The Product Security and Telecommunications Infrastructure (PSTI) Bill is the latest in a series of Bills designed to improve the security of broadband networks across Britain. Its proposed measures will require manufacturers, importers and distributors of connected devices to meet minimum security requirements. The Bill also sets out a regulatory framework designed to cope with the rapid evolution of cyber threats.
In recent years, the government has paid increasing attention to telecommunications security. In my last blog, I discussed the implications of the Telecommunications Security Bill, which recently received royal assent after more than a year of debate, consultations and revisions. Another item on the parliamentary agenda right now, the Online Safety Bill, could have ramifications that are just as big for internet content providers – and we’ll return to this in the near future. We’re seeing a recognition that cyber security should be end-to-end, from the networks that keep everyone online, to the devices they use to connect, and the content they consume.
The PSTI Bill is a key part of this story. It has only just started its parliamentary journey, so it is liable to change, but it’s important to understand what this Bill means for businesses and why it is needed in the cyber security threat landscape of today.
The PSTI Bill is split into two halves, one part focusing on product safety and the other on infrastructure roll-out. Product safety, in general, is nothing new. Existing legislation mandates protections around hazardous products such as chainsaws, carving knives, or cigarettes, but such protections have not kept up with the dangers of today’s hyper-connected world. Namely, there are currently no legal requirements to protect consumers from the hidden dangers posed by internet-connected devices. While businesses are required to prevent these devices from causing physical harm, such as overheating or environmental damage, no such requirement exists for cyber threats that originate online. This is a significant gap in the law that the PSTI Bill seeks to address.
In terms of national-scale threats, an attack on one device is less significant than one targeting a core network. However, these connected devices, once compromised, act as vehicles for distributed denial-of-service (DDoS) attacks. These attacks pose a significant risk to wider infrastructure and networks, and they are on the rise. In the first half of 2021, Microsoft Azure reported a sharp increase in DDoS attacks to an average of 1,392 per day, up 25% from the average in Q4 of 2020. 5G networks, which are enabling increased use of connected devices through low latency and enhanced connectivity, are particularly threatened by this form of attack. As these threats increase, regulation is needed to ensure basic security protections are in place.
Faced with further regulation, businesses and their CISOs might have concerns about this Bill and its implications. There is conjecture that mandating security regulations for devices will push consumers towards unsupported devices, which are cheaper. Yet, the true cost of ownership of a device includes its associated risks. Cheap devices simply push that cost onto the rest of society. Legislation around product security creates transparency around the cost of risk and ensures that risk is not displaced elsewhere.
The measures provided for in the PSTI Bill – including barring default passwords, ensuring more regular updates, and providing transparency on vulnerabilities – all serve to bolster device security. However, legislation alone is not enough. More education on the risks associated with connected devices is also needed to raise awareness of the dangers they pose. Businesses should ensure their consumers are well-informed on the risks associated with connected devices when purchasing them. Providing sufficient information on risks to customers is not only responsible, but it is also advantageous for the business; knowledgeable customers are more loyal in the long run.
Businesses need a defined strategy to comply with these regulations. As I discussed in my last blog, a ‘sticking plaster’ approach – involving only incremental and additive changes – will not suffice. Instead, businesses should invest in the transformation of their security practices, developing a framework that accounts for the fast evolution of security threats. It’s not enough to make small tweaks. These regulations call for real change in decision-making processes and governance throughout the business, from the supply chain through to customer delivery.
It’s vital that businesses create a portfolio for the management of regulatory change to ensure they are prepared as further legislation is introduced and as the threat landscape develops. Rather than simply reacting to new bills and laws in an ad hoc manner as they arise, businesses should develop a clear strategy to address all security legislation. This will put organisations in the strongest possible position to manage the challenges that accompany regulatory changes and will increase their capability to absorb changes while minimising disruption to business operations.
Ultimately, businesses have a duty of care to protect consumers and to secure networks with appropriate measures. Rather than viewing further legislation as a burden to be shouldered, businesses should see these measures as an opportunity to centre their customers by prioritising their safety and security.
Security is no longer a ‘nice-to-have’ for businesses. We’re seeing a major push from the UK government to mandate security standards for businesses, with potentially far-reaching implications across today’s digital-first economy.
Businesses face a choice in how to approach this wave of legislative change. Embracing transformation and going beyond the measures mandated within legislation is the most advantageous route to take, but this requires a clear end goal. Businesses can draw on the expertise and guidance of partners such as NTT DATA to understand the opportunities and challenges within their organisations, and to develop a strategy for security transformation that can be implemented rapidly. Those businesses that make the necessary infrastructure changes now will be best-placed to handle the unexpected security threats of tomorrow.