Draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 Debate
Full Debate: Read Full DebateTheresa Villiers
Main Page: Theresa Villiers (Conservative - Chipping Barnet)Department Debates - View all Theresa Villiers's debates with the Department for Science, Innovation & Technology
(1 year, 3 months ago)
General CommitteesI beg to move,
That the Committee has considered the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.
It is a great pleasure, Mr Hollobone, to serve under your direction and leadership this afternoon.
Consumers have a right to assume that if a product is for sale, it is safe and secure; too often, that is not always the case. Government must act to ensure that when UK consumers and business customers are purchasing consumer connectable products, they are not putting themselves at risk of cyber-attack, theft or even physical danger. Through the draft regulations, the Government are ensuring that protections are implemented for our commonly used items such as smart phones, smart watches and smart baby monitors, and for the UK citizens and businesses that use them.
Cyber-crime is thought to cost the UK billions of pounds—the total cost is estimated at about £27 billion a year—and it is on the rise, in particular cyber-crime that targets the internet of things. Vulnerable IOT products are a key attack vector for criminals, allowing them to compromise not only the device, but potentially the user’s network and the broader connected technology ecosystem. This draft statutory instrument is an essential step in fighting the dangers of such cyber-risks.
The draft regulations are made under powers provided by the Product Security and Telecommunications Infrastructure Act 2022 and the European Union (Withdrawal Agreement) Act 2020. The regulations will mandate the manufacturers of consumer connectable products made available to customers in the UK to meet minimum security requirements, unless excepted. The instrument completes the introduction of the UK’s world-first product security regime established by part 1 of the 2022 Act.
Subject to the approval of the Committee here gathered, the regime will afford UK citizens and businesses world-leading protections from the threats of cyber-crime. Research covering the first two months of this year shows that cyber-attacks targeting IOT devices have tripled since 2021, so the need for action has never been greater. The regime will also equip the Government with the tools to ensure the long-term security of a vital component of the broader UK technology ecosystem. That is especially important as frontier technologies, from artificial intelligence to quantum, allow technology to become more embedded in our economy and society than ever before.
I very much welcome the Government’s efforts to make consumer goods in the so-called internet of things safer and more secure and resilient against cyber-attack, but how confident is the Minister that the regime will work against a determined attack by a hostile state? Recently, the Intelligence and Security Committee of Parliament produced a report saying that China targets UK industry and technology “prolifically and aggressively”. Will the draft instrument be effective in protecting us from that kind of attack?
My right hon. Friend makes an important point. Perhaps I can come back to it in a bit more detail at the end of my comments, but I will make this point now: as I described, the measures will give a minimum level of security assurance to customers. This draft instrument is not the frontline, the arrowhead, of UK international counter-espionage; this is about ensuring that when people buy an iPhone or some such device, they can be confident that basic minimum standards have been met. It is not the basis on which we can all go to bed at night safe and secure, with the whole of UK critical national infrastructure secure. That work is being led by my right hon. Friend the Chancellor of the Duchy of Lancaster and Deputy Prime Minister.
I turn briefly to the basics of the draft instrument. First, on security requirements, the regulations mandate that manufacturers comply with the security arrangements that Parliament has set out in schedule 1. The security requirements are backed by security experts and have been consulted on extensively. In the view of the National Cyber Security Centre, which has been very involved, they will make the most fundamental difference to the vulnerability of consumer connectable products through the guidelines in the UK’s code of practice for consumer IOT security.
The first requirement bans businesses from selling to UK customers consumer smart products with universal defaults or easily guessable default passwords. Such passwords expose users to unacceptable risk of cyber-attack and allow malicious actors to compromise products at scale, equipping them with the computing power to launch significantly disruptive cyber-attacks.
Secondly, manufacturers will be required to publish, in an accessible, clear and transparent manner, the details of a point of contact for the reporting of security vulnerabilities. Despite previous Government interventions and the increasing threat of cyber-crime targeted at these products, less than a third of global manufacturers had any policy for how they can be made aware of vulnerabilities as of 2022.
The final security requirement will ensure that the minimum length of time for which a product will receive security updates is not just published, but published in an accessible, clear and transparent manner. Consumers value security and consider it when purchasing products. Equipped with the vital information mandated by this requirement, UK customers and their intermediaries will be able to drive manufacturers to improve the security protections that they offer through market forces.
I will turn to the conditions for deemed compliance. Where the security outcomes that we are seeking to achieve are entirely or partially delivered through broader international standards, the regime allows manufacturers compliant with those standards to more readily demonstrate their compliance with our security requirements. That is the intent of regulation 4, and schedule 2 sets out conditions based on analogous provisions in two leading international standards. Where those conditions are met, a manufacturer is to be treated as having complied with a particular security requirement. Colleagues will be pleased to know that we have tried to take the opportunity to reduce process-driven bureaucracy and make it easy for proper compliance to be demonstrated in the interest of consumer protection.
The excepted products protocol in the instrument sets out a list of products that we have exempted from the scope of the product security regime. First, select product categories made available for supply in Northern Ireland are exempted. That exemption ensures that the regime upholds the UK’s international commitments under the EU withdrawal agreement while extending the protections and benefits offered by the regime to consumers and businesses across the UK. Additionally, smart charge points, medical devices and smart metering devices are exempted to avoid double regulation and to ensure that those products are secured with the measures most appropriate to the particulars of their functions. To answer the point raised by my right hon. Friend the Member for Chipping Barnet, we would not want to rely on these regulations alone for the safety of medical devices; they are covered, quite rightly, by far more extensive regulations through the Medicines and Healthcare products Regulatory Agency.