Draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
(Limited Text - Ministerial Extracts only)
Read Full debate
The Minister for Science, Research and Innovation (George Freeman)
I beg to move,
That the Committee has considered the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.
It is a great pleasure, Mr Hollobone, to serve under your direction and leadership this afternoon.
Consumers have a right to assume that if a product is for sale, it is safe and secure; too often, that is not always the case. Government must act to ensure that when UK consumers and business customers are purchasing consumer connectable products, they are not putting themselves at risk of cyber-attack, theft or even physical danger. Through the draft regulations, the Government are ensuring that protections are implemented for our commonly used items such as smart phones, smart watches and smart baby monitors, and for the UK citizens and businesses that use them.
Cyber-crime is thought to cost the UK billions of pounds—the total cost is estimated at about £27 billion a year—and it is on the rise, in particular cyber-crime that targets the internet of things. Vulnerable IOT products are a key attack vector for criminals, allowing them to compromise not only the device, but potentially the user’s network and the broader connected technology ecosystem. This draft statutory instrument is an essential step in fighting the dangers of such cyber-risks.
The draft regulations are made under powers provided by the Product Security and Telecommunications Infrastructure Act 2022 and the European Union (Withdrawal Agreement) Act 2020. The regulations will mandate the manufacturers of consumer connectable products made available to customers in the UK to meet minimum security requirements, unless excepted. The instrument completes the introduction of the UK’s world-first product security regime established by part 1 of the 2022 Act.
Subject to the approval of the Committee here gathered, the regime will afford UK citizens and businesses world-leading protections from the threats of cyber-crime. Research covering the first two months of this year shows that cyber-attacks targeting IOT devices have tripled since 2021, so the need for action has never been greater. The regime will also equip the Government with the tools to ensure the long-term security of a vital component of the broader UK technology ecosystem. That is especially important as frontier technologies, from artificial intelligence to quantum, allow technology to become more embedded in our economy and society than ever before.
Theresa Villiers (Chipping Barnet) (Con)
I very much welcome the Government’s efforts to make consumer goods in the so-called internet of things safer and more secure and resilient against cyber-attack, but how confident is the Minister that the regime will work against a determined attack by a hostile state? Recently, the Intelligence and Security Committee of Parliament produced a report saying that China targets UK industry and technology “prolifically and aggressively”. Will the draft instrument be effective in protecting us from that kind of attack?
George Freeman
My right hon. Friend makes an important point. Perhaps I can come back to it in a bit more detail at the end of my comments, but I will make this point now: as I described, the measures will give a minimum level of security assurance to customers. This draft instrument is not the frontline, the arrowhead, of UK international counter-espionage; this is about ensuring that when people buy an iPhone or some such device, they can be confident that basic minimum standards have been met. It is not the basis on which we can all go to bed at night safe and secure, with the whole of UK critical national infrastructure secure. That work is being led by my right hon. Friend the Chancellor of the Duchy of Lancaster and Deputy Prime Minister.
I turn briefly to the basics of the draft instrument. First, on security requirements, the regulations mandate that manufacturers comply with the security arrangements that Parliament has set out in schedule 1. The security requirements are backed by security experts and have been consulted on extensively. In the view of the National Cyber Security Centre, which has been very involved, they will make the most fundamental difference to the vulnerability of consumer connectable products through the guidelines in the UK’s code of practice for consumer IOT security.
The first requirement bans businesses from selling to UK customers consumer smart products with universal defaults or easily guessable default passwords. Such passwords expose users to unacceptable risk of cyber-attack and allow malicious actors to compromise products at scale, equipping them with the computing power to launch significantly disruptive cyber-attacks.
Secondly, manufacturers will be required to publish, in an accessible, clear and transparent manner, the details of a point of contact for the reporting of security vulnerabilities. Despite previous Government interventions and the increasing threat of cyber-crime targeted at these products, less than a third of global manufacturers had any policy for how they can be made aware of vulnerabilities as of 2022.
The final security requirement will ensure that the minimum length of time for which a product will receive security updates is not just published, but published in an accessible, clear and transparent manner. Consumers value security and consider it when purchasing products. Equipped with the vital information mandated by this requirement, UK customers and their intermediaries will be able to drive manufacturers to improve the security protections that they offer through market forces.
I will turn to the conditions for deemed compliance. Where the security outcomes that we are seeking to achieve are entirely or partially delivered through broader international standards, the regime allows manufacturers compliant with those standards to more readily demonstrate their compliance with our security requirements. That is the intent of regulation 4, and schedule 2 sets out conditions based on analogous provisions in two leading international standards. Where those conditions are met, a manufacturer is to be treated as having complied with a particular security requirement. Colleagues will be pleased to know that we have tried to take the opportunity to reduce process-driven bureaucracy and make it easy for proper compliance to be demonstrated in the interest of consumer protection.
The excepted products protocol in the instrument sets out a list of products that we have exempted from the scope of the product security regime. First, select product categories made available for supply in Northern Ireland are exempted. That exemption ensures that the regime upholds the UK’s international commitments under the EU withdrawal agreement while extending the protections and benefits offered by the regime to consumers and businesses across the UK. Additionally, smart charge points, medical devices and smart metering devices are exempted to avoid double regulation and to ensure that those products are secured with the measures most appropriate to the particulars of their functions. To answer the point raised by my right hon. Friend the Member for Chipping Barnet, we would not want to rely on these regulations alone for the safety of medical devices; they are covered, quite rightly, by far more extensive regulations through the Medicines and Healthcare products Regulatory Agency.
Adam Afriyie (Windsor) (Con)
I welcome the instrument in general terms, but I have a couple of quick questions. The Minister mentioned that Northern Ireland is outwith the scope of this regime because of its interaction with the European Union as it stands today. In effect, that treats Northern Ireland as not part of the United Kingdom for these purposes. Am I correct in thinking that?
Secondly, I completely agree with the cut-outs for medical devices, smart meters and so on. The Minister may need some inspiration on this, but are vehicles included in the minimum standards, given that lots of them now have autopilot systems and software updates to undertake week in, week out, and passcodes included in the software?
George Freeman
Those are two excellent questions. On Northern Ireland, basically the answer is no. This goes with the grain of the Windsor framework that the Prime Minister has negotiated, and it recognises that for the purposes of consumer standards, Northern Ireland is governed by the EU proposals in this space. I am delighted to say that the UK proposals are a little quicker, more agile and fleet of foot, and to some extent that might give Northern Ireland manufacturers an advantage. Perhaps I could come back to the point about vehicles; it is an important point to which the internet of things is very relevant.
The instrument also exempts laptops, desktop computers and tablets without a cellular connection from the regime scope. Engagement with industry highlighted that the manufacturers of those products would face completely unique challenges in complying with the regime. On many occasions where those products are in use, they are already subject to extensive cyber-protection standards. It is therefore not clear at this stage that including those products in the regime scope would be proportionate. However, as with so many of these things, I am happy and keen to keep a watching eye on that to ensure that we are keeping up with technology.
The administrative provisions in the SI, including those relating to statements of compliance, are uncontroversial. The regime will require that those documents are company products serving as an audit trail to enable compliance across the supply chain and to facilitate effective enforcement. We do not expect every single consumer to read all of that every time they buy a pair of speakers or any digital device, but the active intermediaries on behalf of consumers will be able to access it, and we foresee an active enforcement culture, not least online.
The product security regime, including these regulations, is the first in the world to recognise that the public has a right to expect that the products available for them to purchase are secure, and that the Government have a duty to enforce that. The measures will cement the UK as a world leader in responsibly embracing the enormous potential of emerging technology. They are a first step in the development of a framework that will keep pace with technology. I commend the regulations to the Committee.
The Chair
The Committee will be delighted to know that the debate can continue until half past seven.
George Freeman
Tempted though I am to delay the Committee with long, exhaustive answers to all those points, which were well made, perhaps I could reassure colleagues on both sides of the House that we have thought about them. Some important points were made for the record, and I will try to keep my speech as short as possible. I thank you, Mr Hollobone, and the Committee: the feedback is incredibly helpful. I would value a chance to continue this discussion with those who have spoken today, many of whom have taken an interest in this subject for a long time.
Let me start with the hon. Member for Newcastle upon Tyne Central, speaking for the Opposition. I congratulate her on returning to the position that I like to think of as my shadow. It has been a pleasure working with her. I also congratulate her on being the first to mention the internet of things in this House if indeed that is verifiable—I am sure it is, digitally as well as in many other ways. On the accusation that the Government were a bit slow to move in 2021, I will just gently point out that there were some other things going on, not least the pandemic, and that we are in fact, with this, quicker than the EU that we have just left. This is an example of us being more agile and more forward-leaning.
I will also make this point. Many of us have sat through and nodded through European legislation, knowing that there is really nothing we can do to change it. This is a good example of Members of Parliament, from both sides of the House, raising important points and the Minister listening, to ensure that we get our own legislation right. I think that if we had done that a bit more, we would not have had the frustrations that we did.
On the point about the hackers having a head start, I think the truth is that technology is moving at such a pace that of course those who want to harness technology for ill generally tend to move much more quickly than the Government. That would be true were the hon. Member for Newcastle upon Tyne Central in my position. What we are doing today is moving to shut down that head start. There are genuine questions about how quickly we move and how we get it right. I make the commitment to all colleagues that this is a start and we intend to have an annual process of listening to colleagues in the House, listening to the industry and asking whether we should not be going further faster to keep up with technology. The Opposition, I know, have the monopoly on hindsight, led as they are by the extremely able Leader of the Opposition, often referred to as Captain Hindsight. I will just point out that none of us quite foresaw the pace at which this would all move. I know that Government are often not the fastest mover, but we are, here, moving more quickly than partners in Europe.
George Freeman
I am on a roll. I have to say that no one cheered more loudly than when I heard the hon. Member talk about business certainty. As the right hon. Member for Hayes and Harlington is a member of the Committee, I cannot help but point out that the biggest business certainty was making sure that he never became Chancellor, with his agenda of radical socialism and neo-communism. I notice—for the record—that he is no longer in his place, which is probably a good thing for business certainty.
Let me turn to the points that were raised. Perhaps, with your permission, Mr Hollobone, I can write to everyone with an update on our thinking about the timetable. We are looking to get the regulations in place as quickly as we possibly can. Perhaps I can come back to the point about the timetable, because it requires a detailed answer.
As I said, I will deal with the various points that were made. On the question of exemptions, this is a start. The Government are initially mandating security requirements that, in the opinion of the National Cyber Security Centre—this is not just my whim; it has been consulted on deeply—will have the most fundamental impact on the risks posed today by insecure consumer connectable products. We are confident that the requirements are robustly evidenced, are proportionate and are appropriate to mandate in law at this time. That is not a step we take lightly. The real key is to change the culture and to create a culture in which distributors and all those involved in the supply chains know that they are required by law to do this; they have a responsibility to consumers. However, should the Government deem it appropriate, the parent Act empowers Ministers to introduce further measures in the future, to keep pace with the changes in technology and the threat landscape. Those are powers that we intend to use, in consultation with the House.
Let me turn to the point about security updates, which a number of colleagues raised. The Government do not yet consider it appropriate to mandate and specify minimum security update periods for relevant connectable products, before the impact of the initial security requirements is known. Our mandating necessarily broad regulation across a sector as inherently complex as technology security will always run the risk of imposing obligations on businesses that are disproportionate to the associated security benefits, or leaving citizens exposed to cyber-threats. There is no consensus yet in the industry. One of the things that we hope this measure will do is trigger a broader conversation, on the timescale that we need—each year—to talk to industry about what is happening and ensure that we are keeping up to date.
Let me pick up the point about digital exclusions. A number of people asked, through the consultation, why conventional computers and non-cellular tablets were exempt. We do not have evidence at the moment that including them in the scope of the regime would significantly reduce risk. There is a mature anti-virus-software market that empowers customers to secure their own devices and, alongside this, mainstream operating system vendors already include security features in their services. As ever, we legislate in a way that we think is timely, appropriate and proportionate, trying to deal not with every single risk that one might envisage, but with those that are faced by consumers today. The result is that those devices are not subject to the same level of risk as others.
Let me turn to the point about Northern Ireland made by my hon. Friend the Member for Windsor and others. Customers across the UK will be able to benefit from the security protections that the regime aims to deliver. For selected product categories, honouring the UK’s international commitments has necessitated that the regime will apply differently in Northern Ireland. I stress that, in practice, the exemption applies to limited types of products, such as lifts, pyrotechnic articles and personal watercraft, which are regulated already under legislation contained in the Windsor framework.
We are required to ensure the smooth flow of trade under the United Kingdom Internal Market Act 2020. The Prime Minister has also committed to ensuring smooth-flowing trade within the UK. The House should be reassured that the Government’s position on that is unchanged. My hon. Friend the Member for South Thanet made another, equally important point that we need to ensure that that does not inadvertently allow in a flow of products that would not be compliant.
My hon. Friend the Member for Windsor asked about how we are dealing with automotive vehicles and the internet of things in cars. As we indicated in the April 2021 call for views on the regime, the Government intend to introduce separate regulation to cover the cyber-security of connectable automotive vehicles. To minimise an unnecessarily duplicative regulatory burden on industry, our position remains that cars should be exempted from these draft regulations, because we will be introducing a different framework. Developments in the legislative landscape have precluded the Government from including an exemption for connectable automotive vehicles in this, but we intend to bring forward that legislation as quickly as possible.
George Freeman
I will finish these points, if I may.
On enforcement, astute colleagues have observed that it falls under the Department for Business and Trade. The previous Parliamentary Under-Secretary of State, the Minister for Small Business Consumers and Labour Markets, approved the recommendation for the OPSS to adopt the enforcement role for part 1 of the 2022 Act. The OPSS is part of the DBT and will therefore simply be enforcing the product security regime as the Secretary of State. It will begin enforcement functions as soon as the draft regulations come into force. To the question, I am reassured that the OPSS is properly resourced.
I have some final points. On the international aspect of the IOT security measures, the proportionality of implementing a given cyber-security measure for a product depends on a huge range of factors, from the product’s technical architecture to the settings in which it is ultimately deployed in. The Government are therefore mindful of the risk of imposing obligations on businesses that may in many cases be disproportionate. The Chancellor of the Duchy of Lancaster and Deputy Prime Minister, and the National Cyber Security Centre are keeping an active watch on the importance of updating that.
On SME information, I am absolutely delighted to undertake that we will provide tailored information and guidance to assist small and micro-businesses. As colleagues have observed, they do not always have the relevant bandwidth to keep abreast of technology.
My hon. Friend the Member for South Thanet asked whether the self-certification and compliance mechanism—the duty placed on manufacturers—is sufficient to cover the risk. My answer to that would be that the draft statutory instrument is in our judgment the right place to start, but it is a start. We did not want to introduce heavy-handed legislation on day one, which would undermine business confidence and trigger huge fears in the industry. We wanted to start with something that everyone could at least acknowledge—our very important basic standards—then develop that, through consultation with the House, in a proportionate and agile way. I reinforce my comments on how that is a rather different approach from the EU one.
The hon. Member for Walthamstow made an important point about consumers. On the point about SMEs, we are actively engaging with consumer groups and we will ensure that any of their concerns are also reflected in our ongoing updates.
Stella Creasy
Will the Minister clarify a simple point? Would a consumer’s guarantee be voided were they to use one of the items overseas, or if they brought an item here and used it on their connection, because there are now two different regimes?
George Freeman
The hon. Member makes an important point. Perhaps I could clarify that in my written note to all Members to follow up. I think everyone would be interested in the enforceability of consumer rights.
Chi Onwurah
I am sure the Committee will be pleased to know that I will not take up the Minister’s provocation as to whether waiting 14 years to address security on the internet of things is a question of hindsight. Can the Minister clarify two points that I may have misunderstood? I heard him say that distributors did have a requirement on them to publicise the information about software upgrades. I may have misunderstood that because I thought it was only manufacturers who did.
More importantly, on cars, I think the Minister is saying that autonomous vehicles are exempted. I may have missed exactly where autonomous vehicles are exempted—it was not in the list of exemptions that I had. I am happy to take a clarification on that. Obviously, not all cars are autonomous vehicles, but is the assumption that any car that has an internet connection is in some way an autonomous vehicle?
George Freeman
All distributors already have a duty to ensure that the goods they are selling and distributing are legal. What we are doing is placing the onus on manufacturers. Distributors take their responsibility to consumers very seriously, and the vast majority will be very concerned and actively move to ensure they are not distributing illegal goods. It is not that there is not an onus on distributors; it is that we are implementing it via the mechanism.
On the point about cars, I did not want to mislead the House—I say this as the previous Minister for the future of transport—but we are in the process of putting together legislation on the digital vehicle and the internet of things in not just autonomous vehicles but smart and intelligent vehicles generally. It is to that process that we are deferring; this SI is not focused on that.
With that, I think I have addressed the points raised. I will happily write to the Committee, and if there are any points that I have not raised, Members should feel free to collar me between now and the picking up of my pen.
The Chair
We await the Minister’s letter with huge anticipation and great excitement.
Question put and agree to.
Resolved,
That the Committee has considered the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.