Jeff Watkins, CPTO of xDesign, discusses what UK government legislation under Liz Truss’s cabinet can take from the EU Cyber Resilience Act proposal
As you may have read, the European Commission dropped the cyber security mic last week with the publication of its proposed Cyber Resilience Act, in an attempt to ensure more secure hardware and software products for EU citizens. This is likely in recognition that both the digitisation of services has accelerated post-pandemic; and that IoT adoption continues to grow at pace — meaning both organisations’ and citizens’ attack surfaces are also expanding at an alarming rate. The UK has had its own Product Security and Telecommunications Infrastructure (PSTI) Bill in development since 2019, but it took until 2021 to get a first reading in the House of Commons.
Secure by default
Sadly, as with the AI Act and the UK’s more permissive AI toolkit, governments move far slower than the pace of change and adoption in the world of tech. The existing approach to cyber security in many organisations delivering digital products across the world is to be reactionary, patching and asking for forgiveness, rather than taking a “secure by default” approach. That was clearly never going to be a long-term solution, and those days are coming to an end, with these new pieces of legislation introducing much more rigour and requirement to suppliers.
Both the Cyber Resilience Act and the PSTI Bill are an attempt to move the burden of cyber security left in the supply chain, further away from the user — who is responsible for their own security in many cases, but largely unaware of how to maintain it. Both will provide requirements on how long any products covered under these pieces of legislation must be supported and patched, which is a step in the right direction. However, the PSTI Bill is largely there to allow the government to specify statutory security requirements, whereas the Cyber Resilience Act seems to be much broader aiming at digital products in general.
Reading the room
Of course, where you add legislation and potential criminal repercussions, you have to read the room and not make matters worse. The House of Lords have intervened and are seeking to amend the proposed PSTI Bill to provide security researchers, penetration testers and ethical hackers with a valid defence, as such activities could currently be legally spurious under the Computer Misuse Act. Hopefully, the EU will make the same kinds of assurances, because the last thing we want is to discourage our security professionals from doing their jobs.
As the Cyber Resilience Act is in its early stages, it’s likely the PSTI Bill (which is already part way through the House of Lords) will beat it to the punch. It remains to be seen if the Act will be diluted as the real costs of implementation become clear. If the Act is too strict, it will result in delays to product launches (potentially putting the EU behind other developed countries) and increased costs, which will likely be passed on to the customer.
A high priority for a newly anointed PM
In my opinion, our new PM would be wise to ensure the PSTI Bill passes with appropriate amendments, but also moves towards implementing statutory security requirements, as well as ensuring the Bill broadens to cover all digital devices and services. We should keep a collective eye on what the EU includes in its Act, and strongly consider if we’re really maintaining parity. After all, if we’re going to be more permissive on the use of AI than our EU colleagues, then we at least need to ensure we’re keeping pace on security, as the consequences of not doing so could be damaging to our industry and reputation as leaders in technology.
Differences in approach and remit aside, what is encouraging is that we’re moving in the right direction on mandating “secure by default” products in our markets. The knock on effect is that it will almost certainly create jobs in the product security field, as well as more traditional application and corporate IT security roles. This means that there’s an opportunity — and indeed a requirement — for us to act now (and I do mean right now), to address the cyber security skills gap. After all, those new roles won’t fill themselves.