In context: It's not uncommon to see consumers using the default password of their devices, leaving themselves vulnerable to possible cyberattacks. To remediate this situation, the UK government passed a bill that will ban tech companies from using default passwords on their devices, among other requirements.
The UK government's Product Security and Telecommunications Infrastructure Bill (PSTI) is divided into two parts. As the name implies, the first part comprises product security measures to protect consumers and companies from cyberattacks. The second part includes telecommunications infrastructure guidelines created to accelerate the installation, usage, and upgrading of such equipment.
The first part of the bill presents three requirements to achieve its objective: ban default passwords, require products to have a vulnerability disclosure policy, and require transparency about how long the products will receive essential security updates.
The list of devices covered by the security requirements includes smartphones, connected consumer electronics and appliances, connected safety-relevant products and alarm systems, IoT hubs, smart home assistants, and home automation products. Oddly, the list doesn't include computers. Once the bill is accepted, the government will provide at least 12 months for manufacturers, importers, and distributors to adapt to the new legislation.
The telecommunications infrastructure measures aim to streamline the implementation of new gigabit-capable broadband and 5G networks. These rules will encourage the use of alternative dispute resolution instead of legal proceedings, allow operators to share and upgrade buried infrastructure components, and streamline the renewal process after agreements have expired.
The bill has yet to receive Royal Assent, the last step before becoming an actual law. For now, we haven't heard of any other region enforcing similar legislation, but it wouldn't be surprising to see some follow the example. Google and Microsoft have already presented some of their own measures to increase user security. Google, for example, defaulted accounts to use two-step verification and improved password security in Chrome 88, while Microsoft added a passwordless option for its accounts.