1: Before Clause 1, insert the following new Clause—
“General principles relating to product security
(1) The provisions in Part 1 of this Act should be read alongside the general principles relating to product security as outlined in subsection (2).
(2) The principles are—
(a) in regard to the security of internet-connectable products and products capable of connecting to such products, manufacturers, importers and distributors have a duty of care towards their customers to secure their privacy and safety;
(b) customers are entitled to have a reasonable expectation that manufacturers, importers, and distributors make sure their consumer connectable products meet minimum cyber security requirements before they are placed on the UK market;
(c) manufacturers, importers, and distributors should be able to demonstrate an understanding of emerging security threats and a proactive, ongoing support programme to mitigate these risks and ensure that their products are safe by design.
(3) In making regulations under Part 1 of this Act the Secretary of State must have regard to the principles outlined in subsection (2).”
Member’s explanatory statement
This amendment would introduce a set of principles relating to product security into the bill.
My Lords, I rise to move Amendment 1 in my name and that of my noble friend Lord Clement-Jones, who is sadly unable to be here today. Should your Lordships feel at times that I am going on a bit long, just think of the alternative: it could have been both of us.
I should first say in the spirit of co-operation that the aim of this amendment is wholly positive; it is designed to firmly support the intentions of the first half of this Bill—support which we heard right across your Lordships’ House at Second Reading. While introducing this part of the Bill, the Minister set out a clear need for improved security. He told us:
“The average UK household now has nine internet-connected devices, and over 50% of all UK households purchased an additional consumer connectable product during the pandemic.”
The danger to individuals is getting worse. As the Minister also said:
“In the first half of last year alone, we saw 1.5 billion attacks on connectable products—double the figure of the year before.”
With this rise in connectable devices, the Minister said:
“Thousands of people in the UK have been victims of cyberattacks.”—[Official Report, 6/6/22; col. 1033.]
I suggest that this is understating the situation—it must be tens if not hundreds of thousands—but frankly, we just do not know.
This is an international business, which preys on poor security and badly configured devices. Further, our household devices can be co-opted by sophisticated criminal or political hackers to present significant threats to our national infrastructure. That is why this part of the Bill is important; I think we all agree on that. For a connectable device to be secure, it needs to be set up right but then supported throughout its active life to meet the changing environment of security threats. We are all used to updating our laptop security regularly, but how many times have we updated other household-connectable devices? A baby alarm, for example, is never updated.
My Lords, I restate these Benches’ support for Part 1, which introduces a range of important powers and processes relating to the security of consumer-connectable products, including smart TVs, smartphones, connected baby monitors and connected alarm systems, all of which we use in our day-to-day lives. For me, the legislation that we seek to improve today is much needed and needs to move with the times and the way we live. For example, in 2006 there were just 13 million of these devices but in 2024, there are likely to be more than 150 million in the UK alone—a huge projected rise.
I am grateful to the noble Lord, Lord Fox, for introducing this sensible amendment, and to the noble Lord, Lord Clement-Jones, whose name is also on it. It seeks to introduce or suggest some guiding principles relating to product security. For me, the key principles are that manufacturers, importers and distributors have a responsibility and a duty of care to meet minimum cybersecurity requirements and look forward to emerging security threats. It seems wise and sensible to include these, so I hope the Minister will take them into account. As the noble Lord, Lord Fox, said, the exact wording of the amendment does not have to be used; it is about the principles. Indeed, it is about not just principles but practice: the message given to consumers as well as to manufacturers, importers and distributors.
I know that in other legislation the Government are often nervous about using the phrase “duty of care”, but, as the Minister knows, there are very real concerns about data collection and privacy. I suggest that this is the very least that consumers should be able to expect. While it may be said that the other principles are not necessary to include, there have been several cases of manufacturers knowing about, yet failing to act on, significant security flaws. I feel this is something we need to guard against.
6:00 pm
One further reason the amendment is appealing, and I hope the Minister will find it so, is that it will focus minds when forthcoming regulations are drawn up, not just because of the reassurance to consumers, which I have already spoken of, but for the reasons that will be discussed in the next group of amendments—they will be dealt with by my noble friend Lord Bassam. It is clear that the department needs to do more to show that there is a proper grip on these issues.
Before I close my brief comments, I want to say that I am grateful to the National Cyber Security Centre for its work in this area and I also express my thanks to the various tech and retail stakeholders, consumer groups, academics and many others who are also keen to ensure that this legislation is as workable and practicable as it can be. With that, I look forward to hearing from the Minister and hope that he will be able to reflect on this debate and think about the next steps that need to be taken between Committee and Report.
My Lords, I want to say just a couple of words because, having read this and listened, I think the amendment has a very good point. I like the concept of a duty of care, because if we do not have that, who are we worrying about? In fact, Clause 7, on “Relevant persons”, is all about the manufacturers, importers, distributors, et cetera, with nothing about the customer, the poor person who is going to get hit by it. It is a very good idea to put that in at the beginning, setting down some principles and duties, because the other trouble is that by the time that we have done all these bits and pieces, made the regulations and the provisions, we are always acting after the event. What we need is a bit of proactivity, and we get that in this suggested new clause, because manufacturers, importers and distributors would have to make sure that products met certain minimum requirements. They would need to understand what “emerging security threats” there were; in other words, thinking ahead to the next stage and not just saying, “Oh, well, it complied with those things last year”, by which time the horse has bolted and we are far too late. So, I like it.
I am grateful to the noble Lord, Lord Fox, and, in his absence, the noble Lord, Lord Clement-Jones, for their Amendment 1 and for the wholly positive intention with which it has been tabled. I was grateful to have had the opportunity to talk to them about it before Second Reading as well. As the noble Lord set out today, he has argued that customers deserve some high-level principles setting out the security protections they should expect when purchasing consumer-connectable technology. In fact, Amendment 1 goes further, as noble Lords have noted, and would require manufacturers to owe their customers a “duty of care” to protect them. We are not as keen as the noble Earl, Lord Erroll, on that.
The first problem we have with a duty of care is that it could give consumers a false sense of security. If consumers buy well-designed technology products which meet the best standards, it considerably lowers risk, but with cybersecurity there is no such thing as zero risk: the most aggressive and well-resourced hacker will find a way. Somebody may have a quality product, but have they secured their wi-fi router? Do they have some legacy technology on their network? Manufacturers of a single device do not control the whole range of apparatus which constitutes the attack surface so cannot always provide an absolute security warranty, and they cannot always predict the next attack vector.
The second problem we have is that we have learned that the security of devices is best served by standards rather than principles. If one sets standards, one can send a device to a laboratory and assure oneself that those standards have been met. If one sets principles, that does not apply. That is why the Bill is designed to give force to standards. Those standards, developed here in the UK and now adopted by Governments and jurisdictions across the globe as well as by international standards bodies, are widely recognised significantly to lower risk for consumers.
I thank the Minister for giving way. That does not answer the question of where an app starts. If I am downloading Nest for my heating system, I am getting it from an app store, so where is the regulation coming? Is it the app that is coming from the app store, or is it the connectable device law that is coming through here? In which case, I think some explicit connectivity between the apps that run the connected devices needs to be written into the Bill.
Perhaps, if the noble Lord is happy, we can explore this. The example he gives, as he knows, includes software and technology. Perhaps we can have a detailed discussion where we can work through some of those examples. I would be very happy to talk to him about them because on the question he poses the line is drawn in a different place depending on the product and its nature.
The Minister talked about standards a moment ago. If we are going to rely on standards, who is writing them? I presume that he is talking about British standards; to write a standard will take a year or two. I hope that the Government are going to fund it. We got no help from them in trying to fund stuff around age verification, even though that was core to the Digital Economy Act. If we are going to elevate it to an international standard, that will take another year or two, so we will not see any action for a long time if we are going to rely on externally written standards. I have chaired two BSI standards so far, and it does not happen just like that.
Some of the standards in this area have been set in the UK and have already been adopted by other jurisdictions, so I hope that we can give the noble Earl some reassurances. While I acknowledge his point about the time it takes for these to be adopted internationally, in some areas the UK is setting the way, and these are being picked up across the globe.
As I said, while I note the good intentions behind Amendment 1, these are the reasons why the Government are unable to support it. However, I am very happy to pick up the questions about apps and products with the noble Lord and others who wish to join that conversation. I hope that, for now, the noble Lord will be content to withdraw his amendment.
My Lords, while that was a relatively disappointing response, I am pleased that we can have the discussion about apps. I thank the noble Baroness, Lady Merron, and the noble Earl, Lord Erroll. I think he put his finger on it. If we are to keep pace with the speed of change only through a standards regime without making the companies delivering these products in some way responsible—whether through a code of practice or a duty of care, I am not quibbling—there is no way that a standards regime can keep pace with the innovative speed that international crime is running at on cybercrime.
The idea that we can chase this down the road is wholly wrong. I ask the Minister to sit down with the department and perhaps we can come up with a different way of doing it. I am totally agnostic about how we go about it, but some sense that we are not just chasing this needs to be in this Bill, otherwise it is going to be after the fact. That said, I am happy to beg leave to withdraw Amendment 1.
At Second Reading, I described my fruitless search within the Bill for a definition of the security support that a consumer might reasonably expect for consumer-connectable products in the house. This Bill takes the secondary-legislative route. Rather than set out what consumers should legally expect in terms of through-life product security support, we were promised some SIs, and we heard what the focus would be.
In a letter sent last week, the Minister gave the Government’s reasons for choosing those three areas; I will come back to them briefly. He wrote:
“we are starting with a focus on the three security requirements that will make the most substantial change to consumer device security at a proportionate cost to business”.
But why just these three? The Bill is heavily based on the Code of Practice for Consumer IoT Security, in which 13 security issues were highlighted. To be clear, the first two—“No default passwords” and
“Implement a vulnerability disclosure policy”—
match those of the Minister. Interestingly, on the third one, there is a big difference in language between the Bill—which mentions providing transparency on how long, at a minimum, the product will receive security updates—and the code, which says, “Keep software updated”.
But there are 10 other major areas. I will not list them, but the fourth is:
“Securely store credentials and security-sensitive data”.
The eighth is
“Ensure that personal data is protected”.
Why are those two not as important as the other three? I cannot fathom why those have been left out and the previous three selected. So, given the choice of 13—the Minister can look them up—what was the logic in choosing just those three and dropping the fourth and eighth in particular?
There is also the issue of changing technology. Without a set of principles, the Government’s aim is to chase technological development with a string of statutory instruments, simultaneously keeping up with the world’s most innovative companies and pitting their ingenuity against the world’s top criminals. Life is moving fast—for example, a recent issue of Wired announced the beginning of the end for passwords:
“At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using ‘Passkeys’ with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination.”
On that basis, this legislation will be partially obsolete before it is enacted.
I have one further technical problem for the Minister to explain. Once again, different bits of government are moving in parallel. A seemingly entirely different exercise—a consultation on app security and privacy interventions—was published in May this year. The suggested interventions include
“a voluntary Code of Practice for App Store Operators and Developers that is intended as a first step.”
Other possible future options set out in the document include
“certification for app store operators and regulating aspects of the Code to help protect users.”
The document then says:
“These proposals link into the National Cyber Strategy through requiring providers of digital services to meet appropriate standards of cyber security and developing frameworks to secure future technologies.”
No mention of this legislation is made.
So where does a connected device end and an app start? Where does the Bill stop and this new code of practice start? If I install my temperature control system, it will involve connected hardware and an app; which of these two pieces of government activity will cover my system, and how are they connected? The Government have not joined this up, and, once again, two things are going on with no connection to each other.
So, I borrowed some of the Code of Practice for Consumer IoT Security for this amendment, which sets out some of the principles. Proposed subsection 2(a) sets a simple obligation for “manufacturers, importers and distributors” to demonstrate a “duty of care”. Proposed subsection 2(b) sets out that
“customers are entitled to have a reasonable expectation that manufacturers, importers, and distributors make sure their consumer connectable products meet minimum cyber security requirements before they are placed on the UK market”.
Proposed subsection 2(c) calls for
“manufacturers, importers, and distributors … to demonstrate an understanding of emerging security threats and a proactive, ongoing support programme to mitigate these risks and ensure that their products are safe by design.”
The Minister would be hard-pressed to argue against these—and his planned SI on accessibility vulnerability is close to proposed subsection 2(c) anyway.
I would like to hear that the Government recognise the benefits that having clear principles in the Bill can deliver. I am sure that the Minister can see these benefits. Secondly, I am not proprietorial over the exact wording. We can use the time between Committee and Report to fine-tune and wordsmith those principles, but I hope that this is a constructive and helpful start.
Of course, we believe that the responsibility for the security of connectable products most effectively lies with the manufacturer. We expect manufacturers to take security seriously, to implement measures to develop and maintain an awareness of the security of their products, and to be up front with customers about the security support they can expect. We have tried voluntary compliance, with our code of practice which was published in 2018. We now need mandatory requirements, and that needs specific security requirements that can be independently assessed. The legislation must enable the Government to keep pace with market dynamics and the changing technological landscape—as the noble Baroness, Lady Merron, said, it is important that we move with the times. The flexibility to be able to set different security requirements for manufacturers, for importers and for distributors is key to this.
Amendment 1 in the form drafted would place an equal weight on the duties of each of these three groups to secure products. Compelling the Secretary of State to have regard to this general duty could constrain the Government’s ability to set specific security requirements in the future. Crucially, these principles could restrict the use of powers in this part of the Bill, working against the Government’s ability to bring this regime into force and impeding our ability to keep that regime future-proof. I should also say to noble Lords that industry and consumer groups have not raised the need for general principles such as this. Our efforts to engage and communicate our intentions have been clear, and the requirements we have set out for the relevant persons have been widely understood and are in line with international standards.
The noble Lord, Lord Fox, asked why the Government have chosen these three specific security requirements rather than others. During the consultation in 2019, we explored a number of options including mandating that all consumer-connectable products meet all 13 guidelines in the code of practice. They are all important, but the majority of respondents supported the option that the top three security requirements represented the most appropriate baseline, by balancing the important requirements that are testable, being applicable across a range of devices and creating the right incentives to improve security in these products. That is why the Government are initially mandating the implementation of security requirements that will make the most fundamental impact on the risks posed by insecure consumer-connectable products for consumers, businesses and the wider economy.
The noble Lord also asked about where products end and apps begin. The powers in Part 1 allow Ministers to set out requirements that include products and software. The proposals in the consultation he mentioned relate to those who operate app stores. So, while I acknowledge the good intentions behind it, I hope I have been able to set out why the Government feel that this amendment—