Clause 1 - Power to specify security requirements

Product Security and Telecommunications Infrastructure Bill – in a Public Bill Committee am 11:30 am ar 17 Mawrth 2022.

Danfonwch hysbysiad imi am ddadleuon fel hyn

Photo of Chris Elmore Chris Elmore Opposition Whip (Commons), Shadow Minister (Digital, Culture, Media and Sport) 11:30, 17 Mawrth 2022

I beg to move amendment 6, in clause 1, page 1, line 17, at end insert—

‘(2A) The Secretary of State must exercise the power in subsection (1) so as to specify security requirements which make mandatory each of the first three guidelines in the Code of Practice for consumer IoT security published by the Department for Digital, Culture, Media and Sport on 14 October 2018 (“no default passwords”, “implement a vulnerability disclosure policy” and “keep software updated”).”

This amendment would set out the three security requirements expressly in Part 1 of the Bill rather than it being defined in future regulations.

Photo of Graham Stringer Graham Stringer Llafur, Blackley and Broughton

With this it will be convenient to discuss the following:

Clause stand part.

Clauses 2 and 3 stand part.

New clause 3—Report on security risks to UK consumer connectable products—

‘(1) The Secretary of State must prepare a report on the security risks to UK consumer connectable products—

(a) within the period 3 months beginning with the day on which this Act receives Royal Assent, and

(b) every 12 months thereafter.

(2) Any report prepared under subsection (1) must be laid before Parliament.’

This new clause would require the Secretary of State to lay before Parliament a report on the security risks to UK consumer connectable products.

Photo of Chris Elmore Chris Elmore Opposition Whip (Commons), Shadow Minister (Digital, Culture, Media and Sport)

It is a pleasure to serve under your chairmanship, Mr Stringer.

This important legislation establishes, through regulations, three core security requirements for “connectable products”. The requirements derive from the voluntary 2018 “Secure by Design” code introduced by the Department for Digital, Culture, Media and Sport. The inclusion of these three requirements is, without doubt, a step that the Opposition welcome. However, we believe that the legislation can be improved, and that the three security requirements, rather than being defined in future regulations at the discretion of the Secretary of State, should be expressly set out in the Bill. That would be beneficial for two reasons. First, it would give manufacturers and distributors a greater understanding of the legal obligations that they face, thus speeding up the entire process. Secondly, it would ensure that the consumer was better protected, which I am sure we all agree would be a good thing. The consumer rights group Which? emphasised that when it gave oral evidence on Tuesday.

New clause 3 would require the Secretary of State to publish a report on the security risks to UK connectable products. On Tuesday, Madeline Carr, professor of global politics and cyber-security at University College London, said that she does not have an Alexa in her house because of the security risks that those devices, and others like them, pose. Tellingly, she also said that the Bill as constituted would not give her sufficient confidence to purchase one. Given that, and given the tragic scenes unfolding following Russia’s invasion of Ukraine, and the willingness of that rogue regime to engage in state-sponsored cyber-warfare, the Opposition believe it is in the public and national interest to understand how secure our connected products really are. We are becoming more reliant on smart devices in our daily life, both professionally and personally. It is imperative that the security of these devices is routinely monitored and reported on.

As I stated on Second Reading, the Opposition support the Bill, but believe it can be strengthened. Amendment 6 and new clause 3 would ensure that consumers were better protected and more aware of the threats facing their connected devices. As such, I believe that all Committee colleagues should support amendment 6 and new clause 3.

Photo of Julia Lopez Julia Lopez Parliamentary Secretary (Cabinet Office), Minister of State

It is a pleasure to serve under your chairmanship, Mr Stringer. I apologise for giving you a dilemma about the advice on jelly babies. I will start with a few words about the importance of the Bill. As we heard from our panels of witnesses this week, and as we know from our increasing dependence on technology, improving protection for consumers and networks from a range of harms associated with cyber-attacks is incredibly important. In the first half of last year, there were 1.5 billion attempted compromises of internet of things devices—double the 2020 figure for the same period. Voluntary standards, such as the 2018 code of practice for consumer IOT security, are not being adopted quickly or consistently enough. That is why we need legislation to progress security in the design of consumer connectable products.

Before turning to amendment 6, I thank the hon. Member for Ogmore for the constructive and helpful way that he has approached the legislation and for the Opposition’s broad support of it. As this is the first Bill that I am taking through the House in its entirety, I am particularly grateful for that constructive approach. It may reassure him that the Government are committed to introducing security requirements based on the first three guidelines through regulations at the earliest appropriate opportunity. We have consulted on those security requirements and have communicated them extensively.

We have not been vague on the matter. In April 2021, we published our response to the call for views on consumer connectable product security legislation. We stated in detail how the three security requirements would work. When the Bill was announced by Her Majesty at the start of the Session, we repeated that commitment. Indeed, as hon. Members will see in the Bill’s explanatory notes, we have again committed to those three requirements. We made that clear from the start for an important reason: we need industry to act and prepare for implementation. We do not want surprises for manufacturers, importers or distributors. They know what they have to do.

Amendment 6 is unnecessary, but might also be dangerous. We are keen to ensure that the legislation retains flexibility, so that it can adapt to and reflect the changing threat landscape, and the security requirements needed to address it. What might seem like a no-brainer security requirement today might become a security threat or barrier to security innovation in years to come.

Amendment 6 reaches back to 2018, when our code of practice was first published. Security requirements have developed since then. When the Bill is implemented, we do not think it should be constrained by what was appropriate five years ago. The requirements we will introduce are based on the first three guidelines in the code of practice, but they also contain necessary improvements. They are up to date, more detailed and have been translated into practical requirements that businesses can implement to get the right security outcomes without unnecessary burden. Stakeholder engagement and impact assessment work conducted since 2018 ensures that the guidelines are nuanced, and are in a robust and enforceable statutory framework that delivers optimal security outcomes.

Finally, hon. Members may not be aware that because this new legislation will impact on manufacturers globally, we have given notice of the Bill to the World Trade Organisation. We invited comments on our proposals two years ago, and when the Bill was introduced to Parliament, we gave notice again. We have worked to ensure that all manufacturers understand our intentions. Amendment 6, if accepted, would cause confusion by taking us back to 2018, and away from the more developed position we have reached on the three principles. That would cause market confusion, require new notification to the WTO, and potentially delay this vital regime from coming into force. With those reassurances, I hope the hon. Member will feel able to withdraw his amendment.

Clause 1 is needed to provide the Government with the necessary powers to specify and mandate security requirements, through secondary legislation, that businesses must comply with. There is a common notion that Governments are behind the curve when it comes to regulating technology. not in this case. By establishing a flexible and futureproof regulatory framework in this way, the Government can be agile and proactive in amending and introducing security requirements through regulations, in lockstep with tech innovation. Parliament will be able to scrutinise any future security requirements designated through the secondary legislation process and, as new threats emerge and international standards develop, we can act and set new security requirements, keeping consumer connectable product security up to date and fit for the future.

The purpose of clause 2 is to provide further detail about how the Secretary of State’s power to specify security requirements can be used. Clause 3 is essential because it provides the Secretary of State with powers to specify circumstances in which a person is deemed to have complied with the security requirements. The clause, when exercised, would provide more than one route to compliance and would provide the necessary flexibility to accommodate and recognise international standards and mutual recognition agreements where appropriate.

I turn to new clause 3. In practice, it would commit the Government to reporting on a fixed basis on the security risks posed by products affected by the Bill. Those reports would be laid before Parliament. Cyber-security is definitely not an area where the Government hold back on publishing information. If we are to raise the cyber-resilience of the nation, we need to ensure that everyone is clear about the threat. In December, we published our national cyber strategy. The Government will continue to publish regular reports on our progress on that strategy, as we did with regard to the previous strategy. The Government also publish an annual report that surveys cyber-breaches across the economy. This report, together with others, forms a key part of the evidence base used to inform organisations about action to take to raise security standards. Indeed, the breaches survey meets the quality threshold to be managed as a set of official statistics.

Our National Cyber Security Centre is also a model of transparency. It is there to advise businesses, and guide them towards better managing cyber-threats. It publishes an annual report, and for those who want to focus on consumer connectable products, it provides specific advice on those, too. Parliament is already regularly kept informed of cyber-security matters; our regular publications are placed in the Library. Our national strategy, implemented with £2.6 billion of investment, is overseen by the Public Accounts Committee. The Intelligence and Security Committee and the Joint Committee on the National Security Strategy provide further oversight. Also, there are mechanisms for holding the Government to account in the manner intended by the provision, such as regular parliamentary debates and questions.

Cyber-security is a fast-moving and sensitive topic. A fixed-period reporting clause that imposes an obligation to report on security risks may duplicate existing activity. Such a system would also lack the agility necessary to enable us to report quickly when threats are identified. It may reassure the hon. Gentleman to know that the Secretary of State will be required to review the effectiveness of the Bill’s enforcement regime; they, or the designated enforcing authority, will be required to report on that to the relevant departmental Select Committee after Royal Assent. The enforcement authority will also report its activity and findings, where appropriate. The measures already in place will likely meet the intention behind new clause 3. For the reasons that I have set out, I do not accept the need for the new clause.

I turn to the points that the hon. Gentleman raised about Dr Carr’s concerns about Alexa, which I also found eye-catching. A lot of secondary legislation comes with this Bill, and that will hopefully reassure Dr Carr. I also note the comment made by a lot of our witnesses: we can never have 100% security with those devices. I therefore commend clauses 1 to 3 to the Committee.

Photo of Kevin Brennan Kevin Brennan Llafur, Gorllewin Caerdydd

Good morning, everybody. Happy St Patrick’s day to everyone. I congratulate the Minister on her first Bill. I have been through the process many times, and it is an exciting and proud moment to lead on a Bill for the Government for the first time. When I did it, my father, who was from West Cork, said, “Not bad for someone from the peat bogs of West Cork.” I am sure that the Minister’s family are equally proud of her achievement.

I want to raise a couple of general issues, as we are debating the first three quarters of the Bill in this grouping. I congratulate the Minister for providing such a comprehensive impact assessment on the Bill. I was slightly confused by the figure for the cost of business, which is set at net present value, and is put at “£1,246.9.9” million. That figure looks like a typo. I wondered what the correct figure was, and if the Minister could provide it. I suggest it is just the one “point nine”.

This is a very significant piece of legislation, given the impact it will have on consumers and business. It is very technical. Page 8 of the impact assessment details the Government’s key assumptions about how the Bill will impact on businesses. Businesses will have to dispose of devices that no longer satisfy the criteria that the Minister is likely to set. The impact assessment’s optimistic assessment of what percentage of devices will have to be disposed of is 5%. Its working assessment is 45%. The figure it is using, however, for the impact on business is that 10% of devices will have to be disposed of by businesses.

I know that making impact assessments is not a precise science—to a certain extent, it is about trying to look into a crystal ball—but there seems to be quite a difference between the assumption that the Government are making of 10%, their best case scenario of 5%, and the worst-case scenario of 45%. Can the Minister explain to the Committee why there is such a wide range of figures? As far as business is concerned, those figures are very different. If the Government have got this wrong, and we are in the worst-case scenario, businesses will dispose of four times as many devices as the Government thought. I would be very grateful if the Minister could fill the Committee in on how there can be such a difference between those figures.

I have another point on the impact assessment; my hon. Friend the Member for Ogmore raised similar issues. It is about smart speakers and an exchange that took place in the evidence session. It is not the first time that I have asked someone whether they would regard it as safe to have one of these devices in their home—smart speakers; an Alexa-type device. Nevertheless, it seems extraordinary that a cyber-security expert giving evidence to this Committee should say that they would not have such a device in their home, because they do not trust them. That is basically what the witness told the Committee. I then asked her, “Well, following the passage of this Bill, would you have one in your home?”, and her response remained no; she still would not trust them. A cyber-security expert giving evidence to the Committee said that even if the Bill contained the measures that the Minister is proposing, she still would not have such a device in her home.

The Minister might be interested to know that I asked the same question of the outgoing Information Commissioner when she appeared before the Digital, Culture, Media and Sport Committee, and she gave exactly the same answer; she, too, did not trust these devices sufficiently to have one in her home.

The Minister gave reassurances to my hon. Friend the Member for Ogmore, but how much further can she go to reassure this Committee that the Bill, and the subsequent regulations, will mean that consumers can safely have these devices in their home, and trust them? How can she ensure that security experts, the Information Commissioner and others will be able to say to the public, “It is largely safe to have these devices in your home”?

I say that because page 13 of the Government’s impact assessment says that smart speakers are present “in 22% of households” in the UK, which means that over one in five households in the UK already have devices of this kind. I presume that in general we would want a roll-out of safe connectable devices, because of the benefits that they can bring; they have huge benefits for people who are disabled, who use them to improve their quality of life hugely. It is worrying, is it not, to be told that they are not to be trusted. Could the Minister give us any further reassurances on that point?

Finally, I understand that at a later date, a new clause may be introduced on the issues that were raised with Which? in the evidence session. Which? was keen to emphasise that it would like something done to alleviate inappropriate minimum periods for security updates in support of these connected devices. I will not pursue that further at this point, because I understand that there may well be an opportunity to debate a new clause on that at the end of our proceedings.

Photo of Julia Lopez Julia Lopez Parliamentary Secretary (Cabinet Office), Minister of State 11:45, 17 Mawrth 2022

I thank the hon. Member for Cardiff West for his contribution and his kind comments. I will have to get back to him on the precise figures that he identified in the impact assessment. However, in relation to the breadth of the impact assessment, he will know from this legislation that we are taking a broad range of powers. As we debated earlier, that is very deliberate because this is a fast-moving area. Technology is developing faster than Parliament can regulate it, which is a major challenge for Governments around the world. The Bill will help us to be nimble and agile in how regulate that technology.

A lot of the issues that the hon. Gentleman has concerns about will be something for secondary legislation, which we will be developing hand in glove with businesses so that we understand what is changing in the technological world and what impact that will have on matters such as the disposal of devices. I share his concerns about the environmental impacts if we get the regulations on that wrong—none of us wants to see a lot of technology become redundant.

We are trying to help consumers have more information so that if someone buys a device, they do not necessarily have to dispose of it simply because the period for which the manufacturer says it is covered has expired. It will be up to the consumer to decide whether to keep that device if they think it is less secure than it otherwise might be. It has been controversial to take these broad powers. We understand the concerns that any Parliament would have about the level of scrutiny it will have. However, the Government think that this is right because, as I say, we have to maintain that agility.

The hon. Member for Cardiff West referenced the points raised by Dr Carr. As I said earlier, I share those concerns. What we are trying to do is raise the level of security overall; we want to help consumers and manufacturers to understand this as an issue. This was initially a voluntary code, which did not do enough to make manufacturers take the cyber obligations seriously. There was an interesting discussion on the panels earlier this week when one contributor—I cannot remember who it was exactly—said that the legislation will give boards the spark or impetus to discuss and get funding for these kinds of cyber-security requirements for their products. If it is voluntary, it is very hard for anybody to make the case within their company that they need to take cyber-security seriously.

We hope that the secondary legislation will allay some of Dr Carr’s concerns. We will never have 100% security, but we hope that these provisions will raise the bar overall and help to raise consumer and manufacturer awareness of cyber as a whole. I hope that those comments will reassure the hon. Gentleman. I also assure him that we will look at how to get the balance right in the secondary legislation, and we will be in close contact with businesses as we do so.

Photo of Chris Elmore Chris Elmore Opposition Whip (Commons), Shadow Minister (Digital, Culture, Media and Sport)

I listened to what the Minister had to say, in particular in relation to amendment 6. I take her at her word; it is a probing amendment, so I will withdraw it on the basis that she will bring forward secondary legislation in relatively short order. As she mentioned, cyber-security is a fast-paced and changing environment, so it is important that we do not wait a number of years for additional improvements to legislative competence.

On the basis of what the Minister said, I am also happy not to move new clause 3. However, I wonder whether she could write to me setting out the reporting periods that she mentioned, particularly in terms of the DCMS Committee, following Royal Assent—assuming that the Bill gets Royal Assent, which I am sure it will—as well as the other reporting obligations that she says the Secretary of State or reporting officer will have. The new clause seeks to place a requirement on the Secretary of State specifically in this new legislation. If the Minister feels that those things are already in train or are part of the reporting process, that is fine, and I am happy not to move the new clause. However, it would be good to have that list for future understanding—particularly if reporting does not take place, in which case the Opposition will hold the Government to account.

Photo of Julia Lopez Julia Lopez Parliamentary Secretary (Cabinet Office), Minister of State

I am happy to write to the hon. Gentleman and offer those assurances. A new body will also be set up, which will probably have its own reporting requirements in relation to this legislation. These things will be developing, but I am happy to offer him the assurances he requested.

Amendment, by leave, withdrawn.

Clauses 1 to 3 ordered to stand part of the Bill.