cyber ecosystem”.

As reported by both Computer Weekly and IT Pro, the Bill prevents manufacturers from selling and retailing devices with universal default passwords, which make them targets for hackers, and ensures manufacturers are open and honest with consumers about the steps they are taking to fix security flaws in their devices. The publications also discuss how manufacturers will be obliged to establish a clear point of contact for consumers to report security vulnerabilities they discover in their products.

What next?

If a manufacturer fails to comply with these regulations, they face the threat of high fines and the possibility of being asked to remove their product from general sale. But what has the response been to the Bill?

IT Pro reports that the response to the new Bill has been mixed. In the article, they note how, whilst many have praised the prevention of pre-set passwords, others have criticised the contents of the Bill, claiming that it doesn’t go far enough. This includes Matt Middleton-Leal, managing director of EMEA North at Qualys, who questions the longevity of the Bill for technology without, to quote, an “automatic patching mechanism in place”. They argue the Bill will consequently hinder the majority of consumers who don’t understand the importance of, or lack the ability to implement, the security updates manufacturers require to continue protecting their devices.

David Clarke, head of security at QuoStar, further notes how the Bill brings into question the longevity of technology, as standard connectable devices typically only support security upgrades for the first 24 months of their lifespan. To quote Clarke: “Will that mean that new phones, doorbells, fitness wearables, and washing machines need to be bought new again after 24 months, just to ensure customers are continuously supported with updates?”

The environmental concerns, therefore, are something consumers, but also IT departments, will need to consider going forward.

What impact will it have on IT departments?

As we have discussed in our blogs on changing technology in the workplace and technological developments during the pandemic, we have massively changed how we work and the devices we work from. However, even before the first lockdowns in March 2020, more and more of us were accessing emails and working from our phones or tablets, arguably without the awareness that these devices could be vulnerable. And sales of these connectable devices rose sharply in 2020, so more of us were potentially vulnerable to cyber attacks than ever before.

So, whilst many view the primary role of IT departments to be laptop and desktop-based, the rise in connectable devices will mean that the scope of IT departments will need to widen to include transportable technology as part of their working routine. Whilst the PSTI Bill should help IT departments reduce the risk of cyber threats, the increased number of technologies means that IT staff will need to be just as, if not more, aware of the threats to different devices.

What are your opinions on the PSTI Bill? Will it support your IT department, or does it not go far enough? Get in touch with us to let us know your thoughts.