Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Lord Clement-Jones
Main Page: Lord Clement-Jones (Liberal Democrat - Life peer)Department Debates - View all Lord Clement-Jones's debates with the Department for Science, Innovation & Technology
Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
Lord Clement-Jones Excerpts(8 months, 3 weeks ago)
Grand CommitteeRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)
My Lords, these regulations were laid before the House on 10 July 2023, and they will be made under the powers provided by the Product Security and Telecommunications Infrastructure Act 2022 and the European Union (Withdrawal Agreement) Act 2020. They will mandate that the manufacturers of consumer connectable products made available to customers in the UK are, unless excepted, required to meet minimum security requirements.
In doing so, this instrument will complete the introduction of the UK’s pioneering product security regime, established by Part 1 of the Product Security and Telecommunications Infrastructure Act 2022. Subject to noble Lords’ approval, this regime will afford UK citizens and businesses with world-leading protections from the threats of cybercrime, as well as equipping the Government with the tools to ensure the long-term security of a vital component of the broader technology ecosystem.
Acting to secure consumer connectable products has never been more critical than it is now, as we cross the threshold of the fourth industrial revolution. Before our eyes, artificial intelligence is rewriting how we live our lives, how we deliver our priorities and the rules of entire industries. AI models are already an inextricable part of the connectable products we use every day, from the convolutional neural networks that recognise the photos of loved ones on our smartphones, to the recurrent neural networks that allow our smart speakers to respond to our requests. The data collected through consumer devices is often also a vital part of a model’s training set.
These regulations are therefore not just crucial if we are to protect our citizens and economy from the array of threats posed by consumer connectable products today but a vital step if we are to mitigate the risks, and therefore fully realise the benefits, of the AI-enabled economy of tomorrow. With the support of this House and Members of another place, this is precisely what the Government aim to achieve with these regulations.
The key provisions of this instrument are as follows. First, the regulations mandate that manufacturers comply with the security requirements set out in Schedule 1. These requirements were selected, following extensive consultation, because they are applicable across a broad range of devices and are commended by security experts as the most fundamental measures for addressing cyber risks to products and their users. This means that businesses will no longer be able to sell consumer smart products with universal default or easily guessable default passwords to UK customers. These passwords not only expose users to unacceptable risks of cyberattack but can also allow malicious actors to compromise products at scale, equipping them with the computing power to launch significantly disruptive cyberattacks.
Manufacturers will also be required to publish, in a manner that is accessible, clear and transparent, the details of a point of contact for the reporting of security vulnerabilities. It pains me to share that, despite our entrusting the security of our data, finances and even homes to the manufacturers of these products, as of 2022, less than one-third of global manufacturers had a policy for how they can be made aware of vulnerabilities. With your support, the UK aims to change that.
The final security requirement in this instrument will ensure that the minimum length of time for which a product will receive security updates is not just published but published in an accessible, clear and transparent manner. We know that consumers value security and consider it when purchasing products. Equipped with the vital information mandated by this requirement, UK consumers will be able to drive manufacturers to improve the security protections they offer through market forces.
We are confident, based on extensive policy development, consultation and advice from the National Cyber Security Centre, that these security requirements will make a fundamental difference to the security of products, their users and the wider connected technology ecosystem.
We also recognise the importance of cutting red tape or, better still, not introducing it in the first place. For this reason, Regulation 4 allows manufacturers that are already compliant with provisions in international standards equivalent to our security requirements to more readily demonstrate their compliance with our security requirements.
The instrument also sets out a list of products excepted from the scope of the product security regime. First, it excepts select product categories where made available for supply in Northern Ireland. This exception ensures that the regime upholds the UK’s international commitments under the EU withdrawal agreement, while extending the protections and benefits offered by the regime to consumers and businesses across the UK.
In addition, smart charge points, medical devices and smart metering devices are excepted to avoid double regulation and to ensure that these products are secured with the measures most appropriate to the particulars of their functions. This instrument also excepts laptops, desktop computers and tablets without a cellular connection from the regime’s scope. Engagement with industry highlighted that the manufacturers of these products would face unique challenges in complying with this regime, and in many cases where these products are in use they are already subject to suitable cyber protections. It is therefore not clear at this stage that including these products in the regime’s scope would be proportionate.
Finally, the regulations also contain uncontroversial administrative provisions, including provisions relating to statements of compliance. The regime will require that these documents accompany products, serving as an audit trail to enable compliance across the supply chain and to facilitate effective enforcement.
These regulations and the regime of which they are a part represent a victory for UK consumers. They are the first in the world to recognise that the public has a right to expect that the products available for them to purchase are secure. These measures solidify the United Kingdom’s position at the forefront of the global cyber agenda, paving the way for other nations to follow in our footsteps. I commend the regulations to the Committee.
Lord Clement-Jones (LD)
My Lords, I thank the Minister for his introduction, which gave us the context for these regulations and the risks they are designed to mitigate and prevent. I agree with him about the importance of regulating in this area but, sadly—clearly—this is not box office today. We must live with that.
I welcome the regulations as far as they go. The one bright spot is that all regulations under the original Act, with one exception, are subject to the affirmative procedure, thanks to amendments put forward by us and accepted by the Government, which were designed to implement the recommendations of the Delegated Powers and Regulatory Reform Committee. That we are discussing the regulations in this way is testimony to that.
However, the regulations do not go far enough, despite being described by the Minister as a “pioneering product security regime”. As I said at Third Reading of the original Bill, last October, we did not specify enough security requirements for IoT devices in primary legislation. There was a commitment to regulate for only the top three guidelines covered by the 2018 Code of Practice for Consumer IoT Security, namely: first, to prohibit the setting of universal default passwords and the ability to set weak or easily guessable passwords; secondly, to implement a vulnerability disclosure policy, requiring the production and maintenance by manufacturers of regularly publicly available reports of security vulnerabilities; and, thirdly, to keep software updated and ensure the provision of information to the consumer before the contract for sale or supply of a relevant connectable product detailing the minimum length of time for which they will receive software or other relevant updates for that product.
Those are now all in the regulations and I welcome that, but, sadly, many of the other guidelines were never going to be, and are not now, specifically covered in the regulations. Quite apart from the first three, there are a whole range of others: securely store credentials and security-sensitive data; communicate securely; minimise exposed attack surfaces; ensure software integrity; ensure that personal data is protected; make systems resilient to outages; monitor system telemetry data; make it easier for consumers to delete personal data; make the installation and maintenance of devices easy; and validate input data. All those are standards that should be adhered to in relation to these devices. Two of the guidelines that have not been made mandatory—ensure that personal data is protected, and make it easier for consumers to delete personal data—have been highlighted by Which? this very morning, which has produced research demonstrating that:
“Smart home device owners are being asked to provide swathes of data to manufacturers, which could compromise their privacy and potentially result in them handing their personal information to social media and marketing firms, Which? research has found”.
This is part of its press release.
“The consumer champion found companies appear to hoover up far more data than is needed for the product to function. This includes smart speakers and security cameras that share customer data with Meta and TikTok, smart TVs that insist on knowing users’ viewing habits and a smart washing machine that requires people’s date of birth. The research suggests that, despite consumers having already paid up to thousands of pounds for smart products, they are also having to ‘pay’ with their personal data”.
We need to make sure that the Government and the regulator, whether the ICO or others, are on the case in that respect.
Nor did we see any intention to introduce appropriate minimum periods for the provision of security updates and support, taking into account factors including the reasonable expectations of consumers, the type and purpose of the connectable products concerned and any other relevant considerations. During the passage of the Bill, the Government resisted that—unlike the EU, which has imposed a five-year mandatory minimum period in which products must receive security updates. So consumers in Northern Ireland, for instance, are going to be far better off as a result of the TCA and the Windsor agreement.
That has inevitably followed through into these disappointing regulations, but they are even more disappointing than previously anticipated. Online marketplaces are not covered. Why not? My noble friend Lord Fox tabled an amendment on Report that sought to probe whether online marketplaces would be covered, a question that I think we all agree is of great importance. My noble friend quoted a letter from the noble Lord, Lord Parkinson, dated 21 September 2022 stating that
“businesses need to comply with the security requirements of the product security regime in relation to all new consumer connectable products offered to customers in the UK, including those sold through online marketplaces”.
In response, the then Minister, the noble Lord, Lord Kamall, said:
“The Bill will ensure that where online marketplaces manufacture, import or sell products, they bear responsibility for the security of those products. Where this does not happen, I assure noble Lords that they should make no mistake: the regulator will act promptly to address serious risk from insecure products, and work closely with online marketplaces to ensure effective remedy”.
I accepted that assurance. I said:
“As regards the online marketplaces, I am grateful for those assurances, which are accepted and are very much in line with the letter”.—[Official Report, 12/10/22; cols. 794-95.]
That was the assurance that was given and accepted.
Lord Clement-Jones (LD)
The Minister has moved on from talking about periods of assurance for consumers. I mentioned the EU introducing its five-year rule and the Northern Ireland aspect. That is rather useful for the Government to be able to see the impact of putting down a marker on a five-year period, because there is no alternative under the TCA and the Windsor agreement. Will the Government undertake to review how it is working in Northern Ireland? If it is working well and they think it is practical, will they introduce it across the UK?
Viscount Camrose (Con)
That is an interesting experimental chamber to have, because we can compare the two regimes, so I am happy to make that commitment, yes.
The assurances about online marketplaces from my noble friends Lord Kamall and Lord Parkinson remain true. Products sold through online marketplaces are subject to the same requirements as all other products. No regulation is perfect and, if relevant parties do not comply, the parent Act empowers the Secretary of State, or those whom the Secretary of State has authorised to carry out enforcement functions, with robust powers to address non-compliance, including monitoring the market, warning consumers of risks and, where appropriate, seizing products and recalling products from customers.
The Government have made it clear that they expect online marketplaces to do more to keep unsafe products off their platforms, and are conducting a review of the product safety framework. The product safety review consultation is open until 24 October. Following this, we will review and analyse stakeholder feedback and publish a government response. Any legislation will be brought forward in line with parliamentary procedures and timetables, which will include proposals to tackle the sale of unsafe products online. Officials will continue—
Lord Clement-Jones (LD)
I apologise to the Minister, but what is the reason for having two separate processes for manufacturers and online distributors? The assurance that I quoted could not have been clearer, and we all thought that these regulations would include not only manufacturers but online distributors. It still baffles me and I am sure it baffles the noble Lord, Lord Bassam, as well. The logic of doing it in two separate tranches entirely escapes me.
Viscount Camrose (Con)
The processes we have put here resulted from extensive consultation with the stakeholders, both the manufacturers and the retailers.
Lord Clement-Jones (LD)
So the Minister is saying that the retailers did not like it, did not have the systems required and could not do things quickly enough—despite the fact that some time has elapsed, as the noble Lord, Lord Bassam, mentioned—so they said, “Not now, Josephine”, basically.
Viscount Camrose (Con)
No, the consultation took place with a wide range of civil society and other stakeholders. Mechanisms are in place to update, should it not prove to be as proportionate as we believe it is. The Government are also engaging directly with online marketplaces to explore how they can complement the product security regime and further protect consumers.
On the question of how the regime accounts for the possibility of changing international standards, the instrument references specific versions of ETSI EN 303 645 and ISO/IEC 29147. Were the standards to be updated, the version cited would still be the applicable conditions in Regulation 2. Noble Lords should rest assured that any action by the Government to update the standards referenced in the regime would require further parliamentary scrutiny.
Turning to computers, we do not have evidence that including such products in the scope of the regime would significantly reduce security risk. There is a mature anti-virus software market that empowers customers to secure their own devices. Alongside this, mainstream operating system vendors already include security features in their services. The result is that they are not subject to the same level of risk as other consumer devices.
On smart meters and data, the smart metering product market is already regulated through the Gas Act 1986, the Electricity Act 1989 and the Smart Energy Code. Smart metering products are subject to tailored cyber requirements that reflect their specific risk profile. This exception ensures that smart meter products are not subject to double regulation without compromising their security.
Viscount Camrose (Con)
I have to confess that my familiarity with some of that legislation is a bit limited, but I was attempting to convey that the full extent of the regulation covering those devices is collectively included in those three instruments. I recognise that that is not a wholly satisfactory answer, so I am very happy to write to the noble Lord. That legislation mandates compliance with the code collectively, which is kept up to date and includes robust modern cyber requirements. The UK already has a robust framework for data protection. While I absolutely agree that it is important, it is not the subject of these regulations.
I would like to return to a matter that I addressed earlier and point out that the cyber resilience Act that the noble Lord mentioned will in fact not, as per the current agreed version of the Windsor Framework, come into effect in Northern Ireland. The point remains that we will monitor its impact on the continent. I beg his pardon for not being clear about that.
Turning to the matters raised by the noble Lord, Lord Bassam, we agree that the challenges posed by inadequate consumer connectable product security require urgent action. However, regulating a sector as heterogeneous as connectable technology in its diversity of devices, user cases, threat profiles and extant regulation also requires careful consideration. We feel that we have acted as quickly as was appropriate, and in doing so we acted before any other nation.
On the role of distributors in communicating the defined support period to customers, products made available to consumers in the UK, or those made available to businesses but identical to those made available to consumers, are required to be accompanied by a statement of compliance, which will contain information about the minimum security update period for the product. Retailers are in fact required to ensure that the statement of compliance accompanies their product.
In addition, the SI requires manufacturers to publish information about the minimum security update periods, alongside invitations to purchase the product where certain conditions are met. The Government have no immediate plans to make it mandatory for the distributors of these products to publicise the defined support period. However, we encourage distributors to take this action voluntarily. If the manufacturer fails to publish the defined support period, the enforcement authority can issue notices demanding that the manufacturer make the necessary corrections, or demand that importers or distributors stop selling the product. It can also seize products and recall them from end users.
We will of course be monitoring the effectiveness of the product security regime when it comes into effect. If evidence emerges suggesting that further action to ensure the availability of the defined support period at points of purchase would be appropriate to enhance and protect the security of products and their users, the PSTI product security regime empowers Ministers to take such action.
In conclusion, I hope noble Lords will recognise the benefits that this regime will bring to the UK public and its ground-breaking influence on the world stage.
Lord Clement-Jones (LD)
Before the Minister sits down, I wonder whether he could return to his notes on the cyber resilience Act. I heard what he said but it may have been a slip of the tongue because he said that it has not yet come into effect but we will monitor its impact on the continent. I think—at least, I assume—that he meant we will monitor its impact when it comes into effect in Northern Ireland. It will inevitably come into effect into Northern Ireland, will it not?
Lord Clement-Jones (LD)
Perhaps the Minister could write to me or to us. The fact, as I understand it, is that the Act is a piece of EU legislation that is going to come into effect across the EU under the Windsor agreement and the TCA. Northern Ireland is subject to EU legislation of that kind; it will therefore come into effect in Northern Ireland and we will be able to monitor its impact there. So, it is not just a question of monitoring its impact on the continent. We have a homegrown example of how it will be implemented—a test bed.