Product Security and Telecommunications Infrastructure Bill Debate
Full Debate: Read Full DebateLord Clement-Jones
Main Page: Lord Clement-Jones (Liberal Democrat - Life peer)Department Debates - View all Lord Clement-Jones's debates with the Department for Digital, Culture, Media & Sport
(2 years, 6 months ago)
Lords ChamberMy Lords, I start by thanking the Minister for his comprehensive introduction. We have had a really well-informed debate today; it has, in the words of the noble Lord, Lord Arbuthnot, been enjoyable to hear the expertise displayed around the House. As the noble Baroness, Lady Harding, made clear, a lot of the Bill will involve arguing about technical issues. I look forward to many happy hours talking about ducts and poles as we proceed.
As many noble Lords have said, the Bill clearly falls into two distinct parts. The first is a very welcome but overdue addition to the security of connected products; the second concerns a telecom infrastructure element which makes yet more changes to the Electronic Communications Code. The product security elements are a welcome follow-on to the original 2018 Code of Practice for Consumer IoT Security. As the noble Lord, Lord Arbuthnot, also said, the internet is fundamentally insecure. I pay tribute to Which? and the PETRAS National Centre of Excellence for IoT Systems Cybersecurity for highlighting security issues in connected devices, and we welcome the proposals in the Bill.
As techUK says, demand and consumer appeal rose across all categories during the pandemic, and Covid-19 saw UK consumers buying 21.8 million smart home devices—a 22% rise in volume compared with 2019. People overwhelmingly assume these products are secure, but only one in five manufacturers have appropriate security measures in places for their connectable products. While there are strict rules about protecting people from physical harm such as overheating, sharp components or electric shocks, there are currently no such rules for cyber breaches.
My noble friend Lord Fox mentioned some survey work by Which? that found that a home filled with connected devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week. There is, however, a series of issues in this area that will require amendment to the Bill. I am very sorry to disappoint the noble Lord, Lord Vaizey, in this respect—I do not know whether I should say he is from Vivaldi to Velasquez, but maybe we can continue with that later.
As my noble friend Lord Fox emphasised, at the very least there should be an upfront clause that sets out the purpose of the Bill. It should set out the minimum expectations for what a consumer should enjoy with respect to security because the danger, otherwise, is that these requirements are simply treated as a tick box. Which? has called for the three security requirements to be set out expressly as well, in Part 1 of the Bill or an appropriate schedule. At the moment, they are promised in secondary legislation without any draft being available. Will the Government supply this during the passage of the Bill so we can be vouchsafed what these three principles are going to look like? Why are only three out the six principles set out in the original guidelines covered, including minimise exposed attack surfaces and securely store credentials and security-sensitive data—can the Minister explain why these are not going to be included in the legislation?
The noble Lord, Lord Arbuthnot, raised some very interesting points about products being secured by design and access by engineers, and the noble Earl, Lord Devon, raised the very important issue about compatibility with international standards. The proposed mandatory requirements need to be matched with strong enforcement arrangements ensuring that consumers are able to get effective redress when they purchase devices that fail to meet security standards, and there need to be sufficient measures to keep people safe from harms caused by the weak security of these products. At present, the Bill gives the Secretary of State enforcement powers with the ability to delegate to a regulator. What are the Government’s intentions in this regard? What is the regulator going to be?
There are further amendments which we agree with Which? should be made to the Bill and which we will be advancing. We want to ensure that every individual device has a unique or user-set password that meets effective complexity requirements; there should be very clear provision of vulnerability disclosure policy information; and there is a variety of other aspects, such as ensuring that intermediaries, such as listing platforms, online marketplaces and auction sites, are covered as well.
The noble Lord, Lord Bassam, also mentioned the question of exemptions, and these include medical devices. These are increasingly common, and the data captured is sensitive but the regulations covering these are outdated. If they are going to be excluded, what assurance do we have from the Minister that conformity requirements are being updated for these devices to the latest security standards?
As the noble Lords, Lord Vaizey, Lord Holmes and Lord Arbuthnot, said, we have difficulties surrounding the ability to report flaws in device security. The CyberUp campaign has made the case that, without a statutory defence in the Computer Misuse Act 1990, cybersecurity researchers can still face legal action for testing and reporting a vulnerability to a manufacturer—the noble Lord, Lord Arbuthnot, raised the case of Rob Dyke. Can the Minister respond on this very important aspect—will the Government put forward an amendment during the passage of this Bill?
With the latter half of the Bill, we all seem to be trapped in a time loop on telecoms, with continual consultation and changes to the ECC and continual retreat by the Government on their 1 gigabit per second broadband rollout pledge. In the Explanatory Notes we were at 85% by 2025. Can the Minister confirm that that should now read 2026? My noble friend Lord Fox asked the Minister a number of questions about the detail, where we were talking about fixed on the one hand and broadband on the other. I very much hope he will come back on that. But how long will all those targets stick? They seem to be changed just about every six months.
There has been so much government bravado in this area, but it is clear that the much-trumpeted £5 billion announced last year for Project Gigabit, bringing gigabit coverage to the hardest to reach areas, has not even been fully allocated, and not a penny has been spent. As the noble Lord, Lord Hunt, said, this is despite the increased importance of connectivity through the pandemic and the importance of digital exclusion, as the noble Lord, Lord Holmes, mentioned.
The changes to the ECC in the Digital Economy Act 2017 were meant to do the trick. Then the electronic communications and wireless telegraphy amendment regulations 2020 were heralded as enabling
“stronger emphasis on incentivising investment in very high-capacity … networks”,
promoting “efficient” use of spectrum, and
“ensuring effective consumer protection and engagement.”
Then we had the future telecoms infrastructure review and the Telecommunication Infrastructure (Leasehold Property) Bill, where we argued about the definition of “tenant” and “rights of requiring installation” and “rights of entry”. Sadly, we were not able to include a clause that would have required a review of the Government’s progress on rollout—and of course now we know why. Even while that that Bill was going through in 2021, we had the Access to Land: Consultation on Changes to the Electronic Communications Code. That has now resulted in this Bill. It is an extraordinary saga of chopping and changing to the ECC. After all this, we are no further forward on the extent of the universal service obligation, which is so frustrating for rural areas.
Where in all this, as my noble friend Lord Fox and I have asked each time we debate these issues, are the interests of the consumer, especially the rural consumer? How are they being promoted, especially now that the market review is only once every five years? As my noble friend Lord Fox said, the big question is what has and has not worked in all these changes. I fully join with the point made by the noble Baroness, Lady Stowell, that we have not had the promised impact assessment to see where we are on the ECC and the impact it has had.
Regarding the changes to the ECC made by the Bill, we have heard a great deal from, and many noble Lords have mentioned, the Protect and Connect campaign, which represents land and property owners, including sports clubs, churches, farms and country parks. Personally, I found what the noble Earl, Lord Devon, had to say extremely persuasive. Contrary to what the noble Lord, Lord Hunt, said, and as described by the noble Lord, Lord Bassam, and the noble Baroness, Lady McIntosh—I think the phrase the noble Earl, Lord Devon, used was “taking a sledgehammer” to existing property rights—the campaign says that those it represents have been severely impacted by the changes to the Electronic Communications Code made by the Digital Economy Act 2017. It appears that, since 2017, site providers, with rent reductions of up to 90% as opposed to the anticipated 40%, have lost more than £200 million per year in income, including £60.5 million of lost local authority money, while in some cases the capex of some operators has fallen. The Protect and Connect campaign believes that the
“push for massive rent reductions, compared with existing agreements, trample over property rights, and place farmers, small land and property owners, community organisations, charities, and other site providers, who have come to rely on this rental income, in financial peril, not least because it may unfairly result in these groups being forced to refund or repay operators thousands of pounds”.
I can give the Minister some very powerful case histories. It is noteworthy that work by the Centre for Economics and Business Research shows that the 2017 changes have led to a slowdown in rollout and the current government proposals will not remedy this. What is the Government’s assessment of that CEBR response?
We have also heard support for Openreach’s position on achieving easier upgrade rights as regards installation of broadband in MDUs. Like the noble Baroness, Lady Stowell, these Benches are not yet persuaded that this will not give Openreach an unfair competitive advantage, but we look forward to having that debate during the course of the Bill.
My noble friend Lord Fox had no time to raise the implications of the Hackitt report into building regulations and fire safety, and the aspect of broadband installation. We will raise this in Committee, because we believe that could provide a solution to the MDU contact issue by providing a single point of responsibility.
That was a bit of a gallop, but I look forward to the Minister’s reply.
My Lords, I am very grateful to all noble Lords for their contributions to what I agree has been a very enjoyable debate this afternoon. I am sure these contributions will form a prelude to some further interesting and enjoyable debates in Committee and later stages of the Bill. I am grateful, too, for the excessively generous compliments from my noble friends behind me, which I am sure are an illustration of the great harmony and mutual affection for which the Conservative Party is, today of all days, renowned.
As my noble friend Lady Harding of Winscombe rightly said, this is a technical but important Bill, and I am pleased that all noble Lords from all parts of your Lordships’ House are in agreement that people from across the country should be able to benefit from faster digital connectivity and the assurance that their technology is secure. The Bill therefore comes at an opportune time, when cyberattacks are on the rise and when digital connectivity is increasingly important for all the reasons that my noble friend Lady Hodgson of Abinger and other noble Lords set out. We have heard examples in today’s debate of the benefits which will accrue to communities, urban and rural, right across the country.
I am conscious that in Committee we will go into greater detail in some of the areas which noble Lords have alluded to, but I want to respond to some of the points which they have raised in today’s debate. The noble Lord, Lord Fox, began in general terms by asking whether we ought to set out a clear explanation in the Bill of what consumers can expect in terms of product security. The fundamental purpose of the Bill, as set out in its first clause, is to embed security requirements to protect and enhance the security of connectable products and their users. That is the measuring stick against which the impact of the Bill and future regulations will be assessed.
As I alluded to in my opening remarks, there are no silver bullets in cybersecurity. Thousands of people in the UK have been victims of cyberattacks, and cybercriminals are using connectable products to attack large infrastructure as well. Our approach to connectable products lies in both the UK and wider international expertise. Our own 2018 code of practice is the foundation of the first international standard for consumer security and there is an international consensus behind this standard. We are also, through the Bill, the first to embed these protections in legislation. At the moment, some security-conscious manufacturers address these threats, but through the Bill we will now make sure that all manufacturers follow best practice in future.
The noble Earl, Lord Devon, rightly spoke of our international standing. The UK has established global leadership in this area. We have worked closely with our international partners and have seen evidence of other countries and organisations embedding the approach that we have taken in their own codes. In my opening remarks I mentioned Australia and India, which have published codes of practice with the same 13 principles which we published in 2018, but Singapore, Germany and Finland among others have made their own domestic interventions which also align with the UK’s code of practice. The European Commission has also published its intention to explore regulation for connected devices through the cyber resilience Act.
On Part 2, the noble Lord, Lord Fox, in general terms asked why we were revisiting and changing the code again. As noble Lords noted, it was substantially reformed in 2017, following the important and substantial work undertaken by my noble friend Lord Vaizey of Didcot when he was the responsible Minister. A key aim of those reforms was to make it cheaper and easier for digital infrastructure to be deployed, maintained and upgraded. The Government recognised that this would mean telecommunications site providers receiving lower payments than had previously been the case. However, those changes were introduced only following an extensive period of consultation and research and were considered necessary to reduce operator costs and to encourage the industry investment required for the UK to get the digital communications infrastructure that it needs.
The Government intended that the 2017 reforms would speed up deployment and reduce operator costs, and indeed the changes have borne fruit. However, since the changes have come into force we have also received feedback about how they have worked in practice and about some of the ongoing challenges which people face. The Bill aims to tackle those problems and to ensure that the aim and the ambition of the 2017 reforms is realised. To give an example, both operators and landowners have pointed to problems regarding negotiations, with operators saying that they take too long and landowners saying that they face too much pressure to accept certain terms. This is one of the areas we will address through the Bill.
A number of noble Lords spoke about the valuation work which came from the 2017 reforms. The new pricing regime is more closely aligned to those for utilities such as water, electricity and gas, and we think that is the correct position. Landowners should still receive fair payments which, among other things, take into account any alternative uses that the land may have and any losses or damages that may be incurred. We think that the measures in the Bill will support greater collaboration between operators and landowners and help agreements to be completed more swiftly.
The prices being paid for rights to install communications apparatus before 2017 were too high and reflected the rapid explosion that was taking place in demand for digital services; it was right that they were addressed. The 2017 reforms were intended to strike a balance between ensuring that individual landowners are not left out of pocket and making network deployment and maintenance more cost-effective.
The noble Earl, Lord Devon, and others asked about reviewing the impact of the reforms made in 2017. We recognised when the 2017 reforms were introduced that the market would need time to adapt and settle, and it would be premature to carry out a full assessment of the 2017 reforms at this time. There is not enough evidence about agreements which were completed after they came into force for a properly robust and comprehensive analysis to be made—not least, of course, because of the impact of the pandemic. However, the evidence and feedback we have received provides a compelling case that the changes we are making in this Bill will ensure that the 2017 reforms have their intended effect. Making these changes now will help to deliver the Government’s 2025 connectivity target of at least 85% of homes and businesses having access to gigabit broadband. That is not to say that we think the 2017 reforms failed. Much progress has been made. We simply think that more can and must be done to maximise their impact.
The noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Merron, asked about impact assessments. The impact assessments which accompanied the 2017 reforms did not state that the Government would undertake a full economic review of the code’s impact on rents, but in that document the Government committed to reviewing the 2017 reforms as a whole by June 2022—this month. The Government have met this commitment through their continuing engagement with interested parties, including holding monthly access to land workshops. This engagement and the issues which have been highlighted through it prompted the 2021 consultation and the measures in the Bill, which we think are needed for the aims of the 2017 reforms to be fully realised.
That sounds a bit feeble. DCMS has had workshops but has not produced a review. That does not sound like any sort of review.
The noble Lord perhaps thinks we committed to more in 2017 than we did. We have met the commitments we made in 2017 through our engagement with the industry. The points it made have informed the Bill before us. I am sure we will debate—
May I suggest that if the passage of the Bill is to be smooth, any information the Minister is able to provide about the impact, past or expected, would be extremely helpful? Otherwise, we are all going to be arguing about suppositions.
Certainly. I pointed out that the time that has elapsed since 2017 has perhaps not given us as much real data as we would have had, were it not for the pandemic, but of course we will be influenced by what have seen as we scrutinise the Bill in Committee and later.
We have heard a range of views on multiple dwelling units. The Government are aware of calls from parts of the industry for greater automatic rights to upgrade existing infrastructure in multiple dwelling units. The Government are not convinced that granting those rights is proportionate, because we must strike the right balance between private property rights and public benefits. There are other ways that operators can arrange to upgrade equipment in multiple dwelling units. They can ask for those rights and if landlords fail to reply, they will be able to use the process created through the Telecoms Infrastructure (Leasehold Property) Act 2021. If landlords refuse, operators can ask the courts to impose additional rights to upgrade existing equipment if their agreement with the landlord does not already provide them with those rights.
Other measures in the Bill encourage the use of alternative dispute resolution to support more collaborative negotiations. The Government are also considering further changes through regulations to help code disputes be dealt with more quickly. Finally, it is important to stress that there is no consensus from the industry on this issue, just as there was no consensus in our debate today. In fact, many operators have opposed the proposal on the grounds that it would create an unfair advantage for operators who already have equipment inside buildings and could therefore have anti-competitive effects.
My noble friend Lady Harding of Winscombe asked about telegraph poles. It is important that any automatic rights in relation to apparatus on, under or over private land strike a fair balance between any interference with private property rights and any public benefits that can be delivered. We think that the measures in this Bill on rights to upgrade and share apparatus under land achieve that balance. However, we have seen some evidence that further public benefits might be achieved if telecommunications poles sited on private land could be upgraded and shared more easily. Operators already have statutory rights to fly wires between these poles and it is obviously important that the legislative framework supports the effective use of these rights; we are looking into this matter closely.
A number of noble Lords touched on what is and is not in scope of Part 1 of the Bill. The Bill sets out what types of products should be treated as “consumer connectable”. This includes products that can be connected to the internet, such as routers, smart TVs, smart home products and connectable toys. I can tell my noble friend Lord Arbuthnot of Edrom that toasters are indeed in scope, although the idea of an internet-connected toaster makes me think of Wallace and Gromit. I share his bafflement at why people might want to do it, but they are in scope.
The powers in the Bill will allow the Government to update products that are in scope where changes to the wider regulatory, technological or threat landscape render this appropriate. The Government also intend to remove some products from scope where their inclusion would subject them to double regulation or where that would be disproportionate to the level of security risk. An example of such an exception is automotive vehicles, which I can tell my noble friend Lord Vaizey of Didcot include e-scooters; other examples are medical devices and smart charging points.
My noble friend Lord Arbuthnot talked about the vulnerability disclosure process. Of course, manufacturers will not see every vulnerability in their own products. Increasingly, the people best placed to spot them are everyday users and designated security researchers; but the potential point of failure here is the process for reporting those vulnerabilities to the manufacturer, which is often difficult to navigate. The security requirement will mandate a clear point of contact and the policy for the manufacturer to receive such reports and take meaningful action to address them. That is an important step forward, which, I am pleased to say, has widespread industry and expert support.
The noble Lords, Lord Clement-Jones and Lord Bassam of Brighton, the noble Baroness, Lady Merron, and others asked about future-proofing. There is a common notion that Governments are behind the curve when it comes to regulating technology, but not in this case. As well as setting the stage to introduce the regulations to which we have already committed, this Bill establishes a flexible and future-proof regulatory framework so the Government can be agile and proactive in amending and introducing security requirements in step with technological innovation. That is exactly why we have not included the three security requirements on the face of the Bill. By design, the Bill not only addresses the current problem but looks beyond it to ensure that UK consumers can be protected no matter how technologies and threats change and emerge.
My noble friend Lord Holmes of Richmond asked about the Computer Misuse Act. Colleagues at the Home Office are currently taking forward work to identify whether the proposals made in response to the review of that Act, which was launched in May last year, will assist in helping to protect the UK from cybercrime, or whether they are addressed under other programmes of work. We will provide an update to your Lordships’ House in due course, but this Bill will enhance protection for consumers and networks from the range of harms associated with cyberattacks. It equips the Government with the necessary powers to set and update security requirements within a fast-growing area of emerging technologies.
I am sorry to interrupt the Minister again, but I am frightened that he is not going to tell us who the regulator will be, explain why we are covering only three of the many principles covered in legislation in other territories, or provide us with a glimpse of the secondary legislation.
The noble Lord is eager to hear answers to questions to which I may yet turn; on some of them I will write. Work has been done to identify the regulator, but it would not be right to refer to that person at this stage and ahead of Royal Assent. I will write to the noble Lord on the other points he mentioned. I talked just now about our approach, through secondary legislation, to future-proofing and the reasons for not setting out the first three principles in the Bill. We have set out what those standards will be up front.
My noble friend Lord Holmes of Richmond spoke about the important issue of digital inclusion and skills. We run programmes to give young people the opportunity to learn digital skills and to improve their cybersecurity. More than 100,000 young people have participated in these programmes. We have expanded that with a new online training platform, Cyber Explorers, which aims to engage 30,000 young people, and DCMS funded the creation of the UK Cyber Security Council to create professional standards and pathways for cybersecurity.
The noble Lord, Lord Fox, asked about Huawei equipment in our infrastructure. The Government have undertaken a consultation with the industry on the designation of Huawei as a high-risk vendor and proposed directions relating to Huawei goods and services. The responses we receive will inform any final post-consultation decision on whether to issue the designation notice and direction. The Government have also undertaken a public consultation on a set of draft electronic communications security measures regulations and a draft code of practice, the outcome of which will be published in due course.