Product Security and Telecommunications Infrastructure Bill

John Nicolson Excerpts
Wednesday 26th January 2022


Commons Chamber
John Nicolson (Ochil and South Perthshire) (SNP)

In 2016, the need for regulation on product security became undeniable when huge swathes of the internet went down. This included websites such as Netflix, Amazon, Twitter, Reddit and Airbnb. The attack was conducted by a botnet, an interconnected series of programmes running on a huge number of hacked devices, which overloaded the web providers with requests for access. However, unlike previous or more conventional attacks, this one did not emerge through laptops and computers. This attack came through domestic appliances. I am sure that this will sound completely ridiculous to the many people gripped by this debate: the revenge of the malevolent toaster.

The internet of things is a term given to physical objects that either have processing power or are connected to the internet, such as home security measures or even lighting. When we think of cyber-security, it is natural to think of the precautions we take when using our phones and computers, especially around personal data and online transactions. What is less well known is the risk that poor product security can have. Attacks on internet-of-things devices rose 100% in the first half of last year, and it is a worldwide problem. In the UK since the beginning of the pandemic, 49% of people have purchased an individual smart device and 57% have increased their use of internet-connected devices, yet worryingly, only one in five internet-of-things manufacturers is believed to have embedded strong security into their devices. I want to praise Which? for the excellent work it has done for consumers in investigating this sector.

As we have seen in our inquiries into tech in relation to the Online Safety Bill, it is necessary for Government to intervene, as companies will often do the bare minimum to protect users. As with online safety, one of the core solutions to product security is the principle of secure by design. It is good to see the UK Government acting to embed this principle in law, following on from the Scottish Government’s cyber resilience strategy’s aim to enshrine security by design as a foundation principle of Scotland’s cyber landscape. On the SNP Benches, we are glad that the UK Government have finally taken action on this, but there are some areas where the Bill falls short, and there is the potential to make some aspects of product security less effective.

One area of concern is that the Bill will require manufacturers to declare security flaws in their products publicly, without having a mechanism in place for automatic fixes or requiring that a fix be in place when the flaw is announced. This could make users less, not more, secure. The requirement could in effect alert hackers and malicious users to flaws without giving users the tools to fix the weaknesses, thereby ringing a bell for hackers to target those products. It has been highlighted that a majority of users will likely not have the skills to implement patching, so the benefit of the disclosure mandate, without automatic patching in place, would be without value. The Minister should look to implement requirements for automatic patching or for manufacturers to put solutions in place before the time of a public flaw disclosure.

Another oversight in the Bill is the exclusion of certain types of products, leaving millions out of scope. Internet-connected ovens, which have been targeted by malware, shutting down entire businesses, medical devices, routers and second-hand products, are all excluded from the scope of the Bill. The Bill should clarify which products are in or out of scope. Additionally, the Bill does not cover laptops or desktops, due to the existence of a developed antivirus and security software market. However, a mere 58% of people in the UK use antivirus software. Martin Tyley, head of cyber-security at KPMG UK, has called for the inclusion of laptops and desktops in the scope of the Bill, to protect the increasing number of home workers who have been targeted since the pandemic began. Even with its current flaws, which I hope the Government will be able to iron out, the Bill attempts to tackle an important aspect of cyber-security. However, this should be part of an holistic IT security approach that is taken to defend the UK’s cyber-security landscape.

I would like to mention the enforcement mechanism in the Bill. Section 26(5) makes it clear that the Secretary of State will not be able to bring proceedings in Scotland, but the Bill will still establish enforcement mechanisms and a body to carry out enforcement actions under it. As the Scottish courts and legal system will have to manage enforcement action brought in Scotland, and oversight of the Scottish legal system is devolved, it is only right that the Scottish Government have a role in developing the enforcement mechanism. Therefore, I ask the Minister to consider amending the Bill to include a duty to consult the relevant Scottish Ministers when developing the enforcement mechanism and the security requirements that are to be enforced, so as to account for the requirements of the Scottish legal system.

I also seek clarity from the UK Government on what impact the passage of the Bill will have on the powers of the Scottish Government to regulate products in Scotland. We welcome, in principle, reform of the code. We are working with civil society partners to identify ways in which the Bill can be improved in its passage.

I would like to raise one further issue. BT has highlighted Openreach’s commercial plan to upgrade 6 million properties, all of which will need agreement in order to upgrade them from the copper network. Without more ambitious reform, Openreach risks not being able to access up to 1.5 million flats, even in cases where residents want full fibre. According to BT, the Bill as it stands will not support improved connectivity to flats or rural areas, where most of the network is built above ground.

The need for a fast roll-out must be balanced with the rights of landowners, such as farmers. As we have heard, some campaigners have raised concerns about the rapid drop in rents faced by businesses hosting masts—some by as much as 90%. On this and other issues raised, I look forward to the Minister’s answers.