Product Security and Telecommunications Infrastructure Bill Debate

Department: Department for Digital, Culture, Media & Sport

Product Security and Telecommunications Infrastructure Bill

Ruth Edwards Excerpts
Wednesday 26th January 2022


Commons Chamber
Lucy Powell

The right hon. Gentleman is absolutely right that the Bill and the previous code mean that those cricket grounds, sport clubs and churches in all hon. Members’ constituencies that had phone masts put on their property in good faith to give them income that they would not otherwise have, which in many cases keeps them going, have been offered dramatically reduced rents but are forbidden by law from taking the masts down. They are between a rock and a hard place. It will put many of those community groups, and the roll-out, at risk.

There is a real risk that the Bill will hamper, rather than support, faster broadband and 5G roll-out, so what assessment has the Secretary of State made of the effect of the 2017 changes on rent levels and on the speed of roll-out? Given that previous reforms to the code have resulted in no demonstrable improvement, what makes her think that strengthening the hand of telecoms firms will speed up the roll-out, rather than simply allowing them to increase their profits further? I think that is the thinking behind the now not-selected reasoned amendment tabled by the right hon. Member for New Forest West, with which I have a great deal of sympathy.

The Opposition support the broad approach of the Bill, but the security measures are too little, too late and are behind the technology curve rather than in front of it.

Ruth Edwards (Rushcliffe) (Con)

I am listening to the hon. Lady with interest and I think that security is an issue on which we can work across the House. What specific measures from the 2018 “Secure by Design” guidance does she think should be included in the Bill but are not at the moment?

Lucy Powell

I am coming to the end of my speech, but there are a number of issues that could have been included in the Bill, some of which I have outlined. There are security issues, and there are new waves of technologies that are not in the Bill’s scope; as the Secretary of State rightly pointed out, they are coming on us really quickly. Bills like this one tend to come three or four years behind the technology, rather than ahead of it. That is what I would like us to work together to address.

In conclusion, we fear that these telecommunications infrastructure measures could further hamper the Government’s pretty woeful record on broadband and 5G infrastructure.

--- Later in debate ---
Ruth Edwards (Rushcliffe) (Con)

I start by declaring my interests. Much of my previous career was spent in the cyber-security industry, and in the four years before being elected to Parliament, I led commercial strategy and public policy for BT’s cyber-security team. BT was one of the companies that helped to design the Secure by Design code of practice, some of which we are putting into law through the Bill. Also, I have recently undertaken cyber-security work for MHR, which is set out in my entry in the Register of Members’ Financial Interests, although the company does not produce consumer devices, connected or otherwise.

In some ways, cyber-security was good preparation for politics—for example, waking up to nightmare headlines such as,

“Attack of the refrigerators! The cyber-threats lurking in your home”

and

“Is your smart TV too wise? The FBI warns your screen is watching you”

and

“HACKED IN THE HOME: Your entire home could be HACKED with these simple mistakes, cyber-experts warn”.

Perhaps the most disturbing one I have seen is:

“Hacker who stole nude self-portraits of George W. Bush jailed for four years”.

I am all for being tough on crime, but surely in that case the perpetrator had already suffered enough.

Alarmist headlines aside, the Bill is very much needed to protect our constituents. The average UK household has nine connected devices, and the security on most of them will be poor. Information about how secure the devices are, or how long they will receive security updates for, is unlikely to have been provided when they were sold. What are the risks? There is a huge impact on our constituents’ privacy. Your TV really could be watching you. Two years ago, footage stolen by hackers from home security cameras in Hong Kong was sold to pornographic websites—a huge invasion of people’s intimate private moments. There are numerous reports of baby monitors being hacked by paedophiles.

There is also the danger of hackers using a fairly innocuous connected device as a gateway to jump to other devices and steal valuable information. An infamous example from the business world is the attack in 2013 on Target, one of the top five retailers in the US. Criminals gained access to its network through a supplier connected to an external vendor portal. They then stole the details of 40 million customer credit and debit cards. The supplier just provided air-conditioning. The total cost of the cyber-attack was more than $200 million. That is one hell of an expensive air-conditioning bill. There was also an attack on a casino, where hackers gained entry to the network through the thermometer of a fish tank.

Once they have a foothold in the home, hackers can access other devices that are not properly secured. There is a real danger that sensitive information relating to a constituent’s health or their financial information could be compromised, but how common is that really? Is it just a case of a few alarmist headlines? The consumer watchdog Which? ran an interesting experiment last year. It set up a smart home with a range of consumer devices, from kettles to thermostats, televisions and security devices, all connected to the internet. It experienced 12,000 hacking or scanning attempts in a week. At one stage, it experienced up to 14 hacking attempts an hour. We have a problem, therefore, but not a problem of which many people are aware. A recent report that surveyed 2,000 UK consumers found that people were largely unaware of the risks. Some 48% of respondents were not aware that hackers could hijack their connected devices.

Unsecured consumer devices are also a real risk to our digital infrastructure. Hackers who control connected devices can harness their collective power into a botnet—a network of devices that can be used to launch denial of service attacks on our digital infrastructure. The Secretary of State referred earlier to the Mirai botnet. What is interesting is that it is thought to be the first botnet to harness the power of insecure consumer devices or the internet of things. At its peak, it had about 600,000 devices—baby monitors, radios, cameras—at its beck and call. You and I would not necessarily have noticed it, Mr Deputy Speaker, until the day it launched an attack on the domain name service provider Dyn in 2016. In doing so, it took out Netflix, PayPal, Amazon, Visa, Reddit and Airbnb for the best part of a day.

Contrary to some of the claims we have heard from those on the Opposition Benches, the UK has always been a world-leading cyber-power. Back in 2011, we were one of the first countries in the world to publish a cyber-security strategy. It recognised the risks and opportunities that cyber-security brought to nation state relationships, critical infrastructure, business, consumers and society as a whole. We have always been out in front when it comes to protecting people, businesses and critical infrastructure.

In the 2016 refresh of the national cyber-security strategy, the Government moved from relying on a market-based approach to protect consumers, to a more active role through the UK’s active cyber defence programme, which makes the infrastructure of the UK’s internet more difficult for cyber-criminals to exploit. It does that through measures such as improving the security of internet protocols—the method by which data is sent from one computer to another—and domain name system filtering that blocks access to sites known to host malware, such as phishing sites. The 2016 strategy also committed to publishing guidance on how to improve the default security of consumer products. There are three measures on that in the Bill. As we know, it forms the basis of similar codes used in India and Australia, but it also forms the basis of the first global technical standard for consumer cyber-security products. So far from being behind, the UK is the leading country in the world on this issue.

As has been set out, the three measures put forward are: banning default passwords; implementing a vulnerability reporting scheme; and informing consumers how long a product will receive security updates for at the point of sale. They are really necessary because, I am sorry to say, we have not seen the response from industry that we should have. Too many manufacturers are still not taking responsibility for ensuring their products have the basic security that our constituents need. Too many still shunt their security responsibilities on to the users of their products.

We need to call time on this. The digital economy is growing and holds huge opportunities, but those who benefit from its growth should also be investing in the safety and security of its users. We are still, in my view, only on the cusp of the fourth industrial revolution, the fusing of our digital and physical worlds. Cyber-security needs to be a part of that revolution to ensure that the inevitable risks are outweighed by the opportunities.

--- Later in debate ---
Chris Elmore (Ogmore) (Lab)

It is a pleasure to close this Second Reading debate. The first job of any Government is to keep their citizens safe, and I am glad that the security elements of the Bill were developed in conjunction with the National Cyber Security Centre and the Department. Her Majesty’s Opposition have the utmost confidence in our national security services, which go to such incredible lengths to keep us all safe in an increasingly difficult online world.

A number of speeches have been made by Members on both sides of the House, but let me deal first with what was said by my hon. Friends the Members for Ealing North (James Murray) and for Luton South (Rachel Hopkins), both of whom spoke about the notspots in their constituencies and the increasing problems with access to tech. People may have the “plumbing” that can provide a good standard of broadband, but they may not have, indeed may not be able to afford, the equipment that would give them access to it.

We in the Labour party put security at the heart of everything we do, and it is owing to that desire to see people in this country safe in cyber-space that we will not oppose the Bill. However, there are issues that we feel should be addressed in it, some of which have already been mentioned today.

The product security measures in part 1 contain proposals that Labour fully supports. They include a ban on devices that come with easy-to-guess passwords such as “default” and “admin”, and oblige firms to make such vulnerabilities public knowledge, with those failing to comply being threatened with large fines. That is especially prudent as it institutes common-sense rules for sellers to follow, and ensures that consumers are more engaged in cyber-security. Basic cyber-hygiene is paramount, and measures such as changing default passwords would do a great deal to improve devices’ security by, in theory, adding an additional layer of protection. However, we agree with many in the industry that certain measures could have gone further, and we will continue to hold the Government to account in the areas where we believe that to be the case.

While the pursuit of increased security on devices is laudable, there are concerns about the practicality of such changes. If each device is now legally bound to have a private password, who will be responsible for managing it? Given the plethora of smart devices that we all use, I am sure that we have all forgotten a password or two; I certainly have. If a device needed to be repaired and the user had forgotten the password, how would the specialist repairing the phone gain access? Many in the industry believe that that could potentially lead to a situation in which manufacturers might have to provide “super-user accounts” or “backdoor access”.

The Bill also introduces the mandating of manufacturers to tell consumers at the point of sale about the product’s lifespan and for how long it will receive security updates. While we can all agree that more transparency is a good thing for customers, if security updates are available for a few years—as is the case with Android phones, for example—surely that will lead to built-in obsolescence, meaning, in this case, smart devices being excluded from key security updates after a relatively short lifespan.

Ruth Edwards

The point is that the companies providing the devices will stop giving out security updates anyway. All that the Bill is doing is ensuring that users are informed of when that will happen. It is not forcing in any obsolescence; it is merely giving consumers choice by enabling them to know when those security updates will be stopped.

Chris Elmore

I take the hon. Lady’s point, but not everyone can afford simply to keep on replacing their technology. [Interruption.] I gave way to the hon. Lady, so she should at least give me the courtesy of allowing me to respond. It is quite simple, is it not? [Interruption.] Government Members do not like it, do they? Perhaps this is not an issue in her constituency, but I bet it is. If a company says, “You will not receive security updates after X amount of time”, people will naturally assume that they have to replace their device. We have heard from Members from across the House today that not everyone can afford to keep replacing devices based on the security that is put in front of them.

All I am asking of the Minister is to work with the industry to ensure that if updates could be taken over a longer period, it is not simply a binary issue of saying, “This device will no longer be updated.” It is as simple as that: we are just trying to make sure that people can afford to keep the devices they own. In many cases, people will save for years to pay for devices or do it through hire purchase.

Ruth Edwards

Will the hon. Gentleman give way?

Chris Elmore

I will not, no, because the hon. Lady does not like the answer—that is the problem, is it not?

We must also consider the wider view that part 1 of the Bill is limited in scope. However, it is clear to all of us here today that no one nation can legislate the internet. Part 1 does provide some desperately needed security responsibilities for the consumer, combined with giving them the necessary information to make informed choices about how they manage the basics of their own digital lives. The pandemic has only served to accelerate the shift to digital, and with that comes the question of increased security and safeguards online.

Now let us turn to part 2 of the Bill. I do not often say this, but I am in almost complete agreement with the right hon. Member for New Forest West (Sir Desmond Swayne)—that is an odd experience, after so many years in the House with him. A number of Members have spoken about constituency issues relating to the changes to the code in 2017, including the hon. Members for North Dorset (Simon Hoare) and for St Albans (Daisy Cooper). It is a good job I am a Welsh MP, because the hon. Members for Ceredigion (Ben Lake) and for Carmarthen East and Dinefwr (Jonathan Edwards) have also done so. I pay particular tribute to the hon. Member for Stroud (Siobhan Baillie), who spoke honestly about what many community groups, farmers, landowners, churches and many other organisations across her constituency are facing, and I agree with her.

We are asking the Government for a review, for it to be fair and for it to provide assurance to those organisations, many of which were the backbone of supporting communities up and down the land during the pandemic, whether through feeding us, taking us in collective worship or offering support to our children and young people. These community organisations deserve our support and we need to ask the Government to follow through on their commitment to undertake a review this year, which was part of the original commitment from a number of years ago. I pay tribute to the hon. Lady for saying that.

On part 2 and the current state of our country’s telecommunications infrastructure, we do have some concerns, as set out by my hon. Friend the Member for Manchester Central (Lucy Powell), the shadow Secretary of State. Having inherited a world-leading position from the last Labour Government, since 2010 the Conservatives have cultivated a culture of missed targets, stunted ambition, and ultimately, stagnation when it comes to our telecommunications infrastructure. The last Labour Government recognised the central role that connectivity would play in the economy of the future, and rightly placed the issue front and centre. As a result, we delivered first-generation broadband to about 13 million UK households by 2009, which shows that large digital infrastructure projects can be delivered at breakneck speed.

To put it simply, we had a vision that we made a reality. Ambitions can be delivered at this sort of speed only when there is real effort, action and long-term planning on behalf of Ministers. Unfortunately, we are not getting that from the current Administration. As has become the norm with this Government, bold and exciting-sounding targets are made in public, only to be quietly watered down at a later stage. The Prime Minister came into office promising full-fibre broadband “by 2025”. His Government then realised that they were not going to be able to deliver it, so they reduced the target to full gigabit broadband by 2025. Realising they also could not deliver that, they landed at the current target of 85% gigabit broadband by 2025. Several bodies, including the Public Accounts Committee, the Select Committee on Digital, Culture, Media and Sport, and many industry experts, now doubt that the Government are even going to achieve that. Dither, delay, disappointment—this has become the norm under this Conservative Government.

The primary concern is that this Bill fails to address the fundamental flaws introduced in the ECC. The code did not receive the necessary scrutiny, resulting in an imbalance between mobile operators and property owners. The Law Society’s analysis makes it clear that the Bill fails to address fundamental flaws in the code that are holding back the roll-out across the country. We are now concerned that the measures in this Bill may slow the 5G roll-out further by disincentivising small building owners and landowners, such as churches, community groups, sports clubs and farmers, from hosting phone masts.

This all began when the Government introduced the ECC in 2017, permitting telecoms firms to renegotiate rents for phone masts down by as much as 90%. Despite promising that the reductions in rent would, in reality, be no more than 40%, this has not held true and the rent reductions have far exceeded that figure. It was deeply disappointing to hear the Secretary of State say to the right hon. Member for New Forest West that there will be no review, despite there being promises to the contrary—yet another broken promise to the people of this country.

The Government have created a framework that allows telecoms companies to dramatically reduce their costs at the expense of businesses, sports clubs, farmers, small landowners and community organisations. I know the Minister will have heard at first hand from a number of organisations across the country that rely on this small but crucial source of income. It is therefore of the utmost importance that the Government review the Bill to make rental valuations for telecoms masts fairer.

We heard from the hon. Member for Stroud about the David and Goliath issue of a big telecoms company versus a church, sports club or scout hut. It surely cannot be in the Conservative Government’s interest simply to ignore all the groups across the country that are in desperate need of the regular income that has been ripped away from them for reasons they still do not really understand.

I finish with a couple of questions for the Minister. Will the Government stand by their 2017 commitment that rent reductions should be no more than an absolute maximum of 40%? Will she look to make a statement, or at least issue guidance, to establish a clear expectation of land valuation that removes the impasse between telecoms companies and site owners? Finally, will she commit to looking at the evidence base and undertake a full economic review of the code by the end of 2022, as was promised during the passage of the previous Bill?

The Opposition want to ensure that every community across the UK has the very best opportunities when it comes to connectivity, whether it be in people’s homes or to allow small businesses to start up right across the United Kingdom. We want the Government to share in that ambition and to keep their promise to deliver improved digital infrastructure. We ask the Minister to step up and deliver these much-needed improvements across the UK.