
UK Bill Would Ban Default Passwords From Many Devices

The Product Security and Telecommunications Infrastructure Bill will also require companies to say how long their products will receive security updates and provide contact information to researchers.

Nathaniel Mott, Contributing Writer

The UK government has introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill to require consumer tech companies to stop using default passwords for their devices, institute vulnerability disclosure policies, and disclose how long they plan to release security updates for their products after their debut.

The Department for Digital, Culture, Media & Sport (DCMS) says the bill "supports the rollout of future-proof, gigabit-capable broadband and 5G networks, and better protects citizens, networks and infrastructure against the harms enabled through insecure consumer connectable products." It split PSTI into two parts: Product Security and Telecommunications Infrastructure. Both update the Electronic Communications Code overhauled in 2017.

PSTI's Product Security measures apply to smartphones, internet-connected toys, and Internet of Things devices, among other products. (Desktops and laptops are notably absent from the list.) "Following Royal Assent of the Bill," DCMS says, "the government will provide at least 12 months notice to enable manufacturers, importers and distributors to adjust their business practices before the legislative framework fully comes into force."

The bill's Telecommunications Infrastructure measures are more focused on hastening the rollout of new infrastructure by encouraging "the use of alternative dispute resolution (ADR) rather than legal proceedings where possible," creating "a new process enabling operators to obtain Code rights over certain types of land quickly," and otherwise streamlining the processes through which telecom providers can upgrade their networks.

The BBC reports that PSTI will also be overseen by a regulator that "will have the power to fine companies up to £10m or 4% of their global turnover, as well as up to £20,000 a day for ongoing contraventions." This should give companies some extra motivation to improve the security of their products by honoring the bill's requirements.
