Balancing Cyber Security Standards and Discretion
UK PSTI - we knew it was coming, and the buzz has followed
The UK has now enacted the Product Security and Telecommunications Infrastructure (PSTI) Bill, introducing significant regulatory changes aimed at enhancing consumer protection against cyber threats - the first country in the world to do so. While such measures are pivotal for maintaining a baseline of security, they also bring to the forefront an ongoing debate in cyber security circles: the efficacy of compliance to static standards versus the flexibility of discretionary, strategic approaches to security...
Understanding the UK PSTI Bill
The PSTI Bill targets a wide array of digital products, imposing stringent requirements on manufacturers, importers, and distributors to ensure higher levels of security right from the design phase. According to the government's announcement, these new laws are intended to thwart cybercriminals by mandating that products meet robust security criteria before they reach consumers. The BBC highlights that this move is part of a broader effort to curb the increasing incidents of digital attacks affecting consumers. But really, do we think this changes anything?
Decoding the Technical Requirements of the PSTI Bill
The PSTI Bill imposes several technical requirements on digital products. Here's a breakdown of what businesses need to comply with, along with a sprinkle of commentary on the more ambiguous aspects of the bill.
Ban on Universal Default Passwords: First up, the bill prohibits the use of universal default passwords. This means no more "admin" or "password123" to gain initial access. In practice, each device must come with a unique password, which, frankly, should be a no-brainer but here we are legislating common sense. This took way too long IMO.
Security Vulnerability Disclosure Policy: Companies must provide a public point of contact to facilitate vulnerability reporting. They are also required to be transparent about how they handle these reports. However, the term "timely manner" is used when referring to addressing security flaws. Not sure what "timely" means in this context - could be faster than a Deliveroo delivery or as slow as getting a plumber on a Sunday?
Transparency on Software Updates: Manufacturers are required to inform consumers about the duration of security updates for their products at the point of sale. This is crucial, as it lets consumers know how long their product will be supported. Yet, the bill leaves us guessing how long is appropriate—six months, a year, until the next big comet sighting?
No Retained Vulnerabilities: The bill mandates that manufacturers cannot knowingly retain security vulnerabilities. While it's comforting on paper, one has to wonder about the enforcement. Will there be a cyber patrol team checking in, or is it more of a pinky promise?
Challenges with Standard-Driven Compliance
Compliance with standards is a double-edged sword. On one hand, it gives organisations a clear, definable path to demonstrating security preparedness, which is particularly useful during audits. On the other, the pace at which these standards are developed and ratified often lags significantly behind the rapid evolution of cyber threats. This discrepancy not only diminishes the relevance of the standards but also encourages a tick-box approach to security: doing just enough to meet the minimum requirements rather than striving for the best possible practices.
Advocating for Discretion in Cyber Security
The core of our argument lies in advocating for discretion over strict rule-following. A discretionary approach allows organisations to dynamically adjust their security practices based on current threats and individual circumstances, rather than rigidly adhering to potentially outdated standards. For instance, a company might opt to exceed the baseline security protocols dictated by the PSTI Bill by implementing advanced threat detection technologies that are tailored to their specific operational context.
The Real Impact of the PSTI Bill
While the PSTI Bill is a step in the right direction, its real-world impact hinges on rigorous enforcement and a cultural shift towards viewing compliance as a starting point, not an end goal. History shows us that regulations alone are seldom enough to foster genuine security improvements - often, it takes high-profile penalties or legal actions to catalyse real change. Until businesses witness significant consequences for non-compliance, such as hefty fines or publicised legal battles, the motivation to go beyond the minimum requirements may remain lacklustre.
Conclusion
In conclusion, while the PSTI Bill provides a necessary framework for enhancing product security (bravo to the UK government on this one!), it should not be seen as a remedy in itself. True cyber resilience requires a mindset that values adaptive, discretionary measures over mere compliance. Businesses should not only strive to meet the set standards but should also continuously evaluate and enhance their security protocols to stay ahead of cybercriminals - the users/customers expect this. It is only through such proactive measures that we can hope to safeguard our digital ecosystems effectively.
Shameless plug - we recently published our paper on the threats to XIoT, and what we can do about it. Now of course we provide one solution to securing these technologies, but there are other methods detailed within! Take a read: https://research.qomodo.io/stopping-the-bad