New Clause 4 - Requirement to consult on imposition of minimum periods of time for which products would need to receive security updates

Product Security and Telecommunications Infrastructure Bill – in a Public Bill Committee at 9:25 am on 22 March 2022.


“(1) Within three months of the date on which this Act receives Royal Assent, the Secretary of State must publish the text of draft regulations exercising the power in subsection (1) of

(2) The Secretary of State must consult—

(a) representatives of all relevant persons (as defined in section 7 (Relevant persons)), and

(b) any other person the Secretary of State thinks appropriate on the draft regulations.

(3) Within three months of the final date for receipt of responses to the consultation, the Secretary of State must lay before Parliament a report on the responses.”—

Brought up, and read the First time.

Chris Elmore, Opposition Whip (Commons), Shadow Minister (Digital, Culture, Media and Sport)

I beg to move, That the clause be read a Second time.

During the oral evidence session last Tuesday, we heard a number of concerns about part 1 of the Bill, which were outlined particularly eloquently by Madeline Carr, professor of global politics and cyber-security at University College London, who tellingly stated that she does not currently own an Alexa due to a lack of trust, and that the Bill as it currently stands would not give her sufficient confidence to go out and purchase one. Her Majesty’s Opposition value the contribution and knowledge of experts such as Professor Carr, and we have tabled new clause 4 on that basis.

The clause would require the Secretary of State to undertake a consultation on the imposition of a minimum period during which relevant connectable products would need to receive security updates. That would allow the Secretary of State to consult with academics such as Professor Carr, among others in the field, to establish the best way of making those connectable products, which have the potential to bring huge benefits to our lives, as safe as possible for as long as possible.

I presume the Minister might retort by saying that increased regulation of this sphere might stifle innovation, but that is exactly the opposite of what we heard last Tuesday. What we heard was that without strong, strategic Government intervention, there is not much desire for, or a market for, cyber-security. That is why introducing a minimum period for which connectable products would be subject to security requirements is so important: without Government intervention, increased security for British consumers will not come about.

Another reason that implementation of the new clause is so vital is that it relates to the digital divide and the ability of those who are the most financially vulnerable to have access to secure products. We do not want the less well off to be purchasing items that are subject to security updates for a much shorter period, thus making them more vulnerable to cyber-attacks than those who are more financially secure. I raised that issue on Second Reading and, dare I say it, there was some pushback from Members in the Chamber, but the issue was highlighted by Professor Carr and David Rogers, who was the lead editor during the process that is the basis for the Bill.

The party that I am deeply proud to represent was founded to represent the interests of working people, and it is ultimately my responsibility to ensure that working people across the country do not lose out with respect to the pace of technological change and as the threats facing that technology continue to increase. We acknowledge that no Bill can anticipate all threats that we will face in the future and the varying types of product that will come to the market, but we do have control over ensuring that we do our utmost in legislation to best protect the citizens of the United Kingdom. As we heard from a number of industry experts, one of the best ways to do that is to introduce a minimum period for which these products should be subject to security updates. For that reason, I hope the Committee will support the new clause.

Julia Lopez, Parliamentary Secretary (Cabinet Office), Minister of State

Again, I thank the hon. Member for his suggestions, and I always appreciate the intention behind what he is trying to do. On this matter, we have been consulting with experts throughout the development of the legislation. As he will be aware, a lot of the details about how we shall regulate these products will come in secondary legislation. Here, we are taking broad powers so that, as the technology develops, we can tweak them as things change. We are also considering a wide number of products that will be in scope.

We do not want to take specific powers at this stage, and, as I mentioned in relation to the hon. Gentleman’s amendment 6, which we debated last week, it is important that the legislation retain the flexibility to adapt to and reflect the changing threat and technological landscapes. We have consulted widely on the legislation, and will continue to do so where new requirements are appropriate, but committing the Government to working on requirements framed using terminology that may seem appropriate today could limit the security benefits of such a requirement in the future.

As I reassured the hon. Member last Thursday, we are committed to introducing security requirements based on the first three guidelines of the internationally recognised code of practice for consumer internet of things security. Those will include a requirement for manufacturers to be transparent about the time for which products will be supported with security updates. At its core, that approach demonstrates a shift towards clear transparency that can inform the consumer when purchasing a relevant device. We know that many consumers are security conscious, but, as things stand, not enough manufacturers make that information readily available to them.

Data from Which?, which the Committee heard from last week, highlights that less than 2% of assessed products had clear information on the length of time for which they would receive security updates. We are using legislation to increase the availability of information to UK consumers, so that they can make their own purchasing choices with a clear understanding of security. As consumers learn more, they will expect more, and we hope that that will drive the market approach to embedding minimum periods for security updates. Last week, the Committee heard from Which? that some consumers might be continuing to pay for their devices even after security updates are available to them. That is exactly the kind of thing we want to avoid, and we think that transparency is the key to raising consumer awareness.

As manufacturers raise the bar to the appropriate level, we anticipate that more and more will do the same as a result of that shift to transparency. Should manufacturers fail to respond in that way, the Government may, in the future, consider that there is a case for setting out a requirement for certain products to be covered by minimum security periods. That is all part of the flexible approach we are keen to take to legislation to ensure that our requirements reflect the realities of technologies and the wider market.

Additionally, I have concerns that the new clause would commit the Government to unnecessary work that would only need to be repeated following the implementation of the initial requirements, before a substantiated case for this additional requirement could be made.

For those reasons, I am not able to accept the new clause. We are taking broad powers and a lot of details will be looked at when we consider secondary legislation. We will be looking at this issue as these products develop. If we think that a requirement for the hon. Member’s minimum period comes about, we will look at the issue again. At this stage, though, I hope he will consider withdrawing his new clause.

Chris Elmore, Opposition Whip (Commons), Shadow Minister (Digital, Culture, Media and Sport), 9:45, 22 March 2022

I have listened carefully to what the Minister has said. For the record, I agree with her about increasing the availability of security information for consumers. I am concerned that the figures are so low regarding the public’s understanding of the cyber-security arrangements when buying goods, whether that be a smart toothbrush—that was an education to me a few months ago when I was being lobbied on the Bill—or what data our smart fridges hold on us. Such information is a revelation, although I should probably know better as the shadow Minister.

The new clause is about a consultation for minimum periods and I accept that there is secondary legislation linked to that. However, as the Opposition, we have an obligation, particularly following the evidence from Professor Carr, to make clear what we think should happen regarding a simple consultation by the Secretary of State on the imposition of minimum periods for purchasing; and the Committee can make that clear in a separate decision.

Question put, That the clause be read a Second time.

Division number 8: Product Security and Telecommunications Infrastructure Bill — New Clause 4 - Requirement to consult on imposition of minimum periods of time for which products would need to receive security updates

Aye: 4 MPs

No: 10 MPs


The Committee divided: Ayes 4, Noes 10.

Question accordingly negatived.

Question proposed, That the Chair do report the Bill, as amended, to the House.

Chris Elmore, Opposition Whip (Commons), Shadow Minister (Digital, Culture, Media and Sport)

On a point of order, Ms Nokes. I thank all Committee members for a constructive and cordial debate throughout, including in the evidence sessions. I thank the Clerks, particularly for answering my team’s never-ending questions. As new members of staff for me who have been flown into a new Bill, James Small-Edwards and Alex Williams have been superb. I thank you, Ms Nokes and Mr Stringer, for your chairpersonship across the sessions—and, of course, the Doorkeepers, who have spent all their time running through the room as I am calling for Divisions.

Question put and agreed to.

Bill, as amended, to be reported.

Committee rose.

Written evidence reported to the House

PSTIB17 Dan Patefield, Head of Programme, Cyber and National Security; and Sophie James, Head of Programme, Telecoms and Spectrum Policy, techUK (supplementary submission)

PSTIB18 Palo Alto Networks

PSTIB19 CyberUp Campaign

PSTIB20 Protect & Connect