Product Security and Telecommunications Infrastructure Bill Debate

Department: Department for Digital, Culture, Media & Sport
We support this amendment and look forward to the Minister explaining how the important words of Her Majesty’s Government on reporting vulnerabilities can be carried out without a measure such as this on the statute book.
Lord Bassam of Brighton (Lab)

My Lords, this has been a far more interesting debate than I initially surmised it would be—

Noble Lords

Oh!

--- Later in debate ---
Lord Bassam of Brighton (Lab)

No, I give credit where it is due. I congratulate the noble Lord, Lord Arbuthnot, on his amendment because the issues that he raised and the questions posed by the noble Lord, Lord Fox, in particular, are legitimate ones.

Although this is not the place to amend or change the Computer Misuse Act 1990, as the noble Lord, Lord Fox, said, it certainly is the place to raise concerns. After all, we are talking about product security and safety. It is vital that we have appropriate safeguards in place to prevent and, if need be, punish cyberattacks and other forms of hostile behaviour online.

However, as we seek to make smart devices safer, clearly there is a role for researchers and others to play in identifying and reporting on security flaws. They need to be able to do this within the safe zone of concern, knowing that they are not themselves going to be captured by those who are responsible for cybersecurity. As I understand it, exemptions exist in similar legislation to ensure that academics and other legitimately interested parties can access material relating to topics such as terrorism. The amendment before us today raises the prospect of granting a similar exemption and defence in this particular field.

I am conscious that the noble Lord, Lord Fox, raised the spectre of auras in the form of the noble Lords, Lord Vaizey, Lord Clement-Jones and Lord Holmes of Richmond—as well as the intent of the noble Baroness, Lady Neville-Jones, who is of course very knowledgeable about the business of security and has had both professional and political responsibility in that field. However, I think that, when those auras and his own say that this is an issue of concern, we as the Official Opposition reflect that concern.

I hope that the noble Lord will engage with the noble Lord, Lord Arbuthnot, and others following Committee on this—I am sure he will—because it is a very important subject. A campaign backed by such an esteemed cross-party group of colleagues in the Committee and in another place cannot be entirely wrong. The Computer Misuse Act 1990 is the framework we have got, but it is right that it is reviewed and that something fresh is brought before us to protect us from cyberattacks in the future.

Lord Parkinson of Whitley Bay (Con)

I am very grateful to my noble friend Lord Arbuthnot of Edrom for representing the other three signatories to this amendment. I was glad to meet him and the noble Lord, Lord Clement-Jones, to discuss this yesterday.

The role of security researchers in identifying and reporting vulnerabilities to manufacturers is vital for enhancing the security of connectable products. The good news is that many manufacturers already embrace this principle, but there are also some products on the market, often repackaged white label goods, where it is not always possible to identify the manufacturer or who has the wherewithal to fix a fault. The Bill will correct that.

As noble Lords have noted, there are legal complexities to navigate when conducting security research. The need to stop, pause and consider the law when doing research is no bad thing. The Government and industry agree that the cybersecurity profession needs to be better organised. We need professional standards to measure the competence and capabilities of security testers, as well as the other 15 cybersecurity specialisms. All of these specialists need to live by a code of professional ethics.

That is why we set up the UK Cyber Security Council last year as the new professional body for the sector. Now armed with a royal charter, the council is building the necessary professional framework and standards for the industry. Good cybersecurity research and security testing will operate in an environment where careful legal and regulatory considerations are built into the operating mode of the profession. We should be encouraging this rather than creating a route to allow people to sidestep these important issues.

As noble Lords have rightly noted, the issues here are complex, and any legislative changes to protect security researchers acting in good faith run the risk of preventing law enforcement agencies and prosecutors being able to take action against criminals and hostile state actors—the goodies and baddies as the noble Earl, Lord Erroll, referred to them. I know my noble friend’s amendment is to draw attention to this important issue. As drafted, it proposes not requiring persons to obtain consent to test systems where they believe that consent would be given. That conflicts with the provisions of the Computer Misuse Act, which requires authorisation to be given by the person entitled to control access. As the products that would be covered by this defence include products in use in people’s homes or offices, we believe that such authorisation is essential. The current provisions in the Computer Misuse Act make it clear that such access is illegal, and we should maintain that clarity to ensure that law enforcement agencies do not have to work with conflicting legislation.

The amendment would also limit the use of such a defence as testers would still be subject to the legal constraints that noble Lords have described when reporting any vulnerability that the Government have not banned through a security requirement. If a new attack vector was identified that was not catered for by the security requirements, the proposed defences would have no effect. The amendment would not protect those testing products outside the scope of this regime, from desktop computers to smart vehicles. If we consider there to be a case for action on this issue, the scope of that action should not be limited to the products that happen to be regulated through this Bill. None the less, the Government are listening to the concerns expressed by the CyberUp Campaign, which have been repeated and extended in this evening’s debate.

The Home Secretary announced a review of the Computer Misuse Act last year. As my noble friend noted, the Act dates back to 1990. I do not want to stress too much its antiquity as I am conscious that he served on the Bill Committee for it in another place. His insight into the debates that went into the Bill at the time and the changes that have taken place are well heard. The evidence which is being submitted to the review is being assessed and considered carefully by the Home Office. It is being actively worked on and the Home Office hopes to provide an update in the summer.

I hope, in that context, that noble Lords will agree that it would be inappropriate for us to pre-empt that work before the review is concluded and this complex issue is properly considered. With that, I hope my noble friend will be content to withdraw his amendment.

--- Later in debate ---
Lord Fox (LD)

My Lords, once again I am a substitute for the noble Lord, Lord Clement-Jones—

Lord Fox (LD)

I know. I rise to move Amendment 17 in his name. I am grateful for the tuition that I have also had from the noble Earl, Lord Lytton—more about him shortly. Unfortunately, we are missing his huge expertise, but do not worry, I will be here to channel some of his thoughts.

This amendment seeks to ensure that any new agreements made with reference to Clause 57 and using paragraph 20 of the Electronic Communications Code must have regard to the terms of the existing agreement to ensure continuity and fairness. It aims to address outstanding concerns with the way rights are assigned when there are operators in occupation at a site. This is a complex issue and I am aware that the Minister and his colleagues at DCMS have been grappling with it as the Bill has been developed, but it is vital that the Government get this right.

The issue that the Government are trying to address was brought about by a confusion in the 2017 code. There have been some issues where operators have been prevented from getting the code rights they need to support their networks because they are already in occupation of the land and they cannot grant themselves rights.

The Government’s original consultation response and the first draft of the Bill tried to address this by changing the definition of “occupier” in the Bill. This was at Clause 57 in the original Bill. The stated policy intent made it clear that the change is intended only to address the issue that we have outlined and to ensure that when operators are in occupation of land they are able to obtain new code rights.

However, it was made clear to the Minister and his colleagues at DCMS that the original draft would in fact have much greater implications and would potentially allow operators to misuse Clause 57 as it was originally set out to modify or cancel agreements mid-term. This would be in the operators’ interest, since they could break a contract that had been agreed in good faith and move the new contract on to a new valuation basis under the 2017 “no scheme” provisions for consideration.

The Government tried to address this by removing the original draft of Clause 57 and replacing it with the new Clause 57 that we have before us today. Instead of changing the definition of “occupier” in the Electronic Communications Code, it creates a more specific code right to deal with the underlying problem.

--- Later in debate ---
Governments can, of course, turn long-held understandings on their head, as the Labour Administration in 1963—I am sure none of the Front Bench remembers—did with the residential security of tenure of rent control.
Lord Fox (LD)

I say to the noble Lord, Lord Bassam, we are coming to the Landlord and Tenant Act 1954.

The residential security of rent control caused a seizing up of the private rented sector for the next 25 years. This is something that the Landlord and Tenant Act 1954 avoided doing in the business sector by providing security of tenure, but on market rental terms. The word of warning here from the noble Earl is that Government should be careful what they wish for and how they go about any significant transition in dealing with human sentiment against actuarial robotics, and be aware of whose voices they lend their ears to.

There are apparently three routes to lease renewal: the 1954 Act, which the noble Earl believes is effectively overwritten in some instances by the 2017 code revision; the immediate pre-2017 code for non-LTA leases; and the situation that pertains for agreements following the 2017 changes. This seems a recipe for confusion, and if the noble Earl is confused, where does that leave the rest of us?

There is a lot of detail in quite a short amendment, but this is an issue. I understand, and I think my noble friend Lord Clement-Jones and the noble Earl, Lord Lytton, understand, that there needs to be some clarity over which measures apply where, and whether the Government really want to sanction wholesale renegotiations of the nature that the noble Earl, Lord Lytton, has set out. I think that is a law of unintended consequence, and it will slow down the implementation of what we want to be implemented rather than allow it to happen more quickly.