Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2024

Monday 10th February 2025


Grand Committee
Considered in Grand Committee
16:07
Moved by
Lord Leong

That the Grand Committee do consider the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2024.

Lord in Waiting/Government Whip (Lord Leong) (Lab)

My Lords, these draft regulations will be made under powers provided by the Product Security and Telecommunications Infrastructure Act 2022. The PSTI regulatory regime is comprised of Part 1 of the 2022 Act together with the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, which I will refer to as the 2023 regulations.

This world-leading regulatory regime came into force on 29 April 2024. It better protects consumers, businesses and the wider economy from the harms associated with cyberattacks on consumer connectable products. The law now requires these products that are made available to customers in the UK to meet baseline cybersecurity requirements. This is a world first, and a world-leading regulatory regime, with many other countries now mandating similar requirements based on the world-leading European Telecommunications Standards Institute standard which the UK helped create.

For instance, manufacturers cannot use universal default or easily guessable default passwords, such as “admin123”; this reduces one of the most commonly exploited vulnerabilities in connectable products. Manufacturers must also ensure that they are transparent about the minimum length of time for which they will provide much-needed security updates that patch these vulnerabilities. They must also publish information on how to report security vulnerabilities directly to them and provide status updates about the reported issues. Importers also have important duties they must comply with, as they play an important role in ensuring that more vulnerable products are not imported into the country. The same applies for distributors, as they are often the last line of defence against non-compliant products making their way to consumers.

Subject to the approval of this Committee, this draft instrument will add three new categories of products to the list of excepted products at Schedule 3 to the 2023 regulations, as well as making a correction to those regulations. In their 2020 call for views for this regime, the Government indicated that products would be excepted from the product security regime if it is deemed inappropriate to include them prior to further investigation, they are already covered by robust legislation or they will be covered by future legislation that is particularly relevant to that product category.

DSIT committed to except certain categories of automotive vehicles on 29 April 2023. The Department for Transport has been working at an international level to agree regulations setting cybersecurity requirements for vehicles. This would allow the cybersecurity of these products to be addressed by requirements that are specific to the sector and their functionality. The Department for Transport intends to mandate UN Regulation 155 on cybersecurity and cybersecurity management systems in Great Britain for all new cars, vans, buses, trucks and motorbikes. Its requirements are more appropriate, as it was created in response to the expanding capability and connectivity of vehicle systems.

A consultation is expected to be published with a proposal to lay, via a negative SI, Article 57 GB approval of assimilated EU Regulation 2018/858 in the first half of this year, with the requirements beginning to take effect from February 2026. Additionally, the automotive industry and its supply chain are already beginning to comply with UN Regulation 155, as it has been mandatory for new types of passenger and goods vehicles in the European Union from July 2022. To avoid dual regulation and unintentionally placing undue burden on the automotive industry and trade, the Government are seeking to except specific vehicle categories from the scope of this regime.

First, through the amendment made by Regulation 4, this draft instrument seeks to except consumer-connectable products that fall in scope of Regulation (EU) 2018/858, Regulation (EU) 168/2013 and Regulation (EU) 167/2013 from the scope of the PSTI product security regulatory regime in Great Britain. The consumer connectable products in scope of these regulations include cars, vans, buses, motorcycles, mopeds, quadbikes and tractors. These products are already excepted from the PSTI product security regulatory regime when they are made available for supply in Northern Ireland, as a result of the Windsor Framework.

Secondly, the amendment made by Regulation 3 will correct a minor error in the current language. Adding “period” ensures that the original intent of the paragraph is preserved.

The UK’s product security regulatory regime is world-leading. It cements our position as a world leader in consumer internet-of-things security. This measure will ensure that the regime works as intended and that the security of vehicles can be addressed through appropriate sector-specific regulations, and it will remove unnecessary burdens from the vehicles sector.

I hope the Committee will recognise the importance of excepting these additional products from the scope of the PSTI product security regulatory regime. I commend the regulations to the Committee.

16:15
Lord Clement-Jones (LD)

My Lords, I thank the noble Lord, Lord Leong, for his introduction, but I am slightly baffled by this SI. I looked up whether the Commons had had its debate on it and found that it took place on 21 May 2024. Then I looked at the impact assessment, which seems to be dated 2023. I do not quite know why we are dealing with a historic SI almost a year later. What has happened in the intervening period? The Minister did not mention anything to do with that. Is this some oversight by the department? Has something happened? Was somebody ill and could not deal with this in the House of Lords? It is a rather peculiar situation.

The second rather strange aspect of this is that, when the Automated Vehicles Bill was going through, my noble friend the late Baroness Randerson, who was mentioned by my noble friend Lady Smith—it is rather coincidental that this was one of her big issues: automated vehicles and the data relating to them—raised questions about protection of personal privacy and the national security implications of the data being retained by manufacturers of automated vehicles. She also raised the possibility of a cyberattack that could paralyse traffic over a considerable area. Those concerns were also raised by my honourable friend Wera Hobhouse in the Commons at the same time. I think the noble Lord, Lord Sharpe, might be interested in this: we were assured at that time by Ministers in the previous Government that GDPR was good enough protection in respect of automated vehicles, despite the concerns expressed by my late noble friend Baroness Randerson. Now it turns out, as set out in the Explanatory Memorandum, that special provisions are needed.

Again, this is rather baffling. We seem to be hearing either that we have an administrative problem or that there was a misunderstanding about the intended policy. In some respects, I should be pleased that the Explanatory Memorandum sets out more safeguards, because if we are going to exempt these three areas—in particular, automated vehicles—we need to know that those safeguards will be in place through other mechanisms. I will go through what those might be and put questions to the Minister about them.

How will the collection, storage and use of personal data by automated vehicles be regulated to ensure compliance with data protection laws? What specific criteria must be met for a person or body to be authorised as a self-driving entity, particularly concerning data protection? Do they need to obtain a certificate of compliance with data protection legislation from the ICO, for instance? How can the public be reassured that their personal data will be protected? How will the regulations ensure that personal data is protected, not only during vehicle operation but after the ownership of a vehicle has ended? What are these robust personal data practices that need to be in place for companies to be authorised as self-driving entities?

What information about the data for the authorisation of automated vehicles must be provided and to whom? Will the Secretary of State consult the Information Commissioner’s Office before making regulations relating to the provision of personal data in automated vehicles, and will the ICO be including elements to do with personal data and automated vehicles in its annual report to Parliament? How will the Government protect against potential cyberattacks on automated vehicle systems?

Specifically, how do the regulations for consumer connectable products under the Product Security and Telecommunications Infrastructure Act interact with those that apply to automated vehicles and their components? Does this exempt the whole of the automated vehicle or, rather, particular connectable items in automated vehicles that would in fact be covered by the PSTI Act? How will the regulations prevent anti-competitive practices by vehicle manufacturers who might use data to restrict competition between them and independent operators?

The Explanatory Memorandum talks about the CAVPASS programme, which provides some information that is relevant. Currently, however, it does not deal directly with these specific questions regarding data handling in automated vehicles. We are promised, I think, that something is coming down the track in 2025. There is mention of a staged approach to regulations, which suggests that future measures will be introduced. When can we expect more information of the kind that I have raised? Is it not long overdue, given the speed of development of these vehicles? They are already in pilot form and we need to know that our data is secure. We are still left with questions, despite all that. I doubt whether CAVPASS is necessarily going to cover how data is collected in relation to cybersecurity and how they will be protected in that respect.

There are quite a lot of questions here, and it is rather peculiar that we were not in a position to ask these questions at the same time as the House of Commons last May. I am therefore looking forward to what the Minister has to say in reply.

Lord Sharpe of Epsom (Con)

My Lords, I thank the Minister for his explanation. I would say to the noble Lord, Lord Clement-Jones, that something did happen, and that was the general election, which we, unfortunately, lost. That no doubt explains something of the delay.

The noble Lord, Lord Clement-Jones, has asked some pertinent questions. I will keep mine a little more general, because this SI amends the original regulations and broadens the exceptions under Schedule 3. The most notable change concerns the automotive sector, as has been noted, where vehicles were previously exempt from certain cybersecurity provisions.

The new regulations align the UK’s approach with international standards. They recognise the unique nature of vehicle systems and the need for specialised cybersecurity measures. UN Regulation No. 155 on cybersecurity and cybersecurity management systems, which governs the security of vehicles, is now set to be the primary framework for automotive security. As far as it goes, that would obviously seem eminently sensible, but the noble Lord, Lord Clement-Jones, has highlighted that there are a number of broader, perhaps more philosophical, questions about the direction of travel—that is not a pun—with regard to EVs, self-driving vehicles and vehicle autonomy, which we will have to grapple with at some point in the future. I imagine that this is a subject to which we will return.

My questions are a little more general. The regulations are undoubtedly important for protecting consumers and securing digital infrastructure, but we must consider the broader implications. The automotive sector is rapidly evolving, as has been noted, and the development of automated vehicles holds significant economic and societal potential. However, with innovation comes the risk of regulatory frameworks that struggle to keep pace; that is self-evident. How do we ensure that these cybersecurity measures do not inadvertently stifle technological advancement in areas and sectors such as the automotive sector? How do we end up striking the right balance between securing the technologies and enabling them to flourish?

There is also a question here around consumer awareness; again, this was highlighted by the noble Lord, Lord Clement-Jones. How long would an individual’s data be attached to a particular vehicle, for example, even after it is sold? These regulations require manufacturers to disclose the duration of product security support, but how well are consumers equipped to understand and act on this information? Are we confident that the public are sufficiently informed about the critical nature of cybersecurity? Will the Government commit to taking the necessary steps to help customers and consumers protect their devices and data? It seems to us that this is an area where the education of the public must go beyond the bare minimum. We need to ensure that consumers are not left in the dark about the sorts of security risks that they may face.

We must also consider enforcement. With the proliferation of smart products entering the market at such an unprecedented rate, how will we ensure consistent and effective compliance across such a diverse range of industries, from household appliances to vehicles? As new technologies emerge and evolve, the enforcement mechanisms that are in place today may not be enough. Are we allocating the necessary resources to monitor and enforce these standards effectively? Are the Government allocating additional resources to help those things along? Does the current enforcement mechanism system adequately address the rising complexity and scale of the challenges ahead?

As I said, these are broader, more philosophical questions—I do not expect the Minister to be in a position to answer them and there is no need to write—but these are the sorts of things that we all need to consider as a society. Obviously, that will have political, economic and societal ramifications that we all need to consider, but the Opposition have no objection to these regulations; they make perfect sense for now. I suspect, however, that this is a subject to which we will return.

Lord Leong (Lab)

My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Sharpe, for their contributions.

I will first address the question asked by the noble Lord, Lord Clement-Jones: why the delay? As the noble Lord, Lord Sharpe, mentioned, it was a result of the general election. At the same time, we were waiting for the Department for Transport to progress UN Regulation No. 155, until such time as we knew that we must take this exception out of the current regulations. That is the reason for the delay, basically; it was also about finding parliamentary time to table these regulations. That is that on the delay.

Lord Clement-Jones (LD)

I am sorry to interrupt the Minister but, frankly, this is the same instrument as the one that was debated last May. Nothing has changed apart from the lack of parliamentary time. We could have done this in September, October or whenever. I forget quite when we had the King’s Speech—in July? We could have done this at any time in the past few months.

Lord Leong (Lab)

This is beyond my pay grade, I am afraid. I will need to ask my leader, the Chief Whip, why we could not allocate any parliamentary time for this legislation.

As far as personal data is concerned, the GDPR is still the lead legislation. I respectfully say to the noble Lord that, for the purposes of today’s regulations, the whole issue of such data is outside the scope of this instrument for now. However, I am sure that we will be talking about personal data in the months and, probably, years to come in other forms of legislation, or even about it being regulated itself.

Lord Clement-Jones (LD)

Out of scope? On the basis that we are being asked to exempt automated vehicles, is it not proper that we ask for reassurance about automated vehicles and the implications for safety, data or whatever else? We are exempting them from these connected product regulations, so we need to be reassured that there are other ways of regulating them other than through these regulations. So this is not out of scope; the debate is about whether we should be exempting them.

16:30
Lord Leong (Lab)

I take the point, but the instrument is about the two amendments to the regulations. I take the noble Lord’s point about data. Yes, it is important, and we must preserve the data, but this instrument is not within that scope.

Moving on to cybersecurity within autonomous vehicles, cybersecurity is at the heart of the Government’s priorities for the rollout of all self-driving vehicles. The Automated Vehicles Act 2024 enables an obligation to be placed on those responsible for self-driving vehicles to maintain a vehicle’s software and ensure that appropriate cybersecurity measures are in place throughout its service life.

In response to the point made by the noble Lord, Lord Sharpe, about innovation, the Government are committed to supporting the development and deployment of self-driving vehicles in the UK. Our permissive trialling regime means that self-driving cars, buses and freight vehicles are already on UK roads with safety drivers. The Automated Vehicles Act will pave the way to scale deployments beyond trials. The Act delivers one of the most comprehensive legal frameworks of its kind anywhere in the world for self-driving vehicles, with safety at its core. It sets out clear legal responsibilities, establishes a safety framework and creates the necessary powers to regulate this new industry.

On the point about cybersecurity from the noble Lord, Lord Clement-Jones, the Government take national security extremely seriously and are actively monitoring threats to the UK. The Department for Transport works closely with the transport sector, the National Cyber Security Centre and other government departments to understand and respond to cybersecurity issues associated with connected vehicles. UN Regulation No. 155 more comprehensively addresses cybersecurity risks with automotive vehicles and has adequate provisions to deal with the prospect of self-driving vehicles. The PSTI regime is designed for consumer connectable devices or products and is not fully equipped to address the specific needs and complexities of vehicle cybersecurity. UN Regulation No. 155, which was developed through international collaboration, provides a more suitable and rigorous framework for ensuring the security of vehicles.

More everyday products than ever are now connected to the internet. The Government have taken action to ensure that UK consumers and businesses purchasing consumer connectable products are better protected from the risks of cyberattack, fraud, or even, in the most serious cases, physical danger. The PSTI product security regulatory regime builds on the ETSI international standard and is the first of its kind in the world to come into force.

The cybersecurity regulatory landscape will continue to evolve. The Government need to be agile to ensure that there is synergy between existing and new laws. Through this draft instrument, the Government are delivering on the commitment in 2021 to except certain categories of automotive vehicles from the scope of the PSTI product security regulatory regime. This is because the Government, via the Department for Transport, are in the process of introducing sector-specific regulations that have been developed at an international level to address the cybersecurity of these products. These requirements, which are specifically tailored to these vehicles and their functionality, will create a more precise regime for the sector. This draft instrument therefore ensures that the automotive industry, which contributed £13.3 billion to the economy in 2022, will not be placed under undue burdens from dual regulations.

Lord Clement-Jones (LD)

My Lords, the Minister has not mentioned the point raised in the Explanatory Memorandum, which was designed, I think, to give us comfort about cybersecurity and data: the Government’s Connected and Automated Vehicles: Process for Assuring Safety and Security—CAVPASS—which I mentioned. I did not hear him give us an assurance that that will be developed during 2025 to ensure the safety and cybersecurity of self-driving vehicles. As well as reiterating that the GDPR is an absolutely splendid way of regulating these automated vehicles, I hope that he will reiterate that this will be produced, because I have had a look at what CAVPASS currently says in the area of data, and it is not very much. After all, these connected regulations from which we are exempting automated vehicles are about safety, data and everything else.

Lord Leong (Lab)

My Lords, the noble Lord makes a very important point. Rather than waiting for my officials to give me a briefing note, I will ensure that I write to him on all the points that he has just mentioned.

Motion agreed.