Product Security and Telecommunications Infrastructure Bill

Written evidence submitted by NCC Group (PSTIB08)

Submission to the Product Security and Telecommunications Infrastructure Bill Committee

1.1. NCC Group is delighted to have the opportunity to engage with the Product Security and Telecommunications Infrastructure Bill (PSTI) Committee and offer our expertise as a UK-headquartered global cyber security and software resilience business. As security experts, with specific expertise in connected device security, our comments relate to Part 1 of the Bill.

1.2. NCC Group’s mission is to make the world safer and more secure. We are trusted by more than 14,000 customers worldwide to help protect their operations from ever-changing cyber threats. In support of our mission, we continually invest in research and innovation as an intrinsic part of our business model to match the rapidly evolving and complex digital environment. Indeed, in FY2021, we delivered 3,400 research days.

1.3. Consumer IoT device security is one of our core research specialisms. We are proud to be a close security partner to consumer group Which? as part of an ongoing campaign to improve the security of consumer devices. In the last year alone, we have:

· Set up a smart home ‘honeypot’ which detected more than 12,000 scanning or hacking attempts in one week [1] – as referenced in the UK Government’s announcement introducing the PSTI Bill [2] ;

· Identified security issues in c.1,700 smart products listed on online marketplaces [3] ; and,

· Researched the safety and security of nine e-scooter brands, finding multiple flaws that could enable hackers to access users’ data, increase e-scooters’ speed and activate their brakes remotely [4] .

1.4. Through our work and our research, we are acutely aware of the urgent need for better security across connected devices. Whilst we welcome the introduction of the PSTI Bill, which will undoubtedly improve the safety and security of smart products, we believe that the legislation (and subsequent secondary legislation and regulations) should be strengthened in the following ways:

1.5. Require third-party verification of compliance:

1.5.1. As the Committee will be aware, manufacturers will be required, under the new law, to provide a "statement of compliance" in order to make a consumer connectable product available. However, as the Bill is currently written (Clause 9 (3)), assessing whether a manufacturer has, indeed, complied with the security requirements will be based on "the opinion of the manufacturer" – or, in other words, manufacturers will self-assess whether they have implemented the security requirements correctly.

1.5.2. We note that the Bill’s Explanatory Notes state that the detailed security requirements may mandate specific conformity assessment procedures in respect of certain products. We interpret this to suggest that the Government is already thinking about how to improve and strengthen assessments beyond the current self-assessment approach which, we believe, outlines an existing concern that the proposed light-touch approach could be insufficient materially to improve the security of devices that consumers will rely on for critical tasks of their everyday lives. We believe that it would be more honest and decisive to design a stringent regulatory regime from the outset that avoids manufacturers marking their own homework, not least because they might often lack the technical capabilities truly to understand potential vulnerabilities and security and safety risks.

1.5.3. By way of comparison, as set out in the recently published Government’s Cyber Security Strategy [5] , government departments will be subject to independent auditing and assessment against the NCSC’s Cyber Assessment Framework (CAF) – not least to help them truly understand their risk profile. We believe the approach to securing home devices – with very clear safety risks if not secured adequately – should be held to the same standards, with mandatory third-party assessments introduced. This could be overseen by the Office for Product Safety and Standards, who are already overseeing EV chargepoint cyber security.

1.6. Extend the scope of the Bill to cover e-scooter security:

1.6.1. Through our aforementioned research, undertaken in partnership with Which?, we found multiple security flaws in several e-scooter brands, including:

· Skilled cyber attackers potentially being able to activate the brakes remotely while a victim is travelling at speed;

· E-scooter owners/riders being able to modify the e-scooter to increase the speed above the legal speed limit;

· Outdated software in apps potentially exposing users’ data and privacy and enabling malicious actors to manipulate the apps in different ways;

· A lack of encryption of users’ data; and,

· An exposed ‘Serial Wire Debug (SWD) port’ which malicious hackers could use to bypass an e-scooter’s security.

1.6.2. The results of our investigation do, we believe, raise the question around whether regulators should introduce stricter security and safety controls and practices, or whether e-scooters should fall under the PSTI Bill.

1.7. Align the PSTI Bill with a reformed Computer Misuse Act 1990:

1.7.1. The Computer Misuse Act, which was written over three decades ago and remains the primary law governing cybercrime in the UK, inadvertently criminalises a significant proportion of the type of vulnerability research cyber security professionals are capable of carrying out. This is because the Act, as it is currently written, blanketly prohibits all unauthorised access to computer material, irrespective of intent or motive. It means that researchers can face legal action for reporting a vulnerability to an organisation, even if the affected organisation has a vulnerability disclosure policy in place. We believe this undermines the PSTI Bill’s aims to encourage greater vulnerability reporting, and that the Government should take a more holistic look at its cyber security laws to ensure that they are fit for purpose. Specifically, the Computer Misuse Act should be updated – as a matter of urgency – to put in law a basis from which cyber security researchers can defend themselves. Failure to do so puts the objectives of the PTSI Bill at risk.

1.7.2. A Call for Information on a review of the Computer Misuse Act 1990 concluded in June 2021. 66% of respondents stated that they did not believe that the current Act offered sufficient protections for legitimate cyber security activities. As policy proposals to address the current shortcomings are developed, we believe it is crucial to promote a joined-up approach to ensure the wider legislative environment supports the ambitions for future secure by design technology development.

1.8. NCC Group is passionate about sharing our expertise and insights with policymakers and parliamentarians who are legislating on critical issues such as this one. We would be delighted to give oral evidence to the Committee’s inquiry to help explore the proposals we raise in our submission in more detail.

March 2022

 

Prepared 16th March 2022