With the update, manufacturers will have to make it easier for people to report security issues. PSTI also now requires them to set clear expectations about when those filing reports can expect an acknowledgment and later status updates. Violations of the law can result in fines of up to 10 million pounds (about $12.5 million) or 4% of “qualified worldwide income,” whichever is higher.
The law would apply to a wide range of products, but a big target here is likely to be IoT devices like smart TVs, smart plugs, or smart speakers. Many of them, especially the cheaper ones, end up as online targets thanks to lax security practices that have made them part of devastating attacks like the Mirai-based DDoS botnet seen years ago. The law doesn’t necessarily address all of these practices, but insecure default passwords are an easy problem that should be resolved.
In the US, the FCC is trying something similar with its upcoming Cyber Trust Mark program. Much like the federal Energy Star program, the Cyber Trust Mark logo indicates which products meet the program’s requirements, including strong default passwords.
But also like Energy Star, no one is forcing companies to adopt it. And while Energy Star has clear, explainable benefits like lower utility bills, it’s a little harder to make clear that a smart bulb connected to your router could be a security risk to your other devices, so it’s hard to know how effective the program will be when it comes into force.