PARLIAMENTARY DEBATE
Draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2024 - 21 May 2024 (Commons/General Committees)
Debate Detail
Chair(s) Christina Rees
Members† Aldous, Peter (Waveney) (Con)
† Baillie, Siobhan (Stroud) (Con)
† Ellwood, Mr Tobias (Bournemouth East) (Con)
† French, Mr Louie (Old Bexley and Sidcup) (Con)
† Johnson, Dr Caroline (Sleaford and North Hykeham) (Con)
† Kruger, Danny (Devizes) (Con)
† Lopez, Julia (Minister for Data and Digital Infrastructure)
McDonagh, Dame Siobhain (Mitcham and Morden) (Lab)
† Malthouse, Kit (North West Hampshire) (Con)
Mearns, Ian (Gateshead) (Lab)
† Metcalfe, Stephen (South Basildon and East Thurrock) (Con)
† Monaghan, Carol (Glasgow North West) (SNP)
† Onwurah, Chi (Newcastle upon Tyne Central) (Lab)
Poulter, Dr Dan (Central Suffolk and North Ipswich) (Lab)
Smith, Jeff (Manchester, Withington) (Lab)
† Webb, Suzanne (Stourbridge) (Con)
Whittome, Nadia (Nottingham East) (Lab)
ClerksNicholas Taylor, Committee Clerk
† attended the Committee
The following also attended (Standing Order No. 118(2)):
Elmore, Chris (Ogmore) (Lab)
First Delegated Legislation CommitteeTuesday 21 May 2024
[Christina Rees in the Chair]
Draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2024
That the Committee has considered the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2024.
The draft regulations will be made under powers provided by the Product Security and Telecommunications Infrastructure Act 2022. The PSTI regime comprises part 1 of the 2022 Act and a set of regulations made under that Act, the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. This world-leading regulatory regime came into force on 29 April this year, and it will better protect consumers, businesses and the wider economy from the harms associated with cyber-attacks.
The law now requires consumer connectable products—baby monitors, Ring doorbells and so on—that are made available to customers in the UK to meet baseline cyber-security requirements. For instance, manufacturers will be banned from using universal default or easily guessable passwords such as “admin123”. That will reduce one of the most commonly exploited vulnerabilities in connected products.
Subject to the approval of both Houses, the draft regulations will add three new categories of products to the list of excepted products in schedule 3 to the 2023 regulations. In the 2020 call for views for the regime, the Government indicated that products would be excepted from the product security regime if it was deemed inappropriate to include them prior to further investigation, they were already covered by robust legislation, or they would be covered by future legislation particularly relevant to that product category.
My Department has committed to except automotive vehicles, because the Department for Transport is working at international level to agree regulations setting cyber-security requirements for vehicles. That would allow the cyber-security of those products to be addressed by regulations specific to the sector and to their functionality. The DFT intends to mandate UN regulation No. 155 on cyber-security and cyber-security management system in Great Britain for all new cars, vans, buses, trucks and motorbikes. The requirements of that regulation are more appropriate as it was created in response to the expanding capability and connectivity of vehicle systems.
To avoid dual regulation and unintentionally placing undue burden on the automotive industry and trade, the Government are seeking to except specific vehicle categories from the PSTI regime. The products in scope of the draft regulations include cars, vans, buses, motorcycles, mopeds, quad bikes and tractors. Those products are already excepted from the PSTI regime when they are made available for supply in Northern Ireland.
Regulation 3 will correct a minor error in the language of the 2023 regulations. Adding the word “period” will ensure that the original intent of the relevant paragraph is preserved.
These measures will ensure that the regime works as intended and that the security of vehicles can be addressed through appropriate sector-specific regulations. I commend the draft regulations to the Committee.
Before I start, I must declare an interest. I worked in technology for two decades before entering Parliament, the last six years of which I spent with Ofcom as head of telecommunications technology, which included internet security. I am proud to have been the first Member of Parliament to mention the internet of things—connected devices—in this place, in 2011 during a Westminster Hall debate I secured on machine-to-machine communications, partially as a consequence of my experience in the tech and regulatory sectors.
Over the years I have regularly called for better security for consumers with regard to this important enabling technology. Indeed, the exponential growth that I predicted in the number of connected devices in our homes, on our wrists and on our roads has taken place, and with it the need for robust protections has grown. We on the Opposition Benches are glad that the Government finally took action in 2022 and are building on that with these latest draft regulations, which will take the next steps towards a bespoke cyber-security regime for vehicles. Automated vehicles have the potential to create a market worth £42 billion by 2035, create 38,000 new jobs, and improve road safety and connectivity for all road users, including pedestrians and cyclists. It is right that this highly exciting sector is supported to grow with targeted pro-innovation and pro-consumer regulation.
Members will be glad to hear that I do not intend to detain the Committee long, but I want to address some of the fundamental concerns with the legislation. Above all else, safety is paramount. During the passage of both the Product Security and Telecommunications Infrastructure Act 2022 and the Automated Vehicles Act 2024, which received Royal Assent this week, Labour was crystal clear that the first duty of any Government is to keep their citizens safe. Our cyber-security is a No. 1 priority, and Labour would never play fast and loose with it.
As such, we welcomed the security aspects of the PSTI Act, as well as Government concessions to put the highest standards of safety on the face of the Automated Vehicles Act. The Government’s “Connected and automated vehicles: process for assuring safety and security”, or CAVPASS, with which I am sure the Minister is familiar, is intended to provide Government assurance of the safety and cyber-security of self-driving vehicles by 2025—that is, at the end of this year. Is the Minister confident that the Government are on track to achieve that goal? What assurances can she give the public in the meantime—in the next six months or so, until CAVPASS bears fruit, if that is when it will bear fruit—that automotive products with connected capabilities are being sold secure?
Are the Government taking steps to address the national security implications of connected vehicles, which is an increasing concern for the public? In the debate on the 2023 regulations last September, I highlighted how cellular internet-of-things modules, or CIMs, power much of the consumer connected device landscape by enabling internet access. China is attempting to corner the global market in CIMs, which could have immense national security implications, since, for example, when they are embedded in cars, they transmit location, route and even passenger video. With Chinese firms such as BYD and Geely becoming major players in automotive manufacturing, is the Minister assured that the regulatory regime is strong and flexible enough to protect the British public as the technology adapts and evolves?
Lastly, I want to raise the need for ongoing dialogue in this space. It is right that the Government have communicated to businesses years in advance their intention for automotive vehicles to be exempted from the PSTI regime. I also appreciate the extensive work by organisations such as the Centre for Connected and Autonomous Vehicles and the Law Commission in preparing for the Automated Vehicles Act.
The explanatory memorandum to the draft regulations leaves open a few options for the Government to regulate further, such as mandating UN regulation No. 155 on cyber-security, as the European Union has already done for some vehicles from July 2022. Given that we export 600,000 cars a year, have the Government considered alignment with international partners on cyber-security—the Minister seemed to suggest that she had—through the UN and other fora, and the implications for trade and exports? Can the Minister explain what the Government are doing to keep businesses abreast of their plans? It is vital that businesses, particularly in our incredibly important automotive industry, which is undergoing so many changes, can plan ahead for the next generation of cars.
On that subject, it was disappointing that the Government did not accept any of Labour’s amendments during Committee stage of the Automated Vehicles Bill, which would, in particular, have established an advisory council to aid the Act’s implementation and strengthened the accessibility of automated vehicles for disabled people. Will the Minister commit to consult regularly with business and trade unions during the roll-out of the connected and automated vehicles security regime, and to embed accessibility in all the safety regulations from day one?
Innovation in road transport will create huge opportunities for our economy and society, and we must embrace them. But we must make sure that security and safety are built into these technologies from the outset. Labour and the British people will accept nothing less. I thank the Minister in advance for her answers to my questions.
My first question is whether we will see a more risk-based approach to this kind of regulation. I remember thinking when the PSTI Bill was going through the House in 2022 that if the Chinese really wanted to know what time I turn my central heating on, they would be pretty welcome to that information. Similarly, if I happen to have a connected oven and I have something in there for the evening, they can know about that too. I am actually not that bothered about them hearing my children vomiting in the middle of the night through the baby monitor, if that is what they want—they can listen to the screaming as much as I can. I hope the Minister will accept that a risk-based approach seems sensible in this area.
My second question is whether this deregulatory measure is likely to be replaced at some point with an even more regulatory system for some of the bits of equipment that we are removing from the scope of the legislation. I understand that there is something coming on vehicles, but on electric bicycles, for example, are we likely just to replace this measure with another set of regulations? Will another Committee be sitting in just a few months’ time to consider the Electric Bicycles (Telecommunications Safety) (No. 14) Regulations, or whatever it might be?
If that is not the case, I offer the Minister my congratulations. I have sat on dozens of Delegated Legislation Committees over the last decade, nearly, and despite promises by the Government, this is the first I have known to consider something mildly deregulatory. I just wanted to mark that special moment in my parliamentary career. I am grateful to her.
I thank the hon. Member for Newcastle upon Tyne Central for her support and for bringing to bear her considerable expertise in technology. I agree with a number of the points that she made. She is right to be concerned about whether the sector has been given due notice. We have been in touch with the sector throughout. It was made clear that there would be exemptions and exceptions to the regime, and we are bringing the draft regulations forward now so that the sector can have those exceptions as swiftly as possible.
On some of the questions about automated vehicles, as I said, the Department for Transport intends to mandate UN regulation No. 155, but the automotive industry and its supply chain are already beginning to comply with that regulation, as it has been mandatory for new types of passenger and goods vehicles in the EU since July 2022. I shall certainly ask DFT Ministers to get back to the hon. Lady on some of the specific points that she made about transport and vehicles. I very much agree with her about the need to make sure that accessibility is at the heart of these new regulations. I have responsibility for telecommunications, and she will be aware that we have brought in a number of new security requirements.
On whether there are certain types of risk-based approach that we should take to new technologies, that is certainly the case. These are baseline security requirements that are intended to give flexibility according to the type of product. We are also looking at which types of data we should seek to protect and safeguard and which we should not be too concerned about. I assure hon. Members that that work is under way. These are areas of fast-moving technological development, and we in the Department try to make sure that we have maximum flexibility so that we do not have to come back and legislate every time there is new technology in the market. Hopefully, that will mean that we can avoid bringing hon. Members into these Committee rooms too frequently.
I am grateful for the engagement by all hon. Members as this legislation has gone through the House. It is a couple of years ago now that we went through Committee stage of what became the PSTI Act—we felt the pain of it together. That Act is now on the statute book and implemented, and we are bringing forward the exceptions so that it works well for the automotive market.
Question put and agreed to.
Contains Parliamentary information licensed under the Open Parliament Licence v3.0.