Draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 Debate
Chi Onwurah (Labour - Newcastle upon Tyne Central and West), debate with the Department for Science, Innovation & Technology (1 year, 3 months ago)
General Committees

It is a delight to serve under your chairmanship, Mr Hollobone, in this important debate. I thank the Minister for setting out the context for the regulations and their intended effect. I declare an interest: as the Minister is aware—I certainly talk about it enough—before I entered Parliament I worked in tech for 23 years, with the last six at Ofcom as head of telecoms technology, which included internet security.
My experiences at Ofcom and as a chartered electrical engineer gave me a strong awareness of the immense value of new technologies, such as IoT, but also of their potential harms. In 2011, I was the first Member of Parliament to mention the internet of things in this place, in a Westminster Hall debate I secured on machine-to-machine communications. Since then, the market for connected devices has grown exponentially; with smart phones in so many pockets, smart appliances in so many homes and wearables on so many wrists, there is a clear need for robust consumer protections. Let me be clear that the Labour party welcomes the introduction of the regulations, which will provide long overdue protection for users of consumer connectable products.
Although a step in the right direction, it has been a long while coming. According to Cisco, in 2010 there were 12.5 billion devices connected to the internet. Strategy Analytics found that in 2018 that had risen to 22 billion, with much of that growth driven by smart phones and IoT devices. It was only in 2016, when the Government published their national cyber-security strategy, that they set an ambition for the majority of online products and services coming into use to be secure by default by 2021.
Responding to a question I tabled in December 2016, I was told that cyber-security was a top priority for the Government. It was a top priority, however, that inspired almost no action—a little like online harms, where legislation is still to be passed. By the time 2020 came around, the Government had acknowledged the failure of their voluntary code of practice, and were instead proposing a new regulatory regime. As the Minister said, having legislated on the issue in 2022, we now stand to see regulations finally coming into effect in 2024.
It is clearly a case of better late than never. I understand the challenges involved in delivering a set of tech regulations on a complex and technical subject. It is right that there has been an extensive consultation on the subject, which no doubt created a wealth of information that required careful analysis. The reason I bring up the delay is that while the Government were asleep at the wheel, criminals were not. In 2016, hackers used domestic IoT devices, including televisions and baby monitors, to bring down major websites such as Twitter and Spotify. That style of attack poses huge risks to businesses and critical national infrastructure, such as our electricity grid.
Individual consumers have also been left vulnerable. Whether it is smart toys, which enable hackers to target our children, or smart alarm systems that leave people’s properties vulnerable to break-in without forced entry, these are massive and hugely damaging threats for individuals, families, businesses and our national security. In delaying action on the matter, the Government have effectively given hackers the head start.
Recent years have seen a surge in the popularity of smart devices in the home, such as smart speakers and doorbells. In 2016, Ofcom estimated that there were 13.3 million IoT connections in the UK, including 5.7 million categorised as consumer electronics. It is estimated that by 2024, that figure will have increased to 40 million. Globally, we expect that there were 14 billion connections in 2022.
There was an opportunity for the UK to get a consumer protection regime in place ahead of this recent acceleration in the uptake of smart devices. Doing so could have meant that millions of devices being bought by British consumers in the intervening period were sold securely, and it could have given a boost to our innovative businesses in that area by giving clarity of regulation. Instead, consumers and businesses have been left relatively exposed to risks. I ask the Minister, could the Government have delivered this regime more quickly?
Acting faster would have carried significant upsides for British businesses, as I have said, in adapting to the new requirements. These regulations translate the three most critical measures from the voluntary code of practice into the statute book, and, as I have said, we welcome them. However, given that mandating these recommendations seems to have remained the Government’s intention from 2020 onwards, it is more confusing as to why that was not legislated for in primary legislation, as Labour called for during the debates on the Bill in 2022. I fear that in pursuit of maintaining the Bill’s flexibility, despite expert consensus on the importance of the requirements, the Government have kicked the can down the road on providing certainty, which our businesses need in order to drive the economic growth that we all hope to see.
As the impact assessment for the SI notes, the proposals will have significant consequences for thousands of businesses, including around 170 manufacturers and thousands of retailers and charities involved in the sale of these products. In many cases, the cost of compliance would have been hard to avoid, but businesses would have benefited from earlier clarity about the scope of the regulations. That is particularly true when non-compliant equipment will need to be disposed of.
Now that the scope of the regime is finally confirmed, businesses will need guidance to ensure that the benefits of the new requirements are felt by consumers and that the detrimental business impact is minimised. The explanatory memorandum accompanying the SI promises non-statutory guidance for industry. Will the Minister commit to a timeframe for delivering that guidance, or give businesses any sign about when that might become available? As we know, small businesses do not have chief technology officers, and they need the support and help of Government.
I would also like to query some of the inconsistencies that I see in the regulations. As the Minister said, computers, laptops and non-cellular tablets, except those designed for children under 14, have been exempted. The reason seems to be that the situation, particularly the supply chain, is complicated. Could he say a little more about that?
I would also like clarity on the relationship between these measures and cellular internet of things modules or SIMs, which I think is what the hon. Member for Windsor was referring to when he spoke about vehicles. SIMs power much of the consumer connected device landscape by enabling internet access, and are often embedded. China is currently attempting to corner the global market in SIMs, which could have immense national security implications. For example, when it comes to cars, they can transmit location, the route and even videos of the driver and passenger. Will the Minister say clearly whether this legislation is applicable to SIMs? If not, why not, and what protection is to be brought forward in that regard?
Further, while the Product Security and Telecommunications Infrastructure Act gave the Government the power to create requirements on manufacturers, importers and retailers, those seem unevenly applied by this SI. To give just one example, there is no requirement for distributors of these products to publicise the defined support period, but there is such a requirement for manufacturers to do so, even though it is the distributors who often provide the direct interface with the consumer. Will the Minister explain why the Government are taking that approach, and whether they are considering further regulations applicable to distributors?
There is also very little in the SI about enforcement, but the parent Act allows for recall notices, stop notices, penalty fines and forfeiture of products, and the impact assessment says that the Office for Product Safety and Standards will be the enforcing agency and will need to buy devices to test. Will the Minister assure us that the office will have the resources it needs to do this, given the global and, as he said, complicated nature of the market for these products and the embedded nature of the connectivity modules?
I have the greatest respect for the Minister. He knows, and I am sure that he wishes it were otherwise, that his Government’s record on digital inclusion is not the best. There has been no digital inclusion target since 2014, and that has resulted in 10% of our population being excluded. Is he certain that consumers will be adequately protected by the three basic measures—as he himself referred to them—that the SI brings in? He says they will give a minimum level of security, but he also implies that they will keep our citizens safe from cyber-attacks. Does he really think that that is the case?
Regardless, we want to see consumers empowered to understand and assert their rights in this area. My final question to the Minister is whether, in addition to guidance for industry, the Government will issue guidance to consumers on digital inclusion and literacy. To conclude, we support the introduction of the regulations, which will establish much-needed protections for users of connected devices and address significant gaps in our national cyber-security. However, the Government must act fast to communicate the new requirements to businesses and consumers well in advance of commencement, and I hope the Minister will address my questions in his remarks. It is important that these regulations are a success, and I urge him to do all he can to ensure that that is the case in the build-up to April next year.
Tempted though I am to delay the Committee with long, exhaustive answers to all those points, which were well made, perhaps I could reassure colleagues on both sides of the House that we have thought about them. Some important points were made for the record, and I will try to keep my speech as short as possible. I thank you, Mr Hollobone, and the Committee: the feedback is incredibly helpful. I would value a chance to continue this discussion with those who have spoken today, many of whom have taken an interest in this subject for a long time.
Let me start with the hon. Member for Newcastle upon Tyne Central, speaking for the Opposition. I congratulate her on returning to the position that I like to think of as my shadow. It has been a pleasure working with her. I also congratulate her on being the first to mention the internet of things in this House if indeed that is verifiable—I am sure it is, digitally as well as in many other ways. On the accusation that the Government were a bit slow to move in 2021, I will just gently point out that there were some other things going on, not least the pandemic, and that we are in fact, with this, quicker than the EU that we have just left. This is an example of us being more agile and more forward-leaning.
I will also make this point. Many of us have sat through and nodded through European legislation, knowing that there is really nothing we can do to change it. This is a good example of Members of Parliament, from both sides of the House, raising important points and the Minister listening, to ensure that we get our own legislation right. I think that if we had done that a bit more, we would not have had the frustrations that we did.
On the point about the hackers having a head start, I think the truth is that technology is moving at such a pace that of course those who want to harness technology for ill generally tend to move much more quickly than the Government. That would be true were the hon. Member for Newcastle upon Tyne Central in my position. What we are doing today is moving to shut down that head start. There are genuine questions about how quickly we move and how we get it right. I make the commitment to all colleagues that this is a start and we intend to have an annual process of listening to colleagues in the House, listening to the industry and asking whether we should not be going further faster to keep up with technology. The Opposition, I know, have the monopoly on hindsight, led as they are by the extremely able Leader of the Opposition, often referred to as Captain Hindsight. I will just point out that none of us quite foresaw the pace at which this would all move. I know that Government are often not the fastest mover, but we are, here, moving more quickly than partners in Europe.
I am on a roll. I have to say that no one cheered more loudly than when I heard the hon. Member talk about business certainty. As the right hon. Member for Hayes and Harlington is a member of the Committee, I cannot help but point out that the biggest business certainty was making sure that he never became Chancellor, with his agenda of radical socialism and neo-communism. I notice—for the record—that he is no longer in his place, which is probably a good thing for business certainty.
Let me turn to the points that were raised. Perhaps, with your permission, Mr Hollobone, I can write to everyone with an update on our thinking about the timetable. We are looking to get the regulations in place as quickly as we possibly can. Perhaps I can come back to the point about the timetable, because it requires a detailed answer.
As I said, I will deal with the various points that were made. On the question of exemptions, this is a start. The Government are initially mandating security requirements that, in the opinion of the National Cyber Security Centre—this is not just my whim; it has been consulted on deeply—will have the most fundamental impact on the risks posed today by insecure consumer connectable products. We are confident that the requirements are robustly evidenced, are proportionate and are appropriate to mandate in law at this time. That is not a step we take lightly. The real key is to change the culture and to create a culture in which distributors and all those involved in the supply chains know that they are required by law to do this; they have a responsibility to consumers. However, should the Government deem it appropriate, the parent Act empowers Ministers to introduce further measures in the future, to keep pace with the changes in technology and the threat landscape. Those are powers that we intend to use, in consultation with the House.
Let me turn to the point about security updates, which a number of colleagues raised. The Government do not yet consider it appropriate to mandate and specify minimum security update periods for relevant connectable products, before the impact of the initial security requirements is known. Our mandating necessarily broad regulation across a sector as inherently complex as technology security will always run the risk of imposing obligations on businesses that are disproportionate to the associated security benefits, or leaving citizens exposed to cyber-threats. There is no consensus yet in the industry. One of the things that we hope this measure will do is trigger a broader conversation, on the timescale that we need—each year—to talk to industry about what is happening and ensure that we are keeping up to date.
Let me pick up the point about digital exclusions. A number of people asked, through the consultation, why conventional computers and non-cellular tablets were exempt. We do not have evidence at the moment that including them in the scope of the regime would significantly reduce risk. There is a mature anti-virus-software market that empowers customers to secure their own devices and, alongside this, mainstream operating system vendors already include security features in their services. As ever, we legislate in a way that we think is timely, appropriate and proportionate, trying to deal not with every single risk that one might envisage, but with those that are faced by consumers today. The result is that those devices are not subject to the same level of risk as others.
Let me turn to the point about Northern Ireland made by my hon. Friend the Member for Windsor and others. Customers across the UK will be able to benefit from the security protections that the regime aims to deliver. For selected product categories, honouring the UK’s international commitments has necessitated that the regime will apply differently in Northern Ireland. I stress that, in practice, the exemption applies to limited types of products, such as lifts, pyrotechnic articles and personal watercraft, which are regulated already under legislation contained in the Windsor framework.
We are required to ensure the smooth flow of trade under the United Kingdom Internal Market Act 2020. The Prime Minister has also committed to ensuring smooth-flowing trade within the UK. The House should be reassured that the Government’s position on that is unchanged. My hon. Friend the Member for South Thanet made another, equally important point that we need to ensure that that does not inadvertently allow in a flow of products that would not be compliant.
My hon. Friend the Member for Windsor asked about how we are dealing with automotive vehicles and the internet of things in cars. As we indicated in the April 2021 call for views on the regime, the Government intend to introduce separate regulation to cover the cyber-security of connectable automotive vehicles. To minimise an unnecessarily duplicative regulatory burden on industry, our position remains that cars should be exempted from these draft regulations, because we will be introducing a different framework. Developments in the legislative landscape have precluded the Government from including an exemption for connectable automotive vehicles in this, but we intend to bring forward that legislation as quickly as possible.
I will finish these points, if I may.
On enforcement, astute colleagues have observed that it falls under the Department for Business and Trade. The previous Parliamentary Under-Secretary of State, the Minister for Small Business, Consumers and Labour Markets, approved the recommendation for the OPSS to adopt the enforcement role for part 1 of the 2022 Act. The OPSS is part of the DBT and will therefore simply be enforcing the product security regime as the Secretary of State. It will begin enforcement functions as soon as the draft regulations come into force. To the question, I am reassured that the OPSS is properly resourced.
I have some final points. On the international aspect of the IoT security measures, the proportionality of implementing a given cyber-security measure for a product depends on a huge range of factors, from the product’s technical architecture to the settings in which it is ultimately deployed. The Government are therefore mindful of the risk of imposing obligations on businesses that may in many cases be disproportionate. The Chancellor of the Duchy of Lancaster and Deputy Prime Minister, and the National Cyber Security Centre are keeping an active watch on the importance of updating that.
On SME information, I am absolutely delighted to undertake that we will provide tailored information and guidance to assist small and micro-businesses. As colleagues have observed, they do not always have the relevant bandwidth to keep abreast of technology.
My hon. Friend the Member for South Thanet asked whether the self-certification and compliance mechanism—the duty placed on manufacturers—is sufficient to cover the risk. My answer to that would be that the draft statutory instrument is in our judgment the right place to start, but it is a start. We did not want to introduce heavy-handed legislation on day one, which would undermine business confidence and trigger huge fears in the industry. We wanted to start with something that everyone could at least acknowledge—our very important basic standards—then develop that, through consultation with the House, in a proportionate and agile way. I reinforce my comments on how that is a rather different approach from the EU one.
The hon. Member for Walthamstow made an important point about consumers. On the point about SMEs, we are actively engaging with consumer groups and we will ensure that any of their concerns are also reflected in our ongoing updates.
The hon. Member makes an important point. Perhaps I could clarify that in my written note to all Members to follow up. I think everyone would be interested in the enforceability of consumer rights.
I am sure the Committee will be pleased to know that I will not take up the Minister’s provocation as to whether waiting 14 years to address security on the internet of things is a question of hindsight. Can the Minister clarify two points that I may have misunderstood? I heard him say that distributors did have a requirement on them to publicise the information about software upgrades. I may have misunderstood that because I thought it was only manufacturers who did.
More importantly, on cars, I think the Minister is saying that autonomous vehicles are exempted. I may have missed exactly where autonomous vehicles are exempted—it was not in the list of exemptions that I had. I am happy to take a clarification on that. Obviously, not all cars are autonomous vehicles, but is the assumption that any car that has an internet connection is in some way an autonomous vehicle?
All distributors already have a duty to ensure that the goods they are selling and distributing are legal. What we are doing is placing the onus on manufacturers. Distributors take their responsibility to consumers very seriously, and the vast majority will be very concerned and actively move to ensure they are not distributing illegal goods. It is not that there is not an onus on distributors; it is that we are implementing it via the mechanism.
On the point about cars, I did not want to mislead the House—I say this as the previous Minister for the future of transport—but we are in the process of putting together legislation on the digital vehicle and the internet of things in not just autonomous vehicles but smart and intelligent vehicles generally. It is to that process that we are deferring; this SI is not focused on that.
With that, I think I have addressed the points raised. I will happily write to the Committee, and if there are any points that I have not raised, Members should feel free to collar me between now and the picking up of my pen.