Product Security & Telecommunications Infrastructure Bill

We’ve got gadgets and gizmos aplenty …..

At the end of November, the UK government introduced their new, updated Product Security and Telecommunications Infrastructure Bill (PTSI). The Bill is in two parts: product security, which provides a minimum baseline for compliance with security requirements to IoTs (Internet of Things) and telecommunications infrastructure.

Part 1 essentially means that manufacturers of IoTs ((e.g. smart TVs, smart speakers, toys, wearables, smart appliances and other connectable gizmos and gadgets) will have to ensure that internet connected devices are more secure against cyber attacks and protect your privacy.

Default, factory set, weak password will no longer be allowed and all relevant devices will have to have unique passwords that cannot be reset to the factory default.

If products that are sold in the UK do not meet the baseline security requirements, then they cannot be sold. This includes transparency about security flaws and fixes and the creation of a better public reporting system for vulnerabilities found in those products.

Heavy fines will be issued to those companies that fail to comply – these have been set at £10million or up to four per cent of an organisation’s global revenue. In addition, manufacturers of internet connectable devices must provide a point of contact so that anyone can report a security vulnerability and be assured that it will be acted on in a timely manner. These reports of security vulnerabilities must be published publicly.

Manufacturers must also explicitly state the minimum length of time for which the device will receive security updates at point of sale, either in store or online. If the device cannot receive updates or patches, this must be declared.

These product security measures come after talks and engagement with several groups, including the National Cyber Security Centre, tech and retail industry stakeholders, consumer groups and academia.

The DCMS has set out how it sees Part 2 of the Bill, Telecommunications Infrastructure tackle many of the issues with the Electronic Communications Code through a range of measures that are designed to foster more collaborative and quicker negotiations and better working relationships between mobile operators and landowners.

This includes:

• A new requirement for telecoms operators to consider the use of Alternative Dispute Resolution (ADR) – a way of resolving disputes that does not involve going to court such as mediation or arbitration – in cases where there are difficulties in agreeing terms. Operators will also be required to explain the availability of ADR as an option in their notices to landowners.
• New automatic rights for operators to upgrade and share underground infrastructure – such as fibre optic cables – which were installed prior to the 2017 Code reforms and are not currently covered. This is in cases where there will be no impact on private land or burden on the site provider.
• New rules to allow operators to apply for time-limited access to certain types of land more quickly where a landowner does not respond to repeated requests for permission.
• New provisions to speed-up negotiations for renewal agreements. Operators who already have infrastructure installed under an expired agreement will have the right to either renew it on similar terms to those for new agreements, or request a new one.

The legislation is the first step in shoring up security on smart devices and is designed to be adapted over time so that it remains effective. We’ve got gadgets and gizmos aplenty, whozits and whatzits galore – and now, finally, they may be much more secure than before!