Draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 Debate
Full Debate: Read Full DebateAdam Afriyie
Main Page: Adam Afriyie (Conservative - Windsor)Department Debates - View all Adam Afriyie's debates with the Department for Science, Innovation & Technology
(1 year, 1 month ago)
General CommitteesMy right hon. Friend makes an important point. Perhaps I can come back to it in a bit more detail at the end of my comments, but I will make this point now: as I described, the measures will give a minimum level of security assurance to customers. This draft instrument is not the frontline, the arrowhead, of UK international counter-espionage; this is about ensuring that when people buy an iPhone or some such device, they can be confident that basic minimum standards have been met. It is not the basis on which we can all go to bed at night safe and secure, with the whole of UK critical national infrastructure secure. That work is being led by my right hon. Friend the Chancellor of the Duchy of Lancaster and Deputy Prime Minister.
I turn briefly to the basics of the draft instrument. First, on security requirements, the regulations mandate that manufacturers comply with the security arrangements that Parliament has set out in schedule 1. The security requirements are backed by security experts and have been consulted on extensively. In the view of the National Cyber Security Centre, which has been very involved, they will make the most fundamental difference to the vulnerability of consumer connectable products through the guidelines in the UK’s code of practice for consumer IOT security.
The first requirement bans businesses from selling to UK customers consumer smart products with universal defaults or easily guessable default passwords. Such passwords expose users to unacceptable risk of cyber-attack and allow malicious actors to compromise products at scale, equipping them with the computing power to launch significantly disruptive cyber-attacks.
Secondly, manufacturers will be required to publish, in an accessible, clear and transparent manner, the details of a point of contact for the reporting of security vulnerabilities. Despite previous Government interventions and the increasing threat of cyber-crime targeted at these products, less than a third of global manufacturers had any policy for how they can be made aware of vulnerabilities as of 2022.
The final security requirement will ensure that the minimum length of time for which a product will receive security updates is not just published, but published in an accessible, clear and transparent manner. Consumers value security and consider it when purchasing products. Equipped with the vital information mandated by this requirement, UK customers and their intermediaries will be able to drive manufacturers to improve the security protections that they offer through market forces.
I will turn to the conditions for deemed compliance. Where the security outcomes that we are seeking to achieve are entirely or partially delivered through broader international standards, the regime allows manufacturers compliant with those standards to more readily demonstrate their compliance with our security requirements. That is the intent of regulation 4, and schedule 2 sets out conditions based on analogous provisions in two leading international standards. Where those conditions are met, a manufacturer is to be treated as having complied with a particular security requirement. Colleagues will be pleased to know that we have tried to take the opportunity to reduce process-driven bureaucracy and make it easy for proper compliance to be demonstrated in the interest of consumer protection.
The excepted products protocol in the instrument sets out a list of products that we have exempted from the scope of the product security regime. First, select product categories made available for supply in Northern Ireland are exempted. That exemption ensures that the regime upholds the UK’s international commitments under the EU withdrawal agreement while extending the protections and benefits offered by the regime to consumers and businesses across the UK. Additionally, smart charge points, medical devices and smart metering devices are exempted to avoid double regulation and to ensure that those products are secured with the measures most appropriate to the particulars of their functions. To answer the point raised by my right hon. Friend the Member for Chipping Barnet, we would not want to rely on these regulations alone for the safety of medical devices; they are covered, quite rightly, by far more extensive regulations through the Medicines and Healthcare products Regulatory Agency.
I welcome the instrument in general terms, but I have a couple of quick questions. The Minister mentioned that Northern Ireland is outwith the scope of this regime because of its interaction with the European Union as it stands today. In effect, that treats Northern Ireland as not part of the United Kingdom for these purposes. Am I correct in thinking that?
Secondly, I completely agree with the cut-outs for medical devices, smart meters and so on. The Minister may need some inspiration on this, but are vehicles included in the minimum standards, given that lots of them now have autopilot systems and software updates to undertake week in, week out, and passcodes included in the software?
Those are two excellent questions. On Northern Ireland, basically the answer is no. This goes with the grain of the Windsor framework that the Prime Minister has negotiated, and it recognises that for the purposes of consumer standards, Northern Ireland is governed by the EU proposals in this space. I am delighted to say that the UK proposals are a little quicker, more agile and fleet of foot, and to some extent that might give Northern Ireland manufacturers an advantage. Perhaps I could come back to the point about vehicles; it is an important point to which the internet of things is very relevant.
The instrument also exempts laptops, desktop computers and tablets without a cellular connection from the regime scope. Engagement with industry highlighted that the manufacturers of those products would face completely unique challenges in complying with the regime. On many occasions where those products are in use, they are already subject to extensive cyber-protection standards. It is therefore not clear at this stage that including those products in the regime scope would be proportionate. However, as with so many of these things, I am happy and keen to keep a watching eye on that to ensure that we are keeping up with technology.
The administrative provisions in the SI, including those relating to statements of compliance, are uncontroversial. The regime will require that those documents are company products serving as an audit trail to enable compliance across the supply chain and to facilitate effective enforcement. We do not expect every single consumer to read all of that every time they buy a pair of speakers or any digital device, but the active intermediaries on behalf of consumers will be able to access it, and we foresee an active enforcement culture, not least online.
The product security regime, including these regulations, is the first in the world to recognise that the public has a right to expect that the products available for them to purchase are secure, and that the Government have a duty to enforce that. The measures will cement the UK as a world leader in responsibly embracing the enormous potential of emerging technology. They are a first step in the development of a framework that will keep pace with technology. I commend the regulations to the Committee.