Cyber Up Campaign react to the introduction of the Product Security and Telecommunications Infrastructure (PSTI) Bill to the UK Parliament

The Product Security and Telecommunications Infrastructure (PSTI) Bill will enable the Government to require manufacturers, importers and distributors to make sure their consumer connectable products (from smart TVs to smart phones) meet minimum cyber security requirements before they are placed on the UK market (including via online marketplaces), so as to minimise harm. Under regulations that will be introduced following the passage of the Bill, manufacturers will be required to provide a public point of contact to report vulnerabilities.

The CyberUp Campaign believes this is an important step forward in ensuring that vulnerability disclosures by cyber security researchers are encouraged, which will lead to improved cyber resilience across systems – indeed the Government response to the consultation on these proposals mentioned the importance of legal certainty for security researchers in the context of vulnerability disclosure. The legislation is a step in the right direction in this regard.

However, the CyberUp Campaign has been clear that, without a statutory defence in the Computer Misuse Act, cyber security researchers can still face spurious legal action for reporting a vulnerability to a company which can decide on a whim to ignore its vulnerability disclosure policy – a practice known as liability dumping. If, as the PSTI Bill seems to recognise, encouraging greater vulnerability reporting is an important part of cyber resilience, then the Government should go further to reform the Computer Misuse Act and put in law a basis from which cyber security researchers can defend themselves.
