The UK legislature is currently considering a law about what it calls PSTI, short for Product Security and Telecommunications Infrastructure.
If you have seen this acronym before, it was almost certainly in the phrase PSTI Bill. (A Bill is proposed new legislation that has not yet been agreed; if it eventually becomes law, it becomes an Act.)
When you hear of proposed laws about computer products and telecommunications, your first thought may be to wonder, “What new surveillance, interception and encryption-cracking powers are they after now?”
Fortunately, for those who can remember the past and have learned that encryption backdoors usually help the crooks and leave the good guys at a disadvantage, or for those who have simply made the intellectually blameless assumption that deliberately weakening cybersecurity is unlikely to make it stronger…
…that is not what this is about.
This is a more moderate regulatory proposal, quite different from those aimed at undermining security and cryptography “just in case we lock the keys in the car”. Its goal is to require a modest increase in the security and basic cyber-reliability of products such as mobile phones, fitness trackers, webcams, cloud doorbells and temperature sensors for pet fish.
Internet of Things cybersecurity party: you are invited
In short, the UK government wants to set at least some basic minimum standards for the following:
- Default passwords. If the government gets its way, there won’t be any. You will not be allowed to pre-configure a password into your device, so you cannot flood the market with products that every crook already knows how to get into.
- Vulnerability disclosure. You need a reliable way for security researchers who believe in responsible disclosure to get in touch with you, and (we hope) to make some clear commitments to closing the security holes you already know about before the crooks find them.
- Update commitments. You need to tell buyers up front how long you will provide security fixes for the product they are buying today.
Presumably, the third item on this list will be used together with the second to stop you from unilaterally ducking awkward security problems by simply dropping support whenever it suits you, leaving your users and the environment with landfill devices that became useless long before anyone could reasonably have expected.
We mentioned pet fish above because the UK government document discussing the bill includes an example of how default passwords cause trouble: “In 2018, an attacker was able to compromise a thermometer connected to a fish tank with a default password. The fish tank was in the lobby of a casino in the United States. Attackers used this vulnerability to enter the network and access sensitive information, such as bank information.” Watch out for the aquarium!
Too little, too late?
On the one hand, it is easy to criticise entry-level regulation of this sort on the grounds that its requirements may be seen as “too little, too late”, and that consumers would get better protection if experts were simply urged to be more active in naming and shaming devices that fail to meet reasonable standards, so that consumers know to avoid them.
In other words, let the market force the issue.
On the other hand, you can also make a good case for basic rules like these, because they may make even the worst offenders start doing at least something about cybersecurity in their product management and product development processes.
Vendors who reject the cybersecurity party altogether risk having their substandard products pulled from the shelves at once and sent back by unimpressed retailers for bulk refunds.
Supporters of low-level cybersecurity rules like this sometimes say that the hardest part of cybersecurity in high-volume, low-price electronics companies is getting the topic onto the agenda at all, let alone near the top of the list.
Consumers are very price-sensitive and usually, quite reasonably, unaware of the issues involved, so you first need the government to force the market to address the problem.
What next?
As the government announcement puts it, in what we think is a perfectly satisfactory example of cybersecurity discussed in plain English:
[C]ybersecurity remains an afterthought for many manufacturers of connectable products, while consumers generally expect products to be secure. In a 2020 report by the IoT Security Foundation, only one in five manufacturers maintained a system for disclosing security vulnerabilities. This threatens citizens’ privacy and cybersecurity, and adds to a growing risk of harm.
There is a paragraph near the end of the document that we found less readable:
Since the government first announced its Code of Practice in 2018, it has deliberately adopted an approach of consultation and collaboration with industry, academia, subject matter experts and other key stakeholders. One of the main purposes of this approach is to ensure that interventions in this space are as effective as possible while minimising the impact on organisations involved in the manufacture and distribution of consumer connectable products.
We have never taken to jargon such as “interventions in this space”, which reminds us of tradesmen squeezing into cramped attics to fit modern insulation into badly designed old houses.
But we understand why Her Majesty’s Government made the point, and we translate it as, “We intend to promote change in a way that will undoubtedly leave IoT vendors with no choice when it comes to joining the cybersecurity party.”
Understandably, manufacturers’ lobbying groups do their best to head off legislation that could increase their costs without persuading consumers to accept higher prices as a result.
The best way to avoid lobbying of that sort may be to ensure that no one in the process faces unexpected or unreasonable changes, thereby effectively making those changes unexceptionable…
…while at the same time ensuring that even the most stubborn manufacturers have to take steps against at least some of the potential cybersecurity problems they themselves have released onto the market.
As the proverb goes, “A journey of 1,609,344 metres begins with a single step.”
Perhaps some vendors who would otherwise have put off that first step forever will end up with no choice but to take it.