Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 Debate

Department: Department for Science, Innovation & Technology

Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

Lord Bassam of Brighton Excerpts
Thursday 7th September 2023


Grand Committee
These are tiny footsteps towards gaining trust for IoT devices. I pay tribute to all the work that UCL did in this area of research about what is needed for IoT devices, but we still have quite a long way to go.
Lord Bassam of Brighton (Lab)

My Lords, I am grateful to the Minister, as ever, and to the noble Lord, Lord Clement-Jones, for his contribution. He had lots of questions, as ever, many the same as those we asked during the passage of the Bill.

The Product Security and Telecommunications Infrastructure Act creates a regime that has three purposes, which the Minister set out. They are to minimise default or easy-to-guess passwords, to maintain an awareness of security threats and publish contact information for use by consumers and owners, and to encourage greater transparency about how long the products covered by this legislation will receive security updates and support. I agree with the noble Lord, Lord Clement-Jones, that these are low-hanging fruit for regulation. We should look at this instrument as a small step in the right direction.

With that in our minds, we supported the PSTI Bill during its passage and, in common with other Members of the House, tabled and supported a number of amendments to go further than the Government wished.

The requirements being imposed on manufacturers are widely supported by consumer groups, although they are rightly very nervous and watchful of the direction in which the legislation takes us in terms of data. Questions are being asked about whether the standards are sufficient and what role, if any, distributors will have in improving consumer knowledge of security issues.

As discussed in a debate earlier this week, people’s habits with regard to data and the digital world have changed enormously over the past few years. This includes the rapid take-up of smart and connectable devices, such as smart speakers, CCTV doorbells and so on. These products are highly desirable, and yet research has demonstrated that many contain significant security vulnerabilities and that consumers are generally not aware of the risks that they face.

A policy commitment was made back in January 2020 and the Bill was passed in December 2022, so why will the new regime come into force only by April next year? We understand the need for technical details to be worked through and for manufacturers to adjust their own systems, but could the Government not have moved more quickly than this? This is a fast-moving market, after all.

We supported the passage of the Bill and, as I said, worked with colleagues across the House to push the Government to be more ambitious about the regime’s scope and the security standards that should be met by manufacturers, but it seems that Ministers refused to raise the bar and continue to do so.

As the noble Lord, Lord Clement-Jones, said, Which? and others have noted that, while the Act allows the Government to place requirements on manufacturers, importers and distributors, these regulations cover only manufacturers. Is the hope that distributors and retailers will pass security information on to consumers voluntarily or is the department looking at other tailored requirements for them? If the latter, how long might this take? Perhaps the Minister could elucidate that.

It seems that every day we hear of another major hack or data breach. Some are used to defraud victims, while others harness networks of smart devices to launch attacks on major websites. Sadly, these dangers are likely only to grow, as we discovered in recent weeks, so it is vital that the Government keep their foot on the gas on these issues, rather than passing these regulations and considering them job done. There is much more to do.

Like the noble Lord, Lord Clement-Jones, I draw attention to the Which? briefing paper, reflected in a Guardian article today, which suggests that manufacturers may be using these devices to collect more data than the legislation seemingly enables, which is shocking. Asking for postcodes and date-of-birth data seems outwith the manufacturers’ immediate needs. Can the Minister throw some light on this issue? What are the Government’s intentions regarding it and how do they intend to address it? These issues of data retention and use are serious. They affect consumer behaviour, confidence and trust, and trust is a terribly important commodity in today’s world. I hope the Minister can answer those questions.

I am rather with the noble Lord, Lord Clement-Jones, on smart meters. We have one; it is a scary device, and it has become scarier in the last year as the bills have gone up. I am not sure of its value but my wife tells me it is an invaluable tool. I hope that is the case, that we can get better and more confident about the data that these things produce, and that they are in the service of the consumer rather than of the manufacturer, because that is really where we should be coming from.

Viscount Camrose (Con)

I thank the crowds of noble Lords for their valuable contributions to the debate. I will make some general comments to start and then come to specific points that noble Lords have made.

Consumers assume that if a product is for sale it is secure, but too often—I think we are in agreement on this—that is not the case. Many consumers are at risk of cyberattacks, theft, fraud and even physical danger. These regulations will change that, ensuring that protections are implemented for our commonly used items such as smartphones, smartwatches and smart baby monitors, as well as the UK citizens and businesses that use them.

Cybercrime is thought to cost the UK billions of pounds every year, with one report by Detica and the Cabinet Office estimating the total cost at £27 billion a year. In 2020-21 the National Fraud Intelligence Bureau reported receiving over 30,000 reports of cybercrime, resulting in estimated losses of £9.6 million for the victims. Cybercrime is on the rise, and vulnerable internet-of-things products are a key attack vector for criminals. This instrument is an essential step in fighting the dangers of cyber risks.

While the product security regime will come into effect only next April, with the support of this House, I want to take this opportunity to reflect on how far we have come on this agenda. The development of the regime has been supported by a huge range of officials but I extend particular thanks to Peter Stephens, Jasper Pandza, Veena Dholiwar, Maria Bormaliyska, Jonathan Angwin, Warda Hassan, Howard Cheng and Eilidh Tickle for their dedicated and diligent advice.

I thank all experts who have contributed to delivering this regime since 2016. Among them stands Professor David Rogers, to whom I pay particular thanks for his leading role in developing the Code of Practice for Consumer IoT Security on which the security requirements of this instrument are based. Lastly, I too thank Which? for being a champion of consumer security, and for holding the Government to account throughout the process of delivering these important measures and on this agenda more broadly.

I shall now respond to the questions that have been asked. On the topic of why the security baseline does not go further, a matter raised by both noble Lords, we do not believe at this stage that there is sufficient evidence to suggest that mandating security requirements beyond the initial baseline would be appropriate. Specifically, we do not currently consider it appropriate to mandate minimum security-update periods for relevant connectable products before the impact of the initial security requirements is known. Governments mandating necessarily broad regulation across a sector as inherently complex as technology security will always run the risk of imposing obligations on businesses that are disproportionate to the associated security benefits or of leaving citizens exposed to cyber threats.

However, the Government agree that, for a number of consumer connectable product verticals, implementation of the three security requirements alone would not be sufficient. Legislation, however, is not the only incentive driving the security practices adopted by tech manufacturers. Evidence suggests that consumers value and consider the security of a product when making purchasing decisions, but assume that products available for them to purchase will not expose them to avoidable security risks.

In ensuring that manufacturers are transparent with UK consumers about how a product’s security will be maintained, we expect the product security regime to incentivise improved standards of cybersecurity beyond the initial three requirements. The Government will closely monitor the impact of the initial security requirements on standards of cybersecurity across the sector, and will not hesitate to mandate further requirements using the powers provided by the parent Act if necessary.

--- Later in debate ---
Viscount Camrose (Con)

No, the consultation took place with a wide range of civil society and other stakeholders. Mechanisms are in place to update, should it not prove to be as proportionate as we believe it is. The Government are also engaging directly with online marketplaces to explore how they can complement the product security regime and further protect consumers.

On the question of how the regime accounts for the possibility of changing international standards, the instrument references specific versions of ETSI EN 303 645 and ISO/IEC 29147. Were the standards to be updated, the version cited would still be the applicable conditions in Regulation 2. Noble Lords should rest assured that any action by the Government to update the standards referenced in the regime would require further parliamentary scrutiny.

Turning to computers, we do not have evidence that including such products in the scope of the regime would significantly reduce security risk. There is a mature anti-virus software market that empowers customers to secure their own devices. Alongside this, mainstream operating system vendors already include security features in their services. The result is that they are not subject to the same level of risk as other consumer devices.

On smart meters and data, the smart metering product market is already regulated through the Gas Act 1986, the Electricity Act 1989 and the Smart Energy Code. Smart metering products are subject to tailored cyber requirements that reflect their specific risk profile. This exception ensures that smart meter products are not subject to double regulation without compromising their security.

Lord Bassam of Brighton (Lab)

The Minister has referenced two pieces of legislation which almost—this is perhaps going a bit far—predate the digital age. Is he saying that those are fit for purpose, given that much has changed since 1986, to cite one of the dates he gave, and subsequent pieces of legislation? Are they right for what we are doing now?

Viscount Camrose (Con)

I have to confess that my familiarity with some of that legislation is a bit limited, but I was attempting to convey that the full extent of the regulation covering those devices is collectively included in those three instruments. I recognise that that is not a wholly satisfactory answer, so I am very happy to write to the noble Lord. That legislation mandates compliance with the code collectively, which is kept up to date and includes robust modern cyber requirements. The UK already has a robust framework for data protection. While I absolutely agree that it is important, it is not the subject of these regulations.

I would like to return to a matter that I addressed earlier and point out that the cyber resilience Act that the noble Lord mentioned will in fact not, as per the current agreed version of the Windsor Framework, come into effect in Northern Ireland. The point remains that we will monitor its impact on the continent. I beg his pardon for not being clear about that.

Turning to the matters raised by the noble Lord, Lord Bassam, we agree that the challenges posed by inadequate consumer connectable product security require urgent action. However, regulating a sector as heterogeneous as connectable technology in its diversity of devices, user cases, threat profiles and extant regulation also requires careful consideration. We feel that we have acted as quickly as was appropriate, and in doing so we acted before any other nation.

On the role of distributors in communicating the defined support period to customers, products made available to consumers in the UK, or those made available to businesses but identical to those made available to consumers, are required to be accompanied by a statement of compliance, which will contain information about the minimum security update period for the product. Retailers are in fact required to ensure that the statement of compliance accompanies their product.

In addition, the SI requires manufacturers to publish information about the minimum security update periods, alongside invitations to purchase the product where certain conditions are met. The Government have no immediate plans to make it mandatory for the distributors of these products to publicise the defined support period. However, we encourage distributors to take this action voluntarily. If the manufacturer fails to publish the defined support period, the enforcement authority can issue notices demanding that the manufacturer make the necessary corrections, or demand that importers or distributors stop selling the product. It can also seize products and recall them from end users.

We will of course be monitoring the effectiveness of the product security regime when it comes into effect. If evidence emerges suggesting that further action to ensure the availability of the defined support period at points of purchase would be appropriate to enhance and protect the security of products and their users, the PSTI product security regime empowers Ministers to take such action.

In conclusion, I hope noble Lords will recognise the benefits that this regime will bring to the UK public and its ground-breaking influence on the world stage.