The UK government's Product Security and Telecommunications Infrastructure (PSTI) Bill is divided into two parts.
The first section, as the name suggests, consists of product security measures designed to protect consumers and businesses from cyberattacks. The second section contains telecommunications infrastructure guidelines designed to speed up the installation, use, and upgrade of such equipment.
The first section of the bill outlines three requirements for achieving the bill’s goal: prohibiting default passwords, requiring products to have a vulnerability disclosure policy, and providing transparency about how long products will receive critical security updates.
Smartphones, connected consumer electronics and appliances, connected safety-relevant products and alarm systems, IoT hubs, smart home assistants, and home automation products are among the devices covered by the security requirements. Surprisingly, computers are not included on the list.
Once the bill is accepted, the government will give manufacturers, importers, and distributors at least a year to adapt to the new legislation.
The telecommunications infrastructure measures seek to accelerate the deployment of new gigabit-capable broadband and 5G networks.
These rules will encourage the use of alternative dispute resolution rather than going to court, allow operators to share and upgrade buried infrastructure components, and simplify the renewal process after agreements have expired.
The bill has yet to receive Royal Assent, the final step before becoming law. We haven’t heard of any other region enforcing similar legislation yet, but it wouldn’t be surprising if others followed suit. Google and Microsoft have already announced some of their own security measures.
Google, for example, made two-step verification the default for accounts and improved password security in Chrome 88, while Microsoft added a passwordless option for its accounts.