Product Security and Telecommunications Infrastructure Bill Debate
Full Debate: Read Full DebateBaroness Merron
Main Page: Baroness Merron (Labour - Life peer)Department Debates - View all Baroness Merron's debates with the Department for Digital, Culture, Media & Sport
(2 years, 6 months ago)
Lords ChamberMy Lords, I rise to move Amendment 1 in my name and that of my noble friend Lord Clement-Jones, who is sadly unable to be here today. Should your Lordships feel at times that I am going on a bit long, just think of the alternative: it could have been both of us.
I should first say in the spirit of co-operation that the aim of this amendment is wholly positive; it is designed to firmly support the intentions of the first half of this Bill—support which we heard right across your Lordships’ House at Second Reading. While introducing this part of the Bill, the Minister set out a clear need for improved security. He told us:
“The average UK household now has nine internet-connected devices, and over 50% of all UK households purchased an additional consumer connectable product during the pandemic.”
The danger to individuals is getting worse. As the Minister also said:
“In the first half of last year alone, we saw 1.5 billion attacks on connectable products—double the figure of the year before.”
With this rise in connectable devices, the Minister said:
“Thousands of people in the UK have been victims of cyberattacks.”—[Official Report, 6/6/22; col. 1033.]
I suggest that this is understating the situation—it must be tens if not hundreds of thousands—but frankly, we just do not know.
This is an international business, which preys on poor security and badly configured devices. Further, our household devices can be co-opted by sophisticated criminal or political hackers to present significant threats to our national infrastructure. That is why this part of the Bill is important; I think we all agree on that. For a connectable device to be secure, it needs to be set up right but then supported throughout its active life to meet the changing environment of security threats. We are all used to updating our laptop security regularly, but how many times have we updated other household-connectable devices? A baby alarm, for example, is never updated.
At Second Reading, I described my fruitless search within the Bill for a definition of the security support that a consumer might reasonably expect for consumer-connectable products in the house. This Bill takes the secondary-legislative route. Rather than set out what consumers should legally expect in terms of through-life product security support, we were promised some SIs, and we heard what the focus would be.
In a letter sent last week, the Minister gave the Government’s reasons for choosing those three areas; I will come back to them briefly. He wrote:
“we are starting with a focus on the three security requirements that will make the most substantial change to consumer device security at a proportionate cost to business”.
But why just these three? The Bill is heavily based on the Code of Practice for Consumer IoT Security, in which 13 security issues were highlighted. To be clear, the first two—“No default passwords” and
“Implement a vulnerability disclosure policy”—
match those of the Minister. Interestingly, on the third one, there is a big difference in language between the Bill—which mentions providing transparency on how long, at a minimum, the product will receive security updates—and the code, which says, “Keep software updated”.
But there are 10 other major areas. I will not list them, but the fourth is:
“Securely store credentials and security-sensitive data”.
The eighth is
“Ensure that personal data is protected”.
Why are those two not as important as the other three? I cannot fathom why those have been left out and the previous three selected. So, given the choice of 13—the Minister can look them up—what was the logic in choosing just those three and dropping the fourth and eighth in particular?
There is also the issue of changing technology. Without a set of principles, the Government’s aim is to chase technological development with a string of statutory instruments, simultaneously keeping up with the world’s most innovative companies and pitting their ingenuity against the world’s top criminals. Life is moving fast—for example, a recent issue of Wired announced the beginning of the end for passwords:
“At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using ‘Passkeys’ with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination.”
On that basis, this legislation will be partially obsolete before it is enacted.
I have one further technical problem for the Minister to explain. Once again, different bits of government are moving in parallel. A seemingly entirely different exercise—a consultation on app security and privacy interventions—was published in May this year. The suggested interventions include
“a voluntary Code of Practice for App Store Operators and Developers that is intended as a first step.”
Other possible future options set out in the document include
“certification for app store operators and regulating aspects of the Code to help protect users.”
The document then says:
“These proposals link into the National Cyber Strategy through requiring providers of digital services to meet appropriate standards of cyber security and developing frameworks to secure future technologies.”
No mention of this legislation is made.
So where does a connected device end and an app start? Where does the Bill stop and this new code of practice start? If I install my temperature control system, it will involve connected hardware and an app; which of these two pieces of government activity will cover my system, and how are they connected? The Government have not joined this up, and, once again, two things are going on with no connection to each other.
So, I borrowed some of the Code of Practice for Consumer IoT Security for this amendment, which sets out some of the principles. Proposed subsection 2(a) sets a simple obligation for “manufacturers, importers and distributors” to demonstrate a “duty of care”. Proposed subsection 2(b) sets out that
“customers are entitled to have a reasonable expectation that manufacturers, importers, and distributors make sure their consumer connectable products meet minimum cyber security requirements before they are placed on the UK market”.
Proposed subsection 2(c) calls for
“manufacturers, importers, and distributors … to demonstrate an understanding of emerging security threats and a proactive, ongoing support programme to mitigate these risks and ensure that their products are safe by design.”
The Minister would be hard-pressed to argue against these—and his planned SI on accessibility vulnerability is close to proposed subsection 2(c) anyway.
I would like to hear that the Government recognise the benefits that having clear principles in the Bill can deliver. I am sure that the Minister can see these benefits. Secondly, I am not proprietorial over the exact wording. We can use the time between Committee and Report to fine-tune and wordsmith those principles, but I hope that this is a constructive and helpful start.
My Lords, I restate these Benches’ support for Part 1, which introduces a range of important powers and processes relating to the security of consumer-connectable products, including smart TVs, smartphones, connected baby monitors and connected alarm systems, all of which we use in our day-to-day lives. For me, the legislation that we seek to improve today is much needed and needs to move with the times and the way we live. For example, in 2006 there were just 13 million of these devices but in 2024, there is likely to be more than 150 million in the UK alone—a huge projected rise.
I am grateful to the noble Lord, Lord Fox, for introducing this sensible amendment, and to the noble Lord, Lord Clement-Jones, whose name is also on it. It seeks to introduce or suggest some guiding principles relating to product security. For me, the key principles are that manufactures, importers and distributors have a responsibility and a duty of care to meet minimum cybersecurity requirements and look forward to emerging security threats. It seems wise and sensible to include these, so I hope the Minister will take them into account. As the noble Lord, Lord Fox, said, the exact wording of the amendment does not have to be used; it is about the principles. Indeed, it is about not just principles but practice: the message given to consumers as well as to manufacturers, importers and distributors.
I know that in other legislation the Government are often nervous about using the phrase “duty of care”, but, as the Minister knows, there are very real concerns about data collection and privacy. I suggest that this is the very least that consumers should be able to expect. While it may be said that the other principles are not necessary to include, there have been several cases of manufacturers knowing about, yet failing to act on, significant security flaws. I feel this is something we need to guard against.
My Lords, I am grateful, as ever, to the Delegated Powers and Regulatory Reform Committee for its very helpful report on this Bill. It would be fair to say that, in general, this Bill has fared better than most Bills, so that gives some comfort. Nevertheless, it is also true to say that the committee has raised a number of concerns and has put forward a very helpful range of recommendations, which are encapsulated in this suite of amendments. I thank the noble Lord, Lord Fox, for his detailed canter through what might be called a veritable feast of amendments.
As I say, this group of amendments very much reflects the concerns of the committee. I should also put on record that as the amendments were tabled at a relatively late stage, these Benches have not signed them. I say to the Minister that there is nothing to deduce from that, because I can confirm that we hope that he will take the concerns that are seriously and sensibly set out in this group and will look at revising the scope of procedures relating to certain powers when it comes to Report stage.