The UK legislature is currently interested in a law about what it calls PSTI, short for Product Security and Telecommunications Infrastructure.
If you’ve seen that abbreviation before, it’s almost certainly in the context of the PSTI Bill. (A Bill is proposed new legislation that has not yet been agreed upon; if ultimately enacted into law, it turns into an Act.)
Your first thought, on hearing of a proposed law about computer products and telecommunications, might be to wonder, “What sort of new surveillance, interception and encryption-cracking powers are they hunting around for now?”
Happily, for those who can remember the past and have learned that encryption backdoors generally favour the enemy and disadvantage the Good Guys, or for those who have already made the intellectually unimpeachable assumption that cybersecurity is unlikely to get stronger if you go out of your way to weaken it on purpose…
…that’s not what this is about.
It’s a much more modest regulatory proposal, and unlike those proposals that aim to disrupt security and cryptography “just in case we ever lock the keys in the car”, its goal is to demand a modest increase in security and basic cyber-reliability in products such as mobile phones, fitness trackers, internet webcams, cloud doorbells, and temperature sensors for your pet fish.
The IoT cybersecurity party – you’re invited
Very simply put, the UK government wants to set some basic, minimum standards for at least the following:
- Default passwords. If Parliament gets its way, there won’t be any. You won’t be allowed to have pre-configured passwords in your devices, so that you can’t flood the market with products that every crook already knows how to get into.
- Vulnerability disclosures. You’ll need a reliable way for security researchers who believe in responsible disclosure to contact you, and (we hope) some visible commitment to closing off security holes that you already know about before the crooks figure them out.
- Update commitments. You’ll need to tell buyers in advance how long you are going to provide security fixes for the product they’re buying today.
Presumably, the third item in this list will be used hand-in-hand with the second one to stop you unilaterally disowning a tricky security problem by simply abandoning support as soon as it suits you, leaving your users – and the environment! – with a landfill device that became useless long before they might reasonably have expected.
We alluded to pet fish above because the Gov-dot-UK documents discussing this Bill include an example of how default passwords cause trouble: “In 2018, attackers were able to compromise a connected thermometer in a fish tank that had a default password. The fish tank was in the lobby of a US casino, and attackers used this vulnerability to enter the network and access sensitive details, such as bank details”. Beware the aquarium!
Too little, too late?
On one hand, you can easily criticise this entry-level regulation on the grounds that its demands could be considered a case of “too little, too late”, and that consumers would be better protected simply by urging experts to get more aggressive about naming and shaming devices that don’t meet reasonable standards, so consumers know to avoid them.
In other words, let the market force the issues.
On the other hand, you can equally well support basic rules like this on the grounds that they are likely to make even the most egregious offenders start doing at least something about cybersecurity in their product management and product development processes.
Those vendors who spurn the cybersecurity party altogether risk having their shoddy products simply swept off the shelves at a stroke, and returned for bulk refunds by unimpressed retailers.
Sometimes, say those who support cybersecurity rules of this low-level sort, the hardest part about cybersecurity inside a pile-’em-high-and-sell-’em-cheap electronics company is to get the topic onto the agenda at all, let alone to get it high up on the list.
Consumers are price conscious and often quite reasonably unaware of the issues involved, so you first need to get the government to force the market to force the issues.
What next?
As the government’s announcement puts it, in what we think is an entirely satisfactory example of cybersecurity discussed in plain English:
[C]ybersecurity continues to be an afterthought for many manufacturers of connectable products, and consumers often expect that a product is secure. In a 2020 report by the Internet of Things Security Foundation, only 1 in 5 manufacturers maintained systems for the disclosure of security vulnerabilities. This threatens citizens’ privacy, the security of a network, and adds to the growing risk of harms.
The document ends up with a final paragraph that we found rather less readable:
Since the government first published its Code of Practice in 2018, it has intentionally adopted a consultative and collaborative approach with industry, academia, subject-matter experts, and other key stakeholders. A primary aim of this approach has been to ensure that interventions in this space are maximally effective whilst minimising impact on organisations involved in the manufacture and distribution of consumer connectable products.
We’ve never warmed to jargon such as “interventions in this space”, which makes us think of tradespeople squeezing into cramped loft areas in an effort to fit modern insulation to poorly-designed older houses.
But we understand why Her Majesty’s Government has made this point, which we translate as “we intend to push through changes that unarguably give IoT vendors no choice about coming to the cybersecurity party”.
Manufacturers’ lobby groups understandably go out of their way to head off legislation that might increase their costs without persuading consumers to accept higher prices as a result.
Sidestepping that sort of lobbying altogether is perhaps best achieved by ensuring that no one in the process is faced with unexpected or unreasonable changes, thus effectively making the changes unexceptionable…
…while at the same time forcing even the most recalcitrant manufacturers to do at least something about some of the underlying cybersecurity problems that they themselves have tipped into the marketplace.
In proverbial words, “A journey of 1,609,344 metres starts with a single step.”
Perhaps some vendors who would otherwise have shirked that first step forever might eventually have no choice but to do so.
Richard
As someone once said, “Insecurely Designed Internet of Things” has a handy acronym “IDIoT”.
Paul Ducklin
An old joke, not my own, but the “S” in IoT stands for “Security”.
Bill Justesen
I hope they will take the time to define “important security updates.” Are vendors going to haggle over the word ‘important’ to mean that only CVEs with a vulnerability score of 5 and up deserve to be pushed out to devices? Will Her Majesty’s Government push for security updates that are only affected by remote, instead of hands-on, access to the device? Some type of combination?
I am curious to watch how this process unfurls.
Paul Ducklin
Sadly, I suspect that a lot of people would be happy simply to see some vendors get as far as haggling. That would at least imply they perceived there was some sort of “cybersecurity awareness” line that existed at all.
I assume that requiring security updates of any sort to be possible might also help to put an end to devices that were built without an update process of any sort.
Simon
This is not a criticism – we all make typos. I just wanted to say how much I enjoyed ‘algotether’, which leads me to think of some process that’s tied to its algorithm.
Paul Ducklin
Sounds like a new sort of cryptocurrency. Or it could itself be a typo for “allgotether”, meaning “fully interconnected via a wired network”.
Fixed it, thanks!
Cassandra
We’ve never warmed to jargon such as “interventions in this space”, which makes us think of tradespeople squeezing into cramped loft areas in an effort to fit modern insulation to poorly-designed older houses.
But we understand why Her Majesty’s Government has made this point, which we translate as “we intend to push through changes that unarguably give IoT vendors no choice about coming to the cybersecurity party”.
I would like to read it as that but it is the final bit of that quote that makes me think that there is a politically inserted get-out clause:
… maximally effective whilst minimising impact on organisations involved in the manufacture and distribution of consumer connectable products.
To me this seems to give “organisations involved in the manufacture …” carte-blanche to plead to an IT ignorant minister that the impact is “too high” – and with this government which wants a “bonfire of regulations” I can see a lot of organisations getting exemptions – particularly if they are in countries where the UK is trying to negotiate a trade deal.
Much of this bill has the imprint of reasonably savvy civil servants operating with integrity; the “minimising impact on organisations” however smells to me of an insertion by politicians interested in deregulation.
Paul Ducklin
There is indeed the risk that the House will water down what the public servants intended, but that’s always a problem when laws of this type are bouncing around the legislature.
I fear you may be right, given the choice of the word “minimising” (which admits of a lower bound of “doing nothing”). But I will suspend my cynicism long enough to see what happens, given that this process started in 2018 and will apparently include a “year before sunrise” even after the law gets Royal Assent.
After all, as you suggest, if the goal of the law is to push sloppy vendors to do *something*, then it cannot strictly *minimise* its impact on those vendors without forcing them to do nothing…
…but it’s a start. As I said, I’ll suspend my cynicism for a while and see where this goes. In the meantime, I’ll try to advise people on how to make good choices by themselves, without waiting for HMG to start the party.
John
It seems that law makers are, in their own time, seeking to legislate the wild west of the digital world. However it seems to me that the major gap here is the requirement to provide updates which will point the less than scrupulous to an easy work around – simply assign your product to a separate company. Then, if you don’t like what is happening simply fold the company having extracted any earnings and profits to the parent and leave the users with a ‘guarantee’ they cannot enforce.
To make this work may need more than a bill about IoT, I think.
Paul Ducklin
I guess this depends how responsibility is assigned. If the warranty rules require the retailer to take responsibility for the sale, then a customer who finds that updates are not available due to the manufacturer letting the retailer down (or, for that matter, for any reason at all) should, IMO, be able to return the product as not fit for purpose (no updates!) and receive a refund from the retailer. That might also push retailers to stop selling shoddy products and glibly saying “don’t worry, she’ll be right” without needing to care whether it’s OK or not.