That the Grand Committee do consider the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
Relevant document: 48th Report from Secondary Legislation Scrutiny Committee
My Lords, these regulations were laid before the House on 10 July 2023, and they will be made under the powers provided by the Product Security and Telecommunications Infrastructure Act 2022 and the European Union (Withdrawal Agreement) Act 2020. They will mandate that the manufacturers of consumer connectable products made available to customers in the UK are, unless excepted, required to meet minimum security requirements.
In doing so, this instrument will complete the introduction of the UK’s pioneering product security regime, established by Part 1 of the Product Security and Telecommunications Infrastructure Act 2022. Subject to noble Lords’ approval, this regime will afford UK citizens and businesses with world-leading protections from the threats of cybercrime, as well as equipping the Government with the tools to ensure the long-term security of a vital component of the broader technology ecosystem.
Acting to secure consumer connectable products has never been more critical than it is now, as we cross the threshold of the fourth industrial revolution. Before our eyes, artificial intelligence is rewriting how we live our lives, how we deliver our priorities and the rules of entire industries. AI models are already an inextricable part of the connectable products we use every day, from the convolutional neural networks that recognise the photos of loved ones on our smartphones, to the recurrent neural networks that allow our smart speakers to respond to our requests. The data collected through consumer devices is often also a vital part of a model’s training set.
These regulations are therefore not just crucial if we are to protect our citizens and economy from the array of threats posed by consumer connectable products today but a vital step if we are to mitigate the risks, and therefore fully realise the benefits, of the AI-enabled economy of tomorrow. With the support of this House and Members of another place, this is precisely what the Government aim to achieve with these regulations.
The key provisions of this instrument are as follows. First, the regulations mandate that manufacturers comply with the security requirements set out in Schedule 1. These requirements were selected, following extensive consultation, because they are applicable across a broad range of devices and are commended by security experts as the most fundamental measures for addressing cyber risks to products and their users. This means that businesses will no longer be able to sell consumer smart products with universal default or easily guessable default passwords to UK customers. These passwords not only expose users to unacceptable risks of cyberattack but can also allow malicious actors to compromise products at scale, equipping them with the computing power to launch significantly disruptive cyberattacks.
Manufacturers will also be required to publish, in a manner that is accessible, clear and transparent, the details of a point of contact for the reporting of security vulnerabilities. It pains me to share that, despite our entrusting the security of our data, finances and even homes to the manufacturers of these products, as of 2022, less than one-third of global manufacturers had a policy for how they can be made aware of vulnerabilities. With your support, the UK aims to change that.
The final security requirement in this instrument will ensure that the minimum length of time for which a product will receive security updates is not just published but published in an accessible, clear and transparent manner. We know that consumers value security and consider it when purchasing products. Equipped with the vital information mandated by this requirement, UK consumers will be able to drive manufacturers to improve the security protections they offer through market forces.
We are confident, based on extensive policy development, consultation and advice from the National Cyber Security Centre, that these security requirements will make a fundamental difference to the security of products, their users and the wider connected technology ecosystem.
We also recognise the importance of cutting red tape or, better still, not introducing it in the first place. For this reason, Regulation 4 allows manufacturers that are already compliant with provisions in international standards equivalent to our security requirements to more readily demonstrate their compliance with our security requirements.
The instrument also sets out a list of products excepted from the scope of the product security regime. First, it excepts select product categories where made available for supply in Northern Ireland. This exception ensures that the regime upholds the UK’s international commitments under the EU withdrawal agreement, while extending the protections and benefits offered by the regime to consumers and businesses across the UK.
In addition, smart charge points, medical devices and smart metering devices are excepted to avoid double regulation and to ensure that these products are secured with the measures most appropriate to the particulars of their functions. This instrument also excepts laptops, desktop computers and tablets without a cellular connection from the regime’s scope. Engagement with industry highlighted that the manufacturers of these products would face unique challenges in complying with this regime, and in many cases where these products are in use they are already subject to suitable cyber protections. It is therefore not clear at this stage that including these products in the regime’s scope would be proportionate.
Finally, the regulations also contain uncontroversial administrative provisions, including provisions relating to statements of compliance. The regime will require that these documents accompany products, serving as an audit trail to enable compliance across the supply chain and to facilitate effective enforcement.
These regulations and the regime of which they are a part represent a victory for UK consumers. They are the first in the world to recognise that the public has a right to expect that the products available for them to purchase are secure. These measures solidify the United Kingdom’s position at the forefront of the global cyber agenda, paving the way for other nations to follow in our footsteps. I commend the regulations to the Committee.
My Lords, I thank the Minister for his introduction, which gave us the context for these regulations and the risks they are designed to mitigate and prevent. I agree with him about the importance of regulating in this area but, sadly—clearly—this is not box office today. We must live with that.
I welcome the regulations as far as they go. The one bright spot is that all regulations under the original Act, with one exception, are subject to the affirmative procedure, thanks to amendments put forward by us and accepted by the Government, which were designed to implement the recommendations of the Delegated Powers and Regulatory Reform Committee. That we are discussing the regulations in this way is testimony to that.
However, the regulations do not go far enough, despite being described by the Minister as a “pioneering product security regime”. As I said at Third Reading of the original Bill, last October, we did not specify enough security requirements for IoT devices in primary legislation. There was a commitment to regulate for only the top three guidelines covered by the 2018 Code of Practice for Consumer IoT Security, namely: first, to prohibit the setting of universal default passwords and the ability to set weak or easily guessable passwords; secondly, to implement a vulnerability disclosure policy, requiring the production and maintenance by manufacturers of regularly publicly available reports of security vulnerabilities; and, thirdly, to keep software updated and ensure the provision of information to the consumer before the contract for sale or supply of a relevant connectable product detailing the minimum length of time for which they will receive software or other relevant updates for that product.
Those are now all in the regulations and I welcome that, but, sadly, many of the other guidelines were never going to be, and are not now, specifically covered in the regulations. Quite apart from the first three, there are a whole range of others: securely store credentials and security-sensitive data; communicate securely; minimise exposed attack surfaces; ensure software integrity; ensure that personal data is protected; make systems resilient to outages; monitor system telemetry data; make it easier for consumers to delete personal data; make the installation and maintenance of devices easy; and validate input data. All those are standards that should be adhered to in relation to these devices. Two of the guidelines that have not been made mandatory—ensure that personal data is protected, and make it easier for consumers to delete personal data—have been highlighted by Which? this very morning, which has produced research demonstrating that:
“Smart home device owners are being asked to provide swathes of data to manufacturers, which could compromise their privacy and potentially result in them handing their personal information to social media and marketing firms, Which? research has found”.
This is part of its press release.
“The consumer champion found companies appear to hoover up far more data than is needed for the product to function. This includes smart speakers and security cameras that share customer data with Meta and TikTok, smart TVs that insist on knowing users’ viewing habits and a smart washing machine that requires people’s date of birth. The research suggests that, despite consumers having already paid up to thousands of pounds for smart products, they are also having to ‘pay’ with their personal data”.
We need to make sure that the Government and the regulator, whether the ICO or others, are on the case in that respect.
Nor did we see any intention to introduce appropriate minimum periods for the provision of security updates and support, taking into account factors including the reasonable expectations of consumers, the type and purpose of the connectable products concerned and any other relevant considerations. During the passage of the Bill, the Government resisted that—unlike the EU, which has imposed a five-year mandatory minimum period in which products must receive security updates. So consumers in Northern Ireland, for instance, are going to be far better off as a result of the TCA and the Windsor agreement.
That has inevitably followed through into these disappointing regulations, but they are even more disappointing than previously anticipated. Online marketplaces are not covered. Why not? My noble friend Lord Fox tabled an amendment on Report that sought to probe whether online marketplaces would be covered, a question that I think we all agree is of great importance. My noble friend quoted a letter from the noble Lord, Lord Parkinson, dated 21 September 2022 stating that
“businesses need to comply with the security requirements of the product security regime in relation to all new consumer connectable products offered to customers in the UK, including those sold through online marketplaces”.
In response, the then Minister, the noble Lord, Lord Kamall, said:
“The Bill will ensure that where online marketplaces manufacture, import or sell products, they bear responsibility for the security of those products. Where this does not happen, I assure noble Lords that they should make no mistake: the regulator will act promptly to address serious risk from insecure products, and work closely with online marketplaces to ensure effective remedy”.
I accepted that assurance. I said:
“As regards the online marketplaces, I am grateful for those assurances, which are accepted and are very much in line with the letter”.—[Official Report, 12/10/22; cols. 794-95.]
That was the assurance that was given and accepted.
My Lords, I am grateful to the Minister, as ever, and to the noble Lord, Lord Clement-Jones, for his contribution. He had lots of questions, as ever, many the same as those we asked during the passage of the Bill.
The Product Security and Telecommunications Infrastructure Act creates a regime that has three purposes, which the Minister set out. They are to minimise default or easy-to-guess passwords, to maintain an awareness of security threats and publish contact information for use by consumers and owners, and to encourage greater transparency about how long the products covered by this legislation will receive security updates and support. I agree with the noble Lord, Lord Clement-Jones, that these are low-hanging fruit for regulation. We should look at this instrument as a small step in the right direction.
With that in our minds, we supported the PSTI Bill during its passage and, in common with other Members of the House, tabled and supported a number of amendments to go further than the Government wished.
The requirements being imposed on manufacturers are widely supported by consumer groups, although they are rightly very nervous and watchful of the direction in which the legislation takes us in terms of data. Questions are being asked about whether the standards are sufficient and what role, if any, distributors will have in improving consumer knowledge of security issues.
As discussed in a debate earlier this week, people’s habits with regard to data and the digital world have changed enormously over the past few years. This includes the rapid take-up of smart and connectable devices, such as smart speakers, CCTV doorbells and so on. These products are highly desirable, and yet research has demonstrated that many contain significant security vulnerabilities and that consumers are generally not aware of the risks that they face.
A policy commitment was made back in January 2020 and the Bill was passed in December 2022, so why will the new regime come into force only by April next year? We understand the need for technical details to be worked through and for manufacturers to adjust their own systems, but could the Government not have moved more quickly than this? This is a fast-moving market, after all.
We supported the passage of the Bill and, as I said, worked with colleagues across the House to push the Government to be more ambitious about the regime’s scope and the security standards that should be met by manufacturers, but it seems that Ministers refused to raise the bar and continue to do so.
As the noble Lord, Lord Clement-Jones, said, Which? and others have noted that, while the Act allows the Government to place requirements on manufacturers, importers and distributors, these regulations cover only manufacturers. Is the hope that distributors and retailers will pass security information on to consumers voluntarily or is the department looking at other tailored requirements for them? If the latter, how long might this take? Perhaps the Minister could elucidate that.
It seems that every day we hear of another major hack or data breach. Some are used to defraud victims, while others harness networks of smart devices to launch attacks on major websites. Sadly, these dangers are likely only to grow, as we discovered in recent weeks, so it is vital that the Government keep their foot on the gas on these issues, rather than passing these regulations and considering them job done. There is much more to do.
Like the noble Lord, Lord Clement-Jones, I draw attention to the Which? briefing paper, reflected in a Guardian article today, which suggests that manufacturers may be using these devices to collect more data than the legislation seemingly enables, which is shocking. Asking for postcodes and date-of-birth data seems outwith the manufacturers’ immediate needs. Can the Minister throw some light on this issue? What are the Government’s intentions regarding it and how do they intend to address it? These issues of data retention and use are serious. They affect consumer behaviour, confidence and trust, and trust is a terribly important commodity in today’s world. I hope the Minister can answer those questions.
I am rather with the noble Lord, Lord Clement-Jones, on smart meters. We have one; it is a scary device, and it has become scarier in the last year as the bills have gone up. I am not sure of its value but my wife tells me it is an invaluable tool. I hope that is the case, that we can get better and more confident about the data that these things produce, and that they are in the service of the consumer rather than of the manufacturer, because that is really where we should be coming from.
I thank the crowds of noble Lords for their valuable contributions to the debate. I will make some general comments to start and then come to specific points that noble Lords have made.
Consumers assume that if a product is for sale it is secure, but too often—I think we are in agreement on this—that is not the case. Many consumers are at risk of cyberattacks, theft, fraud and even physical danger. These regulations will change that, ensuring that protections are implemented for our commonly used items such as smartphones, smartwatches and smart baby monitors, as well as the UK citizens and businesses that use them.
Cybercrime is thought to cost the UK billions of pounds every year, with one report by Detica and the Cabinet Office estimating the total cost at £27 billion a year. In 2020-21 the National Fraud Intelligence Bureau reported receiving over 30,000 reports of cybercrime, resulting in estimated losses of £9.6 million for the victims. Cybercrime is on the rise, and vulnerable internet-of-things products are a key attack vector for criminals. This instrument is an essential step in fighting the dangers of cyber risks.
While the product security regime will come into effect only next April, with the support of this House, I want to take this opportunity to reflect on how far we have come on this agenda. The development of the regime has been supported by a huge range of officials but I extend particular thanks to Peter Stephens, Jasper Pandza, Veena Dholiwar, Maria Bormaliyska, Jonathan Angwin, Warda Hassan, Howard Cheng and Eilidh Tickle for their dedicated and diligent advice.
I thank all experts who have contributed to delivering this regime since 2016. Among them stands Professor David Rogers, to whom I pay particular thanks for his leading role in developing the Code of Practice for Consumer IoT Security on which the security requirements of this instrument are based. Lastly, I too thank Which? for being a champion of consumer security, and for holding the Government to account throughout the process of delivering these important measures and on this agenda more broadly.
I shall now respond to the questions that have been asked. On the topic of why the security baseline does not go further, a matter raised by both noble Lords, we do not believe at this stage that there is sufficient evidence to suggest that mandating security requirements beyond the initial baseline would be appropriate. Specifically, we do not currently consider it appropriate to mandate minimum security-update periods for relevant connectable products before the impact of the initial security requirements is known. Governments mandating necessarily broad regulation across a sector as inherently complex as technology security will always run the risk of imposing obligations on businesses that are disproportionate to the associated security benefits or of leaving citizens exposed to cyber threats.
However, the Government agree that, for a number of consumer connectable product verticals, implementation of the three security requirements alone would not be sufficient. Legislation, however, is not the only incentive driving the security practices adopted by tech manufacturers. Evidence suggests that consumers value and consider the security of a product when making purchasing decisions, but assume that products available for them to purchase will not expose them to avoidable security risks.
In ensuring that manufacturers are transparent with UK consumers about how a product’s security will be maintained, we expect the product security regime to incentivise improved standards of cybersecurity beyond the initial three requirements. The Government will closely monitor the impact of the initial security requirements on standards of cybersecurity across the sector, and will not hesitate to mandate further requirements using the powers provided by the parent Act if necessary.
The Minister has moved on from talking about periods of assurance for consumers. I mentioned the EU introducing its five-year rule and the Northern Ireland aspect. That is rather useful for the Government to be able to see the impact of putting down a marker on a five-year period, because there is no alternative under the TCA and the Windsor agreement. Will the Government undertake to review how it is working in Northern Ireland? If it is working well and they think it is practical, will they introduce it across the UK?
That is an interesting experimental chamber to have, because we can compare the two regimes, so I am happy to make that commitment, yes.
The assurances about online marketplaces from my noble friends Lord Kamall and Lord Parkinson remain true. Products sold through online marketplaces are subject to the same requirements as all other products. No regulation is perfect and, if relevant parties do not comply, the parent Act empowers the Secretary of State, or those whom the Secretary of State has authorised to carry out enforcement functions, with robust powers to address non-compliance, including monitoring the market, warning consumers of risks and, where appropriate, seizing products and recalling products from customers.
The Government have made it clear that they expect online marketplaces to do more to keep unsafe products off their platforms, and are conducting a review of the product safety framework. The product safety review consultation is open until 24 October. Following this, we will review and analyse stakeholder feedback and publish a government response. Any legislation will be brought forward in line with parliamentary procedures and timetables, which will include proposals to tackle the sale of unsafe products online. Officials will continue—
I apologise to the Minister, but what is the reason for having two separate processes for manufacturers and online distributors? The assurance that I quoted could not have been clearer, and we all thought that these regulations would include not only manufacturers but online distributors. It still baffles me and I am sure it baffles the noble Lord, Lord Bassam, as well. The logic of doing it in two separate tranches entirely escapes me.
The processes we have put here resulted from extensive consultation with the stakeholders, both the manufacturers and the retailers.
So the Minister is saying that the retailers did not like it, did not have the systems required and could not do things quickly enough—despite the fact that some time has elapsed, as the noble Lord, Lord Bassam, mentioned—so they said, “Not now, Josephine”, basically.
No, the consultation took place with a wide range of civil society and other stakeholders. Mechanisms are in place to update, should it not prove to be as proportionate as we believe it is. The Government are also engaging directly with online marketplaces to explore how they can complement the product security regime and further protect consumers.
On the question of how the regime accounts for the possibility of changing international standards, the instrument references specific versions of ETSI EN 303 645 and ISO/IEC 29147. Were the standards to be updated, the version cited would still be the applicable conditions in Regulation 2. Noble Lords should rest assured that any action by the Government to update the standards referenced in the regime would require further parliamentary scrutiny.
Turning to computers, we do not have evidence that including such products in the scope of the regime would significantly reduce security risk. There is a mature anti-virus software market that empowers customers to secure their own devices. Alongside this, mainstream operating system vendors already include security features in their services. The result is that they are not subject to the same level of risk as other consumer devices.
On smart meters and data, the smart metering product market is already regulated through the Gas Act 1986, the Electricity Act 1989 and the Smart Energy Code. Smart metering products are subject to tailored cyber requirements that reflect their specific risk profile. This exception ensures that smart meter products are not subject to double regulation without compromising their security.
The Minister has referenced two pieces of legislation which almost—this is perhaps going a bit far—predate the digital age. Is he saying that those are fit for purpose, given that much has changed since 1986, to cite one of the dates he gave, and subsequent pieces of legislation? Are they right for what we are doing now?
I have to confess that my familiarity with some of that legislation is a bit limited, but I was attempting to convey that the full extent of the regulation covering those devices is collectively included in those three instruments. I recognise that that is not a wholly satisfactory answer, so I am very happy to write to the noble Lord. That legislation mandates compliance with the code collectively, which is kept up to date and includes robust modern cyber requirements. The UK already has a robust framework for data protection. While I absolutely agree that it is important, it is not the subject of these regulations.
I would like to return to a matter that I addressed earlier and point out that the cyber resilience Act that the noble Lord mentioned will in fact not, as per the current agreed version of the Windsor Framework, come into effect in Northern Ireland. The point remains that we will monitor its impact on the continent. I beg his pardon for not being clear about that.
Turning to the matters raised by the noble Lord, Lord Bassam, we agree that the challenges posed by inadequate consumer connectable product security require urgent action. However, regulating a sector as heterogeneous as connectable technology in its diversity of devices, user cases, threat profiles and extant regulation also requires careful consideration. We feel that we have acted as quickly as was appropriate, and in doing so we acted before any other nation.
On the role of distributors in communicating the defined support period to customers, products made available to consumers in the UK, or those made available to businesses but identical to those made available to consumers, are required to be accompanied by a statement of compliance, which will contain information about the minimum security update period for the product. Retailers are in fact required to ensure that the statement of compliance accompanies their product.
In addition, the SI requires manufacturers to publish information about the minimum security update periods, alongside invitations to purchase the product where certain conditions are met. The Government have no immediate plans to make it mandatory for the distributors of these products to publicise the defined support period. However, we encourage distributors to take this action voluntarily. If the manufacturer fails to publish the defined support period, the enforcement authority can issue notices demanding that the manufacturer make the necessary corrections, or demand that importers or distributors stop selling the product. It can also seize products and recall them from end users.
We will of course be monitoring the effectiveness of the product security regime when it comes into effect. If evidence emerges suggesting that further action to ensure the availability of the defined support period at points of purchase would be appropriate to enhance and protect the security of products and their users, the PSTI product security regime empowers Ministers to take such action.
In conclusion, I hope noble Lords will recognise the benefits that this regime will bring to the UK public and its ground-breaking influence on the world stage.
Before the Minister sits down, I wonder whether he could return to his notes on the cyber resilience Act. I heard what he said but it may have been a slip of the tongue because he said that it has not yet come into effect but we will monitor its impact on the continent. I think—at least, I assume—that he meant we will monitor its impact when it comes into effect in Northern Ireland. It will inevitably come into effect in Northern Ireland, will it not?
Perhaps the Minister could write to me or to us. The fact, as I understand it, is that the Act is a piece of EU legislation that is going to come into effect across the EU under the Windsor agreement and the TCA. Northern Ireland is subject to EU legislation of that kind; it will therefore come into effect in Northern Ireland and we will be able to monitor its impact there. So, it is not just a question of monitoring its impact on the continent. We have a homegrown example of how it will be implemented—a test bed.
I do not want to say anything inaccurate. I hope that it is acceptable for me to write to the noble Lord.