UK Parliament / Open data

Product Security and Telecommunications Infrastructure Bill

My Lords, in moving Amendment 1, I shall speak also to Amendment 13. My noble friend Lord Fox will speak to Amendment 3 in the same group. First, I warmly welcome the noble Lord, Lord Kamall, to his new role in DCMS and join others in that welcome. I am sure he has already found the company of those who speak on DCMS matters very congenial, but he will also note that there are a number of all-purpose vehicles here, so he has probably met quite a number of us already.

In Committee, we called for the three security requirements to be set out expressly in Part 1 of the Bill. At the moment they are promised in secondary legislation without any draft being available, as is, I am afraid, the Government’s consistently bad habit. Customers need absolute clarity on the support period that manufacturers will offer so that they are able to make more informed purchasing decisions. I cannot understand why the Minister’s predecessor insisted in Committee that the minimum security requirements should be stated in secondary, not primary, legislation. He said it was important that technology regulation enables the Government to respond to changes in threat and technology and to the regulatory landscape; surely, these are security principles which should endure.

As for mandating minimum security updates for periods for connectable products, the Minister said that there is no consensus among industry experts on how long security updates ought to last. This is foggy thinking—how can the Government not have taken a view? Contrast the approach of the European Union, which has recently published its own equivalent Cyber Resilience Act. Crucially, the EU has imposed a five-year mandatory minimum period in which products must receive security updates. A rigid five-year period is not necessarily desirable, but the commitment to set out in legislation a mandated period in which products receive security support is very welcome. Before Third Reading the Government really should undertake to look closely at the EU proposals and tighten up the Bill. Why should EU consumers get a better deal than UK ones?

As regards Amendment 13, on computer misuse, the noble Lord, Lord Arbuthnot, introduced this amendment in Committee and this one is exactly the same. Under regulations that will be introduced following the passage of the Bill, manufacturers will be required to provide a public point of contact to report vulnerabilities. However, without a statutory defence in the Computer Misuse Act, it is clear that cybersecurity researchers can still face spurious legal action for reporting a vulnerability to a company which can decide on a whim to ignore its vulnerability disclosure policy—a practice known as “liability dumping”. Amendment 13 seeks to ensure that cybersecurity professionals who act in the public interest in relation to testing relevant connectable products can defend themselves from prosecution by the state and from unjust civil litigation.

In Committee, the noble Lord, Lord Parkinson, seemed to say conflicting things. He said that the key thing is to set professional standards to measure the competence and capability of security testers, and that that is why the Government set up the UK Cyber Security Council last year. On the one hand, he said:

“We should be encouraging this rather than creating a route to allow people to sidestep these important issues.”

On the other, he said that the Government are listening to the concerns expressed by the CyberUp campaign and that the Home Secretary had announced a review of the Computer Misuse Act. The Minister said:

“The evidence which is being submitted to the review is being assessed and considered carefully by the Home Office.”—[Official Report, 21/6/22; col. 212.]

Are the Government positive or negative on this? What approach are they taking? We are past the summer now, in any event. Is there any prospect of change to the Act? I beg to move.

About this proceeding contribution

Reference: 824 cc790-1
Session: 2022-23
Chamber / Committee: House of Lords chamber