Product Security and Telecommunications Infrastructure Bill Debate
Lord Arbuthnot of Edrom (Conservative - Life peer)
Lords Chamber

My Lords, for a technical Bill, this has been a fascinating and most enjoyable debate. I am lucky to follow my noble friend Lady McIntosh, whose comments on the rural economy are always of genuine importance. The Bill addresses two important matters, both arising from market failures. The first is the security of the internet of things. That is what I want to concentrate on. The second, a highly polarised dispute between mobile providers and landowners, has been dealt with by noble Lords much more expert than me.
I will therefore concentrate on the internet of things, which opens up huge opportunities and huge vulnerabilities. I declare my interests as chairman of the Information Assurance Advisory Council, chair of the Thales UK advisory board and chairman of Electricity Resilience Ltd. I am also on the advisory panel of the Electric Infrastructure Security Council in the United States.
For a long time, I have hoped that we might be able to come up with a security solution driven by market forces. How wonderful it would be if the market required product manufacturers to make goods that were secure—actually, if the market required companies to have a secure and resilient infrastructure of governance. If anybody could come up with a business plan to achieve that, they would be able to name their price for it, but experience shows us that this is an area of market failure. A company that spends little money on secure products or secure practices is able to sell those products or services more cheaply than those that take security and resilience seriously. Therefore, this is a field in which the Government have to help so that every product manufacturer has to be put on a level basis and everyone can block a hole in our collective security that would otherwise invite attack from malign actors.
These vulnerabilities are indeed serious. A blogger named Jeff Jarmoc once said:
“In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.”
I am not sure whether internet-connected toasters exist and I cannot think why anybody would want one, but the point remains. The internet is fundamentally insecure because its security model is end-to-end. It was supposed to be a basic tube for a research network for a small group of trustworthy experts—a tube connecting smart devices—but it expanded too far and too fast, and many devices attached to the internet today are not smart at all. Even when they are smart, users can undo their security with unsmart passwords including the ones assigned at the factory and contained in the instruction booklets, which are available online.
There is a problem here. Mankind will do almost anything for convenience. In the Bill, which I very much welcome, we need to cater for those moments when multiple engineers will need to have access to an internet-connected system. They will need to know what to do when something goes wrong, and often they will need to be quick about it to avoid disaster. Without the Bill, often a default password would be the solution to that problem; with the Bill, organisations will have to come up with new ways of addressing it. We also need to cater for that large mass of the population who are neither expert nor in the slightest bit interested in security. Why would I buy a secure internet-connected toaster if I know nothing about security and can get a cheaper one that is not secure?
I note the Government’s intention that
“manufacturers and others should implement a security vulnerability disclosure policy to ensure that such weaknesses are monitored, identified, rectified and reported to stakeholders”,
but I am not sure this works. GDPR, another welcome bit of legislation, to which my noble friend Lord Hunt referred briefly, requires companies to tell you what their cookies are doing, but how many of your Lordships read the terms and conditions you sign up to regularly? I do not, and I bet that not even my noble friend Lord Vaizey reads them. We need the products themselves to be secure by design, in exactly the same way as cars nowadays make it easier for the driver to drive safely.
I make one final point, raised with me by the CyberUp Campaign, and touched on by my noble friends Lord Vaizey and Lord Holmes. The vulnerabilities that I have been talking about mean that cybersecurity researchers need to be encouraged to look for and disclose those vulnerabilities. The Government’s response to the consultation on these proposals mentions the importance of legal certainty for these security researchers. But the CyberUp Campaign suggests that, without a statutory defence in the Computer Misuse Act—and I remember taking part in Committee during the passage of that Act more than two decades ago, in another place—
Three—well, that is also more than two decades ago. Cybersecurity researchers can still face spurious legal action for reporting a vulnerability to a company. They cite as an example Rob Dyke and his civil legal battle with the Apperta Foundation. They suggest that the Government should go further to reform the Computer Misuse Act and put in law a basis from which cybersecurity researchers can defend themselves. I should be grateful if the Minister, who introduced this Bill with such eloquence, could, in winding up, say something about the Government’s thinking on this.
I welcome this Bill and look forward to its further progress in your Lordships’ House.