(2 years, 5 months ago)
Lords ChamberI am very grateful to my noble friend Lord Arbuthnot of Edrom for representing the other three signatories to this amendment. I was glad to meet him and the noble Lord, Lord Clement-Jones, to discuss this yesterday.
The role of security researchers in identifying and reporting vulnerabilities to manufacturers is vital for enhancing the security of connectable products. The good news is that many manufacturers already embrace this principle, but there are also some products on the market, often repackaged white label goods, where it is not always possible to identify the manufacturer or who has the wherewithal to fix a fault. The Bill will correct that.
As noble Lords have noted, there are legal complexities to navigate when conducting security research. The need to stop, pause and consider the law when doing research is no bad thing. The Government and industry agree that the cybersecurity profession needs to be better organised. We need professional standards to measure the competence and capabilities of security testers, as well as the other 15 cybersecurity specialisms. All of these specialists need to live by a code of professional ethics.
That is why we set up the UK Cyber Security Council last year as the new professional body for the sector. Now armed with a royal charter, the council is building the necessary professional framework and standards for the industry. Good cybersecurity research and security testing will operate in an environment where careful legal and regulatory considerations are built into the operating mode of the profession. We should be encouraging this rather than creating a route to allow people to sidestep these important issues.
As noble Lords have rightly noted, the issues here are complex, and any legislative changes to protect security researchers acting in good faith run the risk of preventing law enforcement agencies and prosecutors being able to take action against criminals and hostile state actors—the goodies and baddies as the noble Earl, Lord Erroll, referred to them. I know my noble friend’s amendment is to draw attention to this important issue. As drafted, it proposes not requiring persons to obtain consent to test systems where they believe that consent would be given. That conflicts with the provisions of the Computer Misuse Act, which requires authorisation to be given by the person entitled to control access. As the products that would be covered by this defence include products in use in people’s homes or offices, we believe that such authorisation is essential. The current provisions in the Computer Misuse Act make it clear that such access is illegal, and we should maintain that clarity to ensure that law enforcement agencies do not have to work with conflicting legislation.
The amendment would also limit the use of such a defence as testers would still be subject to the legal constraints that noble Lords have described when reporting any vulnerability that the Government have not banned through a security requirement. If a new attack vector was identified that was not catered for by the security requirements, the proposed defences would have no effect. The amendment would not protect those testing products outside the scope of this regime, from desktop computers to smart vehicles. If we consider there to be a case for action on this issue, the scope of that action should not be limited to the products that happen to be regulated through this Bill. None the less, the Government are listening to the concerns expressed by the CyberUp Campaign, which have been repeated and extended in this evening’s debate.
The Home Secretary announced a review of the Computer Misuse Act last year. As my noble friend noted, the Act dates back to 1990. I do not want to stress too much its antiquity as I am conscious that he served on the Bill Committee for it in another place. His insight into the debates that went into the Bill at the time and the changes that have taken place are well heard. The evidence which is being submitted to the review is being assessed and considered carefully by the Home Office. It is being actively worked on and the Home Office hopes to provide an update in the summer.
I hope, in that context, that noble Lords will agree that it would be inappropriate for us to pre-empt that work before the review is concluded and this complex issue is properly considered. With that, I hope my noble friend will be content to withdraw his amendment.
My Lords, I was six at the time. It has been a useful debate and I thank all those who have taken part. I am particularly grateful to my noble friend Lady Neville-Jones, who made it quite plain that we understand the problems in the way of the Government in legislating on this but we are getting impatient. With everything that is going on in the world, out-of-date cybersecurity legislation is becoming more dangerous day by day. That said, I beg leave to withdraw the amendment.