Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

Considered in Grand Committee

Moved by

That the Grand Committee do consider the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

My Lords, these regulations were laid before the House on 10 July 2023, and they will be made under the powers provided by the Product Security and Telecommunications Infrastructure Act 2022 and the European Union (Withdrawal Agreement) Act 2020. They will mandate that the manufacturers of consumer connectable products made available to customers in the UK are, unless excepted, required to meet minimum security requirements.

In doing so, this instrument will complete the introduction of the UK’s pioneering product security regime, established by Part 1 of the Product Security and Telecommunications Infrastructure Act 2022. Subject to noble Lords’ approval, this regime will afford UK citizens and businesses with world-leading protections from the threats of cybercrime, as well as equipping the Government with the tools to ensure the long-term security of a vital component of the broader technology ecosystem.

Acting to secure consumer connectable products has never been more critical than it is now, as we cross the threshold of the fourth industrial revolution. Before our eyes, artificial intelligence is rewriting how we live our lives, how we deliver our priorities and the rules of entire industries. AI models are already an inextricable part of the connectable products we use every day, from the convolutional neural networks that recognise the photos of loved ones on our smartphones, to the recurrent neural networks that allow our smart speakers to respond to our requests. The data collected through consumer devices is often also a vital part of a model’s training set.

These regulations are therefore not just crucial if we are to protect our citizens and economy from the array of threats posed by consumer connectable products today but a vital step if we are to mitigate the risks, and therefore fully realise the benefits, of the AI-enabled economy of tomorrow. With the support of this House and Members of another place, this is precisely what the Government aim to achieve with these regulations.

The key provisions of this instrument are as follows. First, the regulations mandate that manufacturers comply with the security requirements set out in Schedule 1. These requirements were selected, following extensive consultation, because they are applicable across a broad range of devices and are commended by security experts as the most fundamental measures for addressing cyber risks to products and their users. This means that businesses will no longer be able to sell consumer smart products with universal default or easily guessable default passwords to UK customers. These passwords not only expose users to unacceptable risks of cyberattack but can also allow malicious actors to compromise products at scale, equipping them with the computing power to launch significantly disruptive cyberattacks.

Manufacturers will also be required to publish, in a manner that is accessible, clear and transparent, the details of a point of contact for the reporting of security vulnerabilities. It pains me to share that, despite our entrusting the security of our data, finances and even homes to the manufacturers of these products, as of 2022, less than one-third of global manufacturers had a policy for how they can be made aware of vulnerabilities. With your support, the UK aims to change that.

My Lords, I thank the Minister for his introduction, which gave us the context for these regulations and the risks they are designed to mitigate and prevent. I agree with him about the importance of regulating in this area but, sadly—clearly—this is not box office today. We must live with that.

I welcome the regulations as far as they go. The one bright spot is that all regulations under the original Act, with one exception, are subject to the affirmative procedure, thanks to amendments put forward by us and accepted by the Government, which were designed to implement the recommendations of the Delegated Powers and Regulatory Reform Committee. That we are discussing the regulations in this way is testimony to that.

However, the regulations do not go far enough, despite being described by the Minister as a “pioneering product security regime”. As I said at Third Reading of the original Bill, last October, we did not specify enough security requirements for IoT devices in primary legislation. There was a commitment to regulate for only the top three guidelines covered by the 2018 Code of Practice for Consumer IoT Security, namely: first, to prohibit the setting of universal default passwords and the ability to set weak or easily guessable passwords; secondly, to implement a vulnerability disclosure policy, requiring the production and maintenance by manufacturers of regularly publicly available reports of security vulnerabilities; and, thirdly, to keep software updated and ensure the provision of information to the consumer before the contract for sale or supply of a relevant connectable product detailing the minimum length of time for which they will receive software or other relevant updates for that product.

Those are now all in the regulations and I welcome that, but, sadly, many of the other guidelines were never going to be, and are not now, specifically covered in the regulations. Quite apart from the first three, there are a whole range of others: securely store credentials and security-sensitive data; communicate securely; minimise exposed attack surfaces; ensure software integrity; ensure that personal data is protected; make systems resilient to outages; monitor system telemetry data; make it easier for consumers to delete personal data; make the installation and maintenance of devices easy; and validate input data. All those are standards that should be adhered to in relation to these devices. Two of the guidelines that have not been made mandatory—ensure that personal data is protected, and make it easier for consumers to delete personal data—have been highlighted by Which? this very morning, which has produced research demonstrating that:

However, in its briefing—I think that the noble Lord, Lord Bassam, has the same one as me; we are very grateful for the briefings we have been given—Which? says, and I totally agree:

“The PSTI Act allows the Government to place requirements on manufacturers, importers, and distributors”—

those last four words are underlined—

“of smart products. However, only manufacturers are affected by these regulations, and only those manufacturers who sell directly to consumers will be required to present information about a product’s support period to consumers at the point of sale. As such, consumers shopping for smart products through popular online retailers like Currys, Argos and John Lewis are not guaranteed to have the opportunity to see and consider support period information”.

That in itself is not satisfactory.

Which? goes on to say:

“We are concerned this discrepancy also weakens the pro-competitive effect of the regulations. Our stakeholder engagement has shown that leading manufacturers were expecting to benefit from greater transparency of their security support policies to consumers, but as this may not be showcased in retail environments it risks reducing a competitive advantage for manufacturers with the most consumer friendly policies. Without retailers showcasing this information and enabling consumers to discern between products with stronger or weaker support policies, manufacturers may be disincentivised from investing in robust support policies in future”.

I emphasise that that is from Which?, the major consumer champion—in effect, the progenitor of the IoT provisions in the original Bill, now an Act. Of course, Which? has been pursuing this agenda for quite some time; one can imagine the disappointment among its members and staff at this turn of events. Is not the failure to include online marketplaces a betrayal of the consumer?

In addition to those more, if you like, strategic questions, I have some slightly more detailed ones for the Minister. I want to ask about the impact of changing standards, referred to in paragraph 7.13 of the Explanatory Memorandum. It says:

“Regulation 4 provides that, where the conditions in Schedule 2 are met, a manufacturer is to be treated as having complied with a particular security requirement. These conditions relate to compliance with equivalent provisions to each requirement in appropriate international standards taken from either the EN, or ISO IEC 29147”.

I understand that and think that it a very sensible approach, but what happens when the standards change? Will we come back here? Will we have an affirmative resolution to discuss the new standards? What provisions are made when those standards change and what process will be undertaken to review what is needed by way of new regulations?

Paragraph 7.19 of the Explanatory Memorandum talks about the Schedule 3 exemptions. It uses the same language as the Minister did: for computers, there are “unique challenges”. Can the Minister unpack that? I understand nearly all the other exemptions but we need to understand a bit more about what these unique challenges are rather than just taking it as a matter of faith that the poor old computer manufacturers are in trouble.

Finally, if we are to adopt new technology of this kind, much of which is beneficial, public trust in this area is absolutely crucial. I cannot think of anywhere where the use of data is more important. This is one of the huge gaps here. Do we really expect the ICO to have the resources to be able to oversee the use of data? I am rung on almost a weekly basis by my energy supplier to be asked, “Why aren’t you installing a smart meter?” I am resisting doing so, partly because I am not quite sure what use that data will have and who it will be shared with. I recognise that smart meters are probably a great idea for an energy company but I am not entirely convinced that it is for my individual consumer benefit. It would be marvellous if we had better regulation in that area. To me, that emphasises how important public trust in this area is.