SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
New UK cybersecurity law takes effect amid evolving threats
Thu, 25th Apr 2024

The Product Security and Telecommunications Infrastructure Act (PSTI), new UK legislation designed to bolster cybersecurity, is now in effect, requiring manufacturers, importers, and distributors to secure digital products and telecommunications infrastructure. Although experts have welcomed the law, there is a shared concern that it may not go far enough to address evolving security threats.

The Act, which was first implemented on 6th December 2022 and becomes fully operational on 29th April 2024, seeks to safeguard product security and telecommunications infrastructure amid the growing threat posed by insecure digital devices. The law requires that digitally connected products and telecommunications infrastructure in the UK adhere to minimum cybersecurity standards.

David Emm, Principal Security Researcher at Kaspersky, expresses his appreciation for the new requirements for IoT devices. However, he believes there is room for more measures to protect consumers. "The new PSTI Act seeks to give teeth to the 2018 Code of Conduct for consumer IoT, which laid out 13 recommendations for manufacturers of IoT devices," Emm explained.

Items such as routers, cameras, and smart home devices, the number of which Statista predicts will surpass 29 billion by 2030, were subject to these recommendations to ensure their security. However, the recommendations alone did not give manufacturers adequate motivation to secure these devices, hence the introduction of the Act. Unfortunately, only three of the original 13 recommendations have been given legal force.

The rise of connected devices means an increased need for protection against the two primary threats: brute-forcing weak passwords and exploiting vulnerabilities in network services. The Act now legally requires retailers to enforce stronger password complexity and to provide information on how to report security issues. While this represents a significant step forward, more work is necessary.

Kaspersky's recent research found high demand among hackers for DDoS attacks launched through IoT botnets. The cost of these DDoS attack services ranges from £15 per day to £8,000 per month, according to numerous dark web ads identified by Kaspersky analysts. Concurrently, Kaspersky honeypots recorded that 97.91% of password brute-force attempts targeted Telnet, the widely used unencrypted text protocol on IoT devices.

Emm noted that it is a positive move that, under the upcoming legislation, manufacturers must state how long they will support their products. Nevertheless, this information could be tucked away on their websites, where consumers overlook it. "This is something that should be available at the point-of-sale. We urge legislators to consider the implications of this in the light of a complex threat landscape," Emm urged.

Even with the new Act in force, it is crucial for consumers to take independent precautions to protect themselves against cyber threats. "Do not assume the new legislation is enough to protect your connected activities. We advise customers to use two-factor authentication on their connected devices whenever possible, in addition to enabling encryption on their home routers," Emm advised.

The introduction of the PSTI Act marks a new era of accountability and protection in the digital sphere. While welcomed, the new law does not lessen the personal responsibility of consumers to protect themselves from cyber risk.