With this it will be convenient to consider new clause 7—Cyber Security and hacking of automated and electric vehicles—
“The Secretary of State must, within the next 12 months, consult with such persons as the Secretary of State considers appropriate on what steps will be required for the effective cyber security of automated and electric vehicles to protect those vehicles against hacking.”
This new clause would require the Government to consult on the risks of automated and electric vehicles being hacked and to ensure that measures are in place to address this.
Clause 12 is quite broad. It allows the Government to impose requirements and specifications for charge points. We know from the policy scoping notes that the Government circulated last week that they do not yet know quite what regulations they want to introduce, but that the Bill will give them the power to introduce those regulations via the negative procedure. For the reasons we discussed last week, I do not expect Ministers to know, right now, all the regulations that they will need to introduce, but I question whether the negative procedure is appropriate. I will address that point in more detail when we debate further amendments today.
Amendment 14 and new clause 7 address cyber-security and hacking. Any element of data, digital infrastructure or digital function is incredibly valuable and increasingly involves a risk of being hacked, as we know. The data, infrastructure and digital function behind the charging infrastructure and its interface with electric and automated vehicles are no different. We need to address cyber-security and data protection in relation not only to charging, but to the electric and automated vehicles themselves.
My hon. Friend will be interested to know that I had a great discussion last night with Jeremy Lefroy, who drives a Nissan LEAF. He showed me an app on his phone that not only can tell him the current state of charge of his vehicle, which is parked up in Stafford, but—should he so desire—can turn on the heating in it while he is sitting in the Members’ Tea Room. Unfortunately, when we have apps like that, there are great opportunities for hacking.
My hon. Friend is absolutely right. That example from Jeremy Lefroy makes the point very clearly: there is huge potential to communicate with vehicles—for people who own or rent them, but equally for people who we would not want to be able to communicate with them.
Amendment 14 relates to charge point cyber-security. Clause 12 contains a range of non-exhaustive specifications that a charge point must comply with, and it appears that that will involve a large amount of data being transmitted from the charge point. Measures are therefore needed to ensure that charge points and the data they process are protected against attempts at hacking. I think that is what the Government are getting at in subsection 2(e), but I ask the Minister to clarify whether that provision also covers cyber-security and the risk of hacking. I also invite him to clarify who the information that clause 12 refers to is to be shared with, and where.
New clause 7 is more broadly focused on the cyber-security of automated and electric vehicles themselves. The Bill does not seem to touch on that, but it will be a significant barrier that will need to be addressed if these vehicles are to be deemed safe, secure and reliable. The example that my hon. Friend the Member for Wolverhampton South West gave illustrates that point absolutely.
When we talk about hacking, we tend to visualise a spotty youth on a computer in a bedroom, but it can also mean commercial hacking. The company that has provided the charging point may want the data of people who use its facility.
The right hon. Gentleman is absolutely right. The nature of hacking is that it can come from anywhere if someone knows how to do it. As he says, that can be the individual spotty youth in a bedroom, but hacking can also be done for commercial purposes, which is equally a risk. That is why manufacturers invest millions of pounds putting systems in place to protect future vehicles from being hacked.
That is welcome, but the Government must also play a role, particularly if we are seeking to encourage development and uptake of such vehicles in the UK. Cars will also be particularly vulnerable when serviced. Somebody put it to me the other day that the nature of the information systems in our vehicles are becoming such that taking them to be serviced is a little like taking a laptop to be serviced and handing it over with all its passwords. We need safeguards. It is not beyond the realms of possibility that if those safeguards are not in place, information could be uploaded to or downloaded from an electric or automated vehicle being serviced that would allow hackers to obtain information or, perhaps worse, control safety-critical elements of the vehicle’s function.
In the case of an automated vehicle, the obvious risk is when driving. In extreme scenarios, people could find themselves going somewhere they do not want to go, travelling at a speed they do not want to travel at or, in the most dangerous case, not stopping when they need to stop. I would welcome an indication from the Minister whether his Department has discussed the issue, and what the assessed risk was of those vehicles being hacked. Furthermore, in line with new clause 7, I ask him to consult the industry on what steps might need to be taken to address that risk and whether Government action will be necessary as part of that.
My hon. Friend may be aware that there has already been a case in the United States in which a vehicle with high-level electronics—not a driverless vehicle, but a vehicle for sale on the road; I cannot remember the make—was hacked as part of a process, to show that an existing vehicle could be taken over through its electronics. It is already possible with vehicles that require drivers.
I was not aware of that precise case, but my hon. Friend makes an important point. Once a vehicle generates that kind of data and information, it is always possible for it to be accessed and used in a whole range of quarters. It could be used for commercial purposes, as the right hon. Member for East Yorkshire said, if a firm wants to know the individual’s driving habits and target them for marketing or other purposes. It could be used for malicious purposes, potentially causing harm to the driver or occupants of the vehicle. It could be used accidentally, to return to the example of spotty youths in their bedrooms, for something seen to be a bit of a laugh that could have severe and dangerous consequences. The technology and skills are out there now.
The point I am making in the amendment, and in particular in the new clause, is that once we move to the much more rapid expansion of uptake that we want for electric and automated vehicles, the scale of the risk becomes much greater. That is why it is important.
It has just come back to me that the vehicle involved in the American experiment was a Jeep, and that it happened in July 2015, so it was quite some while ago. That case involved benign hacking to show that it could be done, but it demonstrates to us all the dangers if we do not have the kind of protection that new clause 7 would provide.
My hon. Friend is right. It indicates that when we come to a decision later on new clause 7, it will be important for all Committee members to consider it seriously. This is not something that should divide us along party lines; it is something that we should all be concerned about. We have more issues and questions about some aspects of clause 12, but as the amendments relating to most of them have been grouped under clause 15, I will leave it there for now and keep the Minister and other hon. Members in suspense.
I want to make a few brief points. Cyber-security is clearly a huge issue in this day and age, so we should consider it as we go forward. We need to think about where the endgame is for us: it is the 2050 target of all vehicles on the road being low-emission. That is partly predicated on the roll-out of the smart charge point grid and the use of electric vehicles. If we are looking towards that 2050 horizon, we need to take as many steps as we can to ensure that there is a practical roll-out and a safe mechanism. This and neighbouring clauses are about certain roles, responsibilities and liabilities, so making the owners and suppliers of charge points responsible for their security, and setting out regulations that define that safety and security, makes sense. For that combination of simple reasons, I support the amendment and the new clause.
I am delighted to welcome you back to the Chair, Mr Gray, and to continue our diligent scrutiny of this important legislation.
In a fallen world, it is not the existence or character of malevolence that changes, but its expression. The hon. Gentleman is right that the age in which we live, with its concentration of data, brings new risks through new vulnerabilities. The technology associated with vehicles is a good example of that, although by no means the only one. For those reasons, I am pleased that he has taken the opportunity to debate these important matters.
There will be a great deal of data in vehicles—indeed, a growing amount—as the hon. Gentleman describes. Some of those data will be accessed remotely—a point made by the hon. Member for Wolverhampton South West—some in real time and all potentially of value, and potentially vulnerable. The hon. Member for Kilmarnock and Loudoun is absolutely right that the security we build through the legislation, and beyond it, through the work he has invited us to do with manufacturers and others, will be critical. Its salience will grow as the technology develops and we become more dependent upon it.
I welcome the debate and the interest the Committee has shown in ensuring that vehicles and infrastructure are secure and safe from the kind of malevolence that manifests itself in the form of cyber-attacks. Protecting individuals by protecting the information about them and their vehicles is at the heart of what the Government intend. It is vital not only for its own sake but because it will build confidence if people know what they do is safe and secure. We need to build confidence to give the technology the support it needs if we are to build truly digital integrated transport networks—what a great phrase that is. I could just tell that you were hanging on it for a moment, Mr Gray.
Vehicle connectivity and automation and the decarbonisation of the vehicle fleet are separate issues, but like many commentators we expect to see an eventual convergence between trends in new vehicle technologies. I understand the relationship between those issues, but it might help the Committee if I dealt with them separately.
We strongly believe that connected and automated vehicles must be secure by design, with appropriate safeguards to ensure against cyber-attacks. That will necessitate exactly what the hon. Member for Birmingham, Northfield called for. He invited us to consult the industry on what steps should be taken to guarantee that outcome. Much of this will be done at international level as well as locally. We are working with the United Nations to develop requirements for vehicle manufacturers on cyber-security.
I think that it is reasonable to say that the UK is in a strong position—I hesitate to say “leading,” but only out of personal and national modesty. I think that we can be an important player internationally in ensuring that those standards are fit for purpose. Officials in my Department are chairing this international work, so perhaps it is fair to say—you are the Chairman of this important gathering, Mr Gray—that we are leading.
No, but we look up to you; that is the point I am making.
We are also working with UK security agencies. When I was in my previous job as security Minister in the Home Office, I was heavily involved in consideration of cyber-threats and cyber-security. It is important for the Committee to know that this is something that has been discussed across Government, because some of these responsibilities are shared by different Government Departments and different Ministers. We are therefore working with other parts of Government on the new National Cyber Security Centre to engage directly with the industry to raise awareness and promote best practice. Using the Government’s approach to cyber-security, applying it to this area of work, engaging with the automated industry and those who are developing this technology is central to our purpose.
The hon. Gentleman invited me to go into some more detail. As part of that, we have set out for the industry the objective of developing a set of principles for cyber-security. As a result, our thinking is developing alongside that of the industry. It is important that we establish at an early stage the principles—many of which the hon. Gentleman touched on—that will underpin the safe and secure development that he and I seek.
Given that the foreign countries to which people are most likely to take their electric cars are going to be European countries, can the Minister tell the Committee a little about what co-operation he hopes to have with European partners, particularly on charging points? We know that the vulnerability in cyber-security is often at the point of connection. The telephone network—presumably a telephone network is linking them—and the charging points are going to be vulnerable.
The promotion of sharing good practice will be national; it will be between Government and industry; and it will be pan-national, pan-European and, beyond that, international. The establishment of an information exchange to share exactly those kinds of principles is part of what we are doing. That certainly includes work across Europe, for the very reason my hon. Friend gave, which is that people will want to travel beyond the boundaries of this country. They will also, of course, buy vehicles that are manufactured in other places—the nature of the automotive industry is that it is pan-national. It is critical that we can rely on digital standards, just as we expect mechanical standards to be reliable.
I always hesitate to mention the European Union in anything other than pejorative terms, but that is a personal foible rather than a ministerial position. Of course, we will work with the European Union. We remain members of the EU until the point at which we depart. In any case, our work with European nations and neighbours is critical in this regard. Much of the work that I am describing is not driven or governed by the EU itself. Many of the bodies involved are international, such as the United Nations, and the vehicle manufacturers have a footprint that extends beyond nation states. Of course, the hon. Gentleman is right to say that we will work with both the EU and other European countries, despite the foible that I was very honest to admit having.
Before the previous intervention, the Minister was talking about the consultations that he is already undertaking with the industry, in particular discussions towards setting up a list of principles to govern cyber-security. Will he give a little more detail about who he is consulting? He referred to the industry: does that mean the manufacturers of vehicles or of charge points, or does it mean the broader industry beyond the automotive sector?
Actually, it means all of them, but it would be helpful for the Committee if I set that out separately. We could describe in greater detail some of the work that I have set out, including the development of core principles, the establishment of a dialogue and international work. I am more than happy to set that all out in detail and assure hon. Members that it is significant. It is right that the hon. Gentleman should seek greater clarity and I will happily provide it before the Committee ends its consideration of the Bill.
When the Minister sets that out, will he also set out details relating to intra-national co-operation—I am sure he is doing this, but he has not mentioned it—including discussions with the Government in Northern Ireland, to which the Bill does not apply, and with the Republic of Ireland? If charging points in Northern Ireland are to mirror those in Great Britain, it would be helpful if those Hayes hook-ups could also have common currency with the Republic of Ireland, with which we share a land border.
That is an interesting point. I would not yet want to say how much we can establish uniformity of charging points across countries, for I would not want to suggest in Committee or elsewhere that a driver could be absolutely certain that, wherever he travelled in the world, he would find a Hayes hook—I just dropped the “up”, by the way.
It would be ideal if we could at least establish a set of principles that extended to the distance that people would be likely to travel. That is the reason for the United Nations standards and the international work that I have described. We have to get a good, well-established and well-founded connection between Government and industry. We then have to work, as I have said, pan-nationally.
I emphasise again that this is very much aligned with cyber-security, which is a high priority for both the Government and the nation. That is why we established a national security strategy, and the new National Cyber Security Centre is engaged in all of the work that I have set out.
The hon. Member for Birmingham, Northfield made a point about the electric charging infrastructure and so far I have talked largely about vehicles. The clause makes it clear that smart charge points must be secure against hacking, because the cyber-risk is not just to the vehicle or the data, but to the charge points themselves, so they also need to be safe and secure. Paragraph 39 of the explanatory notes explicitly mentions that the charge point will need to be resilient against cyber-attack.
The hon. Gentleman is right to say that the security is vital and, as the amendment suggests, consultation will be necessary. I am very happy to set out for him in writing the work we have already done to engage with various partners. I am also happy to tell him that that consultation will be ongoing; perhaps I can confirm that now, because essentially that is the information sought by the amendment.
The amendment compels us to consult. I am happy to commit to consulting, because it is critical that we consult people. We will continue to work with the security community, industry and other partners. However, I will go further, because I have been cogitating, as one does on one’s feet when one is capable of multi-tasking, as I know members of this Committee are capable of doing. I think we should publish and set out clearly the cyber-security principles of the connected and automated vehicle ecosystem that we will develop in collaboration with the security agencies in the coming months. I will make that commitment here. In addition to the commitment to consultation, it is important that we establish those principles very early. They will send a significant signal as to why and how this issue matters.
We will also take the additional powers that we need, as appropriate. The hon. Gentleman has said that that is implicit in the Bill, but I do not think it is right to take them yet. I would rather set out both the process by which we intend to consult and the principles, and then take the powers, as set against the principles at the necessary time. That is largely because charge point technology and vehicle technology are evolving rapidly and I do not want to prejudge their development. There would be a risk of doing so if we accepted amendment 14. Therefore, it would be preferable to set out the security requirements in regulations, and to do so having had the consultation that I have described.
I am grateful to the Minister for giving way. Perhaps to save the stand part debate, Mr Gray, I will ask a brief question. The Minister says that security is vital and mentions the anticipated process. Clause 12 uses the word “may” in relation to regulations—it is permissive, not mandatory. Can he confirm that regulations will in fact be made?
Yes, absolutely: regulations will be made, as appropriate and at the right time. That was a perfectly fair question.
With that, I invite the Committee to reject the amendment. Better still, I invite the hon. Member for Birmingham, Northfield to withdraw it, so that we are not obliged to reject it. I do so having given commitments that I will follow through on as soon as possible.
I am grateful to the Minister for his comments. On the issue of process and the powers that Ministers will take, I fully accept his point that they are not yet in a position to know the exact regulations for which they will want those powers. We will discuss that issue of process when we consider the next group of amendments. Nevertheless, I accept what he has said, namely that powers are necessary and that regulations cannot yet be drafted.
I am also grateful to the Minister for the commitments that he has given today, first to the publication of the principles on which cyber-security will be addressed—that is really important—and, secondly, to consultation of the kind envisaged by the amendment and new clause 7, and, thirdly, to making the laying of regulations a mandatory issue, not simply a discretionary issue.
I get the impression that the Minister feels passionately about this issue; I think we transported him back for a moment to his previous job as the Minister responsibility for cyber-security. I have absolutely no doubt that he takes the matter seriously. On the basis of what he has said, I will not press the amendment to a vote. We will reflect on what he has said and on whether to withdraw the new clause when we come to consider it, but for now, I beg to ask leave to withdraw the amendment.