Product Security and Telecommunications Infrastructure Bill Debate

Full Debate: Read Full Debate
Department: Department for Digital, Culture, Media & Sport

Product Security and Telecommunications Infrastructure Bill

Lord Arbuthnot of Edrom Excerpts
Lord Arbuthnot of Edrom Portrait Lord Arbuthnot of Edrom (Con)
- Hansard - -

My Lords, for a technical Bill, this has been a fascinating and most enjoyable debate. I am lucky follow my noble friend Lady McIntosh, whose comments on the rural economy are always of genuine importance. The Bill addresses two important matters, both arising from market failures. The first is the security of the internet of things. That is what I want to concentrate on. The second, a highly polarised dispute between mobile providers and landowners, has been dealt with by noble Lords much more expert than me.

I will therefore concentrate on the internet of things, which opens up huge opportunities and huge vulnerabilities. I declare my interests as chairman of the Information Assurance Advisory Council, chair of the Thales UK advisory board and chairman of Electricity Resilience Ltd. I am also on the advisory panel of the Electric Infrastructure Security Council in the United States.

For a long time, I have hoped that we might be able to come up with a security solution driven by market forces. How wonderful it would be if the market required product manufacturers to make goods that were secure—actually, if the market required companies to have a secure and resilient infrastructure of governance. If anybody could come up with a business plan to achieve that, they would be able to name their price for it, but experience shows us that this is an area of market failure. A company that spends little money on secure products or secure practices is able to sell those products or services more cheaply than those that take security and resilience seriously. Therefore, this is a field in which the Government have to help so that every product manufacturer has to be put on a level basis and everyone can block a hole in our collective security that would otherwise invite attack from malign actors.

These vulnerabilities are indeed serious. A blogger named Jeff Jarmoc once said:

“In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.”


I am not sure whether internet-connected toasters exist and I cannot think why anybody would want one, but the point remains. The internet is fundamentally insecure because its security model is end-to-end. It was supposed to be a basic tube for a research network for a small group of trustworthy experts—a tube connecting smart devices—but it expanded too far and too fast, and many devices attached to the internet today are not smart at all. Even when they are smart, users can undo their security with unsmart passwords including the ones assigned at the factory and contained in the instruction booklets, which are available online.

There is a problem here. Mankind will do almost anything for convenience. In the Bill, which I very much welcome, we need to cater for those moments when multiple engineers will need to have access to an internet-connected system. They will need to know what to do when something goes wrong, and often they will need to be quick about it to avoid disaster. Without the Bill, often a default password would be the solution to that problem; with the Bill, organisations will have to come up with new ways of addressing it. We also need to cater for that large mass of the population who are neither expert nor in the slightest bit interested in security. Why would I buy a secure internet-connected toaster if I know nothing about security and can get a cheaper one that is not secure?

I note the Government’s intention that

“manufacturers and others should implement a security vulnerability disclosure policy to ensure that such weaknesses are monitored, identified, rectified and reported to stakeholders”,

but I am not sure this works. GDPR, another welcome bit of legislation, to which my noble friend Lord Hunt referred briefly, requires companies to tell you what their cookies are doing, but how many of your Lordships read the terms and conditions you sign up to regularly? I do not, and I bet that not even my noble friend Lord Vaizey reads them. We need the products themselves to be secure by design, in exactly the same way as cars nowadays make it easier for the driver to drive safely.

I make one final point, raised with me by the CyberUp Campaign, and touched on by my noble friends Lord Vaizey and Lord Holmes. The vulnerabilities that I have been talking about mean that cybersecurity researchers need to be encouraged to look for and disclose those vulnerabilities. The Government’s response to the consultation on these proposals mentions the importance of legal certainty for these security researchers. But the CyberUp Campaign suggests that, without a statutory defence in the Computer Misuse Act—and I remember taking part in Committee during the passage of that Act more than two decades ago, in another place—

None Portrait A noble Lord
- Hansard -

Three.

Lord Arbuthnot of Edrom Portrait Lord Arbuthnot of Edrom (Con)
- Hansard - -

Three—well, that is also more than two decades ago. Cybersecurity researchers can still face spurious legal action for reporting a vulnerability to a company. They cite as an example Rob Dyke and his civil legal battle with the Apperta Foundation. They suggest that the Government should go further to reform the Computer Misuse Act and put in law a basis from which cybersecurity researchers can defend themselves. I should be grateful if the Minister, who introduced this Bill with such eloquence, could, in winding up, say something about the Government’s thinking on this.

I welcome this Bill and look forward to its further progress in your Lordships’ House.

Product Security and Telecommunications Infrastructure Bill Debate

Full Debate: Read Full Debate
Department: Department for Digital, Culture, Media & Sport

Product Security and Telecommunications Infrastructure Bill

Lord Arbuthnot of Edrom Excerpts
Moved by
16: After Clause 49, insert the following new Clause—
“Offences under the Computer Misuse Act 1990: defence
Notwithstanding anything contained in the Computer Misuse Act 1990, it is not an offence for a person (“A”) to test the conformity of a relevant connectable product with all or any of the security requirements, without consent of the person entitled to control access to the product (“B”), where—(a) A reasonably believes that B would have consented to that testing if B had known about the the circumstances of it, including the reasons for performing it,(d) A is empowered by an enactment, a rule of law, or an order of a court or tribunal, to carry out the test, or(c) the test was necessary for the detection of crime.”
Lord Arbuthnot of Edrom Portrait Lord Arbuthnot of Edrom (Con)
- Hansard - -

My Lords, Amendment 16 proposes a statutory defence for ethical hackers. I am grateful to the noble Lord, Lord Clement-Jones, and to the CyberUp campaign, for their help. Again, I declare my interests as chairman of the Information Assurance Advisory Council, chairman of the Thales UK advisory panel and chairman of Electricity Resilience Limited.

The Computer Misuse Act 1990 criminalised unauthorised access to computer systems. The methods used by cybercriminals and cybersecurity professionals are often identical, which is one of the things that makes the drafting of this amendment rather problematic. Usually, criminals do not have permission for what they do, and cybersecurity professionals do, but I am told by the CyberUp campaign that there are occasions on which that permission is difficult or impossible for a cybersecurity professional to get.

At Second Reading, I cited the case of Rob Dyke, who has been through a legal tussle with the Apperta Foundation, which has since been in touch with me to put its side of the story. It is clear that it feels strongly that it was right to pursue Mr Dyke until he gave undertakings that allowed it to drop its litigation. I do not know the rights and wrongs of that, but the Apperta Foundation supports the principles put forward by CyberUp for a legal defence for offences under the Computer Misuse Act.

In any event, the Government are carrying out a review into the 1990 Act. CyberUp’s submission to it sets out that many in the cybersecurity profession do not know whether what they are doing is legal. This is because legislation in 1990 came in before much of what now happens with computers had been thought of—so it inevitably created ambiguities. In the 1990 Act, no consideration was given—I remember because I was there—to web scraping, port scanning or malware denotation, and people are not sure that they are legal. Some of us are not sure quite what they are.

This is why there needs to be certainty for cybersecurity researchers; they need to be able to do things for the public good. We cannot rely on the National Cyber Security Centre for everything, because even the Government cannot keep up with the speed of technological development, as has been mentioned. The CyberUp campaign recognises that legislation also cannot keep up with the speed of change, so it has helped with drafting this amendment not with a view to seeing it enacted—my noble friend will resist it for a number of good reasons—but with a view to eliciting from the Government a statement about how they are getting on with this aspect of the review of the Computer Misuse Act.

One suggestion that the CyberUp campaign makes is that

“legislation to mandate the courts to ‘have regard to’ Home Office or Department for Digital, Culture, Media and Sport … guidance on applying a statutory defence that would, ideally, be based on the framework”

of principles. This includes, first, the prospective benefits of the Act outweighing the prospective harms; secondly, reasonable steps being undertaken to minimise the “risks of causing harm”; thirdly, the actor demonstrably acting “in good faith”; and fourthly, the actor being “able to demonstrate … competence”. Here we may come back to the standards/principle discussion that we had on the first group.

So I expect my noble friend to reject this amendment, but I should be grateful if he could say where the Government’s thinking on the matter is.

Baroness Neville-Jones Portrait Baroness Neville-Jones (Con)
- Hansard - - - Excerpts

My Lords, I speak in support of this amendment. My noble friend has just said that he doubts that the Government will adopt it, but, like him, I want to know where their thinking has got to.

The Computer Misuse Act is one of the first bits of legislation passed in the cyber era. It is old and out of date, and it is fair to say that it contains actively unhelpful provisions that place in legal jeopardy researchers who are doing work that is beneficial to cybersecurity. That is not a desirable piece of legislation to have on the statute book.

Last year, before the consultation that closed over a year ago, I corresponded with my noble friend Lady Williams. The common-sense reading of her reply was that the Home Office was quite aware that the Computer Misuse Act needed updating. I confess that I am a bit disappointed that, a year after the consultation closed, there still has not been a peep from the Government on this subject—either a draft or a statement of intention. It would be good to know where the Government are going, because it is quite damaging for this legislation as it stands to remain on the statute book: it needs modernisation.

Like my noble friend, I recognise that actually getting the drafting right is tricky and complex. Drafting language that strikes the right balance is not all that easy. But inability to find an ideal outcome is not a good reason for doing nothing, so I live in expectation, because the best must not be the enemy of the good. If the Government do not intend to produce legislation that updates that Act, I should like to see something in this legislation, taking advantage of it, at least to move the dial forward and protect ethical hackers to a greater extent than is the case at the moment.

If the Government are concerned about our drafting, I am sure we would be willing to listen to suggestions on a better formulation. In the absence of that, perhaps the Minister will say when and how the Government intend actually to modify a piece of legislation that has served its time and now needs to be superseded.

--- Later in debate ---
Lord Parkinson of Whitley Bay Portrait Lord Parkinson of Whitley Bay (Con)
- Hansard - - - Excerpts

I am very grateful to my noble friend Lord Arbuthnot of Edrom for representing the other three signatories to this amendment. I was glad to meet him and the noble Lord, Lord Clement-Jones, to discuss this yesterday.

The role of security researchers in identifying and reporting vulnerabilities to manufacturers is vital for enhancing the security of connectable products. The good news is that many manufacturers already embrace this principle, but there are also some products on the market, often repackaged white label goods, where it is not always possible to identify the manufacturer or who has the wherewithal to fix a fault. The Bill will correct that.

As noble Lords have noted, there are legal complexities to navigate when conducting security research. The need to stop, pause and consider the law when doing research is no bad thing. The Government and industry agree that the cybersecurity profession needs to be better organised. We need professional standards to measure the competence and capabilities of security testers, as well as the other 15 cybersecurity specialisms. All of these specialists need to live by a code of professional ethics.

That is why we set up the UK Cyber Security Council last year as the new professional body for the sector. Now armed with a royal charter, the council is building the necessary professional framework and standards for the industry. Good cybersecurity research and security testing will operate in an environment where careful legal and regulatory considerations are built into the operating mode of the profession. We should be encouraging this rather than creating a route to allow people to sidestep these important issues.

As noble Lords have rightly noted, the issues here are complex, and any legislative changes to protect security researchers acting in good faith run the risk of preventing law enforcement agencies and prosecutors being able to take action against criminals and hostile state actors—the goodies and baddies as the noble Earl, Lord Erroll, referred to them. I know my noble friend’s amendment is to draw attention to this important issue. As drafted, it proposes not requiring persons to obtain consent to test systems where they believe that consent would be given. That conflicts with the provisions of the Computer Misuse Act, which requires authorisation to be given by the person entitled to control access. As the products that would be covered by this defence include products in use in people’s homes or offices, we believe that such authorisation is essential. The current provisions in the Computer Misuse Act make it clear that such access is illegal, and we should maintain that clarity to ensure that law enforcement agencies do not have to work with conflicting legislation.

The amendment would also limit the use of such a defence as testers would still be subject to the legal constraints that noble Lords have described when reporting any vulnerability that the Government have not banned through a security requirement. If a new attack vector was identified that was not catered for by the security requirements, the proposed defences would have no effect. The amendment would not protect those testing products outside the scope of this regime, from desktop computers to smart vehicles. If we consider there to be a case for action on this issue, the scope of that action should not be limited to the products that happen to be regulated through this Bill. None the less, the Government are listening to the concerns expressed by the CyberUp Campaign, which have been repeated and extended in this evening’s debate.

The Home Secretary announced a review of the Computer Misuse Act last year. As my noble friend noted, the Act dates back to 1990. I do not want to stress too much its antiquity as I am conscious that he served on the Bill Committee for it in another place. His insight into the debates that went into the Bill at the time and the changes that have taken place are well heard. The evidence which is being submitted to the review is being assessed and considered carefully by the Home Office. It is being actively worked on and the Home Office hopes to provide an update in the summer.

I hope, in that context, that noble Lords will agree that it would be inappropriate for us to pre-empt that work before the review is concluded and this complex issue is properly considered. With that, I hope my noble friend will be content to withdraw his amendment.

Lord Arbuthnot of Edrom Portrait Lord Arbuthnot of Edrom (Con)
- Hansard - -

My Lords, I was six at the time. It has been a useful debate and I thank all those who have taken part. I am particularly grateful to my noble friend Lady Neville-Jones, who made it quite plain that we understand the problems in the way of the Government in legislating on this but we are getting impatient. With everything that is going on in the world, out-of-date cybersecurity legislation is becoming more dangerous day by day. That said, I beg leave to withdraw the amendment.

Amendment 16 withdrawn.