Product Security and Telecommunications Infrastructure Bill - Report – in the House of Lords at 4:05 pm on 12 October 2022.
Moved by Lord Clement-Jones
1: Clause 1, page 1, line 17, at end insert—
“(2A) Regulations under this section must, among other things, include security requirements that—
(a) prohibit the setting of universal default passwords and the ability to set weak or easily guessable passwords;
(b) require the production and maintenance by manufacturers of regular publicly-available reports of security vulnerabilities;
(c) ensure the provision of information to the consumer, before the contract for the sale or supply of a relevant connectable product is made, detailing the minimum length of time for which the consumer will receive software or other relevant updates for that product;
(d) introduce appropriate minimum periods for the provision of security updates and support, taking into account factors including the reasonable expectations of consumers, the type and purpose of the connectable products concerned and any other relevant considerations.
(2B) Regulations under this section must include provision that all security requirements specified in accordance with this Act are included as essential requirements in statutory conformity assessments and marking procedures under the Radio Equipment Regulations 2017 (S.I. 2017/1206), and in any other such assessments and procedures applicable to relevant connectable products.”
Member’s explanatory statement
This amendment expressly sets out on the face of the Bill security requirements, which this bill seeks to establish through future regulations, providing specific legal guidance regarding the individual security requirements and obligations on relevant parties.
My Lords, in moving Amendment 1, I shall speak also to Amendment 13. My noble friend Lord Fox will speak to Amendment 3 in the same group. First, I warmly welcome the noble Lord, Lord Kamall, to his new role in DCMS and join others in that welcome. I am sure he has already found the company of those who speak on DCMS matters very congenial, but he will also note that there are a number of all-purpose vehicles here, so he has probably met quite a number of us already.
In Committee, we called for the three security requirements to be set out expressly in Part 1 of the Bill. At the moment they are promised in secondary legislation without any draft being available, as is, I am afraid, the Government’s consistently bad habit. Customers need absolute clarity on the support period that manufacturers will offer so that they are able to make more informed purchasing decisions. I cannot understand why the Minister’s predecessor insisted in Committee that the minimum security requirements should be stated in secondary, not primary, legislation. He said it was important that technology regulation enables the Government to respond to changes in threat and technology and to the regulatory landscape; surely, these are security principles which should endure.
As for mandating minimum security update periods for connectable products, the Minister said that there is no consensus among industry experts on how long security updates ought to last. This is foggy thinking—how can the Government not have taken a view? Contrast the approach of the European Union, which has recently published its own equivalent Cyber Resilience Act. Crucially, the EU has imposed a five-year mandatory minimum period in which products must receive security updates. A rigid five-year period is not necessarily desirable, but the commitment to set out in legislation a mandated period in which products receive security support is very welcome. Before Third Reading the Government really should undertake to look closely at the EU proposals and tighten up the Bill. Why should EU consumers get a better deal than UK ones?
As regards Amendment 13, on computer misuse, the noble Lord, Lord Arbuthnot, introduced this amendment in Committee and this one is exactly the same. Under regulations that will be introduced following the passage of the Bill, manufacturers will be required to provide a public point of contact to report vulnerabilities. However, without a statutory defence in the Computer Misuse Act, it is clear that cybersecurity researchers can still face spurious legal action for reporting a vulnerability to a company which can decide on a whim to ignore its vulnerability disclosure policy—a practice known as “liability dumping”. Amendment 13 seeks to ensure that cybersecurity professionals who act in the public interest in relation to testing relevant connectable products can defend themselves from prosecution by the state and from unjust civil litigation.
In Committee, the noble Lord, Lord Parkinson, seemed to say conflicting things. He said that the key thing is to set professional standards to measure the competence and capability of security testers, and that that is why the Government set up the UK Cyber Security Council last year. On the one hand, he said:
“We should be encouraging this rather than creating a route to allow people to sidestep these important issues.”
On the other, he said that the Government are listening to the concerns expressed by the CyberUp campaign and that the Home Secretary had announced a review of the Computer Misuse Act. The Minister said:
“The evidence which is being submitted to the review is being assessed and considered carefully by the Home Office.”—[Official Report, 21/6/22; col. 212.]
Are the Government positive or negative on this? What approach are they taking? We are past the summer now, in any event. Is there any prospect of change to the Act? I beg to move.
My Lords, I too welcome the Minister to his new role. I think DCMS will be at least as busy as his previous engagements, so we look forward to seeing him on his feet at the Dispatch Box quite a lot.
The unifying feature of these three amendments, which in policy terms are different, is that we are seeking some clarity. So, I support my noble friend in Amendments 1 and 13, and I rise to speak to Amendment 3 in my name. Given that online marketplaces represent the single most popular point of sale for connected products, these platforms should have responsibilities for the security of the products they are selling. That is what we are seeking clarity on today. If online marketplaces are not held responsible under the Bill, these insecure products will continue to be sold and, in all likelihood, their sale would become more prolific.
One of the last things the noble Lord, Lord Parkinson, did as Minister was to dispatch a letter to me in response to queries such as this raised in Committee about the status of online marketplaces—the fear being that channels such as listings platforms and auction sites such as eBay, Amazon Marketplace and AliExpress might present a loophole. The problem is the lack of clear definition for the various players that are part of the internet value chain and the fact that these players have different degrees of insight or control over what is happening online.
As the Minister will see from his predecessor’s letter, dated
“businesses need to comply with the security requirements of the product security regime in relation to all new consumer connectable products offered to customers in the UK, including those sold through online marketplaces”.
I would appreciate it if the Minister could confirm this from the Dispatch Box. It is paramount that online marketplaces are given this obligation in the Bill to ensure this security, regardless of whether the seller is a third party. It would help very much if the Minister set out what the Government’s definition of an online marketplace is.
How does the Minister’s department plan to deal with the retailers, which are far away, possibly with their real identity obscured on the online marketplaces? Will the department go to the online marketplace first and how will that process be marshalled? In other words, when a customer has a problem, who do they contact?
My Lords, before I make any comments on this group, I join noble Lords in welcoming the noble Lord to his new position on the Front Bench. I think this Bill is a gentle introduction, and this afternoon will probably give voice to that sentiment. I do welcome him. We have been delighted by the general response we have had from the department on the Bill and the open way in which the noble Lord’s predecessor approached things. I am sure the noble Lord will continue very much in that vein.
This amendment was resisted when we were discussing these matters in Committee, on the basis that minimum requirements will swiftly be set out in regulations. Regulations are not always swift in coming, so perhaps it would be useful for the Minister to remind us how quick that will be. Is he in a position today to commit to a timescale for the full details to be brought forward? This is, after all, an important piece of protective legislation, as noble Lords around the House today have made clear, and, given that it is about protecting customers and consumers, it is important that we have some assurance on that point.
The questions that our noble friends on the Lib Dem Benches have asked are very important ones and they require to be answered. Although the Minister will no doubt resist these amendments, it would help us if we had some further reassurance, perhaps before we get to Third Reading. However, we are grateful for the written assurances that the Minister’s predecessor offered in relation to online marketplaces, and we hope that the current provisions will prove effective. I ask the Minister to outline how the Government would amend those provisions should that need arise in future. The noble Lord, Lord Parkinson, was always willing to provide us with some written responses, and that would probably suffice for us for today’s debate and deliberations. I look forward to hearing what the Minister has to say on this.
My Lords, I thank those noble Lords who gave me a warm welcome—and indeed those who did not. Many noble Lords will know me from my work in the previous department. In the case of the noble Baroness, Lady Merron, who was one of the first to welcome me, it is just a continuation; we seem to be inextricably linked in some way.
I pay tribute to my predecessor, my noble friend Lord Parkinson, for his work as the DCMS Minister. He was widely praised and I think people appreciated his engagement. Those who have engaged with me on previous legislation know that I tend to have a very open policy as well. I am happy to have as many meetings as we need and to facilitate meetings with officials, so please have no fear about asking for those meetings; I will be happy to do that as much as possible.
I turn to Amendment 1, from the noble Lords, Lord Clement-Jones and Lord Fox. I thank them for retabling this amendment, which first appeared in Committee. I also thank them and other noble Lords for meeting me before today.
We think that the threat landscape is ever-changing. Security requirements that are appropriate today could change and differ in the future. Setting that out in primary legislation would limit our ability to respond to threats in the future, impose barriers to innovation and leave unnecessary regulation still on the statute book or unnecessarily complicate the regulatory framework. The vast complexity of the connectable technology landscape means that the definitions used in our security requirements need to be carefully nuanced and readily updatable to avoid imposing unnecessary or inappropriate burdens on industry as those technologies develop. For example, we set out in our 2020 call for views that we do not currently consider it appropriate for our intended password requirements to apply to API keys. Connectable products may be able to access a large number of API interfaces, many of which do not have a material impact on the security of the product. Compelling the Government to extend this password requirement to all API keys of the product, as this amendment would entail, is exactly the sort of unnecessary industry burden that we are trying to avoid while making sure that we stick to setting out the requirements in regulations.
The Government are unwavering in our commitment to bringing forward security requirements that ban universal default and easily-guessable passwords, mandate the publication of a vulnerability disclosure policy and mandate transparency concerning security update provision. My officials have been working diligently to develop regulations that realise that commitment, and we hope to engage on the regulations in draft by the end of the year. Something that I often say to my officials, whichever department I have been in, is that there are two phrases that I do not like to see: “in due course” and “at pace”. I like to give an indicative timeframe, so I hope the timeframe of “by the end of the year” gives some assurance.
That is why we do not believe the amendment is necessary, and I hope the noble Lords will consider withdrawing it. On top of that, I am willing to have meetings in future to clarify anything that noble Lords feel has not been clarified.
I turn to Amendment 3, tabled by the same double act of the noble Lords, Lord Fox and Lord Clement-Jones; I think this is going to be a recurring theme in my time as the Minister here. The proposed amendment aims to define online marketplaces as “distributors” for the purposes of the Bill. I assure noble Lords that the Government are on the side of the consumer. That is why the Bill requires all—I repeat, all—UK consumer connectable products to be secure, including those sold via online marketplaces. The Bill will ensure that where online marketplaces manufacture, import or sell products, they bear responsibility for the security of those products. Where this does not happen, I assure noble Lords that they should make no mistake: the regulator will act promptly to address serious risk from insecure products, and work closely with online marketplaces to ensure effective remedy.
We recognise that as well as bringing benefits to consumers e-commerce brings challenges—the double-edged sword of technology. This is one of the reasons why the Government are reviewing the product safety framework. We will publish a consultation later this year—once again, not “in due course” but later this year—with detailed proposals on tackling the availability of unsafe and non-compliant products sold online. Consumers need clarity and better protection, and this will be a priority for our work in this space.
I hope that the ambition of this Bill, its enforcement plan and the outline of further policy engagement will provide some confidence for noble Lords not to press Amendment 3.
In reference to the consultation, does the Minister include product safety and product security in the term “unsafe”?
We understand that they are two different things, but I am happy to clarify and come back to the noble Lord—I hope to do so before we come to future amendments.
Amendment 3 aims to define what a “distributor” is for the purposes of the PSTI Bill. The Bill requires all UK consumer connectable products to be secure. Where it does not happen, the regulator will act promptly. For e-commerce, given the double-edged sword of technology, reviewing that framework is important. I hope the ambition of the Bill encourages noble Lords to consider not pressing the amendment, but once again I am happy to engage further for clarification and to address any outstanding concerns.
Let me turn to Amendment 13. The Government are listening to and considering concerns that the Computer Misuse Act is constraining activity that would enhance the UK’s cybersecurity. We understand that if you want to test cybersecurity you have to be able to test its breaking point. We are trying to strike the right balance between providing suitable reassurances for well-meaning individuals who want to identify vulnerabilities and not allowing malicious actors to access devices without consent. There are risks here. It is very nuanced, and the Government do not want to rush into legislative change without clear evidence to justify any such change to existing law. As the noble Lord, Lord Clement-Jones, said, the Home Office has been conducting a review of the Act since 2021, and the proposals for statutory defences have been an integral part of this review. I can confirm that a response that sets out how the Government plan to proceed should be published in the coming weeks, and an update will be provided to this House.
I hope that this will provide sufficient assurances on these three amendments, and the noble Lords will consider withdrawing and not pressing their amendments. I repeat the offer of continued engagement and meetings for clarification and to reassure noble Lords.
My Lords, I thank the Minister for those three sets of assurances. I should have thanked him too for meeting with us prior to today.
I am interested in the Minister’s change of language in the department: we have got “by the end of the year” and “in the coming weeks” rather than “in due course”. I think we are making some progress, which is very helpful.
I notice too his unwavering commitment—that was very firm—to publish the regulations by the end of the year. It is grossly unsatisfactory not to have the secondary legislation in draft when the primary legislation contains virtually nothing of the real meat. I am afraid that this Bill is not alone in that respect; it is one of the common complaints that we have whenever legislation comes forward.
As regards the online marketplaces, I am grateful for those assurances, which are accepted and are very much in line with the letter. The new consultation on a new set of regulations about unsafe products is interesting, and I hope the Minister will clarify and give us further and better particulars, and more specifics about what that actually involves.
As regards the Computer Misuse Act—I notice the noble Lord, Lord Arbuthnot, is in his place—it is satisfactory that the Home Office is going to divulge what it really thinks about this. We wait with trepidation for what it is going to say on the subject, given some of the negative responses that Ministers have given previously. We can wait and look forward to that. In the meantime, I beg leave to withdraw Amendment 1.
Amendment 1 withdrawn.
Clause 3: Power to deem compliance with security requirements