Clause 4 - Relevant connectable products

Part of Product Security and Telecommunications Infrastructure Bill – in a Public Bill Committee at 11:45 am on 17 March 2022.

Alert me about debates like this

Photo of Julia Lopez Julia Lopez Parliamentary Secretary (Cabinet Office), Minister of State 11:45, 17 March 2022

Clauses 4 to 6 define the products to which the new regulatory regime will apply. Clause 4 introduces the terms “internet-connectable product”, “network-connectable product” and “excepted product”. Clause 5 defines the terms “internet-connectable” and “network-connectable”. It is a pivotal clause in capturing the necessary products that make up a huge part of the internet of things threat landscape. Any network is only as secure as its weakest link, and that could be a single consumer connectable product.

Focusing on a product’s capabilities—instead of attempting to exhaustively list all consumer connectable products—is part of our agile, future-proof approach. We are ensuring that the Bill will remain relevant and effective by capturing new consumer technologies that come to market, based on their capabilities and the risks they present.

Many products captured by the Bill are capable of connecting to the internet, exposing them to remote access and attack. Those are “internet-connectable products”, such as routers, smartphones and certain smart appliances. Some products captured by the Bill are not able to connect to the internet directly, but can connect to other products. In doing so, they can form, and contribute to the formation of, networks, meaning that vulnerabilities in those products can open the door to cyber-attack. Those are “network-connectable products”, such as certain smart lightbulbs, smart home products, and headphones.

Clause 6 defines the term “excepted product”. It allows the Secretary of State to except products from the scope of the Bill via regulations. The Government intend to except products from the scope of the Bill where inclusion would subject them to double regulation or be disproportionate to their risk profile. The Government have consulted on that approach. Products such as electric vehicles, medical devices and smart meters will be excepted from scope because they are already, or soon will be, covered by alternative regulation. I therefore commend clauses 4 through 6 to the Committee.