(2 years, 6 months ago)
Lords ChamberMy Lords, Her Majesty’s Government want the UK to be a science superpower. Two key planks in achieving this are security and digital connectivity. The UK already influences and shapes global cyber standards and we have committed huge investment to counter cyber threats and to meet our digital infrastructure targets. Back in 2016, we invested £1.9 billion to bolster our cybersecurity, setting up the National Cyber Security Centre and investing in economic resilience, innovation and skills. Now we have gone further, with an additional £2.6 billion being invested over the next three years. The National Cyber Security Centre has stopped 2.7 million online scams in the past year alone, and the new National Cyber Force will proactively counter cyber threats that we face.
Our investment in innovation has seen more than 40 tech unicorns—that is, start-up businesses now valued at over $1 billion—grow outside London, with 100 more in the pipeline. We have invested significantly in superfast broadband, bringing it to 97% of premises, and are now driving investment in gigabit broadband, with over 68% of premises now able to access this technology. But we need to keep investing in emerging technologies to secure ourselves against future threats and realise the opportunities of a digital economy. Monthly broadband use has doubled in four years and continues to rise every year. Cyber threats are proliferating and technology is not always secure by design. That is why we have introduced this Bill.
We want to fulfil our commitment to delivering faster digital connectivity and to ensure that, as we grow, our technology is secure. The Bill will facilitate the extension of futureproofed gigabit-capable broadband and 5G networks, and improve the protection of people, networks and infrastructure from the harms caused by insecure consumer-connectable products. I will start with the telecommunications measures, explaining why they are necessary and what their intended effect is. Following this, I will turn to the product security measures and outline why it is important to consider digital infrastructure and cybersecurity in conjunction.
The Government are committed to delivering digital growth by building a stronger, more connected and more secure UK. This is even more vital as we build back from the pandemic. We have seen rapid growth in the availability of gigabit broadband, from less than 11% of homes and businesses at the end of 2019 to more than 68% today, but, to deliver much-needed connectivity, we must have a legal framework which encourages and enables the deployment of digital networks.
To that end, we are making good progress through a package of measures. Last year we passed the Telecommunications Infrastructure (Leasehold Property) Act to address one of the key barriers to the deployment of gigabit-capable broadband in blocks of flats. We have also committed to legislate to mandate gigabit connectivity in new-build homes. These regulations will be laid as soon as parliamentary time allows. We continue to work closely with the Department for Transport to ensure that street works support deployment of broadband while protecting the road network.
We are working with industry to support its investment and have committed £5 billion of public funding to ensure that no part of the United Kingdom is left behind. We aim to reach a minimum of 85% gigabit-capable broadband coverage by 2025 and to get as close to 100% as soon as possible. We have also agreed a £1 billion deal with the industry to deliver the shared rural network, which is already delivering improved 4G coverage across the UK. The operators and the rest of the industry remain confident that their combined coverage is expected to be delivered to 95% by the end of 2025. We also aim for the majority of the population to have 5G coverage by 2027.
To improve connectivity, in 2017 we implemented reforms to the Electronic Communications Code, which regulates installation agreements between landowners and telecommunications operators. Some noble Lords here today will have been involved in the scrutiny of that legislation. The aim was to make it easier and more cost effective for digital networks to be installed, maintained and upgraded. However, there is still more to be done. We need to go further to realise the Government’s ambitions for digital connectivity and levelling up.
The Bill before us will update the Electronic Communications Code, among other pieces of connected legislation, to deliver these ambitions. Specifically, the Bill aims to optimise the use of existing infrastructure. It encourages collaborative relationships between telecommunications operators and site providers. It gives operators the ability to obtain new rights, which will enable them to take advantage of new technologies and pass the benefits on to customers. It builds on previous measures to tackle the issue of unresponsive landowners and ensures that the price paid to host telecoms apparatus is calculated in a consistent way across the country, preventing a digital divide.
Making optimum use of existing cable and fibre networks has a key role to play in upgrading services and increasing competition. The Bill introduces a new automatic right for operators to upgrade or share apparatus installed before the 2017 reforms. This will be subject to specific conditions to ensure that it will not adversely affect landowners. The measures have been considered carefully to deliver significant benefits to the public while ensuring that there will be little impact on landowners.
Furthermore, the Bill rationalises the way in which expired code agreements are renewed. Currently, an operator has to use one of three different statutory renewal routes. The Bill ensures that, whichever route an operator uses, the terms of the renewed agreement will more closely align with the code as it was reformed in 2017. As a result, there will be greater consistency in how agreements are renewed across the UK.
Making better use of existing infrastructure through upgrading and sharing, and a more consistent and efficient renewal process, will not only improve digital services but reduce the need for new installations. This means less disruption from street works and fewer mast installations in both rural and urban settings, which I am sure will be welcomed in all parts of your Lordships’ House.
We are also introducing measures to facilitate greater use of alternative dispute resolution when parties are negotiating the terms of an agreement to install telecommunications apparatus. This is to ensure that disputes are resolved more quickly and cost-effectively, and that litigation is used only where absolutely necessary. We anticipate that this will encourage constructive dialogue between network operators and potential and existing site providers. It will address situations where landowners may feel compelled to accept terms offered by operators by giving them alternative means of resolving disputes without the need for lengthy and costly litigation.
Finally, in situations where landowners are not responsive, we are creating a new court process. This process will provide a quick and inexpensive route for operators to gain time-limited rights to access certain types of land. Again, these measures have been developed to strike the balance between protecting landowners and ensuring that everyone across the UK has access to reliable and quick digital infrastructure.
I turn now to the product security provisions in the Bill, since the demand for faster broadband is driven by the increasing number of devices we are all installing in our homes. Increasingly, we are streaming more programmes on smart televisions and using telephones and tablets for video calling; half of all homes have a smart speaker, smart watches continue to rise in popularity and smart doorbells and cameras are appearing on every street. The average UK household now has nine internet-connected devices, and over 50% of all UK households purchased an additional consumer connectable product during the pandemic.
With this increased ownership and use of consumer connectable products, there comes a heightened risk of cyberattacks. Cybercriminals have taken advantage of consumer vulnerability during the pandemic, and increasingly target consumer connectable products. In the first half of last year alone, we saw 1.5 billion attacks on connectable products—double the figure of the year before. Thousands of people in the UK have been victims of cyberattacks, leaving many with significant losses of money or private data. As we have seen recently, cybercriminals can now use compromised connectable products to attack large infrastructure. In 2016, the Mirai attack disabled internet access across much of the east coast of the United States of America; we still see variants of Mirai-using botnets attacking businesses and infrastructure today. We have made significant progress to develop the UK’s cybersecurity to tackle threats such as these. In 2018, the Government published a code of practice for manufacturers to improve the security of consumer devices. The UK is a world leader in this area, and our code has since been used by Australia and India, among other countries.
Of course, this progress needs to keep up with the ever-evolving cyber landscape—hence the need to legislate now to ensure that our people and networks are better protected. Taken together, the telecoms and product security measures in the Bill work to create a reliable fast broadband network, and to support the growth of more secure consumer connectable products. The Bill will enable the Government to specify mandatory security requirements to ensure that manufacturers, importers and distributors of smart devices work harder to protect consumers from cyber risks. These requirements will be set out in regulations and are supported by experts, industry and our international partners, with whom we continue to work closely to ensure that everyone is well aware of the initial three requirements.
The first is a ban on universal default passwords. Too often, consumer connectable products come with an easy-to-guess password; this makes them vulnerable and risks compromising a user’s privacy and security. The second is that a manufacturer of consumer connectable products must have and maintain an accessible vulnerability policy, obliging them, as a minimum, to receive and respond to reports of security issues in their products. This is important to ensure that manufacturers can be made aware of, and quickly address, any shortcomings in their products, and to foster good practice to protect society as a whole. Finally, manufacturers will be required to be transparent about the minimum length of time for which a product will receive security updates. This should enhance consumers’ awareness, enabling them to consider the security of products before they purchase them and, in so doing, foster market competition towards enhanced security update periods. Where those three security requirements have not been complied with, businesses will not be allowed to make these products available in the UK. We will be able to monitor, investigate and take enforcement action where necessary.
These are the first steps towards a change in the security landscape for consumer connectable products. We have created this Bill to reflect the need for resilient and adaptive measures to protect consumers and our vital infrastructure. Both the product security and telecoms infrastructure measures in the Bill will be of benefit to the public. We have brought the Bill forward to ensure that, as our digital infrastructure evolves and as we become more connected to the internet, we protect consumers from the dangers which come with this. I hope that noble Lords from across your Lordships’ House will support the Bill, and I look forward to discussing it in detail as we scrutinise it.
My Lords, I am very grateful to all noble Lords for their contributions to what I agree has been a very enjoyable debate this afternoon. I am sure these contributions will form a prelude to some further interesting and enjoyable debates in Committee and later stages of the Bill. I am grateful, too, for the excessively generous compliments from my noble friends behind me, which I am sure are an illustration of the great harmony and mutual affection for which the Conservative Party is, today of all days, renowned.
As my noble friend Lady Harding of Winscombe rightly said, this is a technical but important Bill, and I am pleased that all noble Lords from all parts of your Lordships’ House are in agreement that people from across the country should be able to benefit from faster digital connectivity and the assurance that their technology is secure. The Bill therefore comes at an opportune time, when cyberattacks are on the rise and when digital connectivity is increasingly important for all the reasons that my noble friend Lady Hodgson of Abinger and other noble Lords set out. We have heard examples in today’s debate of the benefits which will accrue to communities, urban and rural, right across the country.
I am conscious that in Committee we will go into greater detail in some of the areas which noble Lords have alluded to, but I want to respond to some of the points which they have raised in today’s debate. The noble Lord, Lord Fox, began in general terms by asking whether we ought to set out a clear explanation in the Bill of what consumers can expect in terms of product security. The fundamental purpose of the Bill, as set out in its first clause, is to embed security requirements to protect and enhance the security of connectable products and their users. That is the measuring stick against which the impact of the Bill and future regulations will be assessed.
As I alluded to in my opening remarks, there are no silver bullets in cybersecurity. Thousands of people in the UK have been victims of cyberattacks, and cybercriminals are using connectable products to attack large infrastructure as well. Our approach to connectable products lies in both the UK and wider international expertise. Our own 2018 code of practice is the foundation of the first international standard for consumer security and there is an international consensus behind this standard. We are also, through the Bill, the first to embed these protections in legislation. At the moment, some security-conscious manufacturers address these threats, but through the Bill we will now make sure that all manufacturers follow best practice in future.
The noble Earl, Lord Devon, rightly spoke of our international standing. The UK has established global leadership in this area. We have worked closely with our international partners and have seen evidence of other countries and organisations embedding the approach that we have taken in their own codes. In my opening remarks I mentioned Australia and India, which have published codes of practice with the same 13 principles which we published in 2018, but Singapore, Germany and Finland among others have made their own domestic interventions which also align with the UK’s code of practice. The European Commission has also published its intention to explore regulation for connected devices through the cyber resilience Act.
On Part 2, the noble Lord, Lord Fox, in general terms asked why we were revisiting and changing the code again. As noble Lords noted, it was substantially reformed in 2017, following the important and substantial work undertaken by my noble friend Lord Vaizey of Didcot when he was the responsible Minister. A key aim of those reforms was to make it cheaper and easier for digital infrastructure to be deployed, maintained and upgraded. The Government recognised that this would mean telecommunications site providers receiving lower payments than had previously been the case. However, those changes were introduced only following an extensive period of consultation and research and were considered necessary to reduce operator costs and to encourage the industry investment required for the UK to get the digital communications infrastructure that it needs.
The Government intended that the 2017 reforms would speed up deployment and reduce operator costs, and indeed the changes have borne fruit. However, since the changes have come into force we have also received feedback about how they have worked in practice and about some of the ongoing challenges which people face. The Bill aims to tackle those problems and to ensure that the aim and the ambition of the 2017 reforms is realised. To give an example, both operators and landowners have pointed to problems regarding negotiations, with operators saying that they take too long and landowners saying that they face too much pressure to accept certain terms. This is one of the areas we will address through the Bill.
A number of noble Lords spoke about the valuation work which came from the 2017 reforms. The new pricing regime is more closely aligned to those for utilities such as water, electricity and gas, and we think that is the correct position. Landowners should still receive fair payments which, among other things, take into account any alternative uses that the land may have and any losses or damages that may be incurred. We think that the measures in the Bill will support greater collaboration between operators and landowners and help agreements to be completed more swiftly.
The prices being paid for rights to install communications apparatus before 2017 were too high and reflected the rapid explosion that was taking place in demand for digital services; it was right that they were addressed. The 2017 reforms were intended to strike a balance between ensuring that individual landowners are not left out of pocket and making network deployment and maintenance more cost-effective.
The noble Earl, Lord Devon, and others asked about reviewing the impact of the reforms made in 2017. We recognised when the 2017 reforms were introduced that the market would need time to adapt and settle, and it would be premature to carry out a full assessment of the 2017 reforms at this time. There is not enough evidence about agreements which were completed after they came into force for a properly robust and comprehensive analysis to be made—not least, of course, because of the impact of the pandemic. However, the evidence and feedback we have received provides a compelling case that the changes we are making in this Bill will ensure that the 2017 reforms have their intended effect. Making these changes now will help to deliver the Government’s 2025 connectivity target of at least 85% of homes and businesses having access to gigabit broadband. That is not to say that we think the 2017 reforms failed. Much progress has been made. We simply think that more can and must be done to maximise their impact.
The noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Merron, asked about impact assessments. The impact assessments which accompanied the 2017 reforms did not state that the Government would undertake a full economic review of the code’s impact on rents, but in that document the Government committed to reviewing the 2017 reforms as a whole by June 2022—this month. The Government have met this commitment through their continuing engagement with interested parties, including holding monthly access to land workshops. This engagement and the issues which have been highlighted through it prompted the 2021 consultation and the measures in the Bill, which we think are needed for the aims of the 2017 reforms to be fully realised.
That sounds a bit feeble. DCMS has had workshops but has not produced a review. That does not sound like any sort of review.
The noble Lord perhaps thinks we committed to more in 2017 than we did. We have met the commitments we made in 2017 through our engagement with the industry. The points it made have informed the Bill before us. I am sure we will debate—
May I suggest that if the passage of the Bill is to be smooth, any information the Minister is able to provide about the impact, past or expected, would be extremely helpful? Otherwise, we are all going to be arguing about suppositions.
Certainly. I pointed out that the time that has elapsed since 2017 has perhaps not given us as much real data as we would have had, were it not for the pandemic, but of course we will be influenced by what have seen as we scrutinise the Bill in Committee and later.
We have heard a range of views on multiple dwelling units. The Government are aware of calls from parts of the industry for greater automatic rights to upgrade existing infrastructure in multiple dwelling units. The Government are not convinced that granting those rights is proportionate, because we must strike the right balance between private property rights and public benefits. There are other ways that operators can arrange to upgrade equipment in multiple dwelling units. They can ask for those rights and if landlords fail to reply, they will be able to use the process created through the Telecoms Infrastructure (Leasehold Property) Act 2021. If landlords refuse, operators can ask the courts to impose additional rights to upgrade existing equipment if their agreement with the landlord does not already provide them with those rights.
Other measures in the Bill encourage the use of alternative dispute resolution to support more collaborative negotiations. The Government are also considering further changes through regulations to help code disputes be dealt with more quickly. Finally, it is important to stress that there is no consensus from the industry on this issue, just as there was no consensus in our debate today. In fact, many operators have opposed the proposal on the grounds that it would create an unfair advantage for operators who already have equipment inside buildings and could therefore have anti-competitive effects.
My noble friend Lady Harding of Winscombe asked about telegraph poles. It is important that any automatic rights in relation to apparatus on, under or over private land strike a fair balance between any interference with private property rights and any public benefits that can be delivered. We think that the measures in this Bill on rights to upgrade and share apparatus under land achieve that balance. However, we have seen some evidence that further public benefits might be achieved if telecommunications poles sited on private land could be upgraded and shared more easily. Operators already have statutory rights to fly wires between these poles and it is obviously important that the legislative framework supports the effective use of these rights; we are looking into this matter closely.
A number of noble Lords touched on what is and is not in scope of Part 1 of the Bill. The Bill sets out what types of products should be treated as “consumer connectable”. This includes products that can be connected to the internet, such as routers, smart TVs, smart home products and connectable toys. I can tell my noble friend Lord Arbuthnot of Edrom that toasters are indeed in scope, although the idea of an internet-connected toaster makes me think of Wallace and Gromit. I share his bafflement at why people might want to do it, but they are in scope.
The powers in the Bill will allow the Government to update products that are in scope where changes to the wider regulatory, technological or threat landscape render this appropriate. The Government also intend to remove some products from scope where their inclusion would subject them to double regulation or where that would be disproportionate to the level of security risk. An example of such an exception is automotive vehicles, which I can tell my noble friend Lord Vaizey of Didcot include e-scooters; other examples are medical devices and smart charging points.
My noble friend Lord Arbuthnot talked about the vulnerability disclosure process. Of course, manufacturers will not see every vulnerability in their own products. Increasingly, the people best placed to spot them are everyday users and designated security researchers; but the potential point of failure here is the process for reporting those vulnerabilities to the manufacturer, which is often difficult to navigate. The security requirement will mandate a clear point of contact and the policy for the manufacturer to receive such reports and take meaningful action to address them. That is an important step forward, which, I am pleased to say, has widespread industry and expert support.
The noble Lords, Lord Clement-Jones and Lord Bassam of Brighton, the noble Baroness, Lady Merron, and others asked about future-proofing. There is a common notion that Governments are behind the curve when it comes to regulating technology, but not in this case. As well as setting the stage to introduce the regulations to which we have already committed, this Bill establishes a flexible and future-proof regulatory framework so the Government can be agile and proactive in amending and introducing security requirements in step with technological innovation. That is exactly why we have not included the three security requirements on the face of the Bill. By design, the Bill not only addresses the current problem but looks beyond it to ensure that UK consumers can be protected no matter how technologies and threats change and emerge.
My noble friend Lord Holmes of Richmond asked about the Computer Misuse Act. Colleagues at the Home Office are currently taking forward work to identify whether the proposals made in response to the review of that Act, which was launched in May last year, will assist in helping to protect the UK from cybercrime, or whether they are addressed under other programmes of work. We will provide an update to your Lordships’ House in due course, but this Bill will enhance protection for consumers and networks from the range of harms associated with cyberattacks. It equips the Government with the necessary powers to set and update security requirements within a fast-growing area of emerging technologies.
I am sorry to interrupt the Minister again, but I am frightened that he is not going to tell us who the regulator will be, explain why we are covering only three of the many principles covered in legislation in other territories, or provide us with a glimpse of the secondary legislation.
The noble Lord is eager to hear answers to questions to which I may yet turn; on some of them I will write. Work has been done to identify the regulator, but it would not be right to refer to that person at this stage and ahead of Royal Assent. I will write to the noble Lord on the other points he mentioned. I talked just now about our approach, through secondary legislation, to future-proofing and the reasons for not setting out the first three principles in the Bill. We have set out what those standards will be up front.
My noble friend Lord Holmes of Richmond spoke about the important issue of digital inclusion and skills. We run programmes to give young people the opportunity to learn digital skills and to improve their cybersecurity. More than 100,000 young people have participated in these programmes. We have expanded that with a new online training platform, Cyber Explorers, which aims to engage 30,000 young people, and DCMS funded the creation of the UK Cyber Security Council to create professional standards and pathways for cybersecurity.
The noble Lord, Lord Fox, asked about Huawei equipment in our infrastructure. The Government have undertaken a consultation with the industry on the designation of Huawei as a high-risk vendor and proposed directions relating to Huawei goods and services. The responses we receive will inform any final post-consultation decision on whether to issue the designation notice and direction. The Government have also undertaken a public consultation on a set of draft electronic communications security measures regulations and a draft code of practice, the outcome of which will be published in due course.
It was the “in due course” bit that I was interested in. In other words, what is “in due course” in this case—months, weeks, days, years?
I am afraid I am not able to elaborate further than “in due course” at this point, but if I am able to before Committee I will come back with more particulars. The final regulations and code of practice will be laid in Parliament later this year using the negative procedure, as required by the Telecommunications (Security) Act.
The noble Baroness, Lady Merron, asked about the knock-on effect of telecoms operators’ reduced rental payments on the funding of community organisations. It is important to note that the funding for such organisations should not be reliant on telecommunications. There are many funding streams, not least from the Government, to support them and their important work. The National Lottery Community Fund is the largest non-government funder of community activity in the UK and one of the largest arm’s-length bodies that DCMS sponsors. Officials at the department work closely with the National Lottery Community Fund to ensure that it continues to support the evolving needs of civil society organisations. Over the last five years, the fund has distributed £3.4 billion.
The noble Baroness talked particularly about sports clubs. The Government very much agree that sports and physical activity are critical for our mental and physical health, which is why we provided an unprecedented £1 billion of financial support to sport and leisure organisations during the pandemic. We will ensure that community groups continue to get the support they need.
I shall write to the noble Lord, Lord Clement-Jones, on the points that he highlighted that I have not addressed today. I would, of course, be very happy to speak to any noble Lords who would like to talk about any of the issues in the Bill in further detail. I am very grateful to my noble friend Lord Hunt of Wirral and to the noble Baroness, Lady Merron, and the noble Lord, Lord Bassam of Brighton, as well as the noble Lords, Lord Fox and Lord Clement-Jones, for the engagement that we have had in detail already. I would be more than happy to hold further discussions and talk in greater detail between now and Committee.
My noble friend Lady McIntosh of Pickering offered to furnish me with the details of some of the unused masts in North Yorkshire, and I would be very glad to receive them and take them forward to discuss with officials.