New Clause 4 - Requirement to consult on imposition of minimum periods of time for which products would need to receive security updates

Part of Product Security and Telecommunications Infrastructure Bill – in a Public Bill Committee at 9:25 am on 22 March 2022.


Chris Elmore Opposition Whip (Commons), Shadow Minister (Digital, Culture, Media and Sport) 9:25, 22 March 2022

I beg to move, That the clause be read a Second time.

During the oral evidence session last Tuesday, we heard a number of concerns about part 1 of the Bill, which were outlined particularly eloquently by Madeline Carr, professor of global politics and cyber-security at University College London, who tellingly stated that she does not currently own an Alexa due to a lack of trust, and that the Bill as it currently stands would not give her sufficient confidence to go out and purchase one. Her Majesty’s Opposition value the contribution and knowledge of experts such as Professor Carr, and we have tabled new clause 4 on that basis.

The clause would require the Secretary of State to undertake a consultation on the imposition of a minimum period during which relevant connectable products would need to receive security updates. That would allow the Secretary of State to consult with academics such as Professor Carr, among others in the field, to establish the best way of making those connectable products, which have the potential to bring huge benefits to our lives, as safe as possible for as long as possible.

I presume the Minister might retort by saying that increased regulation of this sphere might stifle innovation, but that is exactly the opposite of what we heard last Tuesday. What we heard was that without strong, strategic Government intervention, there is not much desire for, or a market for, cyber-security. That is why introducing a minimum period for which connectable products would be subject to security requirements is so important: without Government intervention, increased security for British consumers will not come about.

Another reason that implementation of the new clause is so vital is that it relates to the digital divide and the ability of those who are the most financially vulnerable to have access to secure products. We do not want the less well off to be purchasing items that are subject to security updates for a much shorter period, thus making them more vulnerable to cyber-attacks than those who are more financially secure. I raised that issue on Second Reading and, dare I say it, there was some pushback from Members in the Chamber, but the issue was highlighted by Professor Carr and David Rogers, who was the lead editor during the process that is the basis for the Bill.

The party that I am deeply proud to represent was founded to represent the interests of working people, and it is ultimately my responsibility to ensure that working people across the country do not lose out with respect to the pace of technological change and as the threats facing that technology continue to increase. We acknowledge that no Bill can anticipate all threats that we will face in the future and the varying types of product that will come to the market, but we do have control over ensuring that we do our utmost in legislation to best protect the citizens of the United Kingdom. As we heard from a number of industry experts, one of the best ways to do that is to introduce a minimum period for which these products should be subject to security updates. For that reason, I hope the Committee will support the new clause.