Telecommunications (Security) Bill
Monday 30th November 2020
(3 years, 4 months ago)
Commons ChamberRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts
The Secretary of State for Digital, Culture, Media and Sport (Oliver Dowden)
I beg to move, That the Bill be now read a Second time.
Cutting-edge technology such as 5G and gigabit broadband have the potential to transform our lives and this Government are investing billions of pounds in their roll-out nationwide, but we can only have confidence in that technology if we know it is secure, and this Bill will create one of the toughest telecoms security regimes in the world, one that will protect our networks even as technologies grow and evolve, shielding our critical national infrastructure both now and for the future.
This Bill acts on the recommendations of the United Kingdom telecoms supply chain review, which in turn was informed by the expert technical advice at the National Cyber Security Centre in GCHQ. First, it establishes a tough new security framework for all the UK’s public telecoms providers. This will be overseen by Ofcom and the Government, and they will have a legal duty to design and manage their networks securely. Rigorous new security requirements will be set out in secondary legislation, and codes of practice will set technical guidance on how providers should meet the law, and where providers are found wanting, Ofcom will have the power to impose steep fines. For example, under the current regime fines for failing to protect security are limited to just £2 million or £20,000 per day, while under the new regime they will rise significantly, to up to 10% of turnover or £100,000 per day. Under the current regime Ofcom has limited monitoring and enforcement powers. Under the new regime it will have the power to enter premises of telecoms providers, to interview staff and to require technical systems tests.
If we pass this Bill, few other countries in the world will have a tougher enforcement regime, and the point of this Bill is not just to tackle one high-risk vendor; it raises the security bar across the board and protects us against a whole range of threats. According to the NCSC, the past two years have seen malicious cyber-activity from Russia and China as well as North Korea and Iranian actors. While I know that telecoms providers are working hard to protect our networks against this hostile activity, the Government have lacked the power to ensure they do so. This Bill puts a robust security framework in place, guaranteeing the protection of our networks.
Mr Tobias Ellwood (Bournemouth East) (Con)
It feels like a long time since we had debates about Huawei at, I think, the beginning of the year, which perhaps started this national conversation about our critical national infrastructure. My right hon. Friend speaks about threats: what is the biggest long-term geostrategic threat facing the UK now?
Oliver Dowden
The purpose of this Bill is to give us flexibility so that we do not get bound by the particular circumstances of today, and we have designed it to give us that. The four big threats we consistently face in cyber in this country are, as my right hon. Friend knows, in relation to Russia, China, North Korea and Iran, and we are seeing an evolution in some of those threats, particularly in relation to China.
This new security framework is just one half of the Bill; the second half gives the Government unprecedented new national security powers to identify and tackle high-risk vendors. Under the Bill the Government will be able to designate specific vendors that pose risks to our national security and issue directions to telecoms providers to control their use of goods, services or facilities provided by those vendors.
Mr Kevan Jones (North Durham) (Lab)
In principle, I welcome the Bill. Its focus, however, is on kit, hardware and vendors, and that will go some way towards protecting our telecoms systems, but we are also still facing threats from hacking, so making sure we have basic good cyber-hygiene will be just as important as some of these measures we are discussing today.
Oliver Dowden
In short, yes, the right hon. Gentleman is absolutely correct. What this Bill does is bite in three respects. First, it sets out the overarching duties on mobile network operators and other telecoms providers in statute. It then empowers the Government through secondary legislation to provide further requirements on them. On top of that, for the tier 1 providers, which will basically be all the big telecoms providers, it also introduces a code of practice whereby they have to comply with that to ensure that they are secure. Across the board, the Bill tightens the requirements on them.
Bob Stewart (Beckenham) (Con)
To follow up on the comments of my good friend the right hon. Member for North Durham (Mr Jones), does the Bill also give added protection to private individuals using their mobile phone, to stop them having it tapped by, say, a newspaper reporter?
Oliver Dowden
I cannot imagine what my hon. Friend is alluding to. This is aimed at the telecoms providers, but in tightening the security requirements on them, it in turn, of course, tightens the security for individual telecoms users. The Bill makes it a duty for telecoms providers to comply with those directions and introduces robust penalties for those that fail to do so.
The point is that these powers will protect us against both the high-risk vendors of today and the threats of tomorrow. I know that for right hon. and hon. Members there are significant concerns about one high-risk vendor, Huawei. This has rightly attracted the attention and concern of many hon. Members and I want, first, to reassure them that I have heard them, that I am acting and that I am taking a clear-eyed approach to protecting our national security.
In July, I announced that UK telecoms providers should cease to procure any new 5G equipment from Huawei after 31 December 2020 and remove all Huawei equipment from our 5G networks by the end of 2027. This Bill enables us to implement those decisions in law.
Tom Tugendhat (Tonbridge and Malling) (Con)
I welcome both the Secretary of State’s direction and his much earlier than expected announcement of no new installations. Does he agree that this fundamentally changes the incentives on any boardroom for using any kit—in this case, Huawei—that is a risk? The cost is going to be laid with the company—that they will have to remove it anyway—which changes the pricing structure that any other company would have to bid for.
Oliver Dowden
My hon. Friend makes a very important point, and I will be coming on to that in a minute. It is actually happening now because telecoms providers and mobile network operators know three things. They have to remove Huawei equipment in respect of 5G by 2027 entirely. They cannot purchase any equipment from the end of this year, and—I will come on to this shortly—we have double locked that, as it were, by having the installation requirement. Mobile network operators are already working on that assumption.
Mr Kevan Jones
I find that very strange because the Bill is about security. The Secretary of State is now saying that he is introducing proposals which mean that if, for example, Vodafone or any other operator has got some stock in, it cannot put it in from the end of this year. What is the security risk there? The only reason we changed the projections earlier last year—which I supported—was the US sanctions on future kit. There is not a security risk to the kit that is going in now so how can he use this Bill, on security, for doing that? Is this not just a political decision that he is making?
Oliver Dowden
To clarify the position for the right hon. Gentleman, mobile network operators cannot purchase from December this year—so they can purchase it now— and the installation limit will then apply from September 2021. The point of these measures is to address the concerns that Members rightly raised that companies could be incentivised to purchase large amounts of stock, stockpile it and then roll it out right the way through to 2027. I told the House in July that I would set us on a clear and unambiguous path to 2027, and these measures do exactly that.
Alun Cairns (Vale of Glamorgan) (Con)
Does the Secretary of State agree that, associated with the Bill, there needs to be a plan for the greatest diversity in the supply chains? That is the long-term solution, because part of the challenge is that we have ended up focusing on one supplier, Huawei, which has been dominant in this field. What action is he taking in that area?
Oliver Dowden
I thank my right hon. Friend for his intervention. The interventions are tempting me to jump around points that I intend to make, but he is right about the importance of diversification. We have published the diversification strategy, which is available for Members to examine, and I will come on to it in a moment.
It is this Bill and this Bill alone that gives Members the assurances they seek for the security of our networks both now and in the future. Further to the point made by my hon. Friend the Member for Tonbridge and Malling (Tom Tugendhat), operators are already taking our approach seriously—they are working now to meet the Government’s requirements. For example, BT has signed a deal with Ericsson for 5G equipment to enable it to phase out Huawei and is already in the process of using Ericsson products to replace Huawei in its core. Where operators can go further and faster without jeopardising the stability of our network, we will of course encourage them to do so, but it would be a big risk to force them to go even further. BT and others have warned that moving faster could put our networks under considerable strain, creating significant risk of blackouts, and it would take longer for 5G to reach the parts of the country where it would make the most difference.
Mr Ellwood
O2, Three and BT had concerns that they would have to cancel their contracts with Huawei but still pay for them, because the equipment was on its way. Could my right hon. Friend clarify what happens to contracts that are in the pipeline, which could see these companies go bust if they have to pay for them?
Oliver Dowden
My Department is in close contact with mobile network operators. I do not think that the sort of risk my right hon. Friend describes of companies going bust is remotely the case. Furthermore, we have given clear advance notice of this. For example, we made the first statements in January this year. We updated the guidance in July, and we also consulted extensively with the mobile network operators on the requirements in relation to installation that I am announcing today.
Oliver Dowden
I will make some progress. I may come back to the right hon. Gentleman later, but I have already given way to him twice.
I know that some Members are concerned that we have not named Huawei on the face of the Bill and that our approach could be reversed in years to come. I want to reassure those Members on a number of fronts. We have not chosen to name Huawei for two compelling practical reasons. First, as we discussed, this Bill is designed to tackle not only the Huaweis of today but the Huaweis of tomorrow, wherever they come from. It needs to be flexible enough to cover future threats and not tie our hands by limiting our response to one company and one company alone. Secondly—this is the most crucial point—making reference to any one company would create a hybrid Bill, dramatically slowing the passage of the Bill and therefore our ability to combat all high-risk vendors, including Huawei.
However, as a concrete sign of our commitment to tackling the national security risks posed by Huawei, I can confirm today that we are going further in two significant ways. First—I hope Members will have had a chance to see this—we have published an illustrative designation notice and an illustrative designated vendor direction to demonstrate how the Bill’s powers in relation to a high-risk vendor could be exercised. Given the level of concern in this House and in the other place about Huawei’s role in 5G infrastructure, these illustrative drafts name Huawei explicitly, clarifying our position beyond doubt, and set out a clear pathway to the reduction and removal of its equipment.
Dr Luke Evans (Bosworth) (Con)
Does the Secretary of State believe that taking out companies such as Huawei may damage the economic impact, and what assessment has he made about making sure that we are at the forefront of growing 5G network in the UK?
Oliver Dowden
My hon. Friend raises an important point. We are clear-eyed about putting national security first. If national security and economic interests are in conflict with each other, national security comes first. But within the context of that, we have properly weighed up the risks as between different dates. I believe that 2027 strikes the appropriate balance in that it can be delivered with impact, in the way that I described in my statement to the House in July—it will have an impact in terms of cost and roll-out for mobile network operators—but it does not run the risk that we go too far and too fast, whereby we risk some sort of blackout and loss of provision.
In addition to the draft directions, we are going a step further by using the illustrative directions to set out a new hard deadline for the installation of Huawei equipment. That direction makes it clear that all operators must not install Huawei equipment in their networks from the end of September 2021.
That clarification has clear practical implications. It will prevent any operator from stockpiling Huawei kit in the hope that the ban might be reversed. The new installation deadline will create cold hard facts on the ground, effectively turning the plan for Huawei’s removal into an irreversible reality.
The powers in the Bill also allow us to keep an eagle eye on the progress of Huawei’s removal. They enable us to require Ofcom to obtain information from companies to see whether a provider has complied, or is complying, and they allow us to require providers to prepare a plan setting out exactly how they intend to get to zero Huawei by 2027.
Using those powers, we will not just publish an annual report of compliance on the removal of Huawei equipment, but keep a close watch on the future progress of all telecoms companies where Huawei is concerned. Under this rigorous monitoring and reporting system, no provider will be able to drag their feet. They will need to provide proof that they are working to meet the 2027 deadline. But, critically, we can do this only if we secure these important powers—the powers that will enable us to take action in relation to Huawei to protect our networks, but also to take action against any other potential high-risk vendors now and in the future.
Mr Kevan Jones
The right hon. Gentleman is wrong. This Bill is actually about security. The reason he is going to get the powers is to take out vendors who are a clear high risk. Huawei has been there for a while. The kit that he is talking about banning after 2021—even if it is stockpiled or part of a contract—has not got a security implication at all because it has already gone through our Huawei centre. So I am not sure that he has the powers in the Bill to do that. I am sorry, but if I were a telecoms provider and I had a contract or a stockpile of kit that I could not use, I would be looking at taking legal action against the Government, because he cannot use the Bill if that equipment is not a threat to national security, which it is not.
Oliver Dowden
I say to the hon. Gentleman—[Interruption.] I beg his pardon. It is the right hon. Gentleman. I stand corrected. I say to the right hon. Gentleman that, first, this Bill and the measures in it implement what we announced as a Government in January and July, which, in turn, was based on the advice of the National Cyber Security Centre and GCHQ. In relation to whether I, or any Secretary of State, has sufficient powers in the Bill, I refer him to clause 16(2), which inserts new section 105Z8(4)(a) to (l) into the Communications Act 2003, which sets out a very wide range of bases on which I can designate a provider as high risk and take measures, so I am confident that I have those sufficient powers.
We must never find ourselves in this position again. Over the last few decades, countless countries across the world have become over-reliant on too few vendors, thanks to a lack of competition in the global telecoms supply chain. While this is a global problem, today this Government are officially leading the way in solving it. Alongside the Bill, we have published an ambitious diversification strategy—the first such strategy to be published anywhere in the world. It sets out our vision of what an open, competitive, diverse supply market for telecoms will look like, and the measures we will bring forward to develop an innovative and dynamic market.
We want to make progress as quickly as possible, so today I can also confirm that we are committing £250 million to kick-start this work. That includes funding and building a state-of-the-art national telecoms lab, which will bring together suppliers from across the world to test the performance and security of their equipment. We are also running a 5G open radio access network trial with the Japanese supplier NEC in Wales to help the entire UK benefit from this exciting new industry. That, of course, comes on top of NEC establishing a global open RAN centre of excellence in the UK just last month. We also know that Vodafone has recently announced that it intends to deploy open RAN technology across more than 2,600 of its sites—the largest commitment of its kind across any European network.
Tom Tugendhat
The Secretary of State is rightly focusing on open RAN and the opportunity to partner with others in the democratic and law-abiding world. What has he done to reach out to countries such as South Korea, whose Samsung system could provide for the UK, and to encourage Nokia, Ericsson and Fujitsu in Japan?
Oliver Dowden
I am pleased to say that the Minister for Digital Infrastructure has met every one of the parties my hon. Friend named; indeed, I have met many of them. Essentially, we are working across three strands. First, we are working with the existing vendors—there were three, now to become two—to secure them and make sure we do not lose a further one. We are also working with new potential incumbents such as NEC and Samsung. In addition, we are working across a range of countries, in particular the D10, to ensure that we work together to improve standards in telecoms.
Sir Iain Duncan Smith (Chingford and Woodford Green) (Con)
I am grateful to my right hon. Friend, who is being customarily generous in giving way, but can I just make a point to him and hear his answer? This situation has constantly been wrongly described as a market failure. It was not a market failure; the failure was in the reality of one country abusing and breaking World Trade Organisation rules on subsidies. The key problem has been that China has subsidised its providers dramatically, even over 100% on contract, which has killed this market over the last 10 years. Once we release the market by stopping that, the private sector will come back into this industry because competition will be real competition, not broken competition. That is the key point.
Oliver Dowden
My right hon. Friend highlights one of a range of different market distortions that have been going on. To a certain extent, there will be some market correction, but the Government also need to intervene, and our diversification strategy addresses that. If we are to get existing vendors who are not currently in the UK market back in, or to create a new open RAN solution, we need to provide financial incentives, and the diversification strategy touches on many of the steps that we propose to take.
We are taking concrete steps towards a solution, but diversification is not just a problem to be solved. It is also an opportunity to be seized. As part of our strategy, we will invest in homegrown solutions that will put us at the forefront of developing 5G technology and all the transformative benefits it brings. The next phase of this work will be taken forward by the Telecoms Diversification Task Force, chaired by Lord Livingston, formerly of BT, and others. I am grateful for the work that he, industry and academic experts have done in developing the strategy and in taking it forward.
The Bill has not been designed around one company, one country or one threat. Its strength is that it creates an enduring, flexible and far-reaching telecoms regime, one that keeps pace with changing technology and changing threats, that supports billions of phone calls, email exchanges and file transfers in this country every day, and that is essential to the UK’s economy and its future prosperity.
I listened carefully to the concerns of Members on both sides of the House in designing the legislation, and I have sought to address those concerns head on in the Bill as it stands before the House. I genuinely hope that the Bill will command cross-party support and that we will be able to work together in the national interest to ensure the security of our telecoms networks. I commend the Bill to the House.
Jo Stevens (Cardiff Central) (Lab)
It is a pleasure to speak in this Second Reading debate on the Telecommunications (Security) Bill on behalf of the official Opposition. Labour will always put national security first, so we are pleased to finally see this Bill brought forward by the Government. All sides of the House agree that the first duty of any Government is to protect their citizens, and we have confidence in our national security services, which go to such lengths to keep us all safe.
I say I am pleased to finally see this Bill brought forward because it has been clear for a long time that there were serious questions over whether high-risk vendors, specifically Huawei, should be allowed to control large sections of our country’s telecoms networks. But let us be frank: until this year, the Government had failed to face reality. I agree with the shadow digital Minister, my hon. Friend the Member for Newcastle upon Tyne Central (Chi Onwurah), who said here in July that the Government’s
“approach to our 5G capability, Huawei and our national security has been incomprehensibly negligent.”—[Official Report, 14 July 2020; Vol. 678, c. 1378.]
As long ago as June 2013, the Intelligence and Security Committee report on “Foreign involvement in the Critical National Infrastructure” made it absolutely clear that risks had to be properly identified, assessed and managed, and that processes and procedures had to be put in place to achieve this, and those needed to be completely robust.
I am sure that Conservative Members will be keen to mention that Huawei first entered the UK network in 2006 under a Labour Government, but as is very clear from the ISC report, that decision was one taken by officers, and Ministers were not told about it at the time. In fact, they were not even told that a contract had been signed until a year later, seemingly because those officials felt that to invest in Huawei brought significant trade, financial and diplomatic consequences. Since that decision, much has changed with the situation of the UK’s relationship with China. The Conservative party have had ample time not only to begin that removal process, should it have wished to, but to invest in the diversification that could have meant we had a homegrown alternative ready to use. It is only today, after 10 and a half years in government, that this diversification strategy has finally been published.
We know that the political background to this Bill has much to do with the power of many Conservative Back Benchers—many are here today, and I am looking forward to hearing all the contributions to the debate in due course—but it is as much to do with what had been a desire to satisfy the now outgoing President of the United States as it is with the safety of our critical national infrastructure, and this political soap opera has been an unnecessary distraction.
Tom Tugendhat
The hon. Lady will forgive me for picking just a very small hole in her argument. One of the very few policies on which President-elect Biden and President Trump, and indeed even Speaker Pelosi, do absolutely agree is the challenge of China and digital infrastructure, and particularly Huawei, so I am not entirely sure this can be put down to satisfying the Trump Administration. Indeed, it is something on which we agree with Australia, Japan, South Korea, Germany, the Czech Republic—I can keep going—while France banned it in 2009. This is not just an American issue.
Jo Stevens
I accept that it is not just an American issue, but it was the right thing for the wrong reasons, essentially. As I say, this political soap opera has been an unnecessary distraction when it comes to the serious matter of extracting high-risk vendors from the network, which has been slow and fragmented.
Mark Pritchard (The Wrekin) (Con)
On a point of fact and detail, I recall in 2009 the Chinese Premier being with the then Prime Minister Gordon Brown in Downing Street, welcoming the strategic partnership—with an all-singing, all-dancing party in Downing Street—between Vodafone and Huawei. It is therefore a little party political to suggest that it is only the Conservatives who have perhaps taken their eyes off the ball, something which we are correcting today.
Jo Stevens
The hon. Gentleman seems to have forgotten about the former Prime Minister David Cameron and the former Chancellor of the Exchequer George Osborne, who also gave such a welcome.
It is worth outlining for the record the meandering journey that we have been on towards the publication of the Bill. The House will recall that in May 2019 the current Secretary of State for Education, the right hon. Member for South Staffordshire (Gavin Williamson) was sacked as Secretary of State for Defence following an inquiry into a leak from a National Security Council meeting at which it was reported that the Government had been advised in May 2019 to remove Huawei from the network. It was not until January this year—eight months later—that the Government decided that Huawei equipment should be excluded from the sensitive core parts of the 5G and gigabit-capable networks and from sensitive and safety-critical locations such as critical national infrastructure, and that its access to the non-sensitive parts of the network described as the “edge” would be capped at 35%.
In May, the United States imposed sanctions on Huawei through changes to their foreign direct product rules that restricted Huawei’s ability to produce important products using US technology or software. The NCSC advised that the UK could no longer be confident that it would be able to guarantee the security of future Huawei 5G equipment affected by the change in those US rules so, as the Secretary of State outlined, the Government changed their position again in July, announcing a ban on the buying of new 5G Huawei equipment after December this year and the removal of all equipment from our 5G networks by the end of 2027.
The UK has been slower to take action than our Five Eyes allies. In August 2018, the Australian Government blacklisted Huawei from the country’s 5G network in response to security advice, and New Zealand took the same decision in that same year. Our Intelligence and Security Committee made it clear 18 months ago that the debate on high-risk vendors had been “unnecessarily protracted” and damaging.
Mr Kevan Jones
It is worse than that. I know we had the panda-hugging days of Osborne and Cameron, but an ISC report in 2013 raised the issue of critical national infrastructure, with particular reference to Huawei, and nothing was done.
Jo Stevens
My right hon. Friend is absolutely right. For the benefit of anyone who has not read that report, it is pretty damning. We now find ourselves in a situation in which drastic action is necessary to safeguard national security and our critical national infrastructure, while at the very same time the economic imperative of the roll-out of 5G for the country has never been more urgent—and that has obviously been added to by the impact of the covid pandemic.
It is worth putting on the record that there are reasons other than national security in respect of Huawei that concern many Members from all parties in this House. The telecoms company has provided surveillance technology to the Xinjiang public security bureau, facilitating the construction of the world’s most invasive surveillance state. Last November, an Australian Strategic Policy Institute report detailed how Huawei has developed the Xinjiang public security cloud, which makes possible the total control and repression of Uyghur Muslims. As my hon. Friend the Member for Leeds North West (Alex Sobel) set out in a Westminster Hall debate on 4 March this year, the company has a shameful record on workers’ rights, operating
“a ‘wolf’ work culture of long hours and brutal workplace norms.”—[Official Report, 4 March 2020; Vol. 672, c. 282WH.]
Mr Ellwood
The hon. Lady is setting out a long list of concerns with which many in the House would absolutely agree. Does she agree that for the reasons she is outlining it is perhaps now time for us to review the overseas aid that we give to China?
Jo Stevens
I do not want to step beyond my brief and interfere in that of my shadow Cabinet colleague, but we certainly should not be doing business with any companies that breach both human rights and workers’ rights. We have international labour standards in place and these are not companies with which to do business.
Turning now to broadband and 5G roll-out, and the delays and the costs layering on top of them, we have already seen delays in the roll-out of second and third generation fixed broadband, and we are now at the bottom of the OECD tables. In fact, only last week the Government sneaked out in the Chancellor’s spending review plans to water down their broadband promises. Instead of keeping to their manifesto promise to roll out gigabit-speed broadband to every home in Britain by 2025, the Chancellor revealed that the Government are now aiming to have a minimum of 85% coverage by that date. The budget for that plan remains the same, but now only £1.2 billion of the £5 billion will be made available up until 2024, so this will impact on the so-called levelling-up agenda.
The Government’s delay in dealing with the issue of high-risk vendors until now has also meant that there will be added delays and costs to the roll-out of 5G. The Secretary of State accepted that in July, when he said that the cumulative delay would be two to three years. However, the Government’s impact assessment for the Bill does not establish the effect of removing Huawei from the core network on the timescale for the 5G roll-out, so has the Secretary of State’s position, set out in July, of a two to three-year delay changed at all, and why does the impact assessment fail to address that issue? Also in July, the Secretary of State predicted that removing Huawei would cost operators up to £2 billion, but that could be a huge underestimate, because BT alone is saying that it will cost it £500 million, and the costs could be far greater, including the knock-on effects in terms of lost revenue and wider economic benefits.
As well as those economic consequences, there is another impact, because the provision of 5G for most of the UK will increase the digital divide without significant measures to tackle it. The three central problems at the heart of this divide are lack of internet connection, lack of technological devices, and lack of the skills to use new technology in a meaningful way. The Government have promised, and so far failed, to solve the lack of connection, which is a particular problem for under-served communities. There is nothing about 5G that will make it a better option for those communities, who are already lacking affordable access to fast internet. In addition, there is the distinct possibility that in order to access mobile 5G internet, users will need newer and more expensive devices built for those increased speeds. The pandemic has highlighted these divides and thrown into stark relief the need for help and support for those whose lack of connection, skills and equipment is a real barrier both in terms of employment and other meaningful connections.
There is one other significant consequence to the Government’s delay, and that is the new 4G-based emergency services network. That is now unlikely to completely take over from the existing platform until 2024-25. This delay is costing taxpayers millions. If the Government are forced to keep airwaves going beyond 2022, every year of delay adds an extra cost of about £550 million. The core of the ESM network does feature Huawei equipment, but EE has said that it is already working to strip this out and hopes to complete that by 2023. However, can the Secretary of State reassure the House that the presence of Huawei kit in the 4G ESM network will not have any impact on its lifespan, financial implications or security status and safety concerns?
I turn now to the removal of high-risk vendors’ equipment from the 5G networks. For the purposes of this debate, it is probably easier to refer to it as the removal of Huawei equipment, because that is where everybody’s current focus is. This must all be removed from networks by 2027. There is the “no new purchasing” rule from the end of this month, and the Secretary of State has announced today that existing stocks cannot be used after September 2021. However, there are questions for the Government around the implementation of this that I hope the Minister will be able to answer.
I have five specific questions. First, given that the Bill is based on a distinction between the core and the edge of the networks, how confident are the Government of the durability of the barrier between the core and the edge? Secondly, what steps are the Government taking to prioritise the removal of any existing Huawei equipment from the more sensitive core part of the network, and how much equipment does Huawei have in it? Thirdly, are the Government proposing to provide help to businesses who have invested in Huawei equipment ahead of this decision, and will there be legal support, as many operators may have to honour contracts that they cannot actually use or possibly afford? Fourthly, what steps will the Government be taking to work with local authorities and others to minimise disruption to businesses and individuals when removing the equipment? Fifthly and finally, what steps are being taken to minimise the costs to business?
I have one other point, from a different policy angle. When Australia banned Huawei from participating in its 5G network in 2018, China imposed retaliatory measures on Australian goods. The Government’s impact assessment does not address the economic consequences of potential retaliatory measures, so can they explain what steps are being taken to plan for that possibility?
Sir Iain Duncan Smith
The hon. Lady makes reference to what the Chinese Government have been doing with regards to the Australians, which is appalling and breaches WTO rules. In a way, her request for the Government to formulate plans against such a breach is really a request of the WTO to act in this case, as it should have done earlier against China’s abuses and breaking of the WTO rules.
Jo Stevens
The right hon. Gentleman makes a valid point.
This Bill gives huge powers to the Secretary of State under the auspices of national security, but it does not define what that means. The Secretary of State will be responsible for making national security judgments and decisions in relation to potential high-risk vendors. The impact assessment suggests that he will not do so unilaterally and that he will consult with the NCSC, but it is incumbent on the Government to explain why they consider that the Secretary of State for Digital, Culture, Media and Sport—I mean nothing personal to the right hon. Gentleman in saying this—is the appropriate decision maker on issues of national security. Would it not be better for the Secretary of State to conduct a multi-agency review prior to using these national security powers, as my right hon. Friend the Member for Doncaster North (Edward Miliband) has suggested in relation to the National Security and Investment Bill, which hands similar powers to the Secretary of State for Business, Energy and Industrial Strategy?
The lack of a definition of national security in this Bill raises particular concerns about the significant level of discretion afforded to the Secretary of State, the transparency with which such decisions will be made and the ability of Parliament to scrutinise those decisions. On another issue relating to scrutiny, Parliament is being asked to vote on this primary legislation before significant elements of how it will operate have been published, because secondary legislation will set out specific security requirements that providers must meet and the codes of practice that have been mentioned. Those will only be available after the Bill has received Royal Assent.
We have concerns about the role and the scope of the powers given to Ofcom in this legislation. These are new powers, which are pretty onerous. With Ofcom also expected to be named as the regulator in the promised online harms Bill—when that finally arrives—we are concerned about the resourcing of and the expertise within Ofcom to be able to deliver its statutory duties and responsibilities. We are concerned not so much about the volume of work, but that the administering of this new security regime may require skills that Ofcom, and potentially DCMS, are unlikely currently to possess. The impact assessment with the Bill suggests a combined monitoring cost for DCMS and Ofcom of £7 million to £12 million over a 10-year period. Do the Government really think that this resourcing budget will be sufficient?
Finally, I turn to the issue of diversification of the telecoms sector. In the ’80s and ’90s, as BT was privatised, our telecoms supply chain was allowed to fall mainly into foreign hands, although they were the hands of our allies. Conservative Governments over the last decade squandered the world-leading position that our broadband infrastructure had been left in by the last Labour Government. Successive Conservative Governments have lost, given away or under-invested in our sovereign telecoms capability as that supply chain has become dominated by high-risk vendors. There are of course added benefits to reducing reliance on a small number of global vendors, including increasing competition, driving innovation and improving resilience, but, as BT and others have warned, it will take time to move at scale towards new approaches. Network operators need to be confident in the maturity, performance, integration and security credentials of new vendors and technologies before they are deployed in their main networks. We agree that the Government can and should help to accelerate that progress, because in doing so, there is the potential to create opportunities for the UK to take the lead, as well as to create much-needed jobs. The strategy published today will need significant scrutiny. The £250 million announced in the spending review last week is obviously welcome, but it lacks sufficient detail, and we look forward to hearing more about how it will be spent.
The Secretary of State claims that this Bill will give the UK one of the toughest telecoms security regimes in the world and allow us to take the action necessary to protect our networks, and I hope he is right. We will not oppose the Bill’s Second Reading, but we have many concerns that will need to be considered and addressed in Committee. The Bill that the House eventually passes must take steps to ensure that our telecoms supply chain is resilient in the future, or we will be forced to return here in a short time to deal with the next Huawei.
We must be mindful, as with all legislation, that we seek to anticipate the problems of the future rather than just deal with the issues that we face today. We of course fully support steps to remove high-risk vendors from the network, but they must go hand in hand with credible measures to diversify the supply chain. We are in this situation because there are no viable alternatives to Huawei, homegrown or otherwise, and that is, in part, a result of the chronic under-investment and lack of leadership from the Government on digital infrastructure. We have to ensure that this does not happen again.
Dr Julian Lewis (New Forest East) (Ind)
It is an absolute pleasure to follow such sensible speeches from those on both Front Benches. There is a history to today’s legislation which I shall set out and against which my Committee colleagues can develop the Intelligence and Security Committee’s current perspectives. As the hon. Member for Cardiff Central (Jo Stevens) mentioned, it was in June 2013 that the Intelligence and Security Committee, on which I served under Sir Malcolm Rifkind’s chairmanship, published a no-holds-barred report on foreign involvement in the critical national infrastructure. It focused on the casual and cavalier way in which contracts were signed between British Telecom and Huawei prior to any ministerial involvement, and it insisted that:
“The National Security Council should ensure that there are effective procedures and powers in place…when it comes to investment in the CNI.”
We demanded an effective process by which Government are alerted to potential foreign investment in the CNI; an established procedure for assessing the risks; a process for developing a strategy to manage these risks throughout the lifetime of the contract and beyond; clarity as to what powers the Government have or need to have; and clear lines of responsibility and accountability. The Committee was
“shocked that officials chose not to inform, let alone consult, Ministers on such an issue.”
That, we concluded, must never again be allowed to happen.
The Government’s July 2013 response to the report bordered on complacency. They conceded that
“with hindsight, we agree that Ministers should have been informed”
and put their faith in the relatively new National Security Council, in conjunction with “cross industry-government groups”, to provide better protection in future. Replying to our main finding that their
“duty to protect the safety and security of its citizens should not be compromised by fears of financial consequences”,
the Government observed that
“HMG’s approach balances economic prosperity…with national security…Boosting trade and investment is a key part of the Government’s plan for growth and we are working hard to develop our economic relationships with key trading partners, including China.”
As Huawei’s chief executive officer had been given the full red-carpet treatment at 10 Downing Street only the previous September, that response was all too predictable, and thus the courtship continued, despite growing anxiety among our Five Eyes partners, such as Australia and the United States.
There can be no doubt of the sincerity of the technical advice given by our experts at GCHQ and, more recently, in the National Cyber Security Centre, its public-facing arm. They recognise—as does the Bill—that the lack of diverse suppliers is a critical future vulnerability. For telecommunications to be resilient, their networks need more than two providers on which to depend. Otherwise, the collapse of one provider means total reliance on the other. Yet should that really override the danger of ever-closer involvement with a company legally in thrall to potentially hostile Chinese intelligence services?
In a statement in July last year, the ISC acknowledged the National Cyber Security Centre’s paradoxical point that three providers might be safer than two, even when the third comes from an adversarial state. Yet it rightly pointed out that
“the issue cannot be viewed solely through a technical lens—because it is not simply about telecommunications equipment. This is a geostrategic decision, the ramifications of which may be felt for decades to come… It is about perception as much as anything: our Five Eyes partners need to be able to trust the UK and we must not do anything which puts that at risk… And there is the question as to whether other countries might follow the UK’s decision”
when they are not as capable of protecting their networks as we are of protecting our own.
Some say that the Government’s perseverance with Huawei was justified on the basis of the technical advice they were given—right up to the point earlier this year when the United States brought in its fierce further sanctions. Yet the fact that the US would take such a step should have been anticipated. Our belated U-turn in July shows what happens when multifaceted problems are examined in a one-dimensional way.
Seven long years after our Huawei report, the Government have—in the space of a fortnight—introduced two important Bills: this one and the National Security and Investment Bill. Taken together, according to the National Cyber Security Centre, they should help to establish an
“appropriately secure and resilient telecoms infrastructure”
and
“effect the security transformation we”—
the NCSC—
“believe to be necessary”.
We are assured that
“operators adhering in totality to the new security regime will be among the most secure in the world”.
Hopefully, our US partners—currently promoting an international clean network initiative—will agree and Five Eyes harmony on those vital matters can now be reinstated.
Having waited so long for two such necessary Bills, the ISC must sadly record our concern that, in both cases, their Second Reading debates were held within just four working days of their introduction on First Reading. Normally, adequate notice of about two weeks would enable our hard-working staff to obtain relevant confidential material and advance sight of such legislation to allow proper prior consideration. The tiny window of opportunity afforded by the parliamentary timetabling has prevented this from happening, and our staff had to fall back purely on publicly available sources.
Proposals such as those in this Bill, which the Committee first recommended in 2013, are therefore to be welcomed, but the public rely on the ISC to assure them that we have asked those questions in private that cannot be discussed more openly. As that has not yet happened, our support for the Bill in principle cannot be as unqualified at this stage, as we should like it to be, though I welcome the Minister’s offer to speak to the Committee later this week.
Here are a few of the questions that can be asked on the Floor of the House. First, as the Department for Digital, Culture, Media and Sport has not traditionally specialised in national security, on whom will the Secretary of State rely for advice when deciding whether to issue restrictions against high-risk vendors, or directions to telecoms providers?
Secondly, if the answer is the National Cyber Security Centre and our wider intelligence community, will there be procedures to guarantee that they will be consulted with adequate notice, and who will ensure that their advice is given sufficient weight? Thirdly, in view of the revolving door, via which too many businessmen and ex-civil servants effortlessly glide between their former roles and the Huawei boardroom, what assurance can we have that the Government will be immune from lobbying campaigns by those on the payroll of high-risk vendors?
Finally, I have a question that I was pleased, I think, to hear the Secretary of State answer 15 minutes into his opening speech, but it would be nice to have the Minister reiterate that answer: unlike in 2013, do the Government now fully accept that national security must always be their overriding consideration where critical national infrastructure is concerned?
Richard Thomson (Gordon) (SNP)
It is a pleasure to speak in this Second Reading debate and to follow the Chair of the Intelligence and Security Committee, the right hon. Member for New Forest East (Dr Lewis), who has given us some very important historical context to how we have arrived at the point we have arrived at today. He posed some pointed and pertinent questions, which we look forward to seeing addressed as the Bill progresses.
The Bill provides a very much stronger security framework for telecommunications infrastructure and gives the Government the ability to manage the risk posed by high-risk vendors. I speak on behalf of my group when I say that we support it in all that it is trying to achieve. 5G technology offers great opportunities for connectivity and for commerce, through the internet of things, including the greater use of telemedicine, automated threat detection and even autonomous vehicles, but anything that compromises the access to or proper use of telecommunications networks or the security and integrity of the information that flows through them is a cause for concern. Whether in terms of intercepting information, interfering with information or stopping it from being transmitted or received, it represents a commercial and security threat to be very much guarded against.
Clearly, the infrastructure that the suppliers use to provide us with that communications bandwidth is of crucial importance in maintaining the security and integrity of that information. Therefore, it is something of a surprise that the UK Government appear to have come to the realisation only comparatively recently that having too much of the critical national infrastructure in too few hands might be a problem.
The Scottish National party is clear: the UK Government need to learn the lessons of how we have got to where we have got to on security in awarding the 5G contracts and to provide assurances going forward that the replacement strategy will be a safe and secure one. My party very much wishes us to be among the forward-looking nations at the forefront of the 5G age. However, given that these new opportunities carry new risks, security and resilience need to be built into it from the outset. We also wish to be assured that this legislation and the impacts that it may go on to have will not adversely impact network roll-out or consumer costs in the longer term, and we also want to make sure that the opportunities for building our domestic capabilities in manufacturing, in open RAN and in the broader supply chain will be fully seized.
Inevitably, in this debate so far there has been a focus on Huawei and China, and for all that Huawei has previously been regarded as a reliable partner, that focus is entirely understandable. The point needs to be made that Huawei did not suddenly become a potentially high-risk vendor overnight. This has not just crept up on us; it has been allowed to creep up on us. The Chinese Government’s involvement in recent state-sponsored cyber-attacks ought to have been enough to set the alarm bells ringing, if they were not already ringing, and to give proper cause for refection over the possible security concerns in that well before now. It is right that we use this opportunity to pause for reflection on the relationship we have with China.
Clearly, it is important to have a strong relationship, one on which we would seek to exert a positive influence, especially when it comes to human rights. However, international relationships need to be founded on self-respect as well as on mutual respect, and if this Government wish to be able to deal with other Governments on as close to equal or favourable terms as is possible, it is important to ensure that they do not leave us in a position where we are too reliant on any other single state for technology or investment.
Make no mistake: a rapid de-engagement of this kind with Huawei technology is not helpful to maintaining constructive relationships. In our relationship with China, there will now inevitably be a price to pay in terms of loss of influence, as well as an economic price to pay at home if this holds up our roll-out of the technology. To be absolutely clear, we are glad that the decision was taken, but although that U-turn was necessary, there needs to be a clearer commitment to domestic manufacturing than in previous years—decades, even—and better visibility on emerging threats from Governments. This situation was avoidable.
Hybrid threats are growing, as are the capabilities of states and non-state bad actors to enact them, and the UK very much likes to see itself as a country that punches above its weight in the world. In our military and intelligence services, that is almost certainly the case, but I believe there needs to be a realisation and an embracing of the concept of total defence and resilience. At this point in time, our Scandinavian and, particularly, Baltic neighbours seem to have a much better grasp of the significance of that concept than the UK Government do. It is to be very much hoped that with this legislation and recent announcements on defence spending, the UK might now be beginning to come to terms with the many ways in which our economic activities, our public space, and even our political space can be undermined in asymmetric and unconventional ways and finally taking steps to properly address that.
To get into some of the detail of the Bill, the Government have made it clear that vendors who they consider to be high risk should not have access to the core 5G infrastructure. Obviously, we agree, but this needs to be a formal part of any requirements for infrastructure of this kind, and there should be assurances from the Government that any replacement vendors for Huawei or, indeed, others meet the very highest standards that we would expect with that objective in mind.
The Government also need to ensure that there is a proper dialogue with our international allies, to ensure conformity—as far as possible—with high standards of protection. Like many western countries, we are an importer of technology, and as such we need to be seeking unity, as far as possible, in the standards we are willing to allow for this infrastructure that we will ultimately be sharing with our allies and neighbours.
For all that technology is a matter that is reserved to Westminster under the Scotland Act 1998, there are clear implications in how the Bill may operate for devolved nations. We would very much like to see in it a duty on the part of Ministers to consult with devolved nations before taking any ministerial actions under the Bill, as well as a duty on the Minister to consult with devolved nations when it comes to the five-yearly review of the effectiveness of clauses 1 to 13. Given the reserved nature of telecommunications, if there are any additional costs that accrue to businesses or Governments—by businesses, I do not necessarily mean the telecoms companies themselves—the UK Government may be willing to at least contemplate assuming some of the costs that might otherwise fall on tiers of government or the non-telecoms businesses.
I wish to spend some time dwelling on the impact of the roll-out. As a Member of Parliament for rural Scotland, I know that this problem is not unique to rural Scotland—other parts of the UK are affected as well—but there is a recurring theme. From the original Vodafone and Cellnet networks through 3G and to 4G, the coverage maps for mobile phones inevitably roll out in exactly the same way and cover pretty much exactly the same pattern, with the same notspots being missed out.
It is my earnest hope that the same thing does not happen with 5G. It is also important to point out that the roll-out of 4G, and even 3G, across Scotland has not been as complete as we would like, and it would be naive in the extreme to think that 5G roll-out will be any different unless there are some significant changes. It would also be naive not to recognise some of the potential problems that the Bill might present in that light, in terms of the rate of build-out that would otherwise have occurred.
To put the issue into perspective, just 42% of Scotland’s land mass has 4G coverage from all four main UK operators, and 80% from at least one mobile operator. Almost 1 million people living in rural areas currently have no reliable mobile service at that speed of connectivity. That is unacceptable, and has to be an early part of any levelling up agenda.
Owing to the lack of hardware interoperability that the mobile network has been built with, mobile network operators will have to rip out and replace a large amount of high-risk vendor equipment from existing 4G mobile masts before they can even be upgraded to 5G using equipment from an alternative supplier, as well as writing off and replacing that equipment from high-risk vendors already deployed. It is inevitable that the resulting reduced competition will drive prices higher.
From discussions with and briefings from the industry, it is clear to me that while operators can absorb the costs of the decision to remove Huawei equipment, BT estimates that the cost will be as much as half a billion pounds for it alone. It will not be possible to move any faster than the 2027 deadline that the Minister mentioned without creating a significant risk of network blackouts, as well the loss of economic benefits that would otherwise accrue to all parts of the UK. It is a huge challenge for the network operators, and we should not underestimate it. I would like to hear the Minister give a clear assurance that the Government will stick to the 2027 deadline and will not make what is already a difficult job for the mobile network operators even harder.
I would also like the Government to look at ways of trying to counteract the negative effect on the speed of the roll-out. Governments of all political stripes have been rewarded handsomely from selling off electromagnetic spectrum portions for mobile roll-out. Looking again at some of the licence fees might allow some of the telecommunications companies to save that money to invest in new infrastructure from non-high-risk vendors, which would compensate for that level of roll-out and give consumers and business the coverage that we all hope they can get from 5G.
On diversification of the marketplace, we very much welcome the Government’s 5G supply chain diversification strategy, which has been announced alongside the Bill. Reducing the reliance on a comparatively small number of big-player vendors will be hugely important in increasing competition, driving innovation and improving resilience. It will take time to move at scale towards new approaches such as open RAN, and to be successful, network operators need to be confident in the maturity of the performance and the integration and the security credentials of new vendors and technologies before they are deployed on the main networks. The Government can help to accelerate that process and create real opportunities for leadership and job creation with an ambitious commitment to research and development and trials. The funding of £250 million for that activity in the spending review and the Government’s national infrastructure strategy are very much to be welcomed.
This is an important and necessary Bill. It is one that we very much look forward to getting into the detail of and scrutinising further as it makes progress.
Mark Pritchard (The Wrekin) (Con)
I welcome the introduction of the Bill. It is long overdue. Over the past two years, the Government have attributed a range of significant cyber-attacks to Russia, China, North Korea and Iran. Such attacks are unlikely to reduce any time soon, but our legislative and technological resilience can increase in the meantime. The UK needs to be proactive in staying ahead of its adversaries, rather than just reactive. The Bill and the National Security and Investment Bill will help in that regard.
The attacks, often through arm’s length third parties, include dangerous espionage attacks, often on the networks of companies that deliver equipment to telecom providers but whose security is currently inadequate. That can no longer be acceptable, and the Bill will go a long way to making the UK’s networks more secure.
I would like to pay tribute, as has already been done, to my predecessors on the ISC, who, in the Committee’s 2013 report “Foreign involvement in the Critical National Infrastructure”, noted that
“there is no general requirement on companies that own CNI assets to inform or consult Government prior to awarding a contract, whether that be to a UK company or a foreign company. Instead, the Government relies on informal processes or the private company taking the initiative themselves. This is far too haphazard an approach given what is at stake.”
The same Committee also stated:
“Government must have a proper procedure for assessing the risks…and also for developing a strategy for managing those risks. Crucially, this should be an integral part of the process, both before and after contracts are awarded, and not merely an afterthought.”
I hope that the Bill marks a national security turning point, where key infrastructure decisions are based on fact-based risk assessments, not on trust, commercial convenience, political convenience or naivety.
Of course, the Bill is also a recognition—I differ from some colleagues—of market failure. The dominance of major telecoms companies, driving out or buying out the competition, has led to companies such as Huawei positioning themselves as perhaps too big to fail or, in the context of the telecoms market, too big not to buy from, or too big not to supply to. In my view, that is down to political and commercial failure, and I am glad that the Government are putting wrong—putting right that wrong. [Interruption.] I was just making sure that the Minister is on his toes—not literally, but I am glad he is paying attention. I am glad that the Government are putting that right; it is long overdue, as I said.
I hope that the new diversification strategy that has been alluded to today will include enough commercial incentives to attract new vendors and suppliers into the market for the first time, or for existing providers to seek new capital raises in order to maximise new markets, many of them in the public sector—the public sector is a good customer in most cases—and global in nature.
I hope that there might be a new global collaboration in joint development of 6G, 7G and beyond. Five Eyes-based companies might be a good place to start, but trusted EU partners can play a key part too. I think about Airbus and the collaboration on civilian airframes across the world; I think about Typhoon and, prior to that, Tornado—large collaboration, R&D developmental projects that brought together trusted partners around the world to look after our national security, albeit on a different platform and in a different context.
As it stands, as we have already heard, there are only three potential suppliers of mobile access network equipment in the UK: Nokia, Ericsson and Huawei. The lack of diversity across the telecoms supply chain has invariably led—that is why we are here today—to a national dependence on limited suppliers.
Jamie Stone (Caithness, Sutherland and Easter Ross) (LD)
The point the hon. Member makes about international co-operation is a very good one. In buying into joint efforts with allies, we have a share of the intellectual knowledge. Does he agree that that is something we would not have had with Huawei?
Mark Pritchard
The hon. Gentleman is absolutely right, and I am delighted that the Secretary of State has set out that there is going to be a new national telecoms lab. I am not sure whether he has decided on the location, but I commend the telecoms expertise of Shropshire and the west midlands to the Minister.
The Government’s own telecoms supply chain review, published by DCMS in July 2019, found that
“the telecoms market is not working in a way that incentivises good cyber security”—
perhaps another example of British understatement. This Bill will end that, and rightly so.
In its October 2020 report, the Defence Committee, ably led by my right hon. and gallant Friend the Member for Bournemouth East (Mr Ellwood), concluded that the current 5G
“regulatory situation for network security is outdated and unsatisfactory.”
I thank all the members of that Committee for the work that they have done in highlighting that.
I welcome the fact that the Bill will strengthen the security framework for technology used in 5G and full-fibre networks, including electronic equipment and the hardware and software at phone mast sites and telephone exchanges, and that it will give the Government new powers to issue directions to public telecoms providers to manage the risk of perceived high-risk vendors. It is right that the Bill will allow the Government to impose controls on telecom providers’ use of any goods, services or facilities supplied by high-risk vendors.
I very much welcome the Government’s new powers to limit and remove high-risk vendors, such as Huawei, about which we have heard so much already, from the UK telecoms network. I also very much welcome the new and revised timetable that the Government have announced today for doing this. In saying that, I hope that the Government are not being overly ambitious, as we heard from other hon. Members, but it is right to establish the principle today and move more swiftly on this key issue of national security and diversity in the marketplace.
I welcome the Bill incentivising better security by financially penalising providers that operate below minimum security standards, but I hope—the Minister is here—that a carrot-and-stick approach will be the default DCMS and Ofcom approach, rather than just a stick, as it is the private sector’s co-operation that will help us to move forward on this. It is very much key to the market diversification that the Government want and, more widely, to the partnership in cyber-security resilience in both the private and public sectors. We do not want to have enmity with the very people that the Government need to work more closely with in dealing with these issues.
The Bill makes Ofcom responsible for monitoring and enforcing telecoms providers’ compliance with their security duties where providers do not meet their obligations. I gently ask the Government whether they feel that Ofcom has the necessary teeth. Will Ofcom outsource or buy in any additional and required expertise?
The Bill, rightly, does not allow vendors to have access to the UK telecoms network denied, removed or limited for any reasons other than the protection of the UK’s national security, again making sure that we are not putting up new barriers to new entrants to the marketplace. It is also welcome that the Bill does not give the Secretary of State the right to limit or remove vendors to protect or improve the commercial interests of other vendors in the marketplace. I hope that the Minister will elucidate this important point so that there can be, from today, investor, shareholder and commercial safeguards that will allow any of those reading Hansard in the private sector to be reassured.
I would like to ask the Minister some questions. How will the Government ensure that Ofcom has sufficient staff with the necessary skills to undertake this work before it assumes its new responsibilities, which are separate from the point of buying in or outsourcing? Even if someone is buying in or outsourcing, they need to have the skills to know what they are outsourcing to and for, and so it is with buying it in, making sure that they are getting the right people in.
How will the Minister’s Department ensure that Ofcom is provided with the necessary information and relevant data on what is a new area of expertise and work for it, particularly in this detail? I welcome the fact that the Bill requires the Secretary of State to lay before Parliament a copy of all designated vendor directions and designation notices, except where doing so would be contrary to the interests of national security. However, when such information cannot be laid before Parliament, as was alluded to by my right hon. Friend the Member for New Forest East (Dr Lewis), the Chair of the Intelligence and Security Committee, will the Minister undertake to provide that information to the Intelligence and Security Committee so that Parliament and the public know that there is sufficient and adequate oversight?
Finally, as the shadow Secretary of State asked, given the recent experience of the Australian Government, what can the Minister say today on the record to deter any temptation by the Chinese Government to take any similar retaliatory measures against the UK? Does he agree that if they were so tempted—I hope they would not be—perhaps the £20 billion trade surplus for China might focus calmer and more reasonable heads in Beijing today?
Sir Iain Duncan Smith
I hear my hon. Friend’s point, but does he not agree that one of the greatest bastions against this behaviour by the Chinese Government would be for all members of the free world, particularly the Five Eyes, to come together both to condemn their behaviour and to themselves talk about introducing sanctions against China if it carries on behaving like this?
Mark Pritchard
Colleagues will be pleased to hear that I am reaching my concluding comments and I will address that question then. While I have huge respect for my right hon. Friend—he is absolutely right and has been leading the way on this and I pay tribute to him on that—there is a lot we can do with China. In fact, I will put my notes down and jump to my conclusion now.
This is not an anti-China Bill; this is not an anti-Huawei Bill. This is about ensuring the greater resilience of our national security through our telecoms infrastructure. It is not about putting up barriers to entry for existing or new companies coming into the marketplace. I agree that we have to be robust against China when that is right, but we also need to recognise that there is a lot of co-operation and collaboration with China on trade and on climate change, so we agree on many things and we disagree on many things, but I do not think talk of sanctions is necessarily right at this stage.
I support this Bill. It is long overdue; I commend the Government for bringing it forward.
Several hon. Members rose—
Madam Deputy Speaker (Dame Rosie Winterton)
Order. There is now less than two hours until the wind-ups are likely to start. By my calculation, that means that if everybody is going to have equal time, contributions ought to take about eight minutes. I do not want to set a time limit, but that is a rough guide for the debate.
Mr Kevan Jones (North Durham) (Lab)
I join the right hon. Member for New Forest East (Dr Lewis) in welcoming this Bill in principle but giving it a qualified welcome. It amends the Communications Act 2003, and in terms of technology 2003 is light years away.
When I was at school computers were not as common as today and even having a telephone at home was a rarity, so great changes have taken place in these types of technologies—as I have seen even in my short lifetime—and the pace of change is only going to increase. That is why this Bill is welcome in updating our laws, and it will not be the last Bill we require, because as technology advances, further updating will be needed. However, as the right hon. Gentleman said, the Intelligence and Security Committee warned about all this in 2013. It was the same with the National Security and Investment Bill last week; the warnings have been there. Yes, there has been a change of direction in the Conservative party from panda hugging to panda bashing now as the flavour of the day, but the question of security should always be central to all this.
To be fair to the Government, they have not stood still. We have been ahead of other nations in terms of Huawei and security and having the Huawei cyber security evaluation centre, which has helped us protect our networks. But a balance must be struck between open competition and being able to interact with other nations, and also protecting our security.
I want to touch briefly on the issue of security, as that is what the Bill is about. I think some people are getting carried away in thinking that the Bill will be used in a protectionist way to protect our own suppliers or as a way of cutting off altogether any trade with regimes that we might have huge reservations about, such as China. We are never going to be able to do that. The powers in the Bill are clearly around security, and my only problem is with the definition of the word. I would argue that the way in which the Government approached the matter of the Huawei security centre had security its centre in order to protect our networks. As the Minister knows, I was one of those who agreed with the Government’s decision in July to allow Huawei to have 35% of the market as long as the security was there. The National Cyber Security Centre was clear in its evidence that that could be maintained. It was the American sanctions that changed that.
When a Secretary of State makes his or her decision on whether to take a vendor out, the important thing is that it is made on the ground of security. It is not clear from the Bill how that will be looked at. I would not want to see lobbying for a certain company, for example, or a situation such as we are currently seeing on the Conservative Back Benches where anything with “China” on it has to be resisted. I should point out that many people in the Chamber tonight will have mobile phones in their pockets that contain Chinese components. Even Ericsson and Nokia, which we are going to allow into our system, use components that are made in China. We cannot just close our minds to China altogether, so these decisions must have security at their centre.
Any decisions made by the Secretary of State have to be around security, and I have some concerns about DCMS having control over this. I raised a similar point on the National Security and Investment Bill. I am not sure that the Department has the necessary expertise. Personally, I would sooner see the Secretary of State taking such decisions alongside the National Security Council, or a sub-committee of the NSC, for example, to ensure that security could be at the heart of those decisions. Likewise, I have reservations about Ofcom. As a regulator, it has been around for quite a while now, but I wonder whether it has the expertise to look at the security sector.
A specific practical point about DCMS and Ofcom is that if a decision were taken by the Secretary of State on security grounds, a lot of the relevant information would be highly classified and would not be available to people without the necessary security clearance. I presume that the Secretary of State has the highest security clearance, but I doubt whether anyone in Ofcom would do so. I would like to hear more about how that will work in practice when they are dealing with highly classified information, because the Bill makes it clear that that is the only way in which a vendor can be struck from the marketplace.
Another issue, which has already been raised, is whether Ofcom will have the necessary budget and focus to undertake this work. The right hon. Member for New Forest East made the point about a revolving door, and that is an issue that concerns many people. There is a revolving door between industry, the various regulatory bodies and the Government.
There is also an issue around oversight. I do not see anything in the Bill that will allow parliamentary oversight of these decisions. Clause 17 refers to the Secretary of State being required to lay a copy of their decisions before Parliament, but there is also a get-out clause in that the requirement
“does not apply if the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would be contrary to the interests of national security.”
Anyone who has been in the House for any length of time and who has worked in this field will know that that is the usual way for civil servants to get out of any kind of question whatsoever. There is a need for oversight in this regard. I am not trying to make work for the Intelligence and Security Committee, which I am a member of, but it is the only Committee of Parliament that has a high enough security clearance to be able to see the information that will inform these decisions. Without that, there is an issue in the Bill in terms of how Parliament will scrutinise the Secretary of State’s decisions effectively.
Anthony Mangnall (Totnes) (Con)
I am sorry to interrupt the right hon. Gentleman while he is making such good progress. If a decision were not to be laid before Parliament, would he accept the idea of it going before the Intelligence and Security Committee?
Mr Jones
Yes. If we were able to see it, at least we would be able to get access to the intelligence that informed it. The DCMS has its own Select Committee, but that Committee does not have the clearance, so I would suggest taking the approach the hon. Gentleman describes. There is a way of doing that. Under the Justice and Security Act 2013, the DCMS does not come under the Intelligence and Security Committee’s remit, but we could change the memorandum of understanding to include this issue. I think that is needed, and I said the same thing on the National Security and Investment Bill.
On diversity, we would love to have a large number of vendors, but there is a clear issue we have to recognise. People talk about market failure. There has been a market failure because, in terms of Huawei and the Chinese state, there has been a deliberate decision to buy in to a sector. There has also been a tendency among us all, as consumers of telecoms services, to make sure that the rates go down as low as possible. That has led the prices down, so there is no money in the infrastructure at all, which is why companies have got out of the sector.
There is an area where diversity can come in, and that is open RAN. If the investment goes into that, we could be a world leader, but let us not make the mistakes we have in the past, where we have been a world leader—for example, in fibre technology in the early 1990s—and then gave that lead away.
On the removal of Huawei from the 5G network, the 2027 deadline needs to be maintained. I am sorry, but I think the Secretary of State is wrong in what he is suggesting. If he does what he suggests, that will add further costs and slow our progress. The equipment that is there now has been through the cyber security centre. We are satisfied that there is no security risk from that equipment, so why rip it out before we have to do so? All that that will do is slow our system down and slow the economic advantages that can come from 5G.
We have concentrated a lot in the debate on the hardware. Will the Bill somehow make us completely immune from cyber-attack? No, it will not. The other side to this, which is just as important, is to ensure that we educate companies to ensure that they use their systems safely and that upgrades are done on security networks and other things. That is about the basic education of the people who use a mobile phone or any type of computer network.
With those concerns, I welcome the Bill as a step forward. Let us see it not just as a way for us to somehow solve all our cyber-problems, because we will not. We still have to be vigilant, and we still have to make sure that our security services have the finance, ability and expertise to respond to the enemies who are attacking us.
Bob Stewart (Beckenham) (Con)
This Bill makes sense. I agree with the right hon. Member for North Durham (Mr Jones) that it is primarily about security. It is a top priority for us to ensure the security of all telecommunications networks, particularly those that might carry classified information and that is what this Bill is all about. I particularly endorse those clauses in the Bill that give the Government robust powers to manage high-risk vendors based, of course, on National Cyber Security Centre advice. That may well also include direct guidance from other intelligence agencies as well. It is also absolutely right that the Government have placed a ban on purchasing new equipment from high-risk vendors from September 2021 and ordered the removal of high-risk vendor equipment from our networks by 2027, but, as I will go on to say, it will have implications. I wish we could achieve that earlier, but, obviously, industry needs time to manage the transition required.
The NCSC is at the forefront in developing telecommunications security requirements. It has done this in collaboration with industry and these requirements are detailed and effectively designed to establish a layered defence against cyber-attacks and infiltration. Codes of practice will devolve from these requirements and they will form a method of operation as well as being a way of calculating risks for operators Ofcom, DCMS, and NCSC. I endorse the view that these requirements and codes of practice will definitely increase the difficulty, the cost and the risks faced by a hostile player attempting to infiltrate or to compromise a UK telecommunications network, but, as the right hon. Gentleman has said, that does not mean that we are invulnerable—oh, no, it does not. There are still risks.
Next year, I gather that we will need to pass secondary legislation to endorse codes of practice that will, thereafter, be used to instruct operators on how to meet their security obligations. Such codes of practice will be policed by Ofcom—we have talked about that a little. Most certainly, it will require training on how to do this. Here there needs to be a serious interchange with the NCSC where a working relationship between the two bodies is crucial—and at cost. Of course there are penalties for this decision. Not only will this change delay the roll-out of the 5G network, but significant consequent costs will be incurred by industry. I know that industry may need the Government to support it in consequence of this decision. On the other hand, a recent report has also suggested that upgrading the UK’s 5G infrastructure could be worth about £158 billion to the economy over a 10-year period.
We have already mentioned that there are three significant vendors who provide large-scale telecommunications equipment in the UK. These are Ericsson, Nokia and Huawei. With the significant removal of Huawei as a result of this Bill, choice of vendors is of course reduced by a third, which is most certainly not ideal. It would be far better if we had more choice and competition, but we do not—that is the fact of it. However, Ericsson and Nokia are very good, trusted and long-standing companies whose security credentials are tried and trusted. I am very pleased by the idea of the open radio access network—open RAN—being developed. It is crucial to develop the UK as a world leader in 5G. Essentially, open RAN allows interconnectivity between different telecommunications mobile networks, and avoids the necessity of all components coming from just one supplier. For instance, Ericsson equipment can be interfaced with that of Nokia, or perhaps another new supplier—let’s hope so. That aids the drive towards competition andthus has cost benefits.
I have been an extremely good boy, Madam Deputy Speaker. I hope I am going to get a thumbs up for finishing in six minutes. I commend this Bill to the House.
Bob Stewart
I got a thumbs up from Madam Deputy Speaker; I sit down with a big glow on my face.
Jamie Stone (Caithness, Sutherland and Easter Ross) (LD)
Follow that if you can.
The hon. Member for Beckenham (Bob Stewart) and the right hon. Member for North Durham (Mr Jones) make the point: it is about security, absolutely. Anyone who thinks that there are not states out there, which have been named here today, that are not about the UK’s good health, is kidding themselves; it is as simple as that. We have come a long way since the Westminster Hall debate earlier this year, if my memory serves me rightly, but I always think that a late convert is the best convert of all, and we are where we are today. My party and I support the Bill at this stage.
It is an incredibly complex situation, which gets more complex almost by the month and the year. Frankly, the whole subject of cyber-security terrifies me. When I first came down here three years ago, a humble—no, I will not say a humble crofter, because that nomenclature belongs to another Member on this side of the House. When I came down here from the highlands, the situation was forcibly brought home to me when I went to Estonia with the Armed Forces Parliamentary Scheme. I was firmly instructed by a Sergeant Major from the 3rd Battalion the Yorkshire Regiment on no account whatever to turn on my mobile, otherwise a state not terribly keen on our good health would simply triangulate in on me, and would probably try to hack in; that brought it home to me in no uncertain terms.
In the short time available—I will try to be as good as the hon. Member for Beckenham—I want to make two points. The first was touched on, correctly, by the shadow Secretary of State: there is, alas, an unsavoury side to the way in which China does some things. We are all aware of the reports coming out of that country of the horrendous abuse of the Uyghur people in Xinjiang province; it is an ugly scene. A recent report suggests that some 82 foreign and Chinese companies benefit from the forced labour programme by the Chinese Government. Of course, the Chinese Government would say, “No, no, no. That’s not right at all. It’s not forced labour; it’s not like that.” They have described it as “detention centres”, “re-education” facilities and—this is quite sinister—“de-extremification” camps. They have contorted their language quite deliberately to cover this stuff up. I make no apologies for saying these things. I had hoped that a state being able to behave in that way had been left behind in 1945 or the end of Stalin’s Russia, but, alas, all is not as it should be.
I welcome this Bill as being a bit like the Government discovering their moral compass. Coming away from Huawei has the benefit that we are helping, in our small way, to bring an end to this sort of behaviour by China. It is only a first step. We are going to have to co-operate with other nations. There is a great benefit to what the right hon. Member for New Forest East (Dr Lewis) said, about an alliance with Five Eyes, but that is for another day. The road ahead is beyond our borders. As a good Liberal Democrat, I would make this point: not only should we co-operate as much as we can with Five Eyes, who are crucial to our security and defence, but we should also try to maintain the best possible relationship with our friends in the European Community.
Let me turn to my second point. The hon. Member for Gordon (Richard Thomson) made an excellent speech, and said that 4G and 3G are, at best, patchy. I am afraid that my constituents might be afforded a hollow laugh if I talk about the roll-out of 5G, because in so many parts of Caithness, Sutherland and Easter Ross, there are not a lot of Gs at all—it is not particularly good.
My appeal to Her Majesty’s Government is that they try to address the inequality of provision as they roll out 5G. It is wrong that people should be disadvantaged simply because of where they live. All United Kingdom citizens have a right to these services, and it is fundamental to the way we think of ourselves as a nation—we believe in fairness and fairness of provision. As we come out of this dreadful pandemic, we will have to punch above our weight economically, and access to 5G means that we can mobilise our bright innovators and entrepreneurs all over the United Kingdom, whether they live in the glens and straths of Sutherland, the central belt of Scotland or down here in England.
I will conclude with two points. First, I agree that the 5G diversification strategy brings great opportunities. There will be a financial injection into the UK economy, which will be incredibly useful. Secondly, the right hon. Member for North Durham (Mr Jones) was spot on: it is not just about the hardware. It is about the software and the clever things we do to safeguard ourselves from cyber-attacks, because as I described with the example of the iPhone in Estonia, there are people and states out there who are not for the good of our health.
Sir Iain Duncan Smith (Chingford and Woodford Green) (Con)
I welcome the Government bringing forward this Bill now, and I congratulate them on having listened, which is not always something that Governments can be accused of. The Secretary of State and his Minister, whom I welcome—the Under-Secretary of State for Digital, Culture, Media and Sport, my hon. Friend the Member for Boston and Skegness (Matt Warman) —have listened to many concerns, and measures to address them are now embedded in the Bill.
China recently said that if there was any further interference, it would poke the eyes out of the Five Eyes. This Bill puts the missing fifth eye back into the Five Eyes, because we have been laggard, lazy and late on this, and I think this would probably be the case across the board, so perhaps that is a positive. The right hon. Member for North Durham (Mr Jones) made a very good speech. He was right to say that this is not about China. There are plenty of security risks, as my right hon. Friend the Member for New Forest East (Dr Lewis), the Chair of the Intelligence and Security Committee, said. Russia is a massive security risk to us and has probably carried out more cyber-attacks on us than anybody else. That is debatable, but it has a very big criminal network that attacks us the whole time.
I accept that. However, the difference is that China is now the driving force for our introducing this Bill, because it poses a very different kind of threat. The fact is that China has juxtaposed the ability to dominate in a market sense, which sucks us in—I will come to project kowtow and the mistakes that were made—while at the same time forcing us to often turn a blind eye to some of the work it did, which we do not do with Russia and some of the more immediate threats. It is a peculiar and different challenge, which is now embedded in the Bill.
My right hon. Friend the Member for New Forest East made the important point that the nature of our exposure has been known about for some considerable time, and we should not have ignored it. I thank my colleagues who joined the Huawei interest group early on, in winter last year, and who have campaigned to try to tighten up these security measures. Following that, the Inter-Parliamentary Alliance on China was set up, which is now made up of politicians on the left and right from 38 countries, and they are asking us to tighten up our security co-operation and ensure that we get this right.
This Bill is long overdue, and it is welcome, but I want to highlight three issues in it. First, although it is not in the text of the Bill, the Government have now announced that they accept 2027 as the end point for Huawei as a provider that may be high-risk and that no new Huawei equipment may be installed from September 2021. That is very welcome. In fact, the September 2021 date is better than I would have expected at this point, so I congratulate the Government on being very clear about that. That is a more important date than 2027, in effect, because it opens the market and allows others to recognise now that they have a possibility of re-entering a market that was closed to them by one company in particular—there are other companies in China—that has manipulated the normal rules of market adherence and subsidy. It has been a disaster for us not to recognise that on that basis alone, forgetting the security risks as well.
I am, however, concerned by another point about the process, which leaves the Secretary of State to make these decisions going forward, against criteria that are laid out, and I will come back to that. I think my right hon. Friend the Member for New Forest East said, “Who will be the advisers? Who will advise?” That is absolutely right, and the Secretary of State should listen to the Chair of the Committee on that point. It is important to structure who will advise the Secretary of State and how that will happen. Perhaps the Committee can have a very strong look at that and advise the Government on how to structure that.
There should be a more formal structure embedded in the Bill, otherwise it will be too easy for a Secretary of State, under pressure from the Business Secretary or a Chancellor, such as one we once had, who was very keen on a golden era, to be leant on and told, “Do you really need to go down this road?” That will happen. I sat as a Secretary of State, and I can tell the House that all that stuff happens, and anyone else will say that, too. A more structured approach would not allow the Secretary of State to miss the right people on advice. That will be very important.
The descriptions in the proposed new sections of the Communications Act 2003 under clause 16 of the Bill are important, and I will come back to those, because the list gives the Secretary of State plenty of scope. Tightening up the advice means that that scope will not therefore be wasted.
We are here because of the mistakes of the golden era—the great kowtow, as I would rather call it—where we too often ignored the realities of what was going on in security terms for the sake of this great drive that we would benefit massively from the opening up of trade with China. There was also a mistaken belief: too often, liberal democracies and all of us who believe in freedom of speech and the general freedoms believe, rather arrogantly, that all we have to do is open up markets and everyone else will realise that their system must be wrong and therefore they will change it.
That was the great belief. I was told it endlessly in government, “Don’t worry about this sort of stuff. China will change once they realise exactly how wonderful it is to trade with the west.” Well, they did not. They do not want to change, because they think that their form of government is a better form of government. They will say, “We are opened up to the markets. We are getting the benefits of the marketplace.” China was invited to join the World Trade Organisation back in 2001. There have been real problems since then with market forces, but I want to come back to the security elements.
The worry is that others of the Five Eyes spotted what was going on long before us, and we ignored a lot of the evidence that we should have been tightening up much, much earlier. We should have been concerned. I cannot remember which Member said that security should be the No. 1 consideration, over everything else. We lost that—I hate to say that—and considered it just one of the things we might look at.
Mr Kevan Jones
I am not one for doing the Government’s job or supporting them, but I do not think we did that actually, in terms of the Huawei cyber-security evaluation centre. We were ahead of other countries that did not do that, including the United States, and let Huawei into their country networks without any checks whatever. But the issue has to be security. I know that the right hon. Gentleman has strong views about China trade, but security has to be at the heart of things, which I think is where we have been up to now.
Sir Iain Duncan Smith
I have to say that I do not agree with the right hon. Gentleman on this. Although the Huawei cyber-security evaluation centre was installed, when I sat and listened to people from it making a presentation to us earlier in the year, it was almost as though we were watching people who were kind of squeezing their own genuine, real opinion, which would have been coming via GCHQ, about how the real threat was formed. Their arguments did not stand up, even in the face of people who were not every day working on security.
The truth is we need to be careful, and it should have been a tighter position from the word go. The very fact that the Government are bringing this measure forward now suggests that that was not the case. [Interruption.] Listen, I am critical of my own Government. I resigned from the damn thing at one point. I have to say that I therefore do believe it is possible for great Governments, like mine, to get things wrong.
Dr Julian Lewis
In defence of the Huawei cyber-security evaluation centre, its sixth annual report, from September this year, is absolutely devastating in its criticisms of Huawei’s failures to be secure or to make improvements when insecurities have been highlighted.
Sir Iain Duncan Smith
I agree completely. The point is that when we were talking about this earlier on, it was clear that that was, underneath it all, the centre’s real opinion, but it was kind of moving and modifying. It was also used in a political way, by the way, which I did not think was right. An opinion is either there or it is not; do not get people in to brief Back Benchers about what they should be thinking. I thought that was wrong.
We are absolutely in the right place at this point and the Bill goes a long way towards achieving that. However, we need to do some other things that could be in the Bill. For example, the Bill is about security but it does say on the front that it goes slightly wider than security: the Under-Secretary of State for Digital, Culture, Media and Sport, my hon. Friend the Member for Boston and Skegness (Matt Warman) signed the bit that says:
“In my view the provisions of the Telecommunications (Security) Bill are compatible with the Convention rights.”
That convention is the European convention on human rights. We need to ask ourselves whether that idea applies to many regimes—not just China—and companies that come from those regimes that may be guilty of human rights abuses.
I asked the Minister previously, in a private context, whether he would consider including in proposed new section 105Z8 of the Communications Act 2003, on designation notices, the inclusion of the ability, where it may arise, to do something in the area of genocide and the involvement of companies in that process. There is very strong evidence in a couple of cases—particularly in the Uyghur case—of the use of slave labour, which should result in those companies being outlawed. The Minister may argue that this Bill might not be the appropriate vehicle for that because it is specifically about security, but every Bill has on its face that we abide by human rights laws. I am not trying to widen the Bill’s scope; I am giving the Minister the opportunity to have that extra element as part of his possible designations. After all, we are dealing with countries and nations that have, particularly in China’s case, torn up much of the book on co-operation and diplomacy.
Let me raise a final point before I conclude. My hon. Friend the Member for The Wrekin (Mark Pritchard) has gone, but he mentioned Australia. One of our Five Eyes partners, Australia, had the temerity to ask for an inquiry into the covid outbreak. Since then, the Chinese have attempted, in essence, massively to beat up Australia in a very undiplomatic and aggressive manner. It started with abuse of the individuals who asked for an inquiry and then went further into abuse of the Government. Subsequently, it has gone on to sanctions: the Chinese has now broken WTO rules, with sanctions of more than 200% on Australian wine.
In the past couple of days, the Chinese have produced what I think is called a meme—which is a mocked-up instrument on the internet—that shows something about an Australian soldier trying to kill a child. This is appalling behaviour and I want my Government, at some point, to be very clear that such behaviour is simply not to be borne. Although we have said that we stand with China, the key thing about this sort of thing and our co-operation with our Five Eyes partners is to do more than stand with China: we should condemn behaviour like that that deliberately targets and demeans a democratic nation that goes by the rule of law and human rights, which is something that China does not do. I do hope that the Minister will pass on to his colleagues that no matter what we do with this Bill, we need to make sure that we stand up with our Five Eyes partners, now that we have the National Security and Investment Bill and are moving in that direction, and never allow any one of them to be isolated and picked off one at a time. I commend the Bill to the House.
Madam Deputy Speaker (Dame Rosie Winterton)
The next listed speaker has withdrawn, so we go straight to the Chair of the Defence Committee, Tobias Ellwood.
Mr Tobias Ellwood (Bournemouth East) (Con)
Thank you, Madam Deputy Speaker—does that mean that I get 16 minutes to speak? That is fantastic. [Interruption.] That is my first intervention, so it is now 17 minutes. It is good to catch your eye in this important debate, Madam Deputy Speaker, and to see present so many colleagues who were there at the start of the journey—I referred to this in the first intervention I made—when we first discussed Huawei in the Chamber.
The Defence Committee looked at this subject because the security of 5G is now critical, given our ever-growing reliance on data movement. To establish a new security framework for the UK telecoms sector and to ensure that telecoms providers operate a secure network and resilient services and manage their supply chains is absolutely fundamental to our new way of life. The completion of 5G over the next decade will be nothing short of revolutionary. Every aspect of our lives as we know them, including how we communicate, socialise, work, travel and manufacture things, will become increasingly dependent on lightning movements of wireless data. The advantages of such scope and scale in our growing online world have very much been appreciated during this pandemic, but, equally, we must recognise how our reliance leaves us very much exposed to those who might choose to cause us harm.
The backdrop of this was of course the lively debate, which I have referred to, over Huawei. Perhaps that was a wake-up call on just how powerful and tech savvy China has become. The Minister and the Secretary of State have made it very clear that this is not just about China—other non-state and state actors are now developing capabilities to interfere with our online world—but I make it very clear indeed that what we are discussing today exposes the wider uncomfortable reality of the gradual geopolitical shift in global power from west to east.
In our lifetimes, China is on course to become more powerful economically, technologically and militarily than the United States of America, and how we handle this so-called Thucydides trap is yet to be reckoned with. This is a usually disruptive transition of influence from one ruling power base to a rising power with eventually more dominance—a transition that history suggests is rarely peaceful. The only example of a peaceful transition is that from the British empire to the American superpower. If we are honest, this Bill is about exactly that. This is the starting point of a bigger conversation about how we manage such a transition. We are placing protections on our country against China, which we privately no longer trust, but I have to say that, publicly, we may be in denial about what we need to discuss.
We should finally come to terms with the fact that China has not matured into the responsible global citizen that, a decade ago, we hoped it would be. Instead, China offers a competing authoritarian ideology, leveraging its colossal economic growth to undercut western competition and ensnare dozens of countries into infrastructure projects and high-tech plans on terms that they can ill afford. Our growing dependence on the online world has created a new virtual theatre of war. The actual character of conflict has been changing in front of us: it is less about terrain, and now more about data. We are becoming increasingly vulnerable, with cyber-attacks, disinformation campaigns, interference in elections, manipulation of social media, data theft, online espionage and sabotage. These are the new battlegrounds that we must prepare for and defend against. Our international rules-based order was crafted in the pre-digital age. A major cyber-attack, for example, could cause more damage than a dirty bomb, but would not technically trip a NATO article 5 response. International law must catch up, and this legislation is a small line of defence in a far wider geopolitical battle that we need to embrace.
Britain is rightly seeking to remain on the cutting edge of this fast-developing digital world, but this can only be achieved with greater protection and, indeed, investment in our critical national infrastructure. Our 5G capability must leave no virtual backdoors left open. Consequently, phasing out high-risk vendors, such as Huawei, from our 5G programme is the right call. However, we have to ask the question: why is it that a decade ago there were 12 vendors that can provide this support, yet today there are only six? There are two in Europe, with Ericsson and Nokia, two in the far east, with NEC and Samsung, and then of course two in China—Huawei and ZTE—and there the question lies. What we need to do about it is to make sure we have that capability to move forward in a secure environment.
We must accept that Huawei has grafted its way into our telecoms network partly because the UK vendor market is not diverse enough. Regaining the secure technological capability on which our new digital world will depend requires more than just legislation to block high-risk vendors from entry; it needs the advancement of our own technological capabilities. Open RAN has been mentioned, but it is still a long way off. OneWeb has been purchased as a possible capability for communications. We have yet to hear what the Government plan to do with that.
Ultimately, we must recognise that Huawei, ZTE and others are so powerful because they are state funded. Perhaps it is time for an Apollo moment: when the United States knew it was losing the space race, a combination of state aid and the commercial sector allowed it not only to catch up with but to overtake the Soviet Union. We need the same penny to drop here and to recognise what China is all about.
It is good to hear growing talk of the D5 trusted alliance of nations. It has been mentioned as an advancement of the Five Eyes community and I very much welcome that. We need to provide an alternative to the cheap solutions that the Chinese are rolling out, which continue to be peddled across the road. They are high-tech versions of the one belt, one road programme. Only with greater western resolve can we design and build the secure foundations for the profound new technological world we are about to experience.
I will underline the elephant in the room: what do we do about China? Unless we in the UK and collectively in the west address China’s conduct, there will be a geopolitical clash. That is inevitable and will slide us towards another cold war.
We should make it clear that the UK has huge respect for the Chinese people. Our histories are intertwined, perhaps more than many of us appreciate. The opium wars, the ceding of Hong Kong, the Boxer rebellion, the century of humiliation—perhaps Britain glosses over many of those historical footnotes, but for those in China, they influence their thinking and their attitude towards the west today.
However, today, the west is recalibrating its view of China. China’s conduct in the pandemic, from its initial efforts to hide the outbreak to rejecting any independent investigation, has exposed a dangerous agenda that we can no longer ignore. During China’s incredible economic ascent, western policy focused on deepening engagement in the hope that China would evolve into a responsible global citizen that embraced hard-fought principles of liberty, democracy and open trade. It is clear that the Chinese Communist party has something very different in mind. As it has increased its economic power, Beijing has deliberately shunned international accountability and rules. It may be gaining superpower status, but it avoids any sense of duty to uphold core values of freedom and the rule of law. Knowing that its conduct repudiates those values, it now pursues a geopolitical authoritarian agenda, as illustrated in the crackdown in Hong Kong, the terrible treatment of the Uyghur minority and its manipulation of the digital world, which mimics its one belt, one road initiative.
With countries becoming locked into long-term commitments with reduced autonomy and little prospect of withdrawal, more and more countries are becoming ensnared in China’s authoritarian sphere of influence. The US now publicly confirms that China is a strategic and geopolitical threat to the west, while here in the UK we have yet to say so, though I am pleased that the Secretary of State pointed out concerns about China.
I hope that the full publication of the Government’s integrated review will confirm that China now is a geopolitical threat. We require a turning point—another Sputnik moment, where we no longer pretend and we do not just legislate on high-risk vendors, but hold the regime behind the state-owned companies to account.
I hope that, with the changing of the guard in Washington, there will be a rejuvenation of the west’s collective resolve about what we stand for, what we believe in and what we are willing to defend. The next decade will be very bumpy indeed. If we are to avoid another cold war, protecting our telecoms infrastructure must be the first step of many.
Jim Shannon (Strangford) (DUP)
It is a pleasure to follow the right hon. Member for Bournemouth East (Mr Ellwood), with his vast knowledge, and other right hon. and hon. Members who have spoken. I thank them for their speeches. I am pleased to have the opportunity to speak on this issue. I spoke about it back in March, when I stated my fear of reliance on Huawei.
Let me quote what I said at that time:
“I am only one of 650 Members of this House, and I absolutely believe in the tenets of democracy, but I will not stay silent. I do not believe that what the Government are doing is in the best security interests of this nation, and if steps can be taken to pare it back, those steps must be taken. We have been known as security giants, and I do not like the idea that we are now standing on the shoulders of Chinese giants. We have stood alone, and can do so again, but it is always best that we stand with our allies. The Chinese may hopefully be strong trading partners post Brexit”—
we will wait to see whether or not that will be the case—
“but by no stretch of the imagination can they ever be considered our allies; their human rights abuses cannot be ignored. This issue is concerning, and we must not leave it here.”—[Official Report, 4 March 2020; Vol. 672, c. 288WH.]
The right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith) referred to the Uyghur Muslims and the human rights abuses they are going through—the fact that their right to worship has been abused and that they are subjected to violence, both physical and psychological. As others have mentioned, there is also the question as to whether they are involved in some of the slave labour in Huawei and what it does. We have heard and read the stories in the press about Volkswagen, which refused even to acknowledge the fact that perhaps some Uyghur Muslims had been being used as slave labour. I chair the all-party group on international freedom of religion or belief, and I feel strongly about this issue. It is close to my heart, so I wanted to speak out. I know it is not directly what this Bill is about, but we have those concerns on human rights issues for the Uyghur Muslims, the Christians and the Falun Gong. We know all about the issue of the forced organ harnessing that takes place, and all those three religious groups are part of that.
So I am thankful for the steps taken by the Prime Minister. We all knew that when these steps were taken, there would be the detrimental knock-on effect of narrowing the UK telecommunications market and possibly driving up infrastructure costs, but I still believe this to have been the right decision. I am thankful for the steps that the Minister announced today, and for the support there seems to be across this Chamber for them. This is about building supply chain resilience, with support available for supporting incumbent suppliers. The security of this nation is undoubtedly a red-line issue, and we must protect it at all costs. Everyone has said that, and we mean it, and we want to see that being delivered though this Bill.
Clauses 1 to 14 introduce a stronger telecoms security framework. The Bill amends the Communications Act 2003 by placing strengthened telecoms security duties on public telecoms providers. I am thankful that the Bill purports to enable more specific security requirements to be set out in secondary legislation, underpinned by the codes of practice providing guidance on the security measures to be taken to meet those requirements. I am given to understand that the Bill gives the telecoms regulator, Ofcom, powers to monitor and enforce industry compliance with the duties and specific security requirements. placing new obligations on public telecoms providers to share information with Ofcom that is necessary to assess the security of their networks.
The UK is part of the Five Eyes, along with Canada, Australia, New Zealand and the USA. We cannot ignore that influence, and the sanctions that the US imposed on Huawei. The US first placed it on the entity list on 16 May 2019, citing national security concerns. This sanctioned the company’s access to important US technology for design and production use. While acknowledging the potential impacts this might have on the reliability of Huawei’s products, the Government, on advice of the National Cyber Security Centre, determined this to be a manageable risk. The restrictions to network access imposed on high-risk vendors in January 2020, alongside pre-existing oversight measures, were considered sufficient mitigation strategies.
So the USA clearly saw what the problems and risks were, and took a stand early on, and I am pleased that we are now doing the same. Chinese influence, across the whole of the world, always has a condition, as we see in many countries in Africa and further afield where it is trying to increase its influence. It has an insatiable demand for every country’s resources, but along with that come the conditions and the influence they have on digital and cyber-security. I am deeply concerned about that, as are others.
It is my belief that while not perfect, this Bill puts in place an emphasis on our nation’s cyber-security that is essential.
During the lockdown, our increasing reliance on the internet has been made abundantly clear. It is phenomenal that where we have been precluded from meeting to worship, our pastors and praise teams have been able to livestream church services, it has been wonderful to carry out certain MP duties online where applicable, and it has been a life-saver for some businesses to carry on their work at home. This has highlighted the reach of the internet into our lives and the absolutely essential nature of its being secure from cyber warfare and attacks. The Government have said that such an attack is highly likely and would have a high impact. I had a discussion with a gentleman from Northern Ireland who is involved in the Royal Air Force, and he said that the greatest threat that it felt was cyber warfare. This Bill will be a very strong way of addressing that.
We can all sit in this place and say that something needs greater funding. Every aspect of our budget could do with enhanced funding. My grandchildren—indeed, probably my great-grandchildren—will be paying off the coronavirus outgoings their entire lives. We need to take what we have and do the best we can with it. My belief is that on this one, the Government have taken the steps to address my grave security concerns, and while the Bill is not all I would like to see, as others have said, I find myself much more content today than I was in this place in March of this year.
Alun Cairns (Vale of Glamorgan) (Con)
It is a privilege to speak in support of this Bill and to have the opportunity to support many of the calls that colleagues have made.
Only just over a week ago, the Minister and I were in Westminster Hall debating an allied subject to this Bill when we discussed the challenges and opportunities that came from excluding Huawei from our 5G network. I do not want to repeat all the points that were made in that debate, but in the short time since then, the Government have taken significant, welcome steps—something the Minister hinted at—in developing policies associated with the Bill. Today’s publication of the 5G supply chain diversification strategy sees a welcome plan that contributes to the solution that Huawei brought about, as does the neutrORAN pilot that was announced earlier today.
As a backdrop, it is worth recalling that it was the lack of diversity in the supply chain of this specialised area of technology that created a tension between the desire to roll out 5G as quickly as possible and the potential exposure of our national security to high-risk vendors. Among a whole range of factors, we were being forced to weigh up, or were tempted by, the economic and social benefits that 5G could bring within a relatively short timescale against the risks of being exposed to largely one company with its umbilical cord attached to one nation and the potential security risks associated with that country—obviously, China.
The Government ultimately, and rightly, decided that the concern for the latter outweighed the former, and this Bill is the result. That is welcome, but simply passing the Bill will not necessarily reduce the risks if we continue to be exposed to a limited number of vendors. That is why the diversification strategy and the neutrORAN pilot are also important. It is worth highlighting that in any vital supply chain, diversity is key, but a few organisations in the commercial world allow supply chains to become too constrained. The commercial risks, let alone the security risks, are far too great.
It is worth recognising that the reach and influence of 5G will be far greater than any previous generation of communications. Its capacity to carry much larger volumes of data at very high speeds well beyond 400 Gbps capacity means that our connected lives will be taken to a whole new level. Some have mentioned the internet of things, connected vehicles, smart cities and even smart energy networks, and many more areas that we have not even thought of will become connected in an ever greater, independent way, highlighting the risks that we could have faced if this Bill had not been brought forward. However, all these innovations lead to an exponential growth in connectivity and pressures on spectrum that has its natural limits, which also need to be overcome. Smart cell technology is likely to be part of the solution, meaning that more apparatus than ever before will need to be adopted, along with a greater dependence on the fibre networks that will take it from the small cells. However, this also highlights the need for quantum encryption—something I will come to later, because it is not included in the strategy plan that the Minister published earlier today.
It is therefore obvious that alternative suppliers need to be developed, not only because of the risks we are considering but because of the unprecedented demand for equipment needed to deliver the connectivity that will be called for. There is significant value in this—in the research and development, in the intellectual property and in the manufacturing opportunities, all of which need to be exploited. A fundamental turning point for me was during the summer, when the Government announced their intention to adopt open standards such as open RAN. This signalled that the Government understand the challenges, and the need to encourage more investment and innovation in this space. This was a hugely welcome step, and will be pivotal to diversification in the marketplace. Furthermore, today’s neutrORAN pilot project shows that the Government are determined to be at the forefront of the technological advances.
I would add that we need to ensure these pilots are particularly open—very open—to UK businesses. In last week’s debate, I went into detail to highlight the many individual companies that show the UK has exceptional expertise in specific areas, such as radio frequency and satellite communications, base station capability, backhaul and cyber-resilience. I went through a whole list of organisations in last week’s Westminster Hall debate; I will not go through them again, but I will just highlight a few.
Many right hon. and hon. Members have referred to cyber risk, but south-east Wales and the western gateway have among the greatest cyber-resilience expertise anywhere, certainly in Europe: Thales, Airbus, and quantum technology at the University of Bristol, along with GCHQ. It also happens to coincide with the disproportionate strength that south-east Wales has in compound semiconductors, which I will come on to in a moment, and the satellite and radio frequency expertise that exists in north-east England, highlighting that this coincides with the levelling-up agenda that the Government also want to pursue. Today’s Bill will lead to new economic opportunities in different parts of the country.
Enabling the technology through all these elements is a great economic opportunity. 5G will only work with the compound semiconductor technology that I mentioned earlier—high-capacity chips that enable more data to be managed effectively. I said last week that if a silicon chip is a country lane, compound semi-conductors are great big highways: that is the volume of data that will be carried by the 5G network. The world’s largest cluster for compound semiconductor technology is in south-east Wales, part of the western gateway economic region. Companies such as IQE, SPTS Technologies, Newport Wafer Fab and others work with the Compound Semiconductor Applications Catapult, as well as universities from Cardiff and Swansea to Cambridge and Bristol.
It is worth noting that the UK has great expertise in silicon chip design, but we do not manufacture such chips any longer. In contrast, we design and fabricate compound semi-conductor chips, so supporting and encouraging further investment in this sector can maintain manufacturing capacity as well. Their energy efficiency is also a key benefit, particularly with technology consuming 2% to 3% of global energy demand.
Finally, I mentioned quantum encryption earlier. So much more use will be made of fibre technology as part of the small cell element of the 5G roll-out. Quantum encryption is vital if we are going to maintain our defences against the cyber threat that so many colleagues have talked about.
It is a privilege to support this Bill. There are so many elements that must coincide and go along with it, and I am glad that the Minister is taking large leaps in the right direction.
Tom Tugendhat (Tonbridge and Malling) (Con)
This is one of those unusual moments when almost everything I wanted to say has been said, so I will be exceptionally brief.
The Minister has done a very good job in listening. There was a time earlier this year when many of us thought that this could become a very difficult issue for the Government. I have to say that the Minister and his entire Department have done a fantastic job in listening, not just to those of us on the Government side of the House but to those on the Opposition side, and making sure that the points we have raised have been addressed—and, if I may say so after the statement today, much sooner than I think many of us expected.
I would also like to say thank you to the Minister for the effort he has put into reaching out not just to companies around the world—Nokia, Ericsson, Fujitsu, Samsung and a few others—to replace Huawei, but to UK companies to make sure that, at some point, we will be talking not about foreign companies supplying UK markets but about UK companies supplying foreign markets. On that, I will merely say thank you and sit down.
Chris Loder (West Dorset) (Con)
It is a privilege to follow my hon. Friend the Member for Tonbridge and Malling (Tom Tugendhat). Like him, I will keep my comments short because of the many contributions we have had this evening so far.
I welcome this Bill very much. I truly believe it has security at its heart. Many of us in this Chamber this evening were here debating this matter and related matters, if memory serves me correctly, on 10 March. We had very heated exchanges and very important points were made. It was a great concern of ours that high-risk vendors and others could access our infrastructure systems. I think it is clear—crystal clear, in fact—that the Government have listened to our concerns, both mine and those of many of my hon. Friends and colleagues from across the House.
The critical national infrastructure that we have should be, and I think increasingly is, a national priority, and I believe that this Bill will ensure this. Indeed, the Act that it seeks to amend, the Communications Act 2003, I am sure will do so too. These powers protect us from threats both now and in the future. As hon. Friends have pointed out in this debate, it is clear that the speed of digital infrastructure, digital services and so on is progressing so fast that we need the powers that we are debating this evening to keep up the pace.
I would like particularly to commend my colleagues here this evening—my hon. Friend the Member for Tonbridge and Malling, my right hon. Friend the Member for Bournemouth East (Mr Ellwood) and my hon. Friends the Members for Isle of Wight (Bob Seely) and for Totnes (Anthony Mangnall)—for their very informed and helpful, insightful contributions to this debate. I would like to say an enormous thank you to all of them for what they have contributed in increasing my own understanding of this matter.
We see in many fields, though, that in the future of the market, particularly in this area, it is key that the private sector is involved. We see that where there are foreign powers at play, they can disrupt this market, and we must make sure that that does not continue to happen. The new technology also of course has a vital role to play in dealing with some of the many connectivity issues that we experience here in the UK today. As the Member for West Dorset, I like to speak sometimes for wider Dorset and my neighbouring colleagues who also experience the many difficulties that are associated with lack of connectivity, both in terms of broadband and mobiles. It is not only my mission to make sure that we make that better, but—I believe, after the debate this evening—it is also the mission of this Government to make sure that that is done better and safer, and that the digital security not just of individuals but of the nation and the Government is absolutely at its priority.
Finally, I thank very much the Minister for all the work that he has done, both on this Bill and others. I look forward to working with him still further to make sure we deal with some of those connectivity issues closer to home in West Dorset. I thank him very much indeed.
Anthony Mangnall (Totnes) (Con)
It is a pleasure to be able to speak in this debate and to follow my hon. Friend the Member for West Dorset (Chris Loder), who was so kind about me it almost makes me think he has set me up for a fall. It is also very good to be able to follow my right hon. Friend the Member for Vale of Glamorgan (Alun Cairns) who we might think, having listened to his speech, has every single high-tech industry in his constituency. If that is the case, I am sure he will be willing to share some of it with the south-west.
My maiden speech was made during consideration of the Telecommunications Infrastructure (Leasehold Property) Bill, and the shadow Minister was good enough to attend. After that, I have taken a keen interest in this topic and the issues of national security that surround it. The Minister has consistently met me, members of the inter-parliamentary alliance on China and those who had concerns about Huawei, and I thank him for doing so. The result that we have got today is a real progression and benefit to our national security network, and also an example of what we can do when the House works together in a consensual way.
We know that the international landscape is now far more varied and dangerous, and that it seeks to exploit domestic networks. A recent example of this was highlighted in a Bloomberg article that cited Nortel, a Canadian company that was so badly hacked—reportedly—by Huawei in 2000 that it led to the collapse of the company over a period of 10 years. Some 5,000 employees were working in my constituency in the early 2000s. That shows that a company supported by the Chinese state can have a dangerous impact on companies around the world, as well as on our own state infrastructure.
The steps in the Bill are very welcome. Not only will they check the dominance of international companies such as Huawei, but they will identify potential future threats. As right hon. and hon. Members have said, this is not an anti-China Bill or an anti-Huawei Bill; it is about national security and identifying future threats that we may face. It is also an opportunity to focus on our domestic market and what we can do to create new businesses and opportunities and use our homegrown talent. As the Secretary of State mentioned, the £250 million national telecommunications lab will be a perfect opportunity to cultivate and innovate new technologies and encourage new people to go into the sector. My hon. Friend the Member for The Wrekin (Mark Pritchard) was kind enough to suggest that it should be based in his constituency, but I might also suggest that it comes down to the south-west and Paignton in my constituency, which has the high-tech EPIC centre focused on photonics. I will put that in there, and I hope to meet the Minister to discuss how we might make that happen.
As we know, how far we can go with this depends on how our willpower is positioned and our determination to cultivate British talent, skills and innovation. The diversification point has been made several times, and much has been said, but we also have to be conscious of the need to create the environment that will see new entrants into the marketplace. Relying on Ericsson and Nokia is all very well, but we can and will be able to develop new companies with our Five Eyes colleagues—the same point was made by the US Secretary of State earlier this year, looking at opportunities to build new companies together. Where diversification is limited, there are correct measures to guide and limit high-risk vendors in our telecommunications network, and those are contained in the Bill, notably in clauses 15 and 23.
I also take the point that the right hon. Member for North Durham (Mr Jones) made about parliamentary oversight. I hope the Chair of the Intelligence and Security Committee, my right hon. Friend the Member for New Forest East (Dr Lewis), will forgive me for suggesting that if the Government are unwilling to bring forward proposals for parliamentary oversight, they could go to that Committee so that it could scrutinise them. I apologise for adding to his workload, and I hope he does not think that that is a poor suggestion.
My right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith) mentioned convention rights, including human rights. One of the biggest grievances many of us have had in terms of Huawei’s role in our telecommunications infrastructure network relates to China’s violations of human rights. The Minister might say that this is not the right time or the right Bill to look at human rights, and if it is not the right Bill, I hope he will say in his closing remarks when the right time to address this point is. I know there are other opportunities, alongside the National Security and Investment Bill, but I would be keen to hear at which point we might address human rights.
Sir Iain Duncan Smith
I am listening carefully to my hon. Friend’s excellent speech. The Minister will note, as I pointed out to him, that this Bill is signed off on the basis of the application of rights, including human rights. Every Bill has the right to be amended.
Anthony Mangnall
I thank my right hon. Friend for his experience and knowledge in guiding me on that point. Of course, I accept that he is right on that matter. In that case, how might we address the issue I have raised?
We have righted a wrong. We have addressed an issue on which we have been seen as out of kilter with our international allies. Now, we have the opportunity to go further and to pass this fantastic piece of legislation. We can harness the international community and, as with the Augean stables, clear up the mess. We can make sure that, in future, we have a robust and secure telecommunications infrastructure network that is the pride of Britain.
James Sunderland (Bracknell) (Con)
It is a great pleasure to follow my hon. Friend the Member for Totnes (Anthony Mangnall). I am delighted to speak in the debate, for two key reasons. First, it shows that the Government do listen to Back Benchers. We have provided feedback all the way through this process, and some of us have some background on this topic. I am therefore greatly reassured that the Minister is here and is listening to what we are saying.
I also commend the Bill for what it is. I am very reassured that the conclusions of the telecoms supply chain review in 2019 are being met. As the world recovers and recalibrates after covid, the UK has a great opportunity to take the initiative and to become a world leader on another piece of vital technology, and I will be firmly supporting the Government on the Bill.
As our defence and national security move ever more online, it has never been more important to secure our lines of communication. With £16.5 billion extra in the Ministry of Defence budget alone, it is really important that the defence sector takes advantage of that, not least in the cyber-sphere. We have heard today of the strategic independence imperative, and I firmly welcome that.
The Bill will do three things. It will allow for better security, which is absolutely important. It will placate our allies, notably in the Five Eyes community, and why not Japan as well? There is a neat link there with the NEC trial that is coming up in Wales. It will also open the door for other 5G providers. I therefore support the UK’s diversification strategy.
As we have heard, clauses 1 to 14 introduce a more robust telecoms security framework. The Bill enables more specific security prerequisites to be set out in secondary legislation. It also gives the telecoms operators’ regulator Ofcom more power to monitor and enforce industry compliance. Clauses 15 to 23 give new national security powers for the Government to manage the risks posed by high-risk vendors, and we have heard much about that today. The Bill therefore gives the Government new powers, and rightly so.
On 14 July, the Secretary of State announced that, from the end of this year, telecoms operators must not buy any 5G equipment from Huawei, with a timetable for removing all Huawei equipment from our 5G network by 2027. September 2021 has also been announced as the new cut-off date for new Huawei equipment in the UK.
What about the wider requirements of the Bill? This is really important, so I urge the Minister to take note. Industry must be given sufficient time to comply with telecoms security requirements, and deadlines must be realistic. The Government, as we have heard, have settled on 2027 as the date by which high-risk vendor equipment is to be removed and this timeframe must be left as it is. It reflects the complexity of the task and slippage will not be welcomed.
I also support the Government’s initial commitment to promote diversification and resilience in the supply chain backed by the initial £250 million from the spending review. That is probably just the start and it may need more funding. I welcome, as I mentioned, the forthcoming trial in Wales with NEC and our Japanese friends.
I will mention Vodafone very quickly. Vodafone has called for greater investment in Open RAN and, of course, Vodafone has been a key contributor to Open RAN. This would reduce UK reliance on mobile network vendors and allow the UK to develop domestic vendors at scale and benefit consumers through greater price competition. That is to be welcomed. Again, it is clear that the more 5G providers there are, the better it is for everyone. As we have heard, the most sensitive core parts of our 5G network must be free of Huawei equipment and must remain so.
Lastly, upgrading the UK’s mobile infrastructure to 5G could be worth as much as £158 billion over the next 10 years. It will also keep us safe. Surely this is worth investing in, so the telecoms bill is absolutely a step in the right direction and I support it.
Sir John Hayes (South Holland and The Deepings) (Con)
The Government have acknowledged the need to protect critical communication infrastructure and that is welcome, particularly so as it comes on the heels of the National Security and Investment Bill. Telecoms provision is more important than ever. We have always lived in a data-rich world, but what has changed is how readily we access that data as the way in which we gather, exchange and distribute information has changed. I am left wondering whether T.S. Eliot was not right that wisdom is lost in information. Nevertheless, it is the world in which we live and that world means that the way in which we control or, if necessary, prohibit provision of that data, by which I mean the technology, the networks and those that supply and manage them, is critical to our security. To that end, this Bill is indeed, as the Intelligence and Security Committee was told, an important first step, but only that. We do need to look at other factors, to which I will draw the House’s attention in my brief contribution this evening.
Of course the main purpose of the Bill is to raise telecommunications security standards across the board by means of a new and more rigorous telecoms security framework, but the Bill also gives the Secretary of State particular powers to designate vendors of telecommunications equipment as a risk to national security. All dependence is, by definition, a risk, for dependence creates risk. Over-dependence means unsustainable risks and, in terms of national security and national interest, there are three kinds of risks: monopoly or near-monopoly provision; malevolence; and corporate failure.
Madam Deputy Speaker (Dame Eleanor Laing)
Order. I hesitate to interrupt the right hon. Gentleman, and it is for a very unusual reason. I just feel that I ought to point out to the House that, having exhorted the right hon. Member for Vale of Glamorgan (Alun Cairns) to be rather more brief than he was going to be—though I have to say that he took only one minute longer than the eight minutes that Madam Deputy Speaker (Dame Rosie Winterton) had previously asked people to take—I should point out most unusually to the right hon. Gentleman who currently has the Floor that, as four of his colleagues who have immediately preceded him have spoken incredibly —I mean incredibly—briefly, the exhortation to take only eight minutes no longer applies, though I would not recommend taking no more than about 12 minutes.
Sir John Hayes
Not only is that typical of your generosity, Madam Deputy Speaker, but for me it is what amounts to nirvana, and for the House, something similar I hope.
All of those aspects of risk are mitigated by market diversification, but as we have heard from many speakers during this debate, this market is anything but diversified. The concentration of provision has exacerbated the very risk that this Bill seeks to deal with. It is vital that, as well as the taskforce, which we have heard the Minister has established, a strategy emerges on exactly how we are going to diversify this market, because competition not only counters dependence, but competitive pressure drives up innovation and quality. The telecoms supply chain review judged that, should the UK become dependent on a single vendor of telecoms equipment—particularly a high-risk vendor—it would pose a range of risks to the security and resilience of UK telecoms networks.
The issue of national dependence goes beyond high-risk vendors, however. The number of suppliers in the UK telecoms market—as we have heard repeatedly, currently Huawei, Ericsson and Nokia—is already critically low. While the security of the network can be improved by removing Huawei equipment, the wider problem of potential dependence will be exacerbated by the power to designate vendors and introduce directions unless there are new entrants to the market. We really need to hear from the Minister either in his wind-up or later, if he does not have time tonight, precisely when the diversification strategy will be brought to the House for consideration and what legislation will be necessary. I understand that a Bill may be forthcoming, following this one, to give life to that strategy.
My right hon. Friend the Member for New Forest East (Dr Lewis) emphasised that diversification is by far the best way to secure UK telecoms. The Government judged in their assessment that there is a global market failure in the telecoms market. While the Government will intervene to take the measures necessary and facilitated by the Bill, unless we grapple with that global failure, we will, I fear, come back to this House time and again and need to do more. As I said when we spoke a week or a two ago about the Bill that I just mentioned, I suspect that security considerations will increasingly feature in Government strategy and policy and that this House will need to debate security issues with much greater regularity than it has historically, given the dynamism that we now face.
I have spoken about market failure and the need for diversification. Let us speak about malevolence, because much has been said, of China in particular, and Russia has been mentioned too. There is no doubt that, as the Government have acknowledged, there are malevolent powers who seek by a variety of means to disrupt the lawful activities of this country and so endanger its citizenry by whatever method they deem most appropriate. We should not be naive about this and, frankly, for too long successive Governments were. This Bill is welcome but again, as my right hon. Friend mentioned, it has been a long time coming, given the warnings that were issued from the ISC and others.
Let me re-emphasise to the Government that we certainly need a diversification strategy urgently. We need the legislation that supports it but there are other matters, too, that I want to conclude with, Madam Deputy Speaker, despite your invitation to speak at appropriate—I will not say “excessive”— length. These questions are critical but not, in my judgment, designed in any way not to recognise the achievement of the Minister and the progress made by the Government.
When will the strategy come forward? I would like to hear about that as soon as possible. Given that the ISC raised this matter 18 months ago, I think we need a firm timeline and an assurance that there will be no more prevarication. My right hon. Friend the Member for New Forest East is right that national security must be an overriding consideration in this field of work. In being deployed, the powers conferred by the Bill must, at heart, always gauge national security as predominant. How will that be determined? Threats are subtle and dynamic, and yet the means and methods by which the Department will both define national security and apply that definition through the provisions of the Bill to differing circumstances have not been made crystal clear. I am mindful that this is a Department for sport and culture without a security role apart from this one— perhaps more skiing than spying, and more existentialism than espionage. What specific processes, structures and procedures will the Department use to access the expertise of the National Cyber Security Centre and the wider intelligence community in designating vendors?
We heard earlier about the expertise, skills and resources of Ofcom, but given that the Bill gives new powers to Ofcom, how will it be held to account? I know that my right hon. Friend the Member for New Forest East would share my view—I have not discussed this with him so I am making that assumption—that Ofcom ought to be scrutinised by the Intelligence and Security Committee, given the particular nature of its new responsibilities: to proactively assess the security practices of larger telecoms providers; to take action where security is, or is at risk of, being compromised; and to make information available to and provide annual security reports to the Government.
Finally, will the Minister say more about related telecommunications challenges such as Russian involvement with undersea cables that carry comms data and the future security and resilience of satellite technology? The covid crisis emphasises the need to build resilience to risk. It can be done by making more of what we consume, and by recognising that in the fragility and imperfectability of our socioeconomic order, the market is no guarantor of wellbeing, so it must be shaped, guided and, where necessary, constrained by people with power for whom communal interest is the defining purpose. Those people with power are the Minister and others who govern and we here in this House who hold them to account.
David Johnston (Wantage) (Con)
It is always a pleasure to follow my right hon. Friend the Member for South Holland and The Deepings (Sir John Hayes). I welcome the Bill and congratulate the Government on it. It is a good Bill, and credit should go to the ministerial team for that. Credit should also go to my Back-Bench colleagues who have made important contributions this year. There are plenty of them, but in particular, my hon. Friend the Member for Tonbridge and Malling (Tom Tugendhat), my right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith) and my hon. Friend the Member for Isle of Wight (Bob Seely) have helped us to get to a better Bill.
This comes a couple of weeks after Second Reading of the National Security and Investment Bill, which I also spoke in support of. As with that Bill, it is right that we devise a new regime for the risks that we think we face at this time, and we should not be too prescriptive. Our focus in 2020 is Huawei, but we have to leave this open to new threats that we might encounter, so I am comfortable with Huawei’s name not being on the face of the Bill.
I support Ofcom being given the powers to ensure that providers adhere to the new security measures that we want them to take. I also support the Government bringing forward the deadline for buying new equipment from Huawei to September 2021 and the removal of all its equipment by 2027. Of course, I would like that date to be earlier, and I maintain that there is a distinction between what the providers want to do and what is genuinely impossible for them to do, but I accept the Government’s judgment. I accept that, like any businesses making an investment decision, providers require certainty. They need to know that that is the year it is happening, and we need to stick to that. I also accept—perhaps the Minister could comment on this—that providers have an understandable concern that the decisions made by local authorities about masts and so on may further delay the roll-out, and perhaps we can support them in those decisions.
As this debate went on in 2020, I found some of the contributions—not necessarily from this House but from outside it—frustrating. One in particular was the suggestion that there are no risk-free vendors. I accept that, but when we are dealing with companies such as Nokia and Ericsson, we know that we are dealing with fundamentally different entities from companies such as Huawei. We are not concerned that Nokia and Ericsson will collaborate with intelligence agencies on spurious national security grounds, and we are not concerned that there might be back-door vulnerabilities in the equipment, as Vodafone found a decade ago; even though it was assured that they had been taken out, that was not the case. It is also fair to say that we are not concerned about malicious cyber-attacks being directed at us from the Governments of Finland and Sweden. I accept that no provider can be without any risk at all, on the basis that I accept that no system is completely foolproof, but we are dealing with very different companies in those respects, compared with those where we have concerns about the world view of the country they are headquartered in.
Yet we need more competition and more diversity of providers. We would need that, by the way, even if there were no security considerations whatsoever, because competition improves quality, choice and price. I therefore very much support the Government’s investment of £250 million. I represent a largely rural constituency, so I entirely understand the importance of connectivity generally, and of 5G for the country as a whole and for my constituency. It has been suggested that it will be worth £170 billion to our GDP in the next decade. I know that the decisions being made through the Bill will delay the roll-out and increase the cost, yet they are entirely the right decisions to take because they are about our national security. In July 2019, the Government’s own supply chain review found that successive policy decisions had meant that, although we might have achieved good commercial outcomes, we had poor cyber-security. It is therefore entirely right that the Government should now reverse that order of priority, even if it is going to cost more and take more time, and I wholly support their aspiration to have one of the toughest security regimes in the world.
Bob Seely (Isle of Wight) (Con)
It is a pleasure to follow my hon. Friend the Member for Wantage (David Johnston). I noticed that he was speaking without notes, which was very impressive. Sadly, I still rely on mine. I thank the Minister for bringing forward the Bill, and I thank the ministerial team for talking to us and engaging with so many colleagues. It would be great if other Departments could do that. What can I say? Hint, hint!
When the Henry Jackson Society and I produced our “Defending our Data” document back in May 2019, many Members had yet to form an opinion on Huawei. I am therefore grateful to the 60-odd members of the Huawei interest group who took an interest in this subject, and to the 36 people who voted to show their concern to the Government back in early March on the Telecommunications Infrastructure (Leasehold Property) Bill. I am aware that that Bill was not necessarily the right place to express those concerns, but with hindsight I think it sent an important message to the Government from those 36 Members—plus two tellers, of whom I was one. The United States moving its position in subsequent months was also important. I think the change would have happened anyway, regardless of whether there was a Republican or a Democrat Administration. A combination of Back-Bench concern, quite rightly, and the United States’ understanding of the geopolitics being perhaps a little ahead of that of the United Kingdom and on a par with that of Australia helped to shape Ministers’ understanding of the problems.
I am slightly concerned that the situation came to this in the first place, because there were so many warning lights about Huawei’s deepening relationship with BT. My hon. Friend the Member for Totnes (Anthony Mangnall) spoke about Nortel. We must remember that Huawei had a supply contract with Nortel, during which time it hacked its way into Nortel’s systems and stole everything, like a parasite within a body. Nortel was one of the great, spectacular Canadian bankruptcies of the early 21st century. Why? Because it went into partnership with a business that deliberately collapsed it after stealing its IP. If that is not a lesson for us, it is difficult to know what is. Huawei never was and never will be a private firm. It is 99% owned by the Chinese state via trade unions. When I heard Ministers—not this Minister, but others—using the line about Huawei being a private company, I felt that it was a deeply naive thing for the Department to say.
Dr Julian Lewis
Just for the record, a former Prime Minister said that as well, repeatedly.
Bob Seely
It was very concerning that those who govern us were calling a part and parcel of the Chinese state a private firm, which it clearly was not.
The Government claimed that Huawei could be safely limited to the periphery of the network. That is a dubious argument that is still being debated and is not believed by many experts in many other countries. Were there espionage issues with Huawei? Well, as my hon. Friend the Member for Wantage said, we do not expect a state threat to come from Sweden or Finland. But we do expect a potential threat to come from one-party totalitarian states such as China, Russia, Iran and North Korea. China is clearly one of those. So the Nortel example was a good one.
As we know, China has a dreadful reputation for intellectual property theft and cyber-attacks, so there were many reasons to be deeply concerned about what was happening in our relationship with Huawei. Yet at the same time it became incredibly powerful in this country. Why? Because it had a very aggressive lobbying network. It was throwing money at lobbyists and senior people who used to be at the heart of Government, at very senior levels. This really concerns me about the state of our democracy, and it is one reason that I would like to bring in a foreign lobbying Act. We need to have a much clearer idea of what those companies or oligarchs—those who act on behalf of other people and states—are up to in this country. We did not really know the extent of the Huawei lobbying operation.
Sir John Hayes
My hon. Friend is painting a picture of a strategic view of China and other powers that has prevailed under successive Governments. It is born of a kind of determinism: “We can’t stop them, so we’ll have to live with them”. There is a predetermined inevitability about the domination of these states, and that is a misconception that needs to be challenged fundamentally, in the way in which he is doing so tonight.
Bob Seely
I look forward to being as eloquent and well dressed as my right hon. Friend one day. Before I come to the point that he mentioned on the need for a consistent approach and better understanding, let me say one more thing about Huawei.
A few other Members have touched on this matter: China’s human rights issues. The excellent Australian Strategic Policy Institute has presented credible evidence of significant human rights forced labour issues, with people from Xinjiang province being used not only by Huawei, but by other significant Chinese firms, or by firms producing goods for western consumer markets and western branded goods. This point brings us to the National Security and Investment Bill—although I know that we are not talking about that at the moment—and the need for a definition not only of national security, but of national interest as well. Do we really think it is in our national interest for us to be accepting slave labour products in this country, whether through Huawei—allegedly—or other firms, including well-known branded names? That human rights aspect is well worth playing up.
It seems clear that the China that we had all hoped for —indeed, the golden era that we were meant to welcome under David Cameron and George Osborne—is not the China that we are getting. We need to be realistic. When it comes to international relations, in the west we are effectively liberal internationalists. We take a positive view of humanity—maybe a liberal, rather than a conservative one, if one is being philosophical about these things, but a benign view of humanity. That is not necessarily shared by the hard-nosed realism school of thought that we see in Russia and China, which is much more of a zero-sum game: we win, you lose. China plays that more subtly than Russia, but there are enough similarities between the two that it should be of concern to us. We need a clearer understand that some people out there with whom we do business do not necessarily wish us well and do not wish our values well. Finally on that, we are stumbling towards that understanding, but we need a more consistent approach to how we deal with China, along the same lines of how we deal with Russia. They are not the same—they are very different—but we have been forced to take a more consistent understanding of the Russian threat, and we need to do the same with China.
I congratulate the Minister on his work on the Bill. The “no new install” date is the key now, and that is why everyone is on side with the Bill. We need that September date, because it shuts down any alternatives for Huawei in the short term. We need a consistent approach, whether it is the Huawei Bill or the National Security and Investment Bill, across Government. This is one of the very small number of truly significant policy packages that we will have to get right in this country for the 21st century.
There are two choices for humanity this century. We can go down our route of open, broadly tolerant societies where people control their Governments—that free open model—or there is the closed model of totalitarian or one-party states, which are building up, with Huawei’s help, this Orwellian state, where the state knows what you are thinking before you do. That is not a good avenue for humanity to go down and, without being antagonistic and too hostile to other people, we need to defend our version of the future of humanity with a little more resolve.
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
I start by thanking Members from all parts of the House for a well-informed debate with many impressive contributions. My first job as a hardware engineer was with Nortel, which has been mentioned by a number of Members. Having spent 23 years in the sector before entering the Commons, I am thrilled that the main debating chamber of our parliamentary democracy should spend so many hours dedicated to our telecommunications infrastructure. I regret that Members who wanted to take part in this debate, particularly from the Opposition Benches, and who could have done so remotely, were not able to do so because of an arbitrary decision by the Leader of the House.
However good the debate is, it cannot make up for the wasted decade under this Government. Successive Tory Governments have squandered the world-leading legacy position on broadband infrastructure left by the last Labour Government. Since then, we have seen delays in the roll-out of networks and the development of a dependency on high-risk vendors. The UK’s sovereign telecoms capabilities and our national security have been neglected, resulting in the Huawei debacle and ultimately this Bill.
My hon. Friend the Member for Cardiff Central (Jo Stevens) put it so eloquently: national security is the first duty of any Government, and Labour will always put that first. The point was made strongly by a number of Members, including the right hon. Members for New Forest East (Dr Lewis) and for Chingford and Woodford Green (Sir Iain Duncan Smith).
Given where we are, we support the aims of the Bill. National security should be the priority of any Government, and our telecommunications infrastructure is clearly critical to our defence, our security and our economic prosperity. That point was made by a number of Members, including the hon. Member for The Wrekin (Mark Pritchard).
We must make sure that we do not find ourselves in a similar position again and that our telecoms network and supply chain are resilient and protected in future, even, critically, as the geopolitical environment evolves. Our telecoms infrastructure lacks security and resilience. We have taken no steps to maintain or develop a sovereign communications capability, and the Government’s broadband strategy, if we can call it that, has far more U-turns, dither and delay than meaningful policies. We want to work with the Government to get issues of national security right, but the Bill is far from perfect.
Members have raised many issues, and I will focus on just three: cost, resource and diversification. I have found telecoms operators to be extremely responsive to the need to take action on the issue of, and in the cause of, national security and to replace high-risk vendors, but six months since the decision to strip out Huawei was finally made, we still do not know how the Government plan to achieve this. They seem to have decided that that is for the private sector to sort out.
The impact assessments, of which there are two, admit that the Government cannot figure out what the impact will be. They have chosen not to give operators any legal protection on existing contracts, but have again not quantified that impact. The Government are apparently happy to pass on the costs of their mistakes, indecision and poor planning to the operators, stating that the costs of removing Huawei are
“commercial decisions that are for the mobile operators to make.”
Yet clearly there was a failure Government here, as 5G security was not sufficiently safeguarded, in the ways that the right hon. Member for South Holland and The Deepings (Sir John Hayes) set out so clearly. Will there be a delay in 5G roll-out? Again, we are not clear, and depending on what is factored in, various research projects have found the costs to be anything from £6 billion to £18 billion. If the Government plan to leave this entirely to the mercy of the market, I would say that all the information-gathering skills Ofcom has will not give us an accurate integrated view of progress and effectiveness. There is no mention of working with local authorities to ease this or to make it quicker, cheaper or more effective.
I joined Ofcom in 2004, just a few weeks after it was born, when it was to be a light-touch regulator, small and nimble. Over the years, it has acquired responsibility for critical national infrastructure; the BBC; the Post Office; soon, we understand, the entirety of online harms; and now, it would appear, national security as well. As Members have pointed out, this Bill refers only to the Secretary of State and Ofcom when it comes to making these key decisions. Of the two, I have to say that I would have more confidence in Ofcom, but the Bill says very little about the resources or the skills that will be provided. This is a huge job, an issue that my right hon. Friend the Member for North Durham (Mr Jones) set out so clearly in what was a truly excellent contribution. One still has to ask: is it sufficiently well scoped? It is a huge job, but is it actually scoped? Is it the role of Ofcom to consider the security of our current networks, or should it be forward-looking? Members have set out what kind of a challenge that would be. Members also touched on the importance of human rights with regard to China’s record. How is that to play on national security decisions?
Sir John Hayes
The real point about Ofcom is whether it acquires those skills or what the processes will be for it to access them from the intelligence community and the National Cyber Security Centre, which would seem to be a much more straightforward way of quickly tooling up to do the job the hon. Member describes.
Chi Onwurah
I thank the right hon. Member for that intervention, and indeed for his contribution to the debate. I agree with him, although I think that is something we need to work out and probe in Committee, because currently there is no reference to that, or no plan to do that. I think we should certainly be taking into account and using our existing resources, and we all know that these kinds of resources and skills are both expensive and hard to find at the moment. The right hon. Member makes an important point.
On 14 July, the Secretary of State, who is not in his place, said in this House that he had
“set out a clear and ambitious diversification strategy.”—[Official Report, 14 July 2020; Vol. 678, c. 1377.]
I asked him repeatedly over the summer when he would publish this clear strategy that he had already set out. Answer came there none, and I could only conclude that he had misspoken. However, I did think that today we would get that strategy, but unfortunately not. Yes, there is actually a diversification strategy, which has been published, but it is neither clear nor ambitious. It is far more concerned with bringing new vendors into the UK than with developing our sovereign technological capability. Indeed, as it diversifies opportunities for Nokia and Ericsson, we could call it an effective Scandinavian industrial strategy. Apart from a vague commitment to link the scale of home-grown suppliers to the Government’s broader growth and productivity agenda, there is no clear plan—no plan at all—to build UK sovereign capabilities, which the right hon. Members for Vale of Glamorgan (Alun Cairns) and for Bournemouth East (Mr Ellwood) emphasised as being important.
Just today, Mobile UK, the mobile operators industrial body, emphasised that the Bill and the 5G diversification strategy are intrinsically linked but not, it would appear, by the Government. The diversification strategy also does not refer to fibre, although the Bill applies to our fibre networks too and may impact the Government’s constantly shifting roll-out targets.
Network operators need to be confident in the maturity, performance, integration and security credentials of new vendors and technologies before they are deployed in their main networks. We agree with the Secretary of State that the Government can help accelerate that process, and in doing so there is potential to create opportunities for the UK to take the lead, as well as much-needed high-skilled jobs. The hon. Members for Totnes (Anthony Mangnall), for Strangford (Jim Shannon) and for Bracknell (James Sunderland) all agreed about the importance of diversification, but all the diversification strategy says about developing UK technology, jobs and capability is that it will be part of the industrial strategy, which we have yet to see. Clearly, we do not have a diversification strategy.
Mr Kevan Jones
Does my hon. Friend agree the Bill will have to dovetail closely with the National Security and Investment Bill? If new developments were taken over by foreign entities, that could be a security risk as well. However, as we were told last week, the responsibility for that lies with the Department for Business, Energy and Industrial Strategy, not DCMS.
Chi Onwurah
My right hon. Friend makes an excellent point. He is absolutely right. The question of how the diversification strategy delivers home-grown capability and protects that as it grows and strengthens has been avoided.
As the shadow Secretary of State said, it is important that everyone can benefit from 5G, both in our technological capability and in using it. There is a digital divide in this country: 11 million adults lack one or more basic digital skills and 10% of households do not have internet access. 5G has the potential to increase digital inclusion, providing greater access to broadband. As the hon. Members for West Dorset (Chris Loder) and for Caithness, Sutherland and Easter Ross (Jamie Stone) highlighted, digital technology can be a great leveller, but we need to ensure that the infrastructure and skills base exist for everyone to take advantage of the opportunities it provides. Digital inclusion requires political will, urgent action and a Government who understand the importance of universal digital suffrage. Government interventions on that have been brief—not quite as brief as the intervention of the hon. Member for Tonbridge and Malling (Tom Tugendhat) in the debate, but far less eloquent.
As a chartered engineer, I want to finish by celebrating the potential of 5G, which can truly transform our businesses, our industries and our daily lives. It will not only vastly improve our connectivity and browsing experience but support new enabling technologies, from the internet of things to artificial intelligence. If the first industrial revolution was powered by engines, the fourth will be powered by data. As hon. Members have observed, 5G is essential for innovations from driverless cars to smart cities, and to addressing the climate emergency through monitoring and improving our energy efficiency. Some estimates predict that 5G could mean productivity savings for the UK of up to £6 billion a year on top of energy and waste reductions that internet of things devices could enable.
We must get this right. As we all agree, our national security is priceless, but until we see a detailed plan, a proper impact assessment and an industrial strategy, the Opposition will remain deeply concerned that the Government are not prepared to make the interventions necessary to ensure that our national security is safeguarded.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
I thank all Members for a well-informed and important debate. We have heard across the House that all Members believe that this Government should be putting national security at the very top of our agenda. That is what we are doing tonight. We are also putting forward a strategy that will allow the UK to derive all the benefits that we possibly can from all the enhanced digital reliance that we have seen across the country over the course of this pandemic and, of course, before it.
We have all heard this evening just how much connectivity matters and just how much our national security matters. We heard upwards of 20 speeches, which clearly demonstrated the critical importance of the security of our telecoms networks, especially as we move into the next phase of digital connectivity. As the Secretary of State has said, this Bill will raise the security bar across the board. It will provide us with the capabilities that we need to protect ourselves from a range of threats, both now and in the future. I am pleased that the Bill has support across the House. It is clear that we are all keen to put the UK’s national security interests first.
I hope that Members are reassured that the Government are taking these issues seriously. A number of Members referred to the Huawei interest group. Much as I have enjoyed being the subject of the Huawei interest group’s interest, I am glad that we have come to a position that has been welcomed across the House. The Government have taken steps today both to lay out our diversification strategy—an important £250 million commitment that is detailed and has real potential to see British companies grow in the way that my right hon. Friend the Member for Vale of Glamorgan (Alun Cairns) identified—and to publish illustrative designations and directions demonstrating the transparency that many Members across the House have asked for. Through that, I think we have demonstrated our commitment to dealing with the risks to our networks and the national security threats that come from high-risk vendors.
I turn to some of the points that have been raised in the course of the debate. The first, which was raised across the House, is the important matter of human rights. We want respect for human rights to be at the centre of all business that takes place in this country. These are vital issues that go much wider than telecoms. A number of Members rightly pointed out that the Telecommunications (Security) Bill will be focused on matters related to telecommunications and security, but of course we have serious concerns about the human rights situation in Xinjiang, including the extrajudicial detention of over 1 million Uyghur Muslims and other minorities in political re-education camps, systematic restrictions on Uyghur culture and the practice of Islam, and extensive invasive surveillance targeting minorities.
Where China is not meeting its obligations under international law, the UK Government will continue to speak out publicly. Indeed, the 30 June formal statement that the UK read out on behalf of 28 countries at the UN Human Rights Council highlighted arbitrary detention, widespread surveillance and restrictions targeting ethnic minorities. The Government published their response to the consultation on transparency in supply chains in September, and we are committed to taking forward an ambitious package of changes to strengthen and future-proof the transparency provisions in the Modern Slavery Act 2015. While, as many have said, issues of human rights are not matters directly for this Bill, they are acutely important, and Britain will continue to take that leading role.
Sir Iain Duncan Smith
I hear what my hon. Friend says, but surely he would concede that, as this Bill deals specifically with vendors and the vendors are themselves located, originally, in countries that may have been guilty of these abuses of whatever nature, should those companies be found to be using slave labour—such as some that are already referenced in this Bill—that would be a reason not to have them. Would he not think that they were high-risk vendors for the very simple reason that they abused those human rights?
Matt Warman
As I said earlier, we would want to apply those standards not just to telecoms companies but to the garment industry and in a host of other areas where we know that there is the potential for similar abuses. I absolutely hear what my right hon. Friend says, but Britain can do better than focus simply on the relatively narrow aspect of telecoms.
Bob Seely
I hear what the Minister is saying, but I wish to follow up the point made by my right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith). If the debate on this Bill is not the place to discuss human rights, I get that, but we are also told that the debates on the National Security and Investment Bill are not the place to discuss human rights. I may get that as well, but the Government need to say where significant national interest concerns that are outside national security can be addressed. We talk the talk on human rights an awful lot in this country and this Parliament, but we have to put some trousers on that, I think.
Matt Warman
I am not going to engage too heavily with my hon. Friend’s trousers, but I will say to him that, as I said a minute ago, we are committed to taking forward an ambitious package of changes to strengthen and future-proof the Modern Slavery Act 2015, and that is one of several significant avenues that are open to him.
On the important matter of diversification, the telecoms supply chain review asked how we can create sustainable diversity in our telecoms supply chain. That question is addressed by the new diversification strategy that we published today, which is crucial to ensuring that we are never again in a situation in which we are dependent on just a handful of vendors who supply the networks on which so many of us have come to depend. I wish to spend a little time on this issue. The Government have been working at pace to develop the 5G supply chain diversification strategy, which sets out a clear vision for a healthy, competitive and diverse supply market for telecoms and the set of principles that we want operators and suppliers to follow.
The strategy is built around three key strands: first, securing incumbents; secondly, attracting new suppliers; and thirdly, accelerating the development and adoption of open and interoperable technologies across the market. That is why, in the diversification strategy that we published today, we commit to exploring commercial incentives for new market entrants as we level the playing field; to setting out a road map to end the provision of older legacy technologies that create obstacles for new suppliers; and to investing in R&D to grow a vibrant and thriving telecoms ecosystem here in the UK.
I say gently to the hon. Member for Newcastle upon Tyne Central (Chi Onwurah) that we have directly addressed a number of the issues that she raised in Westminster Hall last week. I look forward to engaging with her more on the strategy because it is important that we should work together to try to make sure that we all derive the benefits of a serious £250 million Government commitment that will drive early progress and ensure that our 5G diversification strategy not only bolsters the resilience and security of our digital infrastructure but creates opportunities for competition, innovation and prosperity.
Sir John Hayes
It is wonderful that the strategy has emerged, but will my hon. Friend be just as clear about legislative change associated with that strategy? I understand that a further Bill may come forward; given the urgency of this issue and the concentration that his Department is applying to the strategy, when can we expect that legislation?
Matt Warman
We do not anticipate legislation as a direct result of the diversification strategy, but of course there are other important avenues to explore as part of the broader industrial strategy. A lot of what is in the diversification strategy does not need to be delayed by the legislative programme, and I think my right hon. Friend would welcome that.
A number of Members raised the role of Ofcom. Ofcom will monitor, assess and enforce compliance with the new telecoms security framework that will be established by the Bill. It will report on compliance to the Secretary of State alongside publishing the annual reports that he mentioned on the state of the telecoms security sector. I want to be absolutely clear: we have had productive conversations with Ofcom already. Ofcom will continue to have the resources it needs. We appreciate that those needs will be affected by the changes that we are bringing in today, and we will agree their precise nature with Ofcom. We will make sure that Ofcom has all the security clearance that it needs to do the job, and all the resources, external or otherwise, to do the job, because this is an important new power.
Ofcom may also play a role in gathering and providing information relevant to the Secretary of State’s assessment of a provider’s compliance with a designated vendor direction, and it may also be directed to gather further information to comply with the requirements specified in a direction. The Bill already enables Ofcom to require information from providers and, in some circumstances, to carry out inspection of the provider’s premises or to view relevant documents. Ofcom’s annual budget, as I say, will be adjusted to take account of the increased costs it will incur due to its enhanced security role.
Let me turn to a couple of issues raised by the hon. Member for Newcastle upon Tyne Central. We will of course be working with local authorities and with networks to minimise any disruption, but we do not anticipate that the decisions that we have made over the past few months will have a direct impact on existing commercial decisions. As the Secretary of State said, we do not expect the two to three-year delay to be extended by what we have said today, but we will keep in close contact with the networks and continue to make sure that we do everything we can to remove the barriers to the roll-out of the networks as far as we possibly can. I do, however, expect companies to do as much as they can to minimise the effects. These are commercial decisions that have been made by companies over a number of years. We have already seen, as a result of the Government’s approach over the past few months, significant changes to decisions. I welcome the neutrORAN project that my right hon. Friend the Member for Vale of Glamorgan mentioned, as well as a number of others that have been taken by networks that already see important changes to how they procure their networks.
Mr Kevan Jones
The Minister has introduced the September 2021 date after which no new Huawei or high- risk vendor equipment can go into the networks. What will happen to those companies that perhaps have stock of Huawei equipment or entered into contracts thinking that they could implement them before September 2021 and will now have to be told that they cannot? Would they actually lose a lot of money?
Matt Warman
Those decisions, as I said, were taken in the context of the environment that people were already well aware of, and they are taken at a degree of commercial risk. However, we have worked closely with the networks to ensure that there will be no additional delays as a result of this decision. I think it is the right thing that puts national security at the absolute heart of our programme, but it also does that in the context of not jeopardising the clear economic benefits and the clear practical benefits of improving connectivity across the country that we would all like to see.
On the emergency services network, we anticipate that these announcements concerning Huawei will have a very low impact on the emergency services network. We do not anticipate any impact on the programme schedules. There is some Huawei equipment in the EE part of the emergency services dedicated core network that EE is already working towards removing.
Let me cover one other aspect raised by the Chair of the Intelligence and Security Committee, my right hon. Friend the Member for New Forest East (Dr Lewis). I look forward—maybe that is not quite the right phrase—to appearing before the ISC in the next few days. We will always co-operate with it, and I am very happy to work with it on the best way to balance the obvious requirement between transparency and national security, although we would always seek to be as transparent as we possibly can be within those important bounds.
Dr Julian Lewis
I did ask a few questions. If the Minister cannot answer them now, by all means he should write to me. However, I am concerned about a situation where, for example, a former leader of the Conservative party and former Prime Minister has a major role in the China belt and road funding operation. How secure will Government be against lobbying of people with that sort of connection and prominence?
Matt Warman
I will simply say that the Government will always put our national security interests first, and of course we are always alive to the commercial interests of the companies that seek to engage with us in this matter or any other. I look forward to further engaging with my right hon. Friend and his Committee.
To conclude, this Bill does not simply produce a framework that will address one particular company or even one particular country. It sets up the futureproof regime that will allow us to deal with the company that we have spoken about so much this evening and also its successors in successor networks. The intention of this legislation is to persist well beyond the current challenges that we face. I am glad that it commands the support we have seen across the House. I am immensely grateful for what has been a genuinely well-informed debate and one that I look forward to carrying on in Committee. The Telecommunications (Security) Bill will create one of the toughest telecoms security regimes in the world. It will enable us to protect our national telecoms infrastructure, and it is also a chance for the UK to become the world leader in the development of new 5G technology that we all know we can be.
Question put and agreed to.
Bill accordingly read a Second time.
Telecommunications (Security) Bill (Programme)
Motion made, and Question put forthwith (Standing Order No. 83A(7)),
That the following provisions shall apply to the Telecommunications (Security) Bill:
Committal
(1) The Bill shall be committed to a Public Bill Committee.
Proceedings in Public Bill Committee
(2) Proceedings in the Public Bill Committee shall (so far as not previously concluded) be brought to a conclusion on Tuesday 19 January 2021.
(3) The Public Bill Committee shall have leave to sit twice on the first day on which it meets.
Proceedings on Consideration and up to and including Third Reading
(4) Proceedings on Consideration and any proceedings in legislative grand committee shall (so far as not previously concluded) be brought to a conclusion one hour before the moment of interruption on the day on which proceedings on Consideration are commenced.
(5) Proceedings on Third Reading shall (so far as not previously concluded) be brought to a conclusion at the moment of interruption on that day.
(6) Standing Order No. 83B (Programming committees) shall not apply to proceedings on Consideration and up to and including Third Reading.
Other proceedings
(7) Any other proceedings on the Bill may be programmed.—(David T. C. Davies.)
Question agreed to.
Telecommunications (Security) Bill (Money)
Queen’s recommendation signified.
Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),
That, for the purposes of any Act resulting from the Telecommunications (Security) Bill, it is expedient to authorise any increase attributable to the Act in the sums payable under any other Act out of money so provided.—(David T. C. Davies.)
Question agreed to.
Telecommunications (Security) Bill (Ways and Means)
Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),
That, for the purposes of any Act resulting from the Telecommunications (Security) Bill, it is expedient to authorise provision requiring public communications providers to pay certain costs incurred by the Office of Communications.—(David T. C. Davies.)
Question agreed to.
Telecommunications (Security) Bill (Carry-over)
Motion made, and Question put forthwith (Standing Order No. 80A(1)(a)),
That if, at the conclusion of this Session of Parliament, proceedings on the Telecommunications (Security) Bill have not been completed, they shall be resumed in the next Session.—(David T. C. Davies.)
Question agreed to.
Telecommunications (Security) Bill (First sitting)
Thursday 14th January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 14 January 2021 - (14 Jan 2021)
The Chair
Before we begin, I have a few preliminary announcements. Please switch electronic devices to silent. Tea and coffee are not allowed during sittings of this Committee. I would also like to remind Members of the need to observe the rules on physical distancing, both in this room and when entering and leaving via the marked entrance and exit doors. It is important that Members find their seats and leave the room promptly in order to avoid delays for other Members and staff. Date Time Witness Thursday 14 January Until no later than 12.30 pm Three; O2; Vodafone Thursday 14 January Until no later than 1.00 pm British Telecommunications Thursday 14 January Until no later than 2.45 pm Mobile UK; TechUK Thursday 14 January Until no later than 3.30 pm Mavenir; NEC Europe Ltd Thursday 14 January Until no later than 4.15 pm Small Cell Forum; Digital Policy Alliance Thursday 14 January Until no later than 4.45 pm British Standards Institution; Royal United Services Institute Tuesday 19 January Until no later than 10.10 am Webb Search; Oxford Information Labs Tuesday 19 January Until no later than 10.45 am Dr Alexi Drew, the Centre for Science and Security Studies, King’s College London Tuesday 19 January Until no later than 11.25 am The Office of Communications Tuesday 19 January Until no later than 2.45 pm Catapult Compound Semiconductor Applications; Dr Nick Johnson; UtterBerry Tuesday 19 January Until no later than 3.30 pm MWE Media Ltd; Lumenisity; Dr David Cleevely CBE Tuesday 19 January Until no later than 4.00 pm Information Technology and Innovation Foundation
Today we will first consider the programme motion on the amendment paper. We will then consider a motion to enable the reporting of written evidence for publication, and then a motion to allow us to deliberate in private about our questions, before the oral evidence session. In view of the time available, I hope, but cannot insist, that we take those matters without debate. I call the Minister to move the programme motion standing in his name, which was discussed on Tuesday by the Programming Sub-Committee for this Bill.
Motion made, and Question proposed,
That—
(1) the Committee shall (in addition to its first meeting at 11.30am on Thursday 14 January) meet—
(a) at 2.00 pm on Thursday 14 January;
(b) at 9.25 am and 2.00 pm on Tuesday 19 January;
(c) at 11.30 am and 2.00 pm on Thursday 21 January;
(d) at 9.25 am and 2.00 pm on Tuesday 26 January;
(e) at 11.30 am and 2.00 pm on Thursday 28 January;
(2) the Committee shall hear oral evidence in accordance with the following table:
(3) the proceedings shall (so far as not previously concluded) be brought to a conclusion at 5.00 pm on Thursday 28 January.—(Matt Warman.)
Mr Kevan Jones (North Durham) (Lab)
I have no problem with the programme motion, because it is sensible, but I want to put it on record that it is frankly nonsense for us to come in today and sit in a room to take evidence from virtual witnesses, as we will do next week as well. There is no reason why evidence sittings, particularly, could not happen remotely. I have attended two meetings this week, including a meeting on Tuesday of the Defence Committee, which took evidence from witnesses virtually.
I understand that things are being done in this way at the insistence of the Leader of the House. I think he is hiding behind the usual channels having sorted it out. I want to put it on the record that that is not true and that objections have been raised by the official Opposition, certainly about evidence sittings being done in this way. If we are to travel long distances, as many of those present have, to get here today and next week, that flies in the face of the advice of not only the Government but Public Health England about moving between areas.
I do not know whether, at this late stage, we could at least consider whether next week’s evidence could be taken virtually, because it is a bit ironic that we are sitting in a room here—I accept your rulings about social distancing and so on, Mr Hollobone—and that the evidence that we shall listen to from the witnesses today and next week will be given virtually.
The Chair
Mr Jones, I note your remarks and know that many others will share your view. As the Chair of the Committee I can operate only under the rules that I have been given by the House.
Question put and agreed to.
Resolved,
That, subject to the discretion of the Chair, any written evidence received by the Committee shall be reported to the House for publication.—(Matt Warman.)
The Chair
Copies of written evidence that the Committee receives will be circulated to Members by email and made available here in the Committee Room.
Resolved,
That, at this and any subsequent meeting at which oral evidence is to be heard, the Committee shall sit in private until the witnesses are admitted.—(Matt Warman.)
The Chair
All our witnesses today will be giving evidence by video link. Before calling the first panel of witnesses, I should first like to remind all hon. Members that questions should be limited to matters within the scope of the Bill and that we must stick to the timings in the programme order that the Committee has just agreed. For this first panel, we have until 12.30 pm. Secondly, may I ask whether any hon. Members on the Committee wish to declare now any relevant interests in connection with this Bill?
I now call the first panel of witnesses: Patrick Binchy, technical services director at Three, Derek McManus, chief operating officer at O2 and Andrea Donà, UK head of networks at Vodafone. Would the witnesses please be kind enough to introduce themselves for the record?
Patrick Binchy: Good morning. I am Patrick Binchy, and I work for Three, as you said, as the technical services director. I do not know what happened previously, but we lost some degree of ability to hear what you were saying. I think it was Chi Onwurah who was talking, but we could not hear what she was saying, and then it went completely silent for about two minutes.
The Chair
Patrick, I think that was because we were in private session, deciding how we were going to conduct our affairs. You were not cut off out of any rudeness; it was simply that we were going through some procedural matters. May I ask Derek McManus to introduce himself, please?
Derek McManus: Good morning. My name is Derek McManus; I am the chief operating officer of O2 in the UK, and part of my responsibility is therefore network.
The Chair
Thank you. Andrea Donà?
Andrea Donà: Good morning, everyone. I am Andrea Donà; I head up networks for Vodafone UK. I would like to thank you all for inviting us today; I appreciate the opportunity to give evidence to the Committee.
The Chair
Q
Patrick Binchy: Other than thanking you for the ability to represent the industry here, I do not have anything to add, thank you.
Derek McManus: I will add my thanks too. As I have said, my name is Derek McManus, chief operating officer. My teams run the network and the roll-out of 5G and maintain the security and integrity of the network. I am here to answer questions on the Bill and the impact from a business and operational perspective. The security Bill and associated diversification strategy need to be viewed as part of wider powers and requirements being introduced via the Telecommunications (Security) Bill.
The telecoms sector faces considerable costs—resources and time, among other things—in introducing new security measures in the Bill while removing HRVs from networks and looking into diversifying. A balanced approach that gives the sector time to implement the new measures in a cost-effective manner is essential if the Government want the same individuals and companies to develop and roll out ORAN while maintaining and building a secure network.
Andrea Donà: Vodafone accepts the UK Government’s policy on high-risk vendors and continues to work actively with the NCSC and the Government on maintaining the highest security standards in our network. We want to ensure that the objectives of the Bill are fulfilled. We also welcomed the Government’s recently published 5G diversification strategy and the policy framework that comes with it. The strategy sets out ways in which the Government plan to work with industry, and we very much welcome that. We also support the Government’s drive for higher minimum security standards in the telecoms network, and we are continuing to work with DCMS, the NCSC and Ofcom to ensure that all those relevant measures to protect our customers are implemented.
The Chair
Thank you. We have three superb witnesses from Three, O2 and Vodafone. I am now in the hands of Members.
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
Q
I should have mentioned, as an interest, that I spent 20 years working in the telecoms industry within four network operators and vendors, as well as Ofcom, the regulator. I also may know personally some of the witnesses.
The Chair
It sounds like you might be dangerously over-qualified to take part in this Committee.
Chi Onwurah
You make a very good point, Mr Hollobone. I am going to try to keep my engineering and technical interest as much to the back as possible.
I am the shadow Minister for digital, and I am leading for Labour on this Bill. I will focus on the costs of removing Huawei and the diversification strategy, and Opposition colleagues will be focusing on different areas. I thank you for your presence and expertise. I want to ask two somewhat related questions.
First, some have given estimates of the costs of removing Huawei from your networks, and I want to verify whether those are the most up-to-date estimates. I also want to know whether they include opportunity costs, and the time and resources from your boards and others in your organisations. Are they the full costs, if you like, of the removal of Huawei? How can we minimise the economic impact, in your view? Are there other significant costs associated with the Bill and the implementation of a new security framework?
Secondly, your mobile network procurement is currently made through what I will call full-service providers, such as Huawei, Ericsson and Nokia. They basically design and make a network, and provide it to you—I know it is not quite as simple as that. Do you think the removal of Huawei or the develop of open RAN will change that? Critically, is the Government’s diversification strategy likely to lead to the emergence of significant full-service suppliers that will compete head on with the remaining suppliers, Ericsson and Nokia? If not, what other measures should the Government consider taking? How best can the Government work with partners around the world to achieve their goals? That is quite a lot in two questions.
Patrick Binchy: There was quite a lot in those questions. I guess the first thing is that the costs are obviously commercially sensitive, and we cannot disclose them in a public environment, but we would be very happy to respond to any of the Members or the Committee in private to give the detail behind that. At a more generic level, there will, of course, be cost to the industry and to Three. We had selected Huawei to build our 5G network, and we have now selected a second vendor, Ericsson. We have to go through the process of mobilising Ericsson and removing the Huawei equipment, which has a cost to it and will have an impact.
In terms of the diversification of the market, there are really only two players in the UK market now. As you rightly point out, there are service as well as equipment capabilities within those suppliers. As we look for diversification, we need to diversify across all those aspects of the market. We are working with the Government, NCSC and DCMS in terms of how to approach that and how to build that. We will continue to support that as we go forward.
Derek McManus: We have similar commercial sensitivities on cost. You may or may not be aware that we are not indebted to Huawei. For our network, the cost of removing from the radio network is relatively small compared to some of our competitors. So, I will focus more on your second question, if that is okay.
You are absolutely right that we tend to buy end-to-end service in the current mobile environment. ORAN today is set up with a quite separate and different supply chain, with different companies specialising in software, different companies specialising in hardware and specialists doing the integration. It is likely to change the nature and relationship that we will have with supplies. ORAN is relatively immature in its development. As it is technically and commercially ready for scale deployment, that may well change. But we see today that the leaders in ORAN tend to be smaller companies specialising in the hardware or, more specifically, the software.
Andrea Donà: Very much like my colleagues, I am more than happy to write to the Committee in the future, once we have completed our procurement process, with the details on the cost for replacing our high-risk vendor. More specifically, when it comes to the diversification strategy and the role that open RAN has, we at Vodafone believe that the UK should seek to be a leader in open RAN. We are, indeed, leading the way, and have committed to swapping out 2,600 of our base stations to an open RAN technology.
In order to fulfil that ambition, the current timescales for removing the high-risk vendor equipment must remain unchanged. We need the stability and the time, as Derek rightly points out, to allow industry and Government to develop a diverse supply chain and allow the technology to mature, both in its functionality and its capability, as well as the possibility of scaling industrially. The legacy vendors have had a lot of time in the market to develop their competence. We need to support any new entrants in the open RAN space with appropriate investment incentives and a policy framework that attracts and supports new entrants in the open RAN space.
The Chair
Three Members have indicated that they would like to ask questions. We will take them in the following order: James Sunderland, Miriam Cates and Kevan Jones.
James Sunderland (Bracknell) (Con)
Q
Patrick Binchy: I think, initially, it is not for the industry to comment on and define national security and risk. That is for the Government. However, we absolutely support whatever is put in place beyond that. I think that this Bill, in the way that it is structured, very much helps with that, because not giving a definition, and the way that it will be able to include additional vendors and additional technologies, gives it the flexibility to move forward and to adapt to threats, whether they are technical or through suppliers in the future. In that way, it is well constructed.
Irrespective of the Bill itself, we work with the security bodies on a regular basis—on a day-to-day basis—and we continue to do that, to protect the British public from any and all security threats. And I would add that the UK is actually very well advanced in terms of protecting itself and its security posture.
Derek McManus: Similarly, I am the COO of a commercial organisation; I am really not best placed to answer that point specifically. But what I will say is that we run our business by security by design—it is a key part of the evolution of our network and all of our services. I believe that as an industry we are actively engaged with the security forces to deliver a good track record in terms of national security from telecoms. It is important that we continue to do that. Everyone who is connected closely to security knows that it constantly evolves as technology evolves, and the continued collaboration between the industry, the Government and the security forces is essential beyond the completion of the Bill.
Andrea Donà: Similarly to my colleagues, I am not in a position to comment on national security. What I would say is that Vodafone worked very closely with Government on how the Bill best enables us to secure our networks in practice. I think it is very important that we maintain a very close collaboration as we work in implementing the Bill.
We believe the Bill is sufficiently flexible for the Secretary of State and Ofcom to interpret the security threats and issue notices to providers to deal with them. Reviewing the legislation at regular intervals to assess its efficacy in the face of new technological challenges, and also in the light of new strategic aims by Government and that constant review involving the industry, will be very welcome for us. Our continual engagement will enable us to ensure that the new regulations can be enforced in practice effectively to achieve the scope of the Bill.
The Chair
Thank you. We will come to Miriam Cates next. Then, after Miriam, the order will be Kevan Jones, David Johnston, Christian Matheson, Dean Russell and James Wild.
Miriam Cates (Penistone and Stocksbridge) (Con)
Q
Patrick Binchy: In line with the previous answer, I cannot go through the specific commercials—they are commercially and competitively sensitive. But I would be happy to take such questions offline if you want to follow up on that.
Regarding the 2027 deadline, I think there is a balance here between UK connectivity and UK security. First and foremost, I would say that we have a security regime in place today. We use the Huawei cyber-security evaluation centre to check all of the technology that comes through Huawei and goes into UK networks, and we work closely with the security authorities to make sure that we are protecting the UK public today. We also have full visibility of any traffic that is transiting our network, either incoming or outgoing, so we are confident that we have the security in place today that is necessary.
In terms of achieving the 2027 timeline, that is a challenge. It is not going to be easy, because we need to balance that national connectivity against security and do it in a way that ensures that we continue to provide good-quality connectivity to the public.
There are a number of timelines within the legislation. We do not think the timeline for 2021 in terms of using equipment is a major issue. The 2023 35% cap and the 2027 are challenging, but we have plans in place. We have put our second vendor in place. They are already rolling our 5G network out in Manchester, Glasgow and Reading, and we are confident that we can meet those timelines and supply good-quality connectivity to the UK public.
Derek McManus: I think everybody, particularly in this environment, understands the immediate value of connectivity in the situation that we as UK society face. In terms of the opportunity for that connectivity to be part of economic growth as we evolve 5G and help build the economy, those are two of the competing challenges that we have to balance, while also removing HRVs and delivering diversification.
Yes, it is a matter of balancing costs in terms of investment, but we also have to recognise the customer disruption caused by removal of equipment. It is important that we maintain those other two key criteria—that important connectivity and that support to economic growth. By working together and taking the right balance, the Bill’s timescales are appropriate. I cannot, obviously, talk about the plans of individual businesses to meet the deadlines, but as an industry, I think it is appropriate.
Andrea Donà: At Vodafone, we believe that the Government’s decision to set a timeframe of 2027 truly reflects the complexity of what we have been asked to do. It is important that the deadline of 2027 does not change further. We need certainty and a fixed time plan so that we can plan for the future. Any further changes will disrupt our investment plans and will also cause undesired further disruption, as we attempt to accelerate a swap out that is, in itself, very complex, and will deliver inevitable disruption to our customers—the businesses and the public services. We are actively working with all the involved parties—the Government, Ofcom, NCSC and DCMS—to ensure that we minimise disruption. It is a complicated and difficult effort from a technology perspective, but also from the perspective of the practical implementation on the ground.
If the Government truly share our ambition to be a leader in digital infrastructure, we need to ensure that we give the high-risk vendor enough time to carry out the plans, under a very well-defined timescale and, as I said earlier, in parallel, allow the diversification agenda to grow, as well as the stability, to allow new entrants to come in and be a viable alternative to the incumbent high-risk vendor that we are swapping out.
The Chair
We will come on to Kevan Jones. Now I am getting the hang of this now, I do not think it is fair to always ask Patrick to be the first out of the blocks to answer the questions, so I will try to rotate so that everyone has a chance of going first.
Mr Jones
Q
Having met many of you at a previous Committee and taken evidence from you, it is clear that there is little profit to be made on the hardware side because we all want cheaper phone calls, and you obviously react to customer demand to try to get costs down. What are the realistic prospects of any UK-based company or other vendor coming into the hardware side? On open RAN, I accept that it is for the future, but what timescales are we talking about for that having an impact on how our telecoms networks are organised?
Derek McManus: On timescales for ORAN, I think we are very early in the evolution of that technology. There are trials in the UK, as there are in various markets across the world. In our view, it will be at least a couple of years before you have a viable technical and commercial product, focused initially on rural. To have diversification in a meaningful way, you have to have scale, and scale will take a number of years beyond that—I would say five to eight years to get a real, viable-scale vendor to challenge the two incumbents.
On your previous question about the likelihood of there being UK players in that market, the UK used to have a very healthy telecoms supply industry, which sadly over time has faded away. I think it is more likely that the UK could play in the software part of the future of radio, and particularly ORAN, than in the hardware part. I cannot see today a viable UK hardware provider. Actually, there are not that many UK telecoms suppliers around. But software is a bigger opportunity. Part of the diversification work that is going on with the industry and Government is looking at ways to encourage the inclusion of UK business in that emerging opportunity.
Mr Jones
Q
Derek McManus: Yes, and if you look at the scale of mobile growth, the fact that there are only two remaining viable competitors is an indication of how difficult it is to have competition in today’s marketplace. That is technical and, to meet the economic challenges, that requires scale, too. There are other providers in the marketplace, but only two provide the 2G, 3G, 4G and 5G capability that the current UK markets require.
Andrea Donà: To answer the specific question on timescales, Vodafone UK is pioneering the development of open RAN. We were the first operator to achieve a commercial open RAN solution, in August last year, having delivered the first commercial open RAN unit on the ground radiating and carrying traffic at the Royal Welsh showground. We recently developed and announced plans to deploy open RAN across 2,600 sites. It is a promising innovation, but it is not yet mature enough to match the traditional vendors in terms of functionality and efficiency on an industrial scale.
However, if the UK wants to lead in this field and take advantage of the existing advantage that it has when it comes to design, it should continue putting its weight behind this promising technology and allow partnerships to be formed, where the incumbent vendors are asked to play a role in the architecture of this new technology. That will allow other parts of the technology chain—as Derek said, software, the baseband or the antennas—to attract and welcome new entrants through appropriate policy frameworks and the diversification strategy.
With new entrants, as we open this technology, we fuel innovation. If the UK keeps ahead of that, it will be able to be at the forefront of exciting new innovation. We welcome the steps that were outlined by Government to try to press this technology ahead. You could do that through trials or through incentives for the MNOs to use their technology. We can work together to create local research and development centres to fuel this new technology.
Mr Jones
Q
Andrea Donà: There is an opportunity for British companies to play an active role in the open RAN ecosystem. As we open up the interfaces of the technology, it creates a golden opportunity for British companies, with British support and know-how, to come and contribute to the development of this new technology.
Patrick Binchy: My views are broadly aligned with the previous answers. The reality of the situation that we find ourselves in is that there are only two practical vendors for the next couple of years. As both my colleagues have said, beyond that there is opportunity for ORAN.
I am not sure if it came across in the previous answers, but I would stress strongly that the first thing we need is the R&D. We need to understand how we can move this technology forward. As Derek said, trials are primarily operating in rural capacity, but to be a true competitor to the incumbents we have to be able to use it in deep urban areas, under significant loads, which needs a lot of development.
The Government can support trials and help build the ecosystem around them, but the first thing that we need is to get the research and development that will feed the trials. In terms of the Government’s development of opportunities in ORAN, it is key that they look at working with international partners. This has to be scaleable; otherwise, it is never going to be commercially viable. The UK market will not be big enough to drive that scale and commerciality.
David Johnston (Wantage) (Con)
Q
Andrea Donà: Specifically on the incident you are referring to, which was in April 2019, it was a Telnet protocol, which is used by many vendors in the industry to perform diagnostic functions. It is important to note that it would have not been accessible from the internet. Detailed analysis showed that it was simply a failure to remove a function that is used, as I said, for performing diagnostics after it had been developed.
On the broader question of security and our concerns, we have always maintained the very highest level of security policies, security processes and security procurement mechanisms and frameworks. We use a layered approach to our security needs, whereby we secure by design. All our systems and process put in place guarantee the highest security standards, end to end. The UK networks and standards are the highest in the world. We constantly work hand in glove with the NCSC, and abide by all the latest NCSC guidance and policies to keep those minimum standards high every time. We have worked very closely with the NCSC to set up HCSEC, an ad hoc centre where any new Huawei equipment or software goes through rigorous checks, audits and assurances, in line and in close collaboration with NCSC.
Patrick Binchy: I do not have much to add to that. We are similarly aligned in terms of our processes, from procurement to deployment. We have security checks throughout, and separate functions to make sure that we are adhering to those. We work very closely with the NSCS and HCSEC in terms of the technologies that are in the network. Going forward, we will continue to do so. We will be reviewing the software and hardware versions that we have in place and ensuring that those are fully checked and validated. As I said earlier, we also have a full, independent view of the traffic traversing our network, so if something untoward were to start happening, we would immediately have a view of it, and would be able to shut it down independently.
Derek McManus: As I said earlier, we do not have sufficient numbers in the UK. We have fewer than 10 Huawei base stations, so although we perform all the necessary checks, we are not exposed on the scale of others in the market.
The Chair
I propose drawing this part of our deliberations to a close at 12.30 pm. We have five Members seeking to ask questions. If our panellists keep each of their answers to one minute, we will get everybody in—and we will get all the answers as well. I call Christian Matheson.
Christian Matheson (City of Chester) (Lab)
Q
Gentlemen, can I assume that you have done an audit—an asset register, if you like—and that you know where all the at-risk equipment is in your networks, so that once the Government push through an order, you know exactly where to go to address the requirements of that order? How interconnected are your networks? Are you as confident as Mr McManus, who says that the integrity is fairly good? Do you all rely on each other to maintain an overall integrity? What if one is insecure ?
Patrick Binchy: Of course, the networks are interconnected. As I said, we have full visibility and control of what transverses between the networks, so we can maintain full control over that. I do not think there are any significant risks in this space, because of all the security checks that we do on the equipment that comes into the network. We maintain a regular relationship with NCSC in terms of any future threats or concerns that it has. We all have our asset registers, and an understanding of what we have in our networks. We maintain and update those on an ongoing basis as the technology changes and evolves.
Christian Matheson
Q
Patrick Binchy: We know where all the equipment is for our main supplier, yes.
Derek McManus: On the question on the asset register, absolutely. As for whether networks are interconnected, Patrick gave a good answer. The O2 and Vodafone networks are somewhat different, in that we work together on a network share; the O2 team manages and maintains a network in a certain geography, and the Vodafone team manages and maintains a physical network in another geography. In that sense, the O2 and Vodafone networks are very interconnected.
Andrea Donà: It is vital that the secondary legislation that accompanies the Bill clarifies assets in the telecoms network architecture that will be in scope of the security requirement, so that we can work knowing what we have audited, and knowing that the auditors always shared with NCSC. We need a clear understanding between Ofcom and us as providers before the legislation is enforced, so that we understand exactly the boundaries and the scope, and we all work together, having done the audits, to close any vulnerabilities that we might have. That is a clear aspect of our working together: ensuring that the assets in the telecoms network infrastructure that are in scope are very well defined.
Dean Russell (Watford) (Con)
Q
Derek McManus: There are a number of different security threats. I will talk about network from a physical point of view, though there are obviously also scams and threats through direct human contact. It is mostly penetration of the physical network either from attack or from virus software. Attack is where foreign agencies or bodies look for vulnerabilities or holes in your defences. The role of the telecoms operator is to ensure that all its physical equipment and software are of the highest support and variation that defends from attack. We see quite a high volume of attack, either DDoS or penetration, on a regular basis. As I said, we do cyber-security by design. It is built into the fundamental processes of expanding and adding to our network, to protect us from those very things.
Andrea Donà: To add to what Derek says, it is also important that Government play a role in securing the additional security needs across the whole ecosystem of the supply chain, including the vendors. With the ever-changing nature of the threats we are exposed to, as Derek explained in layman’s terms, we have to change the protocols and the rules by which we and our vendors implement our defence mechanisms.
It is important that the Government do not leave providers such as us alone to reinforce these additional minimum security standards; they should play an active role in ensuring that vendors adapt their technology road map, so that things are done in a much more future-ready, cyber-security-compliant manner, because we face an ever-changing picture and ever-changing scenarios.
Patrick Binchy: In terms of the threats and penetration, as Derek said, the key things are that they get into the networks, either to bring the networks down and create chaos for the UK economy, or to extract information from the networks. All our security, as both my colleagues have said, is built into design, right from the very start of the procurement process. How do we protect against, and build networks that are able to detect, avoid and block, any of those risks and threats? We do that through our knowledge, the knowledge of NCSC and the authorities, and the knowledge of the wider industry on what is going on beyond the UK and in the international regime. We are constantly reviewing and updating our capability to protect against any of those threats.
The Chair
Gentlemen, we are right up against the clock. We have seven minutes left. Your answers are superb, but they need to be pithy, because we have three sets of questions coming and we need to get the answers in, and I am afraid that 12.30 pm is a hard cut-off; I am not allowed to extend beyond that.
James Wild (North West Norfolk) (Con)
Q
Patrick Binchy: I do not think it is quite as simple as yes or no; there are some challenges in how those rules and laws are articulated, and whether that allows us to move away from our commercial obligations. Of course we work with NCSC, and so far, what is in place is fully aligned with the direction taken by the Government and the Bill, so in this case, we believe it is sufficient.
Derek McManus: I refer you to Patrick’s answer. I have nothing specific to add. It depends on the circumstances. We continue to collaborate, and to speak with the authorities to ensure that we align with current and future needs, from a security point of view.
Andrea Donà: We will abide by the requirements.
Chi Onwurah
Q
Derek McManus: Basically, we have not seen anything directly like the UK legislation, although various forms of it can be seen internationally. The second question was on standards. We operate in 23 countries, and as you can imagine, their standards are key to us. We hold a lot of expertise, from a Telefónica group point of view, that the UK team is able to rely on and work with to ensure that we are at the very edge of developing the right standard.
Andrea Donà: As the Government plan to take a lead in enhancing the minimum security requirements, and in diversifying their telecoms strategy, we as a global company are happy to support the standard setting, and to advise on the practical implementation of the additional security requirements.
Patrick Binchy: I refer to Derek’s answer. We have a very similar position with regard to the UK legislation: we have not seen quite the same in the other countries. On standards, we play an active role, and we have a number of UK staff who act actively in standards setting.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
Q
Andrea Donà: We need the clarification that I mentioned of what is, and what is not, in scope, so that we have absolute clarity from the word go. We all work together to understand the profile of that implementation. It cannot be a big bang—everything complying from day one. We obviously need to do a detailed risk assessment of the areas that we need to work on immediately on the Bill’s coming into force, and of what can afford to be done at a secondary stage, based on the risk assessment and the risk management analysis of the various assets in our network.
Derek McManus: As I said in my opening remarks, collaboration to date on getting the Bill to this stage has been positive. We should continue that. My request is for flexibility to help us execute effectively, while balancing the other demands on the industry.
The Chair
You have 30 seconds, I am afraid, Patrick Binchy.
Patrick Binchy: Again, very similarly, we have to balance good connectivity with security. We are confident that our plans will meet the needs, but we will continue to work with Government and security on how we achieve and deliver that. It will be challenging, but we are confident that we can do it.
The Chair
Order. I am afraid that brings us to the end of the time allotted for the Committee to ask questions. On behalf of the Committee, I thank all our witnesses very much indeed for their evidence this morning.
Examination of Witnesses
Howard Watson and Alex Towers gave evidence.
The Chair
Q
Howard Watson: Good afternoon, Mr Chairman. My name is Howard Watson, and I am BT Group’s chief technology officer.
We at BT support the principles of the Bill. We echo what the other operators have said—I have just listened in to the previous session—about the importance of having realistic timeframes, and we are pleased that the Government have listened on that. We have some outstanding questions, but they are pretty much about the detail of the implementation of the Bill. There is also need for some further reassurance about the proportionality across the rich landscape of operators that we have in the UK in how that regulation will be applied.
Alex Towers: Hello, my name is Alex Towers and I am director of policy and public affairs at BT Group. I have not really got anything to add to Howard’s opening statement. I think that covers it.
The Chair
Lovely. I am now in the hands of Members. I am very happy to give preference to Members who did not ask a question in the previous session. First out of the blocks is Sara Britcliffe.
Sara Britcliffe (Hyndburn) (Con)
Q
Howard Watson: I note that some of this was answered by my colleagues earlier. Threats to the network include physical access. We all saw earlier this year a lot of attacks on our physical infrastructure, which were highly regrettable. I mean by that the setting alight of some of our infrastructure. We also faced logical threats, such as malware implants, DDoS attacks and what are called advanced persistent threats, which is an actor embedding themself into parts of the environment, staying hidden for a while and potentially collecting credentials—think of the SolarWinds hack that is in the news at the moment.
We take all those threats extremely seriously at BT. For as long as we have operated, we have worked very closely with all aspects of Government, and in particular with the National Cyber Security Centre. We take a sort of defence in depth approach. We have a red team who are ethically hacking us, and we are part of the TBEST scheme.
We think that the UK has a good track record here, but we also welcome the strengthening of that in the Bill. We think that some of the specific items about protecting even more against potential insider threat, looking hard at the vendors we use in the supply chain and having specific rigour about that, and the reporting mechanisms and requirements in the Bill, specifically around telecoms security requirements, will enhance that for all operators in the UK.
Alex Towers: I do not have much to add to that, except to say that, as Howard says, lots of the attention in the debate in the run-up to this Bill has been focused on a small number of very specific, clearly high-risk vendors. It is right that we take steps to protect ourselves around them, but just as important in the Bill will be the telecoms security requirements that stretch well beyond those specific vendors into all manner of aspects in which operators run their networks. Putting those two things together will be important.
The Chair
Thank you. The running order is Dean Russell, Miriam Cates, Kevan Jones, Christian Matheson and Chi Onwurah.
Dean Russell
Q
Alex Towers: I think we see long term that diversification of vendors would be good for the operators in the marketplace if we can get to that point. It is important to say, I suppose, as the other operators were doing earlier on, that we are not at that point right now, so we are having to manage a situation where with the market as it stands we have a small number of very large-scale, important vendors and suppliers and we are having to remove one of them, clearly, from the 5G marketplace. That creates a degree of complexity and engineering difficulty that we need to just work our way through; so there is a lot of work to do just to manage within the current market framework to replace Huawei and to bring Nokia and Ericsson to the point we want. While we are doing that, if we can at the same time create the prospects of, in the longer term, a more open marketplace with a wider range of vendors—with other-scale vendors that do not quite work at the minute in the UK market, and Howard could probably explain exactly why that is, as well as with the potential for open RAN and other types of technology and software-based models to be developed—that is good for the whole industry and could be good for UK jobs and potential UK companies and therefore also for the citizen.
Howard Watson: I certainly welcome the Government’s supply chain diversification initiative here. It is concerning that we are moving from, essentially, three suppliers in the mobile supply chain down to only two. Our network going forward will use both of those. So widening that choice over time, for all the operators in the UK, is I think a critical opportunity. Please bear in mind that most operators quite like to have a primary source and a second source. It is unlikely that we will all start deploying equipment from four or five different vendors, because the operational challenge of the person in the van maintaining that tends to limit you to a choice of two; but being able to choose two from six is a lot better than choosing two from two, of course.
We welcome the three initiatives, which I will summarise. The first is whether we can we encourage Samsung, NEC and other large vendors who build mobile networks elsewhere to enter the UK market. The second is open RAN and it really just creates through more open standards the ability to have more players in that end-to-end solution. The third area really is to have a thriving research agenda for the UK. We really welcome the £250 million allocated in the recent spending review. We already have a thriving research capability in the UK and I think continuing to focus that on antenna design, optoelectronics and semiconductors will have a role to play in diversification going forward.
Miriam Cates
Q
Howard Watson: I actually think the structure of the Bill accommodates that quite well. It allows secondary legislation and guidelines to be upgraded. We note the critical role of the National Cyber Security Centre working with Government in doing that. I think, actually, you have taken care of that well with the way the Bill is structured.
Alex Towers: Yes, I would completely agree with that. I suppose our concern, slightly, at the minute, is to see some of the detail that is going to sit underneath the Bill in terms of a code of practice, in particular, and secondary legislation, because that is where it will become clear exactly what the implications are for operators. The sooner we can see some of that detail and get into the teeth of that, that would be great; but the way the Bill is structured, to allow that sort of detail to be updated on a regular basis as the world changes around us, seems totally sensible.
Mr Jones
Q
Howard Watson: Let me work through that. First, from our perspective, given that we do have quite a large amount of BT in our mobile network, which is with the high-risk vendor, we have a large swap-out programme already under way. Effectively, we already use Nokia to extend their reach, but also to introduce Ericsson. That essentially means that I will be replacing a significant amount of my network over the next seven years.
It is quite difficult for me to start introducing new opportunities and new options into that, certainly in the early part of that. For my network, I see the opportunities in the latter part of this decade, not the early part. That does not mean that there will not be opportunities to try open RAN in some of the rural areas or to conduct some trials with the other vendors that we have talked about. It is very much an industry approach that we are taking here. Some of my colleagues may be able to move a bit earlier. It is important that we collaborate and work as a UK set of operators with the Government to make sure that we have the right rich set of solutions.
We would not want to come down to just one vendor. That would certainly be a worry for many reasons, so we need to continue to ensure that, in the short term, we absolutely have the choice of two.
Alex Towers: Given the timeframes that Howard has described, it is a five to seven-year cycle of replacement for the vendor. That is why it makes sense, we think, to go big now on large-scale trials of things like open RAN. The important investment in R&D and the £250 million is a good step towards that, but we will probably need some more, because we need to be ready for the next cycle if it is going to be a workable solution in future.
Chi Onwurah
Q
Secondly, we heard from Sir Richard Dearlove, the previous head of MI5, that when Huawei was first used as a vendor or equipment supplier by BT, it was not considered worth informing Ministers of that fact, despite what he considered to be evident security concerns. Can you say what in the Bill changes that so that the Government of the day will be better aware of ongoing and future security concerns?
Thirdly, on behalf of Catherine West, on international collaboration, what presence do you have on standards bodies? Can you say what your budget is for research and development so that we can see how that compares with the £250 million on offer?
Alex Towers: I will defer to Howard on the questions about standards and technical details. On your point about the relationship with Government, I do not think that any of us were around in 2005, but I know that there is some sort of contested story about exactly who was told what about the introduction of Huawei. You would—[Inaudible.] We have moved a long way on that. We have a very close working relationship with the NCSC and with other parts of Government, and we would be very confident that we are constantly in contact with them about exactly the mix of suppliers that we are using. The introduction through the Bill of TSRs will take that even further, so we would be very confident that we have got a good enough structure there to ensure that any concerns that any part of Government had would be captured and dealt with, and Ofcom is also now in a position to regulate.
The question about relying on just the one supplier is less a concern about security and more one about the commercial resilience of that position. Howard can probably say a little bit more about the standards and the technical questions around that.
Chi Onwurah
Q
Alex Towers: I think they overlap and that is one of our questions about the drafting of the Bill. There is clearly a relationship between those two things, and the concern about the timeframes for the removal of Huawei, for example, has been partly about ensuring that we have operational resilience during what is going to be a very complicated engineering programme to take out all its kit without losing resilience, in the sense of outages and blackouts for customers. Some of the Bill’s provisions talk about outages, but there is a difference between outages for operational maintenance and updating of kit and outages because of a security issue or attack. It is going to be quite important to pull those threads apart a little bit.
Howard Watson: On the vendor point, to summarise the approach that we are taking, we stopped purchase at the end of December, we will stop deployment in September of this year, we get down to 35% by two years hence from the end of next week, and then we have it removed from the mobile network by December 2027. I think that timeframe works well for us with introducing effectively a third supplier into our mobile network in terms of that 2027 point. It certainly helps mitigate any future steps in terms of a two-to-one.
I would not bank on it taking a full eight years to have an open RAN opportunity. As we heard from Andrea, colleagues at Vodafone have already started deployment . The real challenge there is about being able to use open RAN in dense urban areas where the technology works at its hardest, shall we say.
On your final question about research, we are in the top five investors in R&D in the UK—we invest in excess of £500 million a year across both research and development. In fact, the only companies that research more than us in the UK are the pharmaceuticals. I have 280 researchers based in the BT labs at Adastral Park near Ipswich and they, plus a standards organisation —we also draw in from engineers across my organisation—remain really actively involved in the standards bodies. I welcome what colleagues from the other operators say and think it is really important that we maintain that as a UK presence and as a European presence to ensure that we are not lost in the middle of any risk of divergence between the US and eastern and Asian countries and China. I would implore us all to work hard to ensure that that does not happen.
Matt Warman
Q
Howard Watson: Let me take the final part of that question first, Minister. We are very much aware that that is a deadline, not a target, but we welcome the fact that the deadline is 2027. I have given evidence previously and have talked with Government significantly about the real risks to the availability of service if we pull that date forward.
We have a lot of infrastructure. That deadline allows us to plan carefully how we can switch off a site, if we have to, to replace it and swap it out, so that the spike has overlapping coverage from adjacent sites. Were we to be required to bring those timescales forward, we would be talking about mobile blackouts in the UK, which clearly we all want to avoid, given the increasing dependence of UK citizens on networks. We have a plan that gets us to that. The 35% by 28 January 2023, just two years away, is a little bit more challenging, but we have a plan to get us there. The pandemic is making that challenging, but right now we are on track for that too. I think that answers the second question.
In answer to your first question, the ambition that we have, and what will become requirements across the TSRs, will put the UK ahead of the pack, in being a safe place for people to work and run businesses, secure in the knowledge that we have a high level of protection against cyber-threats. We welcome that, particularly in the environment in which we are now operating.
We have remaining questions—we raised some of those in our written evidence—about the sequence by which the requirements will be applied. We think it is critically important that there is a strong baseline level of compliance that applies to everybody who operates a network in the UK. We do not want to have entry points through weak links across our environment.
Alex Towers: A large majority of what is in the TSRs reflects current best practice and we are already complying with it. There are some places where there is a stretch for us to do more, which is good. The key point, I suppose, concerns Howard’s point about making sure that the baseline for all operators is higher and strong enough, given that these are inter-connected network, as you have already heard this morning. The whole edifice is only as strong as its weakest point. We are concerned about the idea that the code of practice might not apply to some operators, for example. That is the sort of detail that we will begin to see debated further as the Bill goes through.
Chi Onwurah
Q
Howard Watson: We do believe that fixed networks, whether full-fibre or fibre-to-the-cabinet, have a different risk profile—a lower risk profile—from mobile networks. Please remember that it is only in the access part of the network, so the fibre—the device in the exchange that connects to that. In the core of the fixed network, we have no presence of high-risk vendors. So we do believe that is manageable. We worked really closely with DCMS and NCSC to arrive at the 35% threshold that was published a year ago, and we think maintaining that in the fixed network is proportionate and sufficient to ensure security there, combined with the oversight that, again, we continue to support from the HCSEC and NCSC to ensure that we are inspecting everything that goes into the network.
I will also say that it is essential that we do take that approach because, as you know, we have large ambitions to increase full-fibre coverage in the UK. Ofcom reported in December that that was now at 18%. We at BT have now built for 3.5 million homes. We have a plan, which we have talked about—this is with the right conditions—to get to 20 million. We do need that 35% to be part of that plan because, again, introducing alternative vendors is challenging.
Chi Onwurah
Q
Howard Watson: Fundamentally, you are dealing with a customer that is a fixed end point, so you are not having to provide handover between different sites as you do in mobile. Essentially, we are taking an electrical signal, modulating it into optical and converting it back to electrical at the other end, in very standard ethernet-based protocols. It is therefore really easy to see if there is a problem, so if something was infiltrating the network, we would spot it very quickly. Also, it is a very segmented network. The FTTC network has a granularity of over 85,000 cabinets in the UK, and the FTTP network has splitters for every 32 homes. Any issues are very easy to spot and so it is much easier to keep secure.
Chi Onwurah
Q
The Chair
I am afraid you have only about a minute to respond. Which of you gentlemen would like to answer?
Howard Watson: I will take that. You are right. We want two vendors to be consistently in the market, so that we can continue to deploy. If one of them were to fail—well, we insist on commercial and physical measures being in place such that we could step in and run the equipment that was already in the network, so it would not be switched off in the short term or anything like that; there would be no immediate threat to the existing network. It is the ability to build forward that is important.
As I think Alex mentioned earlier, the primary reason, which relates to the second part of your question, is that we want competition on pricing. As we have looked to have the two remaining vendors compete with each other for replacement of our Huawei estate, that has actually worked quite well as we have put in place contracts for that replacement.
The Chair
Gentlemen, I am afraid we have reached the limit of our own bandwidth this morning. That brings us to the end of the time allotted for the Committee to ask questions. I thank both gentlemen for their evidence. The Committee will next meet in this room at 2 o’clock this afternoon to take further evidence. Members will be delighted to know that they will have a far more accomplished and competent Chairman present.
Ordered, That further consideration be now adjourned. —(Maria Caulfield.)
Telecommunications (Security) Bill (Second sitting)
Thursday 14th January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 14 January 2021 - (14 Jan 2021)
The Chair
Order. We will now hear from Hamish MacLeod, the director of Mobile UK, and Matthew Evans, the director of market programmes at techUK. We have until 2.45 pm for this session, and I will try to alternate as best I can. May I ask the witnesses in turn to introduce themselves for the record?
Hamish MacLeod: I am Hamish MacLeod, and I am the director of Mobile UK, which is the trade body for the UK’s four mobile network operators.
Matthew Evans: My name is Matthew Evans, and I am director of markets at techUK, the trade association for the wider technology sector, which has several telecom-related members.
James Sunderland (Bracknell) (Con)
Q
Matthew Evans: I am happy to take that question. From the principle point of view, the principles of cyber-security are the same regardless of the network: having security built in by design, but also having a zero-trust principle and good assurance that your defences are looking inwards as well as outwards. On a principle basis, they are very similar.
Hamish MacLeod: I have nothing to add to what Matt said.
Dean Russell (Watford) (Con)
Q
Matthew Evans: I am happy to take that as well. We completely agree with the overall objective of the Bill, which we think provides clarity to the sector and helps us to further enhance the security and resilience of the UK’s telecommunication networks. Obviously, as more and more services and applications are used over our fixed and mobile networks, ensuring their security and resilience is incredibly important. That is why we are pleased to welcome the Bill and the associated diversification strategy alongside it, which is obviously separate to the Bill but intrinsic to matters of resilience as we seek to broaden the supply chain.
Hamish MacLeod: I should perhaps reiterate what my colleague said this morning—that the mobile sector very much welcomes the Bill. Security has always been a top priority for mobile operators. We have always worked closed closely with the National Cyber Security Centre, but this is a great opportunity to formalise the arrangements and to make them more structured and transparent.
The Chair
Chi Onwurah, did I detect that you were going to ask questions on behalf of Catherine West?
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
Q
Matthew Evans: From techUK’s point of view, obviously our members—you heard from some of them this morning, and you have more this afternoon—operate across a number of different territories. We seem to be the furthest, or the most advanced, in bringing into place quite a holistic security regime. That is in the first half of the Bill. Obviously, the conversation about high-risk vendors is prevalent in other areas, but I would say that in terms of bringing in a regime that covers the entire telecoms sector, this seems to be a world-leading initiative.
Hamish MacLeod: Chi, I am certainly aware of what other countries are doing as regards high-risk vendors. The operators absolutely accept the Government’s policy and the 2027 timeline. The important thing now is to stick to that timeline, because it allows not only for an orderly removal of the HRV equipment, but for alternatives to develop and emerge as viable competitors to the remaining companies.
Chi Onwurah
Q
Hamish MacLeod: The States, New Zealand and Australia have all excluded Huawei, among others. We could supply you with a full list if that is needed.
Miriam Cates (Penistone and Stocksbridge) (Con)
Q
Matthew Evans: Thank you for that question. As I said at the start, we welcome the Government’s diversification strategy. It looks to tackle four issues, really, which are supporting incumbent suppliers to the UK market; attracting other global-scale suppliers; accelerating open interfaces and interoperability; and then the fourth area, which we could probably do with more detail on, which is really building on that domestic capability. I know that the taskforce that helped Government to frame the strategy is working on that aspect of it. As I say, I think we could do with some more detail.
However, we welcome the funding that has come alongside that strategy, and I think that we have a real opportunity in the UK in some of the areas where we have traditional strengths, in the software side in particular, to build some world-leading capability. As for the Bill itself, I do not think that it necessarily presents a barrier to that domestic capability; it is more in how we develop the strategy that sits alongside the Bill.
Hamish MacLeod: Just to add to what Matt said, yes, we very much welcome the diversification strategy. It is an absolutely necessary step to mitigate the risks of having to rely on two incumbents. It gives the UK an opportunity to have a leadership role in the development of exciting new technologies, such as open RAN, and, as Matt said, to grow the supplier base in the UK in the mobile sector.
Mr Kevan Jones (North Durham) (Lab)
Q
Hamish MacLeod: Yes. As I just said, the 2027 deadline is very important, because that will give time for realistic competitive alternatives to develop. The open RAN is being deployed in the UK in sort of rural areas and in the less high-performance environments, and that will change over time. The investments that this diversification strategy talks about in research and development will help to develop open RAN, and also in the test bed programmes. All these things will help to build the capability of alternative vendors.
Matthew Evans: Just to add to Hamish’s answer, there is a reason that we have a relatively constricted number of scale providers for telecoms, and it is the level of R&D required—that is the risk associated with each generation of technology if it is not taken up on a global scale by operators. To be realistic, we are likely to be focused around two incumbent vendors in the short term.
I think that what the diversification strategy sets out, though, and in fairness it is a strategy and not a complete plan, is a path to open up the UK market to those scale providers who at the moment do not participate in it. That is through trying to reduce the commercial and regulatory barriers that we face, such as on spectrum defragmentation and on providing a single RAN solution —at the moment in the UK, there are obviously 2G, 3G, 4G and 5G. But it also then opens up the possibility of greater use of technologies such as open RAN, which really breaks away from that proprietary architecture, whereby we have both the hardware and the software from the same provider.
That will be a challenge in the short term, but in the medium to long term there are actions that can be taken both to attract the scale providers not in the UK market and to make the UK market attractive to people who work in the open RAN area as well. So I think a dual-track approach helps to bring diversification to the UK market.
Mr Jones
Q
The Chair
Mr Evans, let us go to you first.
Matthew Evans: Is it going to be easy? No is the short answer. Is it possible to increase that diversification? Yes. We would like to see more commercial incentives for operators, who will have to change and adapt. This will be a change for operators as they diversify their vendor base. Part of the strategy has to be around the scales and the commercial incentives for operators to do so. We have certainly seen, as we heard from the witnesses this morning, UK operators really pushing the boundaries in terms of what open RAN trials can deliver. As I said, I suspect it will not be a short-term solution, but it is promising to see the trials that are already under way in the UK.
Hamish MacLeod: I would also like to highlight the Government’s commitment to taking a greater part in the process of international standard setting and driving scale across the global market. Although we expect the operators to do the technical heavy lifting, the Government can leverage our international relationships, and the actual resource makes the whole standardisation process move along more quickly.
Mr Jones
Q
Matthew Evans: I think the £250 million is clearly initially focused on the R&D ecosystem. That is a big commercial barrier when you look at the testing environment and the time it often takes for operators, understandably, to feel confident in deploying equipment into their networks, because they are ultimately responsible for the integrity of them. If we can supercharge the testing environment in the UK, we should be able to shorten the time to market, but open RAN in particular is going to require a boost in funding to accelerate the maturity of that technology.
The other part of the diversification strategy is the scale vendors that may be operating in other parts of the world but are not present in the UK today. That is why it is also important to tackle some of the regulatory or commercial barriers that exist and prevent them from entering the market today.
Hamish MacLeod: I do not think I really have anything to add to what Matt just said.
David Johnston (Wantage) (Con)
Q
Hamish MacLeod: One of the things about open RAN and more open architecture generally is that you generate competition in the hardware and in the software—it is not one package—so I think it is realistic to expect more competition, particularly in the software side of things.
The Chair
Do you have anything to add, Mr Evans?
Matthew Evans: Not too much. It is hard to put a number on it, but success would be where we clearly have a greater number of vendors than today, and that is a mix of open and proprietary technology. As Hamish says, the reason it is hard to put a number on it is that in that open stack, you could have competition within the stack, rather than between vendors that sell the consolidated package.
David Johnston
Q
Hamish MacLeod: The analogy that has sometimes been used with me is looking back 40 years to the computer market. We all used to buy IBM computers and you got the computer and all the software integrated, and then the two separated out. There was interoperability and you create a lot more competition and innovation. That is a potential analogy—a rough analogy, I would say.
Christian Matheson (City of Chester) (Lab)
Q
Matthew Evans: The strategy sets out the outline of what the industry would like to see. There are commercial and regulatory barriers that need to be removed or analysed. That includes things like how the lifespan of 2G, 3G and 4G in the UK is going to exist, and setting out a road map. That will allow people to develop technologies in 5G and future generation without having to invest in what are still very good technologies—those that have already been deployed.
What we would like to see in the strategy—this is where the funding is really important—is the R&D and testing ecosystem. We would like to see something like the Future Networks Initiative, which is a proposal for a series of test centres around the UK specialising in different areas of telecoms, particularly open RAN. As I said before, that should help accelerate the adoption of new products and services when utilised in conjunction with the National Telecoms Lab. That is key. As Hamish has said, standards are also really important. Again, we need closer collaboration between the Government and industry, because the technical side is naturally going to be driven by industry.
The Chair
Mr MacLeod, do you have anything to add?
Hamish MacLeod: Very little to add. Personally, I can say that the recent 5G testbed programme that the Government have been initiating to generate interest, applications and scale is a good model. We expect to see that being replicated; indeed, the two might work hand in hand going forward.
The Chair
Thank you. I am going to switch to the Minister and shadow Minister. If there is time left, I will come back to other Members, but I want to be sure that we do this fairly. I call Chi Onwurah.
Chi Onwurah
Q
I am also really interested in what you said, Mr Evans, with regard to research and development. I absolutely agree with you that we clearly need investment in research and development if we are to lead in hardware and in open RAN and software. You said that the £250 million was focused on R&D, but it is actually focused on testing. It does not really do much for research at all, as far as I can see. You also referred to the diversification strategy as a strategy and not a plan, so do we need investment in research and development? Is the £250 million, which I think—I am looking at the Minister now—is over five years, a significant amount of investment in research and development for the mobile sector and tech sector generally?
Finally, the Bill gives the Secretary the State a huge amount of powers to set out requirements to remove vendors and for Ofcom to inspect what operators are doing. Do you think that might have an impact on international foreign investment in the UK telecoms sector, and are you confident that the right sort of technical, security and democratic scrutiny is in place? That is three things: hardware, research and development, and scrutiny.
The Chair
Shall we start with you, Mr MacLeod?
Hamish MacLeod: I think the question that was directed at me was whether it is possible to have a secure supply chain. I will not try to gainsay Chi’s knowledge on this, but my understanding is that that is the role that the proposed National Telecoms Lab will perform, to validate that security aspect.
Matthew Evans: I agree with Hamish on that first point, to answer Chi’s questions on R&D. We do not yet know how the £250 million is going to be spent. We believe that we will need to accelerate the maturity of technologies such as open RAN, to make them deployable and commercially viable. Yes, we do need to see more, but as I said, that has to be alongside testing, because accelerating the maturity of it does not really matter if the operators do not get that confidence in either the hardware or the software.
In terms of the Secretary of State’s powers, we are broadly comfortable. We would like to see some thresholds on what amounts to a security compromise, particularly in terms of Ofcom’s powers of oversight. From our point of view, and this is also relevant to the foreign direct investment question, if it is evidence-based, as transparent as possible—we know that we will not see all that evidence, particularly that element in the security services—and the actions are proportionate, that is also important. We believe that that builds into the best practice that we see in other areas of national security.
In terms of the technical expertise, we know that NCSC is going to work closely with Ofcom, in terms of providing that oversight. We are comfortable with the experience that we have had over the past couple of years, as the telecoms supply chain has gone through, in terms of the expertise and the overall regime that this Bill seeks to put in place.
Chi Onwurah
Q
Matthew Evans: I think it sends quite a strong signal to the market of the Government’s intent. If we published the strategy without the funding, it would not have sent the same signal. We have seen NEC, for instance, commit to opening an open RAN test centre in the UK. I think that is a signal of how the market is starting to react. This needs to work with the grain of industry, so it is important that industry is able to participate in this funding. I think it sent a strong signal.
Matt Warman (Boston and Skegness) (Con)
Q
Hamish MacLeod: My meeting following this hearing is with the operators addressing that very point. This is something that we want to work extremely closely with the Government on. We are meeting officials next week to continue the conversation on doing things such as setting out the road map for what needs to be done R&D-wise to develop open RAN, what needs to be done from the point of view of the test programme, and what needs to be done on the standardisation road map. We will be taking a very close interest, both as individual operators and jointly.
Matthew Evans: To add to that, I echo that we have had excellent engagement with the Minister’s officials. It is about keeping the momentum up while working with the grain of industry and making sure that we are getting the incentives on the supply side, in the R&D and in the testing, and also in the demand side. That is all about making sure that we have the right commercial incentives for operators, but also that we have the right skills and, if necessary, reinforcing the operators on some of those points as well.
Chi Onwurah
Q
I respect your reluctance, if you like, to voice criticisms at this stage, but can I just get a further idea on the level of R&D spend in the sector? We heard from British Telecom this morning that it spends £500 million a year. I imagine it is not the only company to spend. Do you have a view of the level of R&D spend? You talk about the £250 million being a signal. Am I right in thinking that a lot more investment needs to be attracted into the UK telecoms sector in order to really move the dial? That is what we are talking about, is it not—really moving the dial on UK telecoms capability?
Hamish MacLeod: Absolutely. The £250 million was very much described as an initial £250 million, because you are right that moving the dial will take significant investment. With R&D, there is pure R&D—what you do in labs—but there is also the testbed activity, which is a very important aspect, and trials at scale and all those things. Working with the operators, bringing in international partners and leveraging what is going on elsewhere in the world will all be important.
Matthew Evans: The important word there is “leveraging”. Telecom spend on R&D, both traditional and in open RAN, runs into billions and billions of pounds each year, but we can use that £250 million to leverage greater investment. It has to be with the grain of what the industry is delivering, so we can attract more of that investment. If we can be world leaders in the adoption of open RAN, that is key, and we will attract that investment. That is why I think the supply has to match up with the demand side fully.
The Chair
Does anyone else have any other questions? No. In that case, I thank both our witnesses for their evidence. We are extremely grateful to you. We will end this session and move on to the next panel.
Examination of Witnesses
Stefano Cantarelli, John Baker, Pardeep Kohli and Chris Jackson gave evidence.
The Chair
We are now going to hear from Stefano Cantarelli, global chief marketing officer, John Baker, head of RAN business development, and Pardeep Kohli, chief executive officer, of Mavenir. Joining them is Chris Jackson, president and chief executive officer of NEC Europe Ltd. We will use the same format as last time, although if you want to direct your question to a specific witness, that might be helpful. We have until 3.30 pm for this session. I ask the witnesses to introduce themselves.
Stefano Cantarelli: Good afternoon everybody. My name is Stefano Cantarelli. I am the chief marketing officer for Mavenir. I have spent the last 30 years of my life in telecommunications, of which 20 years have been in the UK, in both fixed and mobile networks.
John Baker: Good afternoon. I head up business development for Mavenir. I was instrumental in setting up the UK industry back in the ’80s for manufacturing and R&D for Nokia, and with Vodafone and Orbitel. I have long experience in the industry and I have been leading the open RAN initiatives from the US globally. I am a member of the open RAN policy coalition board.
Pardeep Kohli: I am Pardeep Kohli, President and Chief Executive Officer of Mavenir. I have been with the company since 2005. The company is over 20 years old and employs about 4,500 people. We have a good presence in the UK. We have been providing software for telecoms applications to UK operators for over 20 years. All operators use our software today for making phone calls, sending messages and voicemail. We started working on open RAN five years ago and now we have deployment in the UK, which has been provided in the test sites. We are building networks in other parts of the world as well, based on open RAN.
Chris Jackson: Good afternoon. I am Chris Jackson, CEO of NEC Europe. I have worked for NEC for 12 years. I took on the role of CEO for Europe on 1 April last year. In terms of my opening statement, I fully support the principles of the Bill. It has been well constructed. The additional powers that the Government and Ofcom now have are much more wide-ranging, and we absolutely support that. We very much promote the vendor diversification strategy, and we are supportive of the aims and objectives behind it.
The Chair
Who wants to go first? It looks like it is Mr Johnston. Can I just ask you to say which of the witnesses you are directing your question to?
David Johnston
Yes, although I was going to ask them who they think is best to answer it.
David Johnston
Q
John Baker: Perhaps I could take that one. This is falling in line with what is going on globally. We see initiatives coming from Spain, the EU and the US. The US is further ahead in terms of passing law on trusted suppliers, and it is now setting timelines and budgets for taking suppliers out of the network. That rip-and-replace programme is now under way. The money for that was approved in December, and operators are looking at open RAN as solutions for that. That is very similar to the activities that you are planning through this Bill in the UK.
Chris Jackson: What we have seen in Japan is strong support for this direction, but I think the UK Government have taken the lead in terms of putting forward an aggressive stance on this to ensure that the security of the country is protected. The UK is doing everything that we would expect it to, and we fully support that.
Stefano Cantarelli: Some of the things said about the diversification of the supply chain are particularly important in terms of the ability to create competition and, as such, innovation. The interoperability of interfaces is fundamental in order to boost data and to be able to create more competition. We strongly believe that competition is based in innovation, and innovation these days can create a very powerful cycle of technology. It is not like how it was in the old days when it took maybe a year, two years or three years to get things into deployment; today, in less than a year a trial can become a commercial deployment.
Pardeep Kohli: I agree with the other gentlemen. In a number of countries, operators have made the decision that, going forward, they will only buy open RAN-based solutions. Governments are supporting that in many parts of the world.
Mr Jones
Q
Pardeep Kohli: Let me start. You are right that until now it was all about hardware, because people were building proprietary hardware to supply radio products. When you do hardware-based solutions, the scale matters, because you need logistics, manufacturing capability and factories, and obviously Huawei, Ericsson and Nokia had a strong base and the logistics set up.
When you do open RAN, it is more software leaning on general-purpose hardware. Companies like us do not need manufacturing plants any more because we are only providing software, and we have the advantage that our software can run on a private cloud that an operator can build on, for example, standard Dell servers—there are plenty of them, and people can build those—or we can run it on a public cloud on Amazon or Google. If you look at the scale that Google, Amazon and Azure have, Huawei is nowhere close to their scale. In that sense, the whole matter of Huawei’s scale does not matter at all the moment you move a hardware problem to a software problem.
The same thing happens with logistics and people. For us, hardware-based solutions need people to carry the hardware around, bolt it and everything. For software, with the click of a button you can distribute it to 2,000 sites; you do not need people and logistics to drive hardware around. This is how with what we are doing—for example, we are working with Dish to build a nationwide network, and we will have 50,000 sites deployed in less than two years—not that many people are required to do all this, because the problem has moved from hardware to software.
We would like the Government and other people to understand that there is no way any company can beat Huawei with the presence it has in China alone if they take on the problem as a hardware problem. It must be converted into a software problem—that is the only way it can be solved.
On your question about how we convince operators, it is always on the point about proof. We are a 20-year-old company working with operators all over the world. We handle 60% of the world’s operators’ messaging. If you look at SMS, for example, we carry that traffic for all the operators in the UK, and voice calling. We already do more critical services: radio is important, of course, because of the connectivity, but operators are relying on us for the day-to-day services. Now we are working with them to prove that our software is as good or better than what they can get on from the incumbents. Of course, we are expecting them to participate in the journey and work with us so that we can prove to them that we are good. We have done that in all other layers of the software, so we feel that if somebody engages with us, within six to nine months we will prove to them that we are good and it works.
That is working; in terms of the whole idea that the technology does not exist, we have crossed that hurdle. Now it is more about, “Okay, does it work for this use case or that use case?”, or, “In my network, I may have some proprietary stuff I have done with existing vendors, and I want you to do that as well.” So it may take six to nine months, or even 12 months, to get there, but I think we are beyond the point where we need to prove that it works. We know it works.
Mr Jones
Q
Pardeep Kohli: If you look at investments, because of Dish, the US is making the most investments; the Government have now surpassed $1.9 billion on rip-and-replace to replace Huawei equipment, so that will create an ecosystem. In Japan, with Rakuten, they are building a whole nationwide network based on open RAN. We have seen Deutsche Telekom, for example, announce in Germany that it is building an ORAN town, so it will have a whole city that will have only ORAN components in a due timeframe. We have systems applied now in Sri Lanka, in India and in Malaysia. A lot of countries are looking at the economics: obviously, volume makes the numbers different, and with higher volume you will improve the economics further, but if you include the opex cost as well to go along with the capex cost, there is no way to compare what you can get with this technology compared with the legacy one.
The Chair
I am just conscious of time; do any of the other witnesses have anything they want to add to what we have heard from Mr Kohli?
John Baker: I would just like to add that Vodafone has been very much in the lead with the development of open RAN solutions. We have been engaging with Vodafone for three and a half years in test labs and specifying the technology, and so on. The UK has been very much part of bringing this technology forward, as well as BT with the Telecom Infra Project labs.
Chris Jackson: Coming back to your question, I would not like to speculate as to how long it would take for open RAN to become standardised and commonplace within the UK. The Government are setting up a national telecoms lab and SONIC. There are a number of companies like ourselves, NEC, who have just set up our 5G global centre of excellence here in the UK, and the operators have all set up laboratories. If we can start to encourage and bring all those parties together, that is the key to accelerating the technology.
Incentives definitely play a part in this; to comment on Japan for a moment, I know the Japanese Government have incentivised companies to embrace open RAN, and that might well explain why companies such as Rakuten and NTT DOCOMO have been very successful in launching the technology. That proves it can be done and shows that where there is a willingness, there is a way, but if we can drive all those different parties coming together, that is how we will get traction.
Stefano Cantarelli: I just want to say quickly that we are part of some of the initiatives Chris has mentioned, such as SONIC with DCMS and so on, and we think they are particularly useful to give visibility on the status of open RAN. My last comment is about the hardware; I heard a few comments this morning, and I want to underline that hardware is still quite a profitable business. If we look at what happened to IT servers in the IT industry, there are companies that are much more than profitable in those spaces. Commoditisation of a hardware does not mean that there is no profitable business behind it.
The Chair
Thank you. I am going to Mr Sunderland. I will come back to you if you want to come back later.
James Sunderland
Q
James Sunderland
Mr Baker is the obvious candidate.
John Baker: I think the legislation, as you have it written, is good and supportive. The underlying thread of this is all about open interfaces. Having open interfaces fully specified makes the ability for testing of elements in the network simpler and easier, because you open up the testing community, the vendors, to produce interoperable equipment, so you can compare equipment side by side. This has been the basis of the whole open RAN discussion. Open RAN is about open and interoperable interfaces. If you follow that philosophy through into this Bill, you should be able to test each of the elements and the network end to end, from a security perspective, so we are fully supportive of the activities that you have in place.
The Chair
Anyone else?
Stefano Cantarelli: I will just add that of course, when we say “open interfaces” and “open and interoperable”, “open” means standardised and well known, not open in the sense of open sources or whatever else people can think of. As far as the Bill is concerned, I believe that it is quite appropriate for the specific actions and conditions that will be triggered. I would just suggest that you make sure that it is followed up by secondary legislation to make sure that in some cases there are very tangible and specific examples that will be able to make it a bit more specific and will give directions within the framework that the Bill itself provides.
The Chair
What about Mr Jackson or Mr Kohli? Do you have anything to add to that?
Pardeep Kohli: I was about to read something to you about the example offered by the Government of Japan. I am just reading the wording of the document. It says:
“The Government of Japan cites the need for equipment to be interoperable, based on open architecture, and utilize international standards to be certified. MNOs and private network owners are eligible for tax benefits, which include the following…Tax deductions of 15% or special depreciation of 30%... Fixed property tax exemption of 50% for 3 years”.
That is how the Government of Japan have passed the law.
Chris Jackson: I have nothing further to add to what Pardeep has just said. He has succinctly put basically what we need to do.
Chi Onwurah
Catherine is always interested to understand what international comparisons there are, but I think that that has already been addressed, so thank you; she will be grateful to you.
Miriam Cates
Q
Chris Jackson: First of all, the answer is yes in terms of, “Do I think it is a game changer?” Absolutely. You only have to look at what happened in the IT industry to see what open standards have done for that, so I absolutely think it is the right thing to do and we very much support it.
In terms of NEC’s capability, if you look at the work that we have done with Rakuten and NTT DOCOMO in Japan, we have shown that we have proven experience and open RAN capabilities. We also have a long history of R&D capability, and we have the capability on the ground now, with the launch of the global open RAN centre of excellence, to take that development further forward in the UK. Those are the main reasons I think the NEC is well placed to take advantage.
A final point that I would make is that, one of the things that we are going to see, which we would want to see, is a lot of smaller companies coming into this marketplace. That is very healthy, and they would certainly play an important part in driving innovation. There is also definitely a need for large companies with strong balance sheets, and NEC certainly ticks that box.
The Chair
Q
John Baker: Yes, I will jump in. Mavenir is heavily invested in the UK as well. We have addressed the 2G, 3G, 4G solution with the recent acquisition of ip.access in Cambridge. We are building up a significant open RAN solution centre in the UK and we have made several press announcements about that.
In terms of hardware versus software, we have demonstrated that with some of the networks that we have deployed, such as T-Mobile in the US, which has 150 million subscribers essentially running on disaggregated software and hardware platforms. That demonstrates that you can build secure, reliable mobile networks with a software architecture. That is the way of the future. Obviously, that now has to fit into the cycles of deployment and rip and replace that the various carriers have.
The Chair
Who is next? If there are no pressing answers, I will go to the shadow Minister.
Chi Onwurah
Q
Pardeep Kohli: Maybe I can take that. To answer your question, if there is a greenfield operator in the UK that is similar to Dish, which we are working with in the US, we can definitely provide that. Dish, for example, is doing only 5G, but we obviously look at requirements all over the world and we appreciate that, in certain parts of the world, there is still a lot of 2G and 3G presence, and, of course, 4G will be there for a long time. We have a solution that can handle 2G, 3G, 4G, 5G, and if you are talking about a 12-month window, we can definitely provide a complete greenfield solution for those four technologies.
Regarding the hardware aspect, everything other than the real radio that goes on the tower and does the transmitting and receiving is largely general computing open silicon—
Chi Onwurah
Sorry—say that again. I could not hear that. What is the rest of it?
Pardeep Kohli: It is general-purpose open compute; it is already available hardware.
Chi Onwurah
It is computing—it is processors.
Pardeep Kohli: That is correct. You get processors for CPU or general-purpose computing, or even if there are some accelerators, which we use for some specific algorithms, even though they are openly available from companies like Xilinx and Nvidia. They make those chips and we can use them to do some of the functions; but they are openly available, and you can buy that today. That is what carriers are doing. They are building the new networks.
Regarding the hardware that goes on the tower, that depends on the frequency band you allocate, so if there is an operator coming in that is on a frequency band that the existing operators do not have, whoever the vendor is would have to build those radios anyway, and it takes about nine to 12 months to build those.
Chi Onwurah
Q
Pardeep Kohli: Today, because it has always been proprietary solutions, that is where the challenge comes for companies like us, because it is demand and supply. Until open RAN came in, you really could not build this channel on radio, because there was no demand for it. So today the radios get built only by companies like Huawei, Ericsson, Nokia—I know NEC is building a few of them; but now, with open RAN, there are new players coming up. NEC, for example, is building radios outside of the Japan market. Fujitsu has now started building radios. We are actually building some radios ourselves for the frequency bands that are not available from our partners, so if NEC has a radio we use the NEC radio, but if it does not have a radio and Fujitsu does not have a radio and if you want to get into that market, we start building some of those radios ourselves. So we actually have, now, opened a centre in the UK, to build some of those radios, and we are working with Facebook and together we are building some of the radios for a frequency band not currently open.
Chi Onwurah
Q
Pardeep Kohli: So if the frequency band radios are available today, which are right, then we can actually build it in 12 months—the complete network; but if the bands are not available and we have to build those radios then, maybe, by the end of next year.
Chi Onwurah
Q
Chris Jackson: Just to add to what Pardeep has been saying, I think open RAN is not about, necessarily, any one company providing an all-encompassing solution. So at the moment, for NEC, we would provide 4G and 5G radios, but in terms of 2G and 3G we will work with our partners to provide that solution, so we would leverage third parties in order to provide that all-encompassing solution. I think that is the way that open RAN will work moving forward. As I say, you will not see any one company dominating one particular area. It is about bringing best of breed together. In terms of the actual hardware platform, in terms of 4G and 5G, NEC will provide that radio, but as I mentioned for 2G and 3G we would look to other vendors to provide.
Chi Onwurah
Q
Chris Jackson: The majority would be US-based now, but again, we are not restricted to that. As a systems integrator, which is what you will basically need, moving forward, we would work with whichever vendors were the best of breed for that particular scenario.
Chi Onwurah
Q
Chris Jackson: We would not compete with Nokia and Ericsson in terms of standard RAN, but the whole idea is that we would look to bring open RAN technology. That is the direction that NEC is supporting. If you ask me whether we could step in today and provide that capability, we believe yes, we could.
Matt Warman
Q
Chris Jackson: First of all, thank you very much indeed, Minister, for support in that particular trial. We believe that this is very important, because it has given us the opportunity to showcase 4G and 5G open RAN capability with multi vendors, and we are doing it in supporting the share of your network, which we know is an important KPI for the UK Government, in terms of increasing that capability across the UK. They want to ensure that the investment is targeted at areas within the UK—where the UK will receive the most benefit—and, more importantly, or as importantly, an opportunity for a trial that brings multiple companies together. So, although NEC is leading this particular trial, we are working with a number of other companies to bring this overall solution together. That is exactly what open RAN is trying to embrace, and that is the way forward. We would be delighted to work with Mavenir; we are already involved with Mavenir as well. That is not a hurdle or obstacle for us.
Stefano Cantarelli: There are several angles. The first one is the neutral hosting. I would like to draw attention to the fact that we have already done work with British Telecom, two years back, on neutral hosting, so that has now been talked about for a long time. Also, you might have noticed in the market that companies—the one that comes to mind is Vilicom—have been doing this type of thing, where they deploy Mavenir infrastructure to provide neutral hosting capabilities. So, we are fully supportive and believe that this kind of funding is particularly important.
We understand that that there is some interesting funding. We are in discussion with DCMS. We are discussing some projects that we believe will boost a lot of the innovation in this space. For example, we are trying to get funding for our R&D activities for open source software that could boost the availability of radio units. We say that the radio unit is hardware, but in reality there is of course a bit of software on top. This type of software, which is mainly interfaced towards the rest of the software and the control of the operation and maintenance activities, is not differentiated for each radio unit; it is just standard. By having an open source like that, you can fundamentally get the radio vendors to focus on their IPR for analogue development and being able to produce a radio unit with different frequencies, as Pardeep said before, which we believe could boost the market. That type of funding is particularly useful, because it is aimed at boosting the market and giving availability in the open RAN of these radio units.
I would also like to add that most of the frequencies that are used today in the UK are available in our view for open RAN, so I do not see that as a problem. But that type of investment is particularly important—in R&D—so the trial that you have funded in the first round of the 5G Create programmes is particularly useful to get learning and experience. As I said, in the SONIC, we are particularly active, although that is not a 5G Create programme but a different one. We believe that in the second round, you can focus on funding some R&D specifically to boost the ecosystem of the open RAN.
Matt Warman
Q
Stefano Cantarelli: First, remember that, as John mentioned, we acquired ip.access, which is a British company that has been in hardware for some time, so there is still space for hardware as well. Software is definitely where the majority of the innovations are. That is particularly clear—Chris mentioned this—in the IT space, where they moved from generic servers. I want to reinstate that, with servers generically available everywhere. The whole thing has really flipped on to different software. That will definitely boost the ability of a lot of companies to bring innovation.
As we always repeat, competition means innovation, and innovation is the only way. Many years ago, I was part of Vodafone. I built the 3G network for Vodafone in the UK, and at that time I had only one supplier in my network—I will not say who. I introduced another one, and it was only then that the other suppliers started to be active. Some legacy suppliers—I would say most of them—start to sit down and lie back if they are the only one in the network, because there is no motivation. From my experience from all these 30 years, that component is so important.
Chi Onwurah
Q
Stefano Cantarelli: Let me just address that initially before anyone else. We are a supplier in other places in the network, so they consider us a reliable supplier. We supply voice services, messaging services and everything else. You mentioned the initial deployment of open RAN by Vodafone this morning. That relates to us, because we are the supplier that it has deployed and is continuing to deploy. We are actually deploying sites for it.
I think that you have to look at two aspects when you are on an operator’s side. I am speaking from experience. It is not just about the technology; it is also about your processes and how you are able to move forward and change your mindset. I think that operators have a lot of complexity. We sympathise with them, of course—it is not an easy environment—but there are a couple of mindsets that they need to over-pass, if you let me use that word.
First, the world is changing. It is not hardware and software together; it is software and hardware disaggregated, and that of course requires some different capabilities. It is the same as when we passed from circuit voice to packet voice. Some people here may not get the example completely, but it is just a different point of view. That does not mean that it is more complex or whatever; it is just a different point of view, and you need to change. We know that change is not an easy thing. That is the first aspect that we need to take into consideration.
The second aspect is that, despite the technology that is available, you still need to consider the in-life service that you need to swap over. You have to consider that you did some planning or design based on certain principles that were available before, and you need to rethink how you are going to do that. For example, most of the 5G deployed today just uses additional frequencies on the existing sites that they have deployed with 4G, 3G and 2G. This is not what I consider full 5G, with all the characteristics of low latencies and so on. You need to start to think about the densification of sites. The Government can help a lot—with policies, by helping to define new capabilities, and by allowing the operators to change their architecture by enabling them to get more sites, and get permits more easily to build new sites.
These sites will not be like sites today; on these sites, there will be lot of carriers, a lot of technologies, and a lot of frequencies. As Pardeep said, a site today is probably just a radio unit that connects, through an internet connection—not necessarily just fibre—to a software data centre. These things are more important, and they are the reason why, although operators are in the middle of that transformation, it is taking a bit of time.
Chi Onwurah
Q
Stefano Cantarelli: Not only with fibre. The open RAN interface is such that you are not forced to use fibre only. You can also use internet connectivity. The internet is what you use when you are in a building.
Chi Onwurah
Q
Stefano Cantarelli: I add that this transformation in the core infrastructure has already almost happened. Already, most of the core infrastructure of the MNOs is running on general-purpose hardware, such as Dell servers and so on, with software on top of it. The RAN is really the last one to be transformed, for the reason that I gave, and also because, as I said, the market has been dominated by some suppliers who have been providing hardware and software, because they work with better interfaces between the radio access component.
Chi Onwurah
Thank you. That is very helpful. That makes me think that there are security issues arising from, for example, having our cloud infrastructure dominated by one vendor, such as Amazon Web Services. Those are perhaps future security issues that we need to look at. I now understand much better what you need to support your transition, so thank you very much for that.
The Chair
Q
Pardeep Kohli: I would just add that I understand the operators’ point of view as well. They are familiar with these vendors; they have been using them and they understand their processes. The vendors know each other. Obviously, we have to gain their trust. We spend over $300 million on research and development every year on open RAN, so we are fully committed, and we will seek any help that you can provide on engaging with operators in the UK market.
Chris Jackson: Can I come in on the NEC side of things? Frankly speaking, we are re-entering this market, and one of the reasons why is because we believe that open RAN, and particularly the Bill, now provides the framework and conditions to enable us to compete. It is probably similar for the operators; it is a change for them to actively work with companies such as NEC, as opposed to the companies they have previously been working with, but we are starting that process. We are actively engaged with the operators, and more support from the Government, through the Bill, is the way to move this forward.
John Baker: One last comment. Open RAN is all-inclusive, so this is not excluding the incumbents of the network. As soon as Nokia and Ericsson add open RAN interfaces to their products, we will be very happy to work with those guys. That will speed up the ability to deliver open RAN solutions in the marketplace.
The Chair
If there are no further questions, it remains for me to thank all our witnesses. We are extremely grateful to you.
The Chair
We will now hear from Julius Robson, who is the chief strategy officer of the Small Cell Forum, and Dr Louise Bennett, who is the director of the Digital Policy Alliance, and we have until 4.15 pm for this session. May I ask the witnesses to introduce themselves for the record? Julius, could we start with you?
Julius Robson: I am Julius Robson, the chief strategy officer for the Small Cell Forum. We are a global organisation of component, equipment and service providers, all working to make mobile infrastructure more accessible to public and private sector organisations of all sizes. We see diversity as being really essential if we are to deliver on the promise of 5G connecting cities and communities, and to provide smart industry and the internet of things.
We welcome the publication at the same time of the Bill and the 5G diversification strategy; it is really important to consider both together, so that we can arrive at the best of both worlds. Two angles have not really been represented to the Committee so far, but are important to diversification. To fuel open RAN, we need chipsets for base stations. We also need to think about diversification at service provider level, so that in addition to mobile operators there are other service providers, particularly neutral hosts and private networks, which can help with this diversification agenda. Those are the topics of which I would like the Committee to be aware.
The Chair
Thank you. Dr Bennett?
Dr Bennett: I am Louise Bennett, and I have worked in computers all my career, with a focus on security and risk management. I am attending as a director of the Digital Policy Alliance. The DPA is an independent, not-for-profit membership organisation that alerts parliamentarians and policy makers to the potential impacts, implications and unintended consequences of policies associated with online and digital technologies. I am very grateful to have been asked to give evidence.
DPA is broadly supportive of the intentions of the Bill, because it baselines the security measures required by law in the UK telecoms network, and anything that encourages security to be top of mind for vendors in multiple supply chains is a very good idea.
There are four areas that are absolutely key to telecoms security and on which I hope to answer questions in this sitting. The first is the security of network architecture. The Bill really focuses on this, but in our opinion it does not cover everything adequately. The second is the security of data—both data about the network and data going across the network. The latter is covered to quite a large extent, but the former, which I would characterise as begin about the network asset database, is not adequately covered, and if it is not properly covered, I do not think that you will succeed in your intentions.
The third area is the processes for maintaining, over time, the security needed time—that is not adequately covered, either—and appropriate scrutiny of how that is done. The fourth area is operational costs and other impacts of compliance, which I do not think have been fully considered.
The Chair
Thank you very much. Okay, who wants to go first?
Dr Bennett: I am happy to go first.
The Chair
I think it is possibly better if I get one of the Members to put a question to you first. David.
David Johnston
Q
The Chair
I think that is primarily to Dr Bennett.
Dr Bennett: It is because I care very much about you succeeding with this. I think everyone in the telecoms industry wants your intentions to be met, but we have to remember that when it comes to something as complex as security in the UK telecoms network, even if everyone follows best practice, it is a question of not if there will be a security breach, but when, and how quickly you can mitigate it. The reason is that our communications network has grown like Topsy. It has multiple digital infrastructures sitting on a lot of legacy systems, including analogue systems and copper. It is a very complex system of systems, with multiple, ill-defined interfaces and literally billions of end points, many of which have no security at all; the internet of things is an example.
The question is how you can minimise the likelihood of breaches. To do that in this very complex situation, you need a balance between light-touch regulation, which Ofcom seems to prefer, particularly with tier 3 suppliers, and the absolute need for security. Looking at our absolute need for security and the recent SolarWinds compromise, the inclusion of SolarWinds Orion products in networks was considered by everyone to be perfectly sensible. It was a trusted supplier. However, the latest things that I have seen say that thousands of networks have been compromised by that. As it seems to have been a spying attack, only about 10 networks are known to have been breached, but it will take months for all of those networks to be secured, and there are other potential breaches. The NCSC recently put out a note about that to all end users.
That is typical of the kind of things we will face. If we want an infrastructure that can cope with that, we need to do a lot of things. There needs to be a very honest and open dialogue between all the telecoms suppliers, their supply chains, their subcontractors, the Government, Ofcom and other agencies.
The Chair
Q
Julius Robson: Security is about resilience, and it is not a question of whether something will go wrong; it is a question of when. When we realise that one of our vendors is high-risk, will it take seven years to fix that problem? That is not a healthy place for our industry to be in. We want a rich diversity of suppliers working together, so that when we identify a suspect component or part in our network, there is something sitting there, warmed up and already integrated, ready to be swapped over. That is where we want to get to.
Dr Louise Bennett pointed out that there are many parts to this network; it has lots of legacy pieces. It is not a bad thing that our network is comprised of many diverse parts—that makes it less vulnerable to a single point of failure. Someone pointed out earlier that there is the idea of the weakest link—something is only as good as its weakest link—but actually, a diverse system with many different types of vendors involved is harder to take down. Maybe you can take down part of that network, but the whole thing will not fail if just one part is compromised. I think diversity is the answer to resilience in this case, and we should be looking to head in that direction.
David Johnston
Q
Dr Bennett: It is partly to do with what the whole sector is doing, but I think some things have not had enough emphasis in the Bill. One of them is what I have called the asset database. Those of us who were involved with the millennium bug know that we spent a hell of a lot of time trying to understand what the asset database for all our networks was, in order to find the components that were likely to cause a problem. I assume that the tier 1 suppliers and our main network suppliers have a comprehensive asset database, but you actually need a well-secured asset database that goes down to the component level. Over time, as you maintain it and move some components out and other components in, you need to be clear about what has happened to them.
At a subcontractor level, that can often be extremely difficult to do. You can find someone who thinks, “Oh, it’s okay; I’ve replaced that with something, and the spec looks similar.” The spec may look similar, but when someone says, “Actually, it is version so and so of such and such a component from such and such a supplier that you now need to take out,” you will find that you do not know in your asset database that you have some of those components in it. I could not see anything in the Bill that talks about the asset databases of the companies that supply the networks we are using, and I think that omission needs to be dealt with.
That leads to another point, which is about the processes for maintaining security over time. You may now be taking out all the Huawei kit and putting other things in its place, but that is happening all the time—that maintenance is going on all the time. There is no mention in the Bill of a technical advisory board focused on the provisions of the Bill, and that would be a very helpful addition. The board would perhaps be able to point out that there were new types of components coming in that ought to be looked at or considered and that ought to be recorded in people’s asset databases, and people should make sure that happens.
Leading on from that, I also think that the processes are not as transparent as they ought to be for Parliament. It would be helpful if there was a commissioner, such as the Information Commissioner or the Investigatory Powers Commissioner. That would be helpful in keeping an eye on what is going on here, and in order to be able to help policy makers and the Secretary of State to make the right changes.
The Chair
I am just going to interrupt you there, because I am conscious of time and a couple of Members are indicating that they want to come in. I call Christian Matheson.
Christian Matheson
Q
Dr Bennett: I would hope that those at the top level are clear about it, but I would be surprised if there were not occasions when they had used subcontractors to do maintenance and the imperative had been to sort out the fault ASAP. Knowing precisely what components had gone in could be wrong, and that might come up in an audit. I think it becomes more important as you flow down the levels.
When there is this desire, quite rightly, to bring in new and additional suppliers, those suppliers will need help to ensure that their parts of the network are working well. Again, I would suggest that something that is not in the Bill but should be there is the type of sandpit that the City of London has done for FinTech companies, where new entrants can test their equipment against the type of networks that they will be interacting with. That would reduce the risks of security problems in that area and give everyone confidence that the lower tier suppliers are compatible and have the same level of security as the top level of suppliers.
Christian Matheson
Q
Dr Bennett: Yes.
Christian Matheson
Q
Dr Bennett: This is the type of thing that would be done by a commissioner. I think NCSC is well placed to be involved in that and things like sandpits. I am not sure whether Ofcom has all the resources it would need to be able to do that. But we also must remember that audits and responses to audits are quite expensive things. If we want the infrastructure to be secure over time, as we all do, we have to agree that that is an expense that we will have. That will make the whole system more expensive to maintain, because it is an important job.
The Chair
Thank you. Mr Robson, do you want to add anything to that?
Julius Robson: I think it is very important. One of our angles on this security Bill is that we see diversity as important not just for building resilience, but for delivering on the promise of 5G, which is to take mobile—which currently is about voice and data for people—and deliver it into organisations, to have e-health, smart industry and connected communities. To do that, you need a diversity in service providers. It is fair to say that mobile operators have done a great job of the outdoor national network, but perhaps not so much delivering into enterprise.
We want to ensure that when we implement new policies, like the telecoms security Bill, we are not introducing large barriers to entry to those smaller players that will come in and diversify our network. This talk of making everyone auditable is a workload that will drive us back towards a monolithic industry, where you have a small number of service providers, and only the largest vendors are able to service that. We need to ensure that whatever policy we implement looks forward and is workable for this diverse ecosystem that we aim for in 2025 and beyond, not the monolithic one we have today.
James Sunderland
Q
The Chair
Who wants to go first? Dr Bennett, I think that was mostly directed at you.
Dr Bennett: I appreciate that it is a framework, but it is a framework that does not say that powers in certain areas are going to happen and how you might do it. I think the Secretary of State and the whole industry actually needs a lot of help to do this. The whole tenor of wanting to have things like the telecoms diversification taskforce and the 5G diversification strategy is absolutely right, but as you do that you are bringing in people to do these things who have less resources than the people currently in there. As Mr Robson said, they can afford the expense of the barriers to entry, whereas smaller players require assistance from the Government to enter this world without going out of business because of the impacts of the cost of compliance.
The Chair
Q
Julius Robson: It is a good point. I recognise that the Bill essentially describes a process of setting codes of practice and does not actually say what those codes of practice are. One thing I noticed is that the language of the Bill speaks very much to the problem we have today that there are only one or two viable vendors of networks. The open RAN movement is about ensuring that your network is comprised of parts from many different vendors, with hardware from some people and software from others, and a mix of providers doing similar things. The Bill must ensure that it represents that world. So where it talks of “public electronic communications network” providers, do we assume that you have to be a network provider—an end-to-end network—to play in this game.
I did read that the code of practice will define three tiers of telecom providers, with the biggest and most important providers subject to the most intense scrutiny and oversight. That is not expressed in the Bill—it is in the notes—so I assume it will come out in the codes of practice, but at the moment we do not have visibility of what that will look like. From our point of view, it is important to encourage companies of all sizes to be able to play in this game, so proportionate legislation is important.
Chi Onwurah
Q
I have questions for both of you, but let me start with Dr Bennett. I was impressed by your structured list of things that are missing from the Bill, because we are here to scrutinise the Bill and see how we can improve it. I think you talked about the breadth of the security challenge and how this Bill, as it stands, might not meet the full breadth of it. You had four areas, and I think you have run through two of them in more detail. Could I ask you to summarise again the areas that you think are missing? In particular, could you talk a little bit more about the need for improved scrutiny? Could you just summarise that and then go into more detail on the ones where you have not yet?
Dr Bennett: I said that the areas that needed to be covered were network architecture, which is the Bill’s focus, the security of the asset databases that make up the network, how to ensure security of the data passing over the network, the maintenance of security over time, and the operational costs and other impacts of compliance. I have touched on all of them, but perhaps not very much on the operational costs and impacts of compliance.
The more diversified your network, and the more small vendors there are, the harder it will be for them to maintain the level of scrutiny, record-keeping and general security that is required as their bits of the network develop and the interfaces they have with other bits of the network change over time. That is an area where the Government should consider giving help to people to cover those costs. I have said that audit is needed of the assets in the network. The costs of being audited and of dealing with audits are very high, and they are costs that small companies may not have the resources to meet.
If the Government suddenly say, “All components from supplier X must now be removed from the network because of x, y and z,” it is incumbent on the Government to have some funding to help people to do that and to ensure that that really does happen, because it could be a step too far if you have a lot of very small suppliers that do not have the resources of skills, time or money to do it. You need to think about that and about how you can ensure that they are not squeezed out of the network—this diverse network that we want—by those costs.
Chi Onwurah
Q
Dr Bennett: I think most people would agree that the diversity of end points, of interfaces and of applications running over complex networks all pose security problem areas. The more of those you have, the more resilient your network might be on the one hand, because there are multiple parts, but on the other hand, the harder it is to maintain them adequately.
We see some of these problems today in the decision to move the copper out of the network. Applications that are very important to many users, notably alarm signals, are ones that often assume they have an underlying network of a particular type, and if it is not there those applications do not work and they do not work suddenly. These types of things are very complicated but are actually very important for the end users. It may be an alarm that says an elderly person has fallen in their home; it may be an alarm that says your bank has been attacked by a criminal gang. Who knows what it may be? But those types of things are the types of applications that run over these very complex networks, and unintended consequences can happen as you change the network architecture. If those tier 3 suppliers and the people providing key applications over the network are not involved in this conversation at the CNI level with the top-level suppliers, all sorts of unintended things can happen.
It is a question of how you make sure that you minimise the number of these unintended consequences and support people to realise what they need to do early on, so that they are not caught out by them.
The Chair
Q
Julius Robson: We are discussing the use of the mobile network for new and innovative services, such as worker alarms or falling-over alarms. Actually, there are some smaller players working in specialised industries that understand those customer requirements probably better than mobile operators, and that are very used to dealing with them. In fact, many of the applications for mobile are those that already exist in proprietary and bespoke wireless systems today and that we would want to move on to mobile. Some of the newcomers probably understand these things better than others and the diversification policy is about bringing in that expertise—those industry specialists who understand these requirements.
I would also say that, yes, the network is complicated—radio wireless networks, with lots of endpoints—but intrinsically the wireless medium is insecure. Anyone can listen in to it; it is possible to modify the signal. It has been designed so that everything going over it is secure and protected, and those security paradigms are locked up in the core, so that there are parts of the network that you do not have to worry about, because the information has been secured at a higher level.
I think this was mentioned by Andrea from Vodafone this morning: it is really important for us to understand which parts of the network are in scope of the security rules and which bits we do not need to worry about. The air—anything in the airwaves—is intrinsically already easy to eavesdrop on or modify. So obviously that is out of scope. I think we do not have to get too worried about certain parts of the network.
The Chair
I am just going to go to the Minister; if there is time, I will come back. Minister.
Matt Warman
Q
Julius Robson: I think it is important. What we are looking at in the 5G era is the application of mobile technologies for specialist industries, and it is entirely relevant that those industries have their own requirements for security and other requirements that apply on top of what is necessary in the basic mobile network. I do not think we need to duplicate that effort. Where we are using mobile in certain scenarios, the scenario should define the requirements. The base level of mobile connectivity should be something suitable, and affordable, for the consumers and the masses.
Dr Bennett: I am aware of the work you have been doing on security for the internet of things. I think it is complementary and extremely important. Everything should have security by design in it. It is very important to cover these types of points.
Matt Warman
Q
I would have expected you to say, if I can put words in your mouth, that you would like the agility of the regulator’s ability to update those codes of practice, to be able to say to networks, “This is what secure looks like. If you are complying with these kinds of codes of practice, then we will be able to understand that you are meeting the requirement.” You seem to actually be saying that you want greater rigidity. I am interested to understand whether you would like the codes of practice to have the flexibility offered by the writing from the regulator or whether you would like to see them on the face of the Bill.
Dr Bennett: I think we actually want both. There should be mention in the Bill of some of the ones that I think are key, so that people realise that there is going to be a code of practice on that they should follow. It is very important to be able to be agile and to get early information, from something like a technology reference panel, about things that are coming along, in order that you think about them before they get attached to the network. Trying to do it after you have attached something to the network is frankly a nightmare, so you need to be anticipating. It is not clear that there are mechanisms for that anticipation in the Bill.
Given the SolarWinds Orion hacking, which is a recent example of something that will take a long time to sort out and is precisely what you do not want to happen in the future, it would be sensible to get someone like NCSC to test whether the things in the Bill, and things that should be in the Bill, would have enabled the mitigation of that problem to happen faster than it has. The Bill ought to be doing something like what the Americans are doing in response to that now. The Government should consider a rapid response, co-ordinated unit to deal with similar incidents in the future, because they will happen. That is the kind of thing that ought to be in the Bill to say, “This is how we are going to be able to mitigate these problems when they happen, as quickly and sensibly as possible.”
Matt Warman
Q
Dr Bennett: Yes, and anticipating things as early as possible.
The Chair
Chi, we have time for another quick question. I think you had a point that you wanted to come back to.
Chi Onwurah
Q
Julius Robson: Thank you for that question. I have mentioned chipsets, which are important, and lots of people have talked about software and open RAN. The specialist base station chipsets are an important component, and if we can make them available at scale, which is something that we work on with our FAPI—our functional application programming interface—I think that will really help to fuel the diversity of equipment providers. That is one aspect.
Another aspect—I am not sure how well it is coped with in the consideration of the supply chain—is diversification at service provider level. As I have mentioned, mobile operators are the main service providers for mobile services, but they partner with other providers, particularly ones that work in specialist environments. There is a particular type called neutral hosts that can offer multi-operator services. If you wanted to connect to a hospital, it would not be any good to have just one operator service and have only a quarter of the people served. You need all of them served, and that needs to be done affordably. We want to make sure that the partners of mobile operators, such as neutral hosts, are supported in legislation.
It is also about recognising, as has been mentioned, the challenges of getting the hardware out. You can scale software just by selling it to more people, but hardware needs more feet on the streets and more deployers. We have to look at how we go about enabling more people to deploy mobile infrastructure into communities and industry, so that more people are aware of how it works, which means making the system simpler. From a security perspective, we need to recognise that there are parts of the network that need to be kept secure, and there are parts of the network that are out of scope of that.
Chi Onwurah
Q
Julius Robson: Just to make the point that you do not have to worry about every last resistor—components were mentioned—and every piece of equipment you have. As I pointed out, the radio airwaves themselves are also not secure. The whole system is designed to securely operate over an untrusted environment. In standards, we have the concepts of trusted and untrusted networks. Typically, you can operate your mobile network over the internet, which is considered untrusted. It is important that we recognise that paradigm.
I would say that all service providers are well accustomed to working with the level of security that the mobile operators and the regulatory regime demand, so we are happy with that. I just hope that we do not introduce new burdens with this legislation that stand in a way of diversification.
The Chair
Looking around the room, I think that is it. In that case, I thank Dr Bennett and Mr Robson for their evidence. We are extremely grateful to you. Thank you both very much indeed. That brings this session to a close.
Examination of Witnesses
Dr Scott Steedman and Charles Parton gave evidence.
The Chair
We now move to the sixth and final panel of the day, which consists of Dr Scott Steedman CBE, who is the director of standards for the British Standards Institution, and Charles Parton from the Royal United Services Institute. We have until 4.45 pm for this session. Again, I ask the witnesses to introduce themselves for the record. May we start with Dr Steedman, please?
Dr Steedman: Good afternoon, everyone, and thank you for the opportunity to attend the Committee this afternoon. My name is Scott Steedman. I am director-general of standards at BSI, the British Standards Institution. In my role, I have primary responsibility for the activities of the National Standards Body, which provides the UK experts—industry, Government and consumer experts—to participate in the development and maintenance of standards at the national, regional and global level.
The Chair
Thank you. Mr Parton?
Charles Parton: Good afternoon. My name is Charlie Parton. I used to work as a diplomat, for 37 years, and the vast majority of that was working on China. Since I left diplomacy in 2017, I have continued to work on China. My “Mastermind” special subject, I suppose, is the Chinese Communist party and domestic politics, but of late, in the past couple of years, I have also been looking at strategy—UK relations with China—and, in that context, the question of Huawei and how we deal with technology and divergence.
Dean Russell
Q
Charles Parton: I think you are absolutely right to focus on our Five Eyes allies, in particular America and Australia—Canada and New Zealand at the moment are a little bit undeclared—which have come out very forthrightly to say that we really should not be entertaining Huawei in our systems. We have now followed them—even if only by 2027—and I think that is very much the right decision for a number of reasons, which I could go into if you wish me to.
I am not a technologist, and look at it much more from the political angle. It seems to me, if I may say briefly on the technology and the 5G system that is going to last us for the best part of 25 years and on which, no doubt, 6G will be built, that the idea that we can stay ahead in technology and be absolutely certain for the next two or three decades that we are ahead of the game and can keep them out of manipulating our data or using it in some advantageous fashion, is one of very great trust in our own abilities—first, they are putting enormous resources into it.
There are other reasons why the decision to get rid of Huawei was correct, and one is what I call the “black vulture of policy”. We have seen the way in which China will bully and sit on those countries that go against its wishes, in whatever field—way outside telecom. If you are dependent on another country’s systems, whether for getting equipment on time, or upgrades—let alone the more devious aspects of possible interference—I think that you will be looking at that black vulture and thinking, “Is it safe to pursue a policy that is very much in my interests, on telecoms, if I am going to be hit hard in other areas?” We have seen that: Australia, at the moment, is under the cosh; the UK was under the cosh when the Dalai Lama visited in 2012; Norway has been under the cosh, and so on.
In that context, are we saying that Huawei rules the Chinese Communist party’s policies? Of course not, but they are very intimately linked. I think that if the Chinese Communist party says to Huawei, “Jump!”, the only response from Huawei is, “Yes, sir! In what direction and how high?” You might look at the national security laws and say that those of course oblige them to co-operate and all that, but I do not think that matters so much—if the Communist party says, “Do it!”, they have no choice. If you look at how close they are, as another illustration, look at what is happening in Canada with the two hostages and the chief financial officer, Meng Wanzhou. Again, I could go into more detail if you want.
Also, there is the financial support that Huawei has received over the years, in terms of cheap finance, loans to customers, tax rebates and so on. Why does it do that? Because the Communist party wants to dominate the technology of the future, and Huawei is its tool for doing that. So I think that to trust Huawei in the long term would be a very unwise decision.
Dr Steedman: Can I take us back to the Bill and talk in that context? We are in a period of very rapid technological development and evolution. Many countries, including the Five Eyes countries, have allowed the market to drive this forward and not perhaps paid attention to it. While this was a hardware-driven sort of infrastructure, that was possibly manageable, and we have managed it over the last few years fairly satisfactorily. But looking ahead to the 5G and, perhaps—who knows?—the 6G world, we have moved to a much more vulnerable position away from hardware and towards software.
I welcome this Bill because I think it is incumbent on countries that want to protect themselves with secure and resilient infrastructure, and because it puts in place a structure of regulation, guidance and standards, which I represent, that will enable a transformation in the industry of the United Kingdom. It will enable us to use technology and software from providers all over the world, but also from SMEs and start-ups in the UK that we can encourage, and create a really innovation-friendly future. But to do that we have to create a market framework that is structured under a quality piece of regulation that enables that to take place in a clear way—clear for the market, clear for the regulator Ofcom, and clear for the Department that manages it on behalf of the Government.
In this Bill we see clear statements about new duties, codes of practice and guidance—another form of standard —to be approved by a Secretary of State for the industry, and also indications about the use of industry standards to support and deliver a new policy. We can really play to our strength in the UK, where we work in a very performance-based market structure, and we can enable a pro-innovation culture that will stimulate and deliver the diversification, security and resilience that we are looking for.
It is not unusual in the world that major commercial players, given free rein, try to influence things in the direction that suits them best. It is not unusual. We are talking about China specifically, but it is not unusual. The key to this is ensuring that in the standards landscape, which is used to support the delivery of regulatory bodies, the governance and processes of the development of those standards is managed and influenced with UK stakeholder interest at heart. In the big landscape of standards, which we might want to talk about further, there is a very wide range of organisations developing standards, from the fringes to the formal systems, and we can discuss and deploy that in a coherent and consistent way.
There is evidence from other Departments of how this works in a co-regulatory manner, supporting industry, Government, Departments and the regulator to deliver the outcomes that we as a nation desperately want.
Christian Matheson
Q
Charles Parton: Of course, Huawei got the headlines because of the urgent need for 5G, but you are absolutely right that it is not the only player in telecoms, and indeed telecoms is not the only subject. I think that we need to look much more seriously at the whole question of technological co-operation with China. This gets into the whole question of divergence, or decoupling if you are American.
We have to recognise that, whereas our aim in China relations is to maximise trade, investment, global goods and so on, there are increasingly limits because divergence is happening. The intention of the Chinese Communist party is to dominate. As Xi Jinping in fact said in his first speech to the Politburo, the intention is to dominate western capitalism. He said that the Chinese system will take the superior position. Clearly, technology and its advance is a very important way of doing that, so it is not just Huawei and 5G. Therefore, we have to look very carefully at the whole question—that, I suppose, is what lies behind the National Security and Investment Bill—of how we co-operate on technology with China.
I have called for this a number of times, as many others have. The Government will need to set up a body and give much clearer guidance on which subjects in this field of technology we can co-operate happily with China, as well as which organisations—many are connected with the military, and the distinction between civil and military technology is eroding—and which individuals, because there are a number of individuals who have taken back or collected technology to help the Chinese security apparatus develop it.
You are absolutely right that it is really important to look much more broadly than Huawei. The company that comes immediately to mind is Hikvision, because it has such a large amount of the CCTV market. Secretary of State Dominic Raab made an interesting point in his speech the other day about the reputational harm that could be done to some of our companies if they are co-operating with Chinese companies that are deeply involved in the surveillance state, of which of course Huawei and Hikvision are two. Huawei has three laboratories with the public security bureau in Xinjiang, and is devising for them technology that will enable them to pick out Uyghur faces in crowds. That is on that side.
I think your second question was, why has Huawei been successful?
Christian Matheson
Q
Charles Parton: I think the Chinese state very strongly supported Huawei through its financing provisions and tax breaks, and indeed worldwide by giving cheap tied loans to countries and companies that would use its equipment. Of course, Huawei has been very successful because it is enabled thereby to provide very cheap goods, and it works extremely hard and quickly. I have to say also that there have been times when we have helped it. I am not a great supporter of the Huawei security cell that checks it. I think Huawei must be delighted with that, because some of the best brains in Britain are paid to pick out the holes in its shoddy system. It does not necessarily have to do the work and it can plough ahead with speed, in the knowledge that the Brits will very kindly point out where its systems are deficient and demand that it fills them. It is a great model, and we need to think a bit more carefully about that in future.
Dr Steedman: Technology companies that secure major positions in the market, wherever they come from, do so either because the market is not being monitored or regulated carefully enough, or because they win the contracts. You would need to ask market experts about why Huawei achieved the position that it did.
Perhaps I could focus on the diversification question and looking to the future. There are very effective ways and means to manage the market structures in our country, and they require a combination of regulation, guidance and standards. You can do that through procurement routes on both the technical side and the supply chain side, and you can do it through the contractual routes. Although we have a very successful and professional regulator in Ofcom—its role is to police the regulatory environment—we can also encourage, through the supply chain channels, the use of standards on specific technical requirements and on specific contractual requirements which encourage better business behaviour.
The Government in the UK use a small proportion of the British standards catalogue—perhaps 10% or 15% of the 37,000 standards that I am responsible for—in support of regulation. This is the area where co-operation can take place in a very effective way between UK experts, industry experts, consumer experts, regulators, academics and other countries of our choosing. Indeed, in the international domain, I have 1,200 committees. The UK chairs, hosts and manages 200 international committees, and a lot of the action, in terms of co-operation outside individual companies and universities working in their laboratories, takes place in the international standards system. It is in this system that we can seek to increase UK participation, co-ordination and influence, in order to get the results that we want. We want to ensure that the standards used are open and interoperable, that their governance is managed in an independent and neutral way, and that British stakeholders have the opportunity to influence the content of those standards.
The key to international co-operation is managing and influencing the international standards through which technologies, software and business processes are all delivered around the world. That is the plug- and-play global economy—trade, innovation and so on. It is an enabler; it is not a level playing field. The Telecommunications (Security) Bill will provide the level playing field for parties in the UK, and standards provide the opportunity. I would encourage us to see beyond the Bill’s provisions on rules, guides and guidance and to see the role of standards as a tool for us to help stimulate the diversification, security, resilience and quality that we are looking for in a future market environment in the UK. That is an area where the diversification taskforce under Lord Livingston, which I am privileged to be a member of, has been working very hard. We have some ideas emerging from that taskforce to support the 5G strategy, which I hope in the medium term will see British influence in international co-operation on standards really ramped out. We look forward to that.
The Chair
I think I might interrupt you there, because we have only until 4.45 pm. I would really like to bring in Mr Sunderland, the Minister and the shadow Minister, so we need very tight questions and very succinct answers.
James Sunderland
Q
James Sunderland
The important question from me is: what will be the reaction to the Bill within the Five Eyes community?
Dr Steedman: I will lead on that. I think the Five Eyes community will welcome the Bill, and it may well begin to set a model for the way that the UK and like-minded nations can create a pro-innovation market framework which has sufficient regulatory powers, backed up by industry standards, to deliver the environment that we want and that will, particularly in the UK’s case, stimulate new entrants, SMEs and innovation. That is a really critical part of future diversification, because we have no incumbent major players based out of the UK, so we need to stimulate our own industry as well.
Charles Parton: I do not have a great deal to add to that, other than, as a side note, that I do not think we should underestimate American bipartisan attitudes to the whole question of China and technology. I think we are going to have to take that into account in the broader context, because they are long-standing allies and sharers of the same values as us.
Chi Onwurah
Q
I start with a question to Mr Parton on behalf of Catherine West, which relates to the last point you made. As we know, the Government were moved to ban Huawei entirely from the network following US sanctions instigated by President Trump. What changes do you see the Biden Administration having on the US’s outlook on China, if any? Can you also squeeze in a reference to Chinese influence on academic research and development in this country? Then I have another question for Dr Steedman, which I will ask afterwards, if I may.
Charles Parton: A very quick response to that. I am more an expert on China than America, but nothing in the last couple of years has suggested to me that the Democrats will take a very much different position from the Republicans on the question of technology. I think they see it as a very great threat, as the Chinese have said. I think nothing will change there.
On the question of academic influence, I really do not think we should underestimate that. I wrote a paper on it about two years ago and much of what I sketched out there exists. For that reason, if I may repeat the point I made earlier, a great deal of effort has to be made, particularly in the STEM subjects. We could talk about the arts subjects and the clampdown, or the influences, on the freedom of speech and the self-censorship there, but in the STEM subjects it is really very urgent that we give our universities good guidance on what subjects, what organisations and what people they can co-operate with in the China context. As some of the research has shown, in terms of what is going on in our universities, there are subjects that we perhaps should not be helping on. GAIT technology with Huawei is an example. What can GAIT technology be used for? Surveillance. Not always, but it is very important in surveillance when you cannot see someone’s face because they are wearing a mask or it is bad weather. We have to be very much more on the ball in that area.
Chi Onwurah
As I said, I am a massive fan of standards development. I have worked in the area, with the ITU. I agree that it is essential to enable open RAN and diversification. The Government have said that standards are driven by vendors. We heard this morning from the network operators that their standards presence was driven by their headquarters—their owners. We do not have a UK vendor. When you say that we need to improve our presence in standards bodies, who is going to do that and how is it going to be funded?
Dr Steedman: Actually, we have excellent people in the UK who participate in international standards work. The challenge is that there is a huge breadth of organisations, fora, consortia and formal bodies that generate, develop and maintain the standards that are then used in the evolution of the equipment—hardware, software and so on. We need to pick those organisations that are doing the critical work, particularly perhaps the ones around security, and ensure that we have British voices in there. It is true that if you look at a consortia model, you will find that the consortia that develop standards are what we call pay to play: companies pay to join a consortium, and together they sit and write a standard. But actually there are other organisations that have more governance and more formal mechanisms for national representation, national voice and consumer voice, as well as industry voices. This spectrum is the piece that is often not well understood.
Our ambition, on the diversification taskforce, is to look to co-ordinate UK voices, which are currently fragmented in these multiple organisations, and to see what we can do to target, to focus, on the areas of standards development that we know are going to support the ambition of security, resilience and diversification in the UK—and, frankly, to allow other areas of standards development to carry on as they will. People write standards to suit themselves. But where we need formal standards to support a market structure in the UK, we must be absolutely sure that those standards have had UK stakeholder voices in the process, and that is part of the formal process.
You mentioned the ITU-T. That is where the DCMS, of course, is representing the Government. And the BSI represents the UK in ISO/IEC JTC 1 and in and the European regional organisations, including ETSI. So there is a big opportunity for us to take those lessons that we have learned in influencing these great international organisations and extend that policy of influence through co-ordination of the UK voice in other spaces. The ORAN-ALLIANCE is one example of where we need to improve our co-ordination. Who is going to pay for it?
The Chair
I am going to interrupt you. I am sorry, but I want to let the Minister get a last question in. My apologies.
Matt Warman
Q
Dr Steedman: Thank you, Minister. I might suggest that this is very much a matter of horses for courses. There is a range of organisations. I mentioned the ORAN-ALLIANCE; that is clearly one. We know, obviously, about 3GPP and the role of ETSI and 3GPP; that is another. And there may be roles for the formal bodies. We need to discuss the ITU-T, the UK participation in ITU-T and how we can strengthen that. With respect, this is an area that we need to work further on; and in the diversification taskforce, we are talking about the detail of that and how we might approach it from a United Kingdom perspective.
I am optimistic that the initiatives that have been taken today with the diversification taskforce, under Lord Livingston’s leadership, are going to produce for you really quite powerful ideas and initiatives to be taken forward in the years ahead. This is possibly the first time that the UK has really co-ordinated its input in this way to try to achieve some industry transformation and behavioural change.
The other areas I have mentioned, Minister, that are really important are in the area of procurement. This is not just about the technical standards; it is also about the way standards are used in the supply chain to stimulate behaviours and to enable SMEs to participate, rather than our just being locked into large-scale providers. I am very keen that we should comment on and discuss that, and those standards are not in the technical environment; they tend to be more in the business environment, where the UK has a very strong position already in global business standards. So there is another tool in our tool shed, to be used when we come to looking at shaping the market. I am looking forward to discussing that further with you in the taskforce.
Matt Warman
Q
Charles Parton: I cannot possibly deal with this in one minute. Obviously, telecoms is a very crucial—an increasingly crucial—part of critical national infrastructure, so they are very closely linked. It goes back to what I was saying earlier. There is this question of where in the science and technology field and our research and development we allow ourselves to co-operate with China, given that its attitude is one, I think, that is really quite risky. So, when the DCMS talks about the extremely fine idea of setting up a national telecoms laboratory, I do hope that, in setting it up—it talks about co-operating widely internationally—it takes that sort of thing into account, too. I think that there will have to be great restrictions there.
This might be another example. I am well out of my field here, but we have designated high-risk and non-high-risk vendors, but what happens if some of the Chinese—they do not have to be Chinese—higher-risk vendors try to sneak under the wire by purchasing or using proxies? Again, I think that needs to be considered.
The Chair
I am afraid that brings the time for this witness session to a close. I think that we could all have done with a bit longer with both of you gentlemen, but thank you very much for your evidence. We are extremely grateful to you. That brings the formal part of the proceedings to a close.
Ordered, That further consideration be now adjourned. —(Maria Caulfield.)
Telecommunications (Security) Bill (Fifth sitting)
Thursday 21st January 2021
(3 years, 2 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 21 January 2021 - (21 Jan 2021)
The Chair
Before we begin, I have a few preliminary announcements.
Members will understand the need to respect social distancing guidance. I am told here that I shall intervene if necessary to remind everyone. Mr Speaker has asked that Members wear masks in Committee, except when speaking. Please switch electronic devices to silent. Tea and coffee are not allowed during sittings. Hansard colleagues will be grateful if Members could email their speaking notes to hansardnotes@parliament.uk.
We now begin line-by-line consideration of the Bill. The selection list for today’s sitting is available in the room. This shows how the selected amendments have been grouped together for debate. Amendments grouped together are generally on the same or a similar issue. Please note that decisions on amendments do not take place in the order that they are debated, but in the order that they appear on the amendment paper. That is often confusing for Members, young and old alike. The selection and grouping list shows the order of debates. Decisions on each amendment are taken when we come to the clause to which the amendment relates.
Clause 1
Duty to take security measures
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
I beg to move amendment 7, in clause 1, page 1, line 19, at end insert—
“(ba) the presence in the network or service of supply chain components which represent a threat to national security;”.
This amendment would add the presence of supply chain components which represent a security threat to the list of “security compromises” which network and service providers must take security measures against. “Supply chain components” are defined by Amendment 8.
The Chair
With this it will be convenient to discuss amendment 8, in clause 1, page 3, line 17, at end insert—
“‘supply chain components’ means the sequence of processes involved in the production, distribution and maintenance of networks and services.”
This amendment defines “supply chain components” for the purposes of Amendment 7.
Chi Onwurah
It is a great pleasure to serve under your chairship, Mr Hollobone, and to see the Bill Committee present. I thank all its members for taking part, and I observe that the room is a lot warmer than it was in December, when the National Security and Investment Bill was in Committee. I hope that we will continue like that. I also thank the Clerks and all the members of House staff who have supported us with the amendments and on the Bill more generally.
I crave your indulgence, Mr Hollobone, to start with a few opening remarks that will be helpful in understanding the Opposition’s approach to this amendment and to the Bill as a whole. To give the context, I worked as an electrical engineer for 20 years before entering Parliament. I am still a chartered engineer and proud of that. As an engineer, I worked all over the world helping to build out the networks—fixed, wireless and mobile—that became the internet and on which this Bill is intimately focused.
I should also declare an interest. Many of the provisions of the Bill deal with the regulator, Ofcom, and I joined Ofcom in 2004, just a few weeks after it was born, when it was to be a light-touch regulator, small and nimble. Over the years, it has acquired responsibility for critical national infrastructure, the BBC, the Post Office, soon the entirety of online harms and now, it would appear, national security as well. I have been calling for greater security, in particular for our mobile networks, for many years now, so I and the Opposition welcome the aims of the Bill, and the Bill itself. However, many areas within it need to be addressed.
As I have declared my personal and professional interest in the telecoms network, Mr Hollobone, you will not be surprised to hear that I am thrilled that we will spend so many hours of our parliamentary democracy time here in this room, dedicated to debating our telecommunications infrastructure. But, to my regret, the Committee is not taking advantage of the very telecoms infrastructure with which it is dealing. I would like to place on the record that we believe holding this Bill Committee physically rather than virtually is putting Members of the House, Clerks and House staff at risk from the coronavirus pandemic, and we feel that it is our duty, as a reasonable and responsible Opposition, to ensure that that risk lasts for as short a time as possible. Therefore, we are going to crack on as quickly as possible through as many clauses as possible, while maintaining appropriate levels of scrutiny. I want to put the Government on notice that we expect as a consequence to have more time on the Floor of the House on Report to consider the Bill, because we do not feel that it would be wise to dwell on many of its important themes when we are meeting physically in one room at a time of national pandemic and lockdown.
To keep all Members and staff as safe as possible, we will have a laser-like focus on three primary areas. The first is national security. Labour prioritises national security, but failings in the Bill show the Government are taking risks with our security-critical national infrastructure and economic security, and we will highlight those failings constructively whenever we can. Secondly, the security of our networks depends on an effective plan to diversify the supply chain, which should include support for UK capability, and we are very concerned that the Bill short-changes both our national security and our telecoms infrastructure by not including more references to the Government’s diversification strategy; it is a weak strategy and we will try to overcome that. Thirdly, the Bill also gives sweeping powers to the Secretary of State and Ofcom, including sweeping powers over security. As my hon. Friend the Member for Cardiff South and Penarth (Stephen Doughty) said on Second Reading, the Department for Digital, Culture, Media and Sport is not known for its understanding of or expertise on national security, and we want to take measures to address that.
Security is the primary concern of amendment 7, which was tabled by my right hon. Friend the Member for North Durham. It seeks to add the presence of supply chain components that represent a security threat to the list of security compromises that network and service providers must take security measures against. Supply chain components are defined in amendment 8, for the purposes of amendment 7.
James Wild (North West Norfolk) (Con)
Amendment 7 refers to national security. I note that the Opposition have not tabled a definition of national security, which is an issue we have considered in other debates. Is there a reason why the hon. Lady now accepts that we should not define national security?
Chi Onwurah
I thank the hon. Member for his intervention, which raises a really important point that I will say something about. As I am sure you are aware, Mr Hollobone, yesterday was the Third Reading of the National Security and Investment Bill. I refer Members to the report by the Select Committee on Foreign Affairs, published on Tuesday, on the critical issue of national security and its definition. In fact, the Opposition sought to put into the National Security and Investment Bill not a definition of national security but a minimum standard of what national security should refer to. We wanted to include elements such as critical national infrastructure—of course, telecoms infrastructure is a part of that—and supply chains, which the amendment deals with, and also human rights. I do not want to anticipate what we might table in future, but one reason we have not so far tabled a framework for guidance in national security is that we had hoped that the Minister responsible would recognise both the advice of the Foreign Affairs Committee and the Intelligence and Security Committee in giving greater guidance on what national security was, and that that was a better place for it.
Christian Matheson (City of Chester) (Lab)
The other opportunity for the definition to be addressed would be when the Government next produce their defence and security review, which comes out no more than every five years. They might address what national security is or whether it is indeed desirable, as my hon. Friend has said, to specify that in an ever-changing world.
Chi Onwurah
I thank my hon. Friend for that helpful intervention. I do not want to take up too much of the Committee’s time on the way in which national security should be defined, or guidance given, although it is relevant to the Bill. As my hon. Friend says, there are other places where a framework for understanding national security would be better placed. One of our concerns about this Bill is that, as I have alluded to, Ofcom and the Department are not experienced in security issues, and they are not the best organisations to make security decisions. Putting a framework to define national security in the Bill might not be as helpful, but if as our debates progress we see a need for greater clarity on guidance around national security, and it is not to be found anywhere else, we might take up his challenge, and I hope to have his support if that should happen.
With regard to the amendment, it is important that the supply chain components are understood. As we proceed through the Bill, we will come to understand better that the steps to remove high-risk vendors from UK networks that the Minister is in the process of taking are welcome, but that is not enough to secure our networks. We also need an effective diversification of our network supply chains. Part of the challenge here is that if we remove high-risk vendors, as the Bill enables, and leave only one or two approved vendors, our networks remain insecure because they are less resilient. In fact, they are not resilient at all. The loss of one vendor would mean that there would be only one vendor for our entire 5G network supply chain, as things stand.
Mr Kevan Jones (North Durham) (Lab)
It is a pleasure to serve under your chairmanship, Mr Hollobone. I apologise for my late arrival, but I was asking a question of the Health Secretary on the vaccine roll-out. When we look back at the time before the pandemic, would we have thought that part of our critical national infrastructure would be vaccine production? As my hon. Friend the Member for Newcastle upon Tyne Central said, that is a good example of the changing nature of these things. Will the threats to telecoms change? Yes, they will. Last night we discussed the National Security and Investment Bill, which addresses some of the same issues.
I tabled the amendment to focus on and consider the supply chain. There has been much concentration, quite rightly, on Huawei—not just the history, but the threats. As the Minister knows, I was a keen supporter of the Government’s initial response to Huawei. From a technical point of view, I think allowing 35% and making sure that Huawei was not in the core network was the right response. That all changed with the US sanctions on semiconductor exports to China, which changed the security advice. Again, I agree with that.
It will be interesting to see whether, if President Biden were to change that, we would change the security advice back. Frankly, I doubt that because of the direction of travel. I do not think there will be great change in the new Administration’s approach to China. It might be more nuanced and less belligerent, but I do not think it will fundamentally change. I know from sitting on the NATO Parliamentary Assembly and meeting fellow members from both sides of the House in the US Congress that there is a pretty unified bipartisan position on China.
The debate around Huawei has concentrated on the hardware. My amendment, which is a probing amendment, tries to see what coverage we will have in the telecoms network supply chain. There has been much talk about compromising the main components, but each of these networks are very complicated. We need only look at any electronic equipment used today, whether that is a telephone or a microwave oven, to see that they are very complex pieces of kit. The components are not all sourced here in this country—it would be impossible to do that—but are supplied from around the world. However, in terms of electronics, the major suppliers of a lot of these components are the Chinese, or Chinese companies that manufacture in different parts of south-east Asia, for example.
This is not just about how we get diversification in this sector, although trying to get some home-grown innovation is going to be important. To be honest, I think the opportunity is going to be in software and open RAN, because that is where we can get an advantage if we get our ducks in a row, not only through investment but through Government initiatives and other things. It is about trying to minimise the risk that will be there now that we are going to have two vendors. Now that Huawei is no longer in the network, we are going to have Ericsson and Nokia, both of which are going to be there for the foreseeable future. What will the regulator do to look at the supply chain around their components, for example? From the evidence we took from Dr Drew, it is quite clear that China is using not just these networks and the components that go into telecoms, but other things, including the belt and road initiative, for geopolitical purposes.
Chi Onwurah
I thank my right hon. Friend for giving way, and for the excellent points he is making. He mentioned the evidence we took in our session with Dr Drew. Is it not true that in those evidence sessions, we heard about the complexity of our networks and the extent to which network operators were not always aware of where their components were or, in this case, the level of components? Is it not the case that my right hon. Friend’s amendment will not only increase the visibility of the different components in the supply chain, but should help the Department and Ofcom understand where these components are, where they are going and the way they are changing through soft upgrades?
Mr Jones
I agree. The issue with both Ericsson and Nokia is that they will have Chinese components in their hardware. This is an incredibly complex situation, as my hon. Friend said: we are talking about not just one piece of kit that most of us have in our pockets, but hundreds of thousands of components, pieces of software and other things. What I am trying to put on the record, and what I want the Minister to respond to, is the question of how we get an understanding of any risks that are involved in that, and how the regulator and the Government are going to look at ways in which national security could be compromised, not by the main company being owned by a Chinese state entity, a Russian state entity or any actor that we feel is a threat to us, but by a key component.
I have not yet really understood how the regulator will look at that issue further down the supply chain, and whether it will ask a supplier of kit to the telecoms network, “What is the level of threshold or security that you need?” That is hard enough with hardware, but with open RAN and software—we are talking about bits of code—it is going to be incredibly difficult. One of the issues is around vulnerabilities, and various things have been said about the vulnerability that Huawei poses to our telecoms network. However, I suggest people read the Huawei assessment centre’s annual reports—I am rather sad, because I read such documents. One thing sticks out every single year, and it is not that the Chinese are doing anything nefarious. The reports are highly critical of Huawei for its shoddy workmanship and engineering, but that type of shoddy engineering and a lack of attention to security will lead to security concerns in our telecoms network.
Amendment 7 is designed to tease out from the Government their thinking about the supply chain. We do not want to be over-burdensome on it, because we want to get innovation in the supply chain. We do not want to suddenly give researchers and other people in the supply chain huge regulatory hurdles to jump over, because that would stifle the development that we are looking for. It is about how individual components and the overview of the supply chain will be regulated. I have tabled a later amendment about Ofcom, but again it comes back to the point I made yesterday about the National Security and Infrastructure Bill. What has to be at the heart of it all, every single time, is not to stifle innovation and prosperity, but what has to come first every time is national security.
As I say, amendment 7 is a probing amendment, and I want to understand where the Government are at in terms of the supply chain, the security they feel they need over the supply chain and, more importantly, the visibility of the supply chain.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
It is a pleasure to serve under your chairmanship, Mr Hollobone. I echo the thanks of the hon. Member for Newcastle upon Tyne Central to you and the House staff for facilitating this Public Bill Committee. I also echo her praise for the temperature of the room and especially her commitment to crack on and not fill it with further hot air. That is to be welcomed.
Like the hon. Lady, I will briefly talk about the broader context of the Bill before I directly address this group of amendments. As we all know, security should be the first priority for any Government, and the Bill demonstrates this Government’s commitment to securing the UK’s telecoms networks.
Clauses 1 to 14 raise the bar for security across the whole telecoms sector, and the subsequent clauses—15 to 23— provide the mechanism for the Secretary of State to manage the role of high-risk vendors. The part that telecoms plays in our security is undeniable and has become even more evident in the midst of this global pandemic. At present, the internet provides absolutely everything for workplaces, schools, families and friends, and the Government are committed to improving that through our gigabit programme. New technologies have the potential to be transformative, but they have the opportunity to reach their full potential only if they are secure, and the Bill will ensure that.
Before I explain the Government’s response to amendments 7 and 8, it is necessary to explain briefly how they would interact with clause 1. New section 105A in clause 1 places a duty on providers to take “appropriate and proportionate” measures. Those measures oblige providers to identify and reduce the risks of security compromises and require them to prepare appropriately for those risks. New section 105A also addresses the interaction between the duty and the national security and law enforcement activity, such that these activities are appropriately excluded from the definition of a security compromise. I will return to new section 105A later—I know that will excite the Committee.
Alongside the overarching security duty in new section 105A, new section 105B gives the Secretary of State the powers to make regulations that impose duties to take specific security measures. Clause 1 creates a duty for providers to take “appropriate and proportionate” measures to protect their networks and services from security compromises. “Security compromise” is then defined in new section 105A.
Mr Jones
I would, and this is really a probing amendment to get an understanding of what the Government think, but may I ask the Minister a direct question about the national security bodies—GCHQ and others? If they came across a component or something that a supplier was producing that raised concerns, how would their concerns be translated into saying that a red warning should be put on a certain component in a supply chain?
Matt Warman
I simply say that, as the right hon. Gentleman knows, the NCSC and others already work very closely with the networks. What he seems to be talking about, in some ways, is a very day-to-day way of talking about security concerns. That happens a lot already, and what the codes of practice and other documents will do is set up the framework by which that is formalised. As he knows, that process of very quick action being taken as soon as something is spotted, both by the networks themselves and by our agencies, is already well established, and the Bill gives considerably greater force to it.
As the right hon. Gentleman knows, the Bill is aimed at ensuring that providers take responsibility for the security of their networks and services in a way that has not happened, in legislative terms, in the past, and it then provides the Government with the powers that we need to enforce that. In so far as any supply chain components give rise to risks to the security of a network or service, new section 105A already requires providers to take appropriate action and proportionate measures to identify those risks. I appreciate that this is a probing amendment, but in a sense what the right hon. Gentleman is seeking to do through it is already there, and it will be enforced in the documents, such as the code of practice, that I have mentioned.
Furthermore, the addition of the presence of a supply chain component as a security compromise would not be consistent with the security framework’s definition of a security compromise, but I do not think that we need to get into too much detail about that in the context of a probing amendment. The concept of a security compromise is used in other provisions in the Bill, and it is important that we are consistent.
More fundamentally, the right hon. Gentleman’s amendment would put the onus on providers, rather than the Government, to determine a national security risk, but, as he implied, it is absolutely down to the NCSC and, ultimately, the Government and agencies to make that definition. Placing the responsibility for determining what does and does not constitute a threat to national security on the shoulders of all individual providers is not the right thing to do, and I think, to be fair, the right hon. Gentleman is not really suggesting that it is, either.
Chi Onwurah
I thank the Minister for the way in which he is addressing these important proposals. I think that his concern is that this amendment would put the responsibility on the providers rather than the National Cyber Security Centre, and I understand that, but can he say a little about the following matter, because it is the providers that know their networks? The National Cyber Security Centre is excellent, and we have huge admiration for it, but in terms of the supply chains, changes to the supply chain and new components evolving, how does he envisage that, day to day, working effectively without an amendment of this kind to put this requirement on the providers?
Matt Warman
As I have said, new section 105A partly provides the legal basis that the right hon. Gentleman seeks, but in practice no one is suggesting—the Secretary of State talked about this on the Floor of the House—that it is solely the name on the box of a piece of kit that defines international security status. We are not naive to the possibility of the supply chain being another vector of attack. That would be reflected in codes of practice and elsewhere around the legislation.
Public telecoms providers can and should consider the security of the resilience of their networks and services throughout the supply chain in a sensible and proportionate way. National security considerations are inevitably much broader than the issues that can be addressed solely by private companies. I think that is reflected in the distinction drawn up in this Bill.
The amendment would have implications for Ofcom’s monitoring and enforcement of providers’ compliance. The Bill includes provisions for Ofcom to collect information on behalf of the Secretary of State in narrow and specific areas related to national security, but this amendment would require Ofcom more actively to take some of the compliance judgments. In the evidence session the right hon. Gentleman was keen to see that it was not asked to make those judgments.
Mr Jones
Clearly NCSC does a tremendous job in terms of education of members of the public and companies —as the Minister outlined, that is a key part of its role. Does he see, therefore, a role for Ofcom as part of that, in terms of ensuring that the supply chain and operators are aware of their responsibility not only under the Bill, but to ask the right questions about supply chains from what might be deemed as high-risk vendors?
Matt Warman
In so far as codes of practice will be published by Ofcom, the answer to the right hon. Gentleman’s question is yes. The more nuanced answer is that it is a co-production between Ofcom, the Government, NCSC and others.
To conclude, the Government are immensely sympathetic to the issues that the right hon. Gentleman and the hon. Lady seek to probe, but we take the view that this amendment would do something that is, ultimately, already covered in the Bill. I hope that, in that spirit, she will withdraw the amendment.
Chi Onwurah
I thank the Minister for his response. I am concerned that there is not greater clarity on the role of the supply chain components and the supply chain more generally. We will come to that in further amendments. Given where we are and how we got here, we must take a forward-looking approach to future risks and vectors for risks. This amendment is important in probing that, but I do not seek to put it to a vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Mr Jones
I beg to move amendment 9, in clause 1, page 3, line 26, at end insert—
“(2A) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a report on the specified measures.”
This amendment would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to specified security measures which the Secretary of State requires the provider of a public electronic communications network or a public electronic communications service to take.
We are now going to have a debate reiterating a speech I gave yesterday on the National Security and Investment Bill, because it covers the same issues. I will go into the details in a minute, but the amendment attempts to ensure parliamentary oversight of the way in which this Bill will operate. Such scrutiny traditionally comes from the Select Committee that mirrors the Department —the Select Committee on Digital, Culture, Media and Sport—but the decisions taken by the Government and the Secretary of State will be based on evidence that cannot be put into the public domain, because much of it is highly classified. In Parliament, only the Intelligence and Security Committee has the required STRAP clearance to see that evidence. It is important to ensure that the Executive is held to account for taking such decisions and for the public and Parliament to know that decisions have had parliamentary oversight from the ISC.
I do not want to give the impression that the ISC is looking for work, because I have been a member for a number of years and we are busy with a lot of inquiries—I have three to four hours’ reading every week looking through reports from the agencies. However, it is important that the ISC can at least look at the intelligence that lies behind decisions. The amendment does not propose that the ISC should have a veto or be a regulator, because that would not be correct. Decisions about high-risk vendors are for Ofcom and the Secretary of State.
We had the same debate yesterday on the National Security and Investment Bill, because the same issues come up there: decisions will be taken on national infrastructure, and the justification for them will be based on highly classified secret intelligence to which the Business, Energy and Industrial Strategy Committee will not have access. People might say, “Isn’t this the ISC getting involved in the day-to-day work of the BEIS Committee?” No, it is not. The ISC already has such a responsibility for Defence Intelligence and the National Cyber Force—military cyber-security—and we stick just to that; we do not go into wider Defence policy issues. Likewise, we scrutinise MI6, whose home Department is the Foreign, Commonwealth and Development Office. Again, we do not get into general foreign policy issues, which are rightly for the Foreign Affairs Committee. I do not think there is an easy way for the Government to provide for parliamentary scrutiny at the moment, but I want to go through and explain one.
I have some sympathy with the Minister, just like I had some sympathy with the Secretary of State for Business, Energy and Industrial Strategy yesterday on the National Security and Investment Bill. I know exactly where the problem is, and it is not in the Minister’s Department or in BEIS: it is in the Cabinet Office, which seems to have an issue with the ISC and jealously guards anything that we ask for, ensuring we get only some information even though we are legally entitled to it under the Justice and Security Act 2013. There is usually a tug of war, and on every occasion I have seen it the ISC has won—it is legally allowed the information—but that does not stop the civil servants. I must say that this is not Ministers’ fault; it is the culture in the civil service.
James Sunderland (Bracknell) (Con)
Given that most MPs do not fully understand what the ISC does, does the right hon. Gentleman not agree that the Government are probably best placed to make the decision on this particular matter?
Mr Jones
No, I do not. I know the hon. Gentleman is a new Member, and I actually quite like him, but what is he arguing for? A dictatorship? That the Executive should decide everything? Knowing you, Mr Hollobone, you would take a very dim view of that. You have form on holding the Executive to account—all Governments.
The ISC is there to look at information and provide parliamentary scrutiny. As for the nature of the information we receive, we have all the clearances from top secret going up to STRAP, including STRAP 3, which is intelligence that has a limited circulation and people have to be added to the list. We have access to that as well, which allows us to consider that information.
Our annual reports, which we supply to Parliament, can be debated by Parliament. We can produce reports. For example, most recently, there was the Russia report, which highlighted what the Government had not done rather than what it should have been doing. The contention from the Cabinet Office is that if information goes to the ISC, it is in the public domain. That is a little bit insulting. We do public reports, which have information that can be put into the public domain, but there are always secret annexes that go to the Prime Minister and are not made public, which allow us to question decisions and highlight issues that we think the Prime Minister should take notice of. It is a valuable mechanism for scrutiny.
The argument that will come from the Cabinet Office is that DCMS is not covered. It is. The memorandum of understanding says:
“The ISC is the only committee of Parliament that has regular access to protectively marked information that is sensitive for national security reasons: this means that only the ISC is in a position to scrutinise effectively the work of the Agencies and of those parts of”
the Government
“whose work is directly concerned with intelligence and security matters.”
I accept that DCMS’s day-to-day work is not covered in the description of national security, whether or not this is an issue of concern to individuals. I think it is. There could be an argument as to why the Department for Digital, Culture, Media and Sport got this legislation and whether it should perhaps be put in another Department. I do not agree with that, because I think the general issue of telecoms fits well into the Department’s wider briefs.
Increasingly, a number of Departments are getting involved in, or taking responsibility for, areas that involve national security. BEIS and the National Security and Investment Bill is a good example.
Chi Onwurah
My right hon. Friend is far too modest to set out his vast experience with and long-standing membership of the Intelligence and Security Committee. Does he agree that the geopolitical and technological shifts in the last decade in particular—perhaps the last two decades—have meant that the threats to our security come from a broader range and, more specifically in a more technologically-based range, and we have seen our defence requirements move to cyber-security? Therefore, as he said, the increased need of Departments to consider security issues means that the Intelligence and Security Committee’s ability to review items that require security clearance is important. Does he understand why the Government will not allow the Committee to do that?
Mr Jones
My hon. Friend knows that modesty is one of my trademarks, but no, I do not—I do not understand it, nor do I understand where the Government are coming from. I do not think that the problem is with the Minister or his Secretary of State; I think it is the culture of the Cabinet Office, trying somehow to test the Justice and Security Act to destruction. Its argument, basically, is that DCMS is not on the list of organisations, but the Act and the memorandum of understanding are clear: we have jurisdiction over matters that relate to national security, which this clearly does.
Christian Matheson
I am grateful to my right hon. Friend for providing inspiration for a speech that I will make later, when I will make similar points on similar provisions. Listening to him and to the hon. and gallant Member for Bracknell—whom I also like, incidentally—talk about the alternatives, it strikes me that there are only three: to provide classified information to be laid before the whole House or the DCMS Committee; to do the right thing and to provide that classified information to the Intelligence and Security Committee, which was surely established for exactly that purpose; or to have no scrutiny at all. It is one of those three alternatives. Surely the Government are not pushing for no scrutiny at all.
Mr Jones
I must say that this is the first time I have heard that one of my contributions to a Bill Committee is inspirational. I shall mark that as something to be remembered. However, my hon. Friend summarises the position very clearly: the DCMS Committee cannot deal with this, because the nature of the information garnered could not be shown to them, given its classification. We would not want to do that because this is highly sensitive information—meaning no disrespect to the members of that Select Committee. Some of it is not our intelligence; some of it will come from our Five Eyes partners, so it is about guarding not just our secrets, but theirs. Any leaking or compromise of that type of intelligence affects not only our ability with this type of work, but our relations with our Five Eyes partners. The next option, the ISC, is the obvious one. The third option means that the Government must put through a Bill that does not allow Parliament to scrutinise these matters at all. I do not think that that is what the Minister, or his counterparts in BEIS, believe. I think we will have a to and fro on this, and will get there eventually, but it will be hard work.
As my hon. Friend the Member for City of Chester says, scrutiny is important in helping to ensure that there is not only public but parliamentary confidence that the decisions are at least being looked at. Some of the decisions will be very controversial and the Government need covering. Will that be onerous for the Department? No, because all it will entail is that the report should include the decisions taken and the reasons why. We can ask, and be supplied with that, and that, I think, is important.
Yesterday, speaking on the National Security and Investment Bill, the Under-Secretary of State for Business, Energy and Industrial Strategy, the hon. Member for Stratford-on-Avon (Nadhim Zahawi) said that the ISC can ask for the information and demand that the Secretary of State comes before it. There are two important points about that. First, yes, we could do that. However, and as I said yesterday I do not for one minute suggest that the Secretary of State or the Department would want to refuse, but there is no legal justification behind it. If a future Secretary of State said “No, I am not appearing or giving you the information,” there would be nothing at all that the ISC could do.
I remind the Committee as I reminded the two Ministers in yesterday’s debate that we are all, as the great Robin Day once said, “here today, gone tomorrow” politicians, so any legislation we pass here must be future-proofed. Not only must we be satisfied with it; it must go on. The other important aspect of what the Under-Secretary said was the recognition of the ISC’s role in asking for information in relation to the National Security and Investment Bill. However, if it is possible to ask for information a mechanism is needed to guarantee it. I think that is also the case for the Bill that we are considering.
It will be interesting to see how the Minister responds, and whether he really believes what he will tell me, but there is a mechanism available and it would be easy and not burdensome. I stress that not for one minute is it suggested that the ISC would veto decisions or have any involvement in them. As with much of our work, apart from certain issues, it would be retrospective, looking back at decisions that had been taken. If mistakes, issues and concerns are raised, we can raise those directly with the Prime Minister and Departments. That is another check and balance in the system, of which I think you, Mr Hollobone, would approve, in view of your vociferous wish, whatever the Government, to hold the Executive to account. The mechanism is pretty straightforward. Either we put it on the face of the Bill or we get it into the memorandum of understanding.
There is an increasing problem with the involvement of more and more Government agencies that are not traditionally involved in national security, such as the new Joint Biosecurity Centre, which falls within Department of Health and Social Care. All the information that they will get is classified, so how, again, will Parliament scrutinise it? That will be important.
Christian Matheson
Perhaps my right hon. Friend will reflect on a third issue. The Committee cannot ask for information if it does not know that it exists. If there is no obligation to report orders to the Committee there is no way for it to know that they have been made, and that it needs to scrutinise them.
Mr Jones
There is, but to give a bit of background, we are quite tenacious on the Committee and if we do not get what we ask for we usually keep on and get it eventually. Some of the agencies are better than others, but overall the working relationship with GCHQ has always been a very good one. The amendment would help the Bill, but I think we will to and fro on this.
Chi Onwurah
I will not detain the Committee long, given that my right hon. Friend the Member for North Durham made such excellent points. I will add one point of consideration, which again, his modesty may have forbidden him from making.
The amendment goes to the heart of our concerns about the scrutiny of the provisions in the Bill. I say again for the record that we support the wide-ranging powers that the Bill gives the Secretary of State, but those powers must come with appropriate scrutiny, not because scrutiny is a “nice to have” or, as my right hon. Friend said, because the ISC needs further work, but because scrutiny of the provisions is essential to the good working of the legislation in practice.
Considering specifically the impact of the requirement to remove Huawei at this stage in our 5G roll-out—the economic impact, the cost to the providers and the cost to our economy—we recognise that it is the right thing to do, but we must also recognise the cost of doing it. Back in 2013, the ISC was one of the first parliamentary organisations to raise the issues around Huawei. I truly urge the Minister to accept this constructive amendment to support the appropriate provision of scrutiny.
My other point is more about the working of the clause, which gives the Secretary of State the power to make regulations that require providers to take specified security measures. As we know, the telecoms security framework and telecoms security requirement, to which all providers must adhere, will be set out in delegated legislation. In his response, will the Minister give us some idea of why the Secretary of State might need to set out additional specified requirements that are not in the draft of the TSR that he has published? Is the intention of the clause to enable him to set out additional specified requirements, or is it to enable him to highlight particular specified requirements that he does not think the providers are meeting quickly enough? In either case, does that not suggest that there are particular security concerns, either about providers or about the circumstances, that require these specific security measures? To come back to my first point, does that not highlight for those concerns to receive parliamentary scrutiny, with the appropriate clearance, which is to say that of the Intelligence and Security Committee?
Matt Warman
I start by acknowledging the incredibly important work that the ISC does. Its role in overseeing the work of the UK intelligence community is vital to maintaining public trust, as the right hon. Member for North Durham described, and its members make important contributions to public debates on national security matters of all kinds. The right hon. Gentleman has done that for a number of years. Because he is a member of the ISC, he will know that I have proactively engaged with it on the substance of the Bill. I did so enthusiastically—if any Minister can ever regard a Select Committee appearance enthusiastically—and in recognition of the interest that I knew that Committee would have in the Bill. I will be writing again to the ISC on a number of matters raised in the Bill, and I have instructed officials from my Department to continue to engage with the ISC as the Bill proceeds through Parliament, building on the work that it has already done and on the transparency that we have already demonstrated by publishing the draft of the security framework regulations on 13 January, copies of which have been provided to the members of the ISC and a number of other interested Committees. I hope that all that demonstrates the Department’s commitment to working constructively with the ISC, despite the fact that, as the right hon. Gentleman said, DDCMS does not normally fall within the ISC’s formal remit.
It is none the less important to acknowledge that the ISC is not the only legitimate avenue to scrutinise this framework. We fully intend to make use of all the appropriate parliamentary procedures.
The regulations and the explanatory memorandum accompanying them will all be there for the ISC to scrutinise. There is also further guidance to providers in connection with the measures specified in the regulations that can be provided in the code of practice, which must be published, with a copy laid before Parliament. Also, beyond the usual arrangements for secondary legislation, new section 105Z of the Communications Act 2003 provides for Ofcom to produce security reports. Clause 11 of the Bill enables those reports to be published by the Secretary of State, and clause 13 provides for a review of the effectiveness of the framework, including any regulations, after five years.
It is in that context that I point to the enthusiasm with which we have engaged with the ISC. We will continue to do so and ultimately—this is perhaps the reason why the right hon. Gentleman described this process as an ongoing campaign, rather than something that we should address piecemeal—the ISC is clearly defined in the Justice and Security Act 2013. I do not think it would be right to address the memorandum of understanding that he referred during our consideration of the Bill. We should not go at it in piecemeal fashion. The role of the ISC as set out in that MOU is to oversee the work of the security agencies, to provide oversight of certain intelligence or security matters within Government. Ultimately, if the right hon. Gentleman wants to change the MOU, that is a broader issue for him to take up. I note that he is not the only Member of this House to have made that point, but it is not my place to take a view on the role of the ISC; that should be for the ISC itself.
I am confident that we will continue to engage with the ISC; I personally will certainly do so. I know that the DCMS Committee will continue to take an interest, and I will simply say that we will co-operate as fully as possible. I will set out more in the letter I mentioned, and I look forward to the future salvos in the right hon. Gentleman’s campaign.
Mr Jones
I make no criticism of the Minister, because he has been very proactive, as has his Secretary of State. The problem is this: we have two pieces of legislation going through Parliament. We do not have security Bills very often in this place, and now we have two in a very short period of time. Both make eminent sense and I support them, but this is not something that comes up regularly.
In terms of the Minister’s co-operation, I have no complaints about the way he has operated, but he is not going to be there forever and neither is his Secretary of State, so we need to put in place something that will weather the passage of time, and create an arrangement whereby it will be seen that Parliament is scrutinising these measures. I do not know why the Government—I am sure it is not the Minister, or even his Secretary of State—are resisting this. Frankly, I am not really bothered whether it goes on the face of the Bill or in the MOU, but the Justice and Security Act 2013 is very clear that as a Committee, the ISC has the ability to look at this.
I accept that it would be wrong to get into issues around this Bill that are quite rightly, as the Minister said, for the relevant Select Committee—the Committee on Digital, Culture, Media and Sport—to deal with. We would never do that, so I will withdraw this probing amendment, but we will come back to this issue. I am not usually a betting man, but I suspect that by the time this Bill and the other Bill go through, we will have got to where both I and the Minister—I think, privately—think we should be. I therefore ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Chi Onwurah
I beg to move amendment 21, in clause 1, page 3, line 26, at end insert—
“(2A) The Secretary of State must make regulations under subsection (1) requiring providers of public electronic communications networks and public electronic communications services to carry out an audit of the goods, services and facilities supplied, provided or made available for the purposes of the provision of their network or service to ascertain whether they present a risk to the security of that network or service.”
This amendment is a probing amendment designed to learn how the Government plans to ensure network operators have a comprehensive audit of hardware of interest because, for example, it is manufactured by a designated or high-risk vendor.
The amendment goes to the heart of two of our key themes: the scrutiny of the powers in the Bill and the effectiveness of the accompanying diversification strategy. It is a probing amendment, designed to enable us to understand—or to have the Minister clarify—plans to ensure that network operators carry out a comprehensive audit of hardware that is relevant to the Bill because, for example, it is manufactured by a designated or high-risk vendor.
We tabled the amendment for a number of reasons. The first is the Government’s decision, which we welcome, to strip Huawei out of our telecommunications networks. There are questions about where that equipment is located, the level of software provision, and in particular the exact nature of the revision of the equipment within the network. In addition, the Government have not provided a plan for locating and removing Huawei from our networks; instead, they have opted to leave it entirely to private sector providers.
That might seem appropriate, but as someone with 20 years’ experience in the telecoms sector, I have to say that it is generally not the case—I am not insulting any individual provider—that providers know exactly where every bit of equipment is located and what level of software or build is associated with the equipment.
James Sunderland
Given that the Bill mandates that vendors could be fined up to 10% of annual turnover or £100,000 a day for violating the terms of their obligations, does the hon. Lady agree that a full audit of all goods and services supplied could be quite draconian and onerous?
Chi Onwurah
I am slightly confused, to be honest, because there was a contradiction there. It is a basic, inherent requirement under the Bill to understand the security implications of a network—the security implications, the security threat and future compromises. It goes to the amendment tabled by my right hon. Friend the Member for North Durham. Given that different components might provide different threats, it is essential to understand the kit that is in the equipment in order to meet the requirements of the security framework. So no, I do not think it is draconian that there should be an audit of the equipment. Indeed, providers should have this information already, but I know from my own experience and the experience of those who gave evidence, which I will come to in a moment, that this is not always the case because networks are so complex, and because our networks today have built up over decades and decades. There is software running in some of our networks that has been around for 40 or 50 years, as well as copper lines that have been around for even longer. So it is not always the case that this information is known.
Christian Matheson
Does my hon. Friend agree with me that having the carrot of an audit might help firms to avoid the stick of a draconian fine that the hon. Member for Bracknell referred to?
Chi Onwurah
As always, my hon. Friend makes an excellent point. Indeed, the audit, which I agree is burdensome if the information is not already in the management systems, which it should be, would, I hope, be less burdensome than the potential fines for not meeting the basic requirements of knowing what is in the network and where it is. Also, that challenge has been made more complex by the subcontracting of different parts of the telecoms networks.
For example, network providers such as Vodafone or Three have primary vendors—currently Ericsson or Nokia—but there might be subcontractors who provide particular elements of the network and particular management elements. We hope that that will be increasingly the case as we seek to open up the supply chains and make them more diverse. A basic and critical requirement for the Bill to be effective is to have a more diversified supply chain. More suppliers go hand in hand with a diversified supply chain, and therefore different types of equipment, of which we will need to keep track.
Mr Jones
The hon. Member for Bracknell has argued that regulations are somehow burdensome on business and unnecessary. It is only when things go wrong that we look back and think, “Wait a minute. That regulation or audit, which was suggested in an amendment, was vitally important.” We must get the context right. These amendments are being tabled not for their own sake but to ensure that security is improved.
Chi Onwurah
My right hon. Friend makes an excellent point. As someone who worked for a regulator for six years, I might be expected to agree with my right hon. Friend on the point of regulation; in this context, regulation should not be seen as a burden. As my hon. Friend the Member for City of Chester set out, it should be seen as a carrot—an incentive—to get things right. Imagine we had known and been able to see how Huawei’s presence in BT’s network, over the last 15 years or so, would rise from small beginnings to becoming the principal vendor. That might have rung more alarm bells and been an incentive to have transparency.
Regulation is also about levelling the playing field and enabling more effective competition. The better providers will do that, but some providers may not. We want a level playing field, particularly because the 2019 UK Telecoms Supply Chain Review said that there was not an incentive for security in mobile networks. It concluded specifically that there was no incentive for security in mobile networks. Given that conclusion and some of the points provided in the evidence sessions, the Bill does not address incentives to ensure security by design in our mobile networks. It has burdens and fines for not doing that, but it does not have positive incentives.
Christian Matheson
Was not that exactly the problem with Huawei, which has undercut and undermined so much of the telecoms sector elsewhere, either on price or on shoddy workmanship, as my right hon. Friend the Member for North Durham said? This amendment addresses that issue. By raising standards, we help existing and future contributors to the sector to come in and address the problem that Huawei caused.
Chi Onwurah
Again, my hon. Friend makes an excellent point with regard to the way in which Huawei grew in the telecoms sector. I do not want to detain the Committee on that history, but Huawei grew by under-cutting existing vendors, building up scale and making its profits by locking in network providers, despite issues with the quality of the equipment, which, as we have discussed, our security services identified.
Having visibility of network equipment, as well as the level of concentration of any one provider, will enable us, in part, not to get into such a situation of dependency in future. Again, I would emphasise that this is about incentivising what should happen but is unfortunately not always the case. That is not simply my view or that of the Labour party; it is the view of witnesses who participated in our evidence sessions. For example, Andrea Donà said:
“It is vital that the secondary legislation that accompanies the Bill clarifies assets in the telecoms network architecture that will be in scope of the security requirement, so that we can work knowing what we have audited, and knowing that the auditors always shared with NCSC. We need a clear understanding between Ofcom and us as providers before the legislation is enforced, so that we understand exactly the boundaries and the scope, and we all work together, having done the audits, to close any vulnerabilities that we might have.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 13-14, Q10.]
Dr Bennett said:
“I would hope that those at the top level are clear about it, but I would be surprised if there were not occasions when they had used subcontractors to do maintenance and the imperative had been to sort out the fault ASAP. Knowing precisely what components had gone in could be wrong, and that might come up in an audit. I think it becomes more important as you flow down the levels.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 49, Q62.]
Dr Bennett later said:
“I have said that audit is needed of the assets in the network. The costs of being audited and of dealing with audits are very high, and they are costs that small companies may not have the resources to meet.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 52, Q67.]
Ofcom said that it was more or less impossible to meet the requirements set out in the codes of practice for the operators, unless it had a detailed asset register of everything in its system. We will expect to see evidence of that, and we expect that it will be regularly checked, audited and so on. We recognise the potential costs of an audit, particularly for smaller providers, although most of them have newer networks and equipment and should have a lot of this information already available. Ofcom is anticipating that this is something it would need to have access to, yet there is no requirement in the Bill or, as far as I can see, in the delegated legislation that has been published to make that requirement.
I have mentioned that this is a probing amendment. I am not sure that it is necessary to have it on the face of the Bill, and it might be that it will be provided for in delegated legislation, but we need a clear and strong strategy for the detection and removal of high-risk components, vendor hardware and software. Otherwise, the Bill will not protect our national security effectively. I hope the Minister will give clarification on that.
The Chair
Order. Mr Jones wants to speak, but he will have to wait until this afternoon.
Ordered, That the debate be now adjourned.— (Maria Caulfield.)
Telecommunications (Security) Bill (Sixth sitting)
Thursday 21st January 2021
(3 years, 2 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 21 January 2021 - (21 Jan 2021)
The Chair
Before we resume, I have been asked by Mr Speaker to remind people that, when they are not speaking, they should wear a mask. I know this is extremely inconvenient for lots of people, not least me—my glasses steam up. I do not want to be taking names or issuing yellow cards, but may I ask you to try to be mindful of Mr Speaker’s concerns and do the best you can? Hopefully we will all be okay.
Clause 1
Duty to take security measures
Amendment proposed (this day): 21, in clause 1, page 3, line 26, at end insert—
‘(2A) The Secretary of State must make regulations under subsection (1) requiring providers of public electronic communications networks and public electronic communications services to carry out an audit of the goods, services and facilities supplied, provided or made available for the purposes of the provision of their network or service to ascertain whether they present a risk to the security of that network or service.’.—(Chi Onwurah.)
This amendment is a probing amendment designed to learn how the Government plans to ensure network operators have a comprehensive audit of hardware of interest because, for example, it is manufactured by a designated or high-risk vendor.
Question again proposed, That the amendment be made.
Mr Kevan Jones (North Durham) (Lab)
I am demasked. Welcome to the Chair, Mr McCabe. It is a pleasure to serve under your chairmanship. The amendment’s intention is similar to that of new clause 7, which we spoke about earlier. My hon. Friend the Member for Newcastle upon Tyne Central is trying to probe, like I was, how we get operators to ensure that there is a full audit of their telecoms networks. This is not an easy situation. I accept what the Minister said about trying to strike a balance between prosperity—not wanting to put undue burdens on operators—and ensuring security. As my hon. Friend said, with her huge expertise in the field, these networks are not static entities; they develop over time. The example that she cited was that some of the kit in networks is many years old, which may now create security issues that were not evident when the equipment was introduced.
We are not talking about too onerous a burden on the network operators, because they are large companies. I accept that they will be resistant to anything that adds cost because, at our insistence of wanting cheaper phone calls and mobile technology, prices are competitive between the various operators. My hon. Friend therefore makes a good point that there must be a clear level playing field between the operators.
The Bill will ensure that existing Huawei kit is taken out by 2027, even though the networks did nothing wrong by putting in that kit in the first place. Without wanting to carry on my campaign against the Cabinet Office, the Intelligence and Security Committee’s 2013 report “Foreign involvement in the Critical National Infrastructure” shows that the Cabinet Office was made aware of BT’s contract with the Chinese company Huawei in 2003. That the Cabinet Office felt it was not important enough to tell Ministers so until 2006 reinforces my point about its role. That brings me to Ofcom and its capacity, which I will come to later. If we want the most robust system, we will need a system by which we know what is in the network.
There are two issues. I think it is possibly easier for future deployments, because we know what we are putting in. In the debate around Huawei and the security risks, I think it has been very clear. Let us be honest: an operator would be very silly to put in a piece of equipment that was deemed to be high risk for any future roll-out. However, as my hon. Friend says, it is what is already in the network. We accept that some of that will be taken out as a result of the Huawei issue, but a huge amount of equipment will still be in there.
That is before we look at software. What saddens me about the entire debate around Huawei and the telecoms sector is that it has been very hardware-centric. We know that the risks to our network from software are greater in some respects; we have seen examples of where network compromise is easier, too. Again, how do we get a robust framework in terms of the audit around software—not just what has already been used, but what will be used in the future?
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
My right hon. Friend is making some excellent comments. He has raised another issue, which I perhaps did not highlight in my speech, which is that there might be existing equipment that is not necessarily seen as having a security implication but that, as the network evolves, will pose a security threat in the future. I gave an example in the evidence sessions. Say Amazon Web Services was to be bought by a Chinese company. As our networks move the functionality into the software, that will be running in the cloud over the Amazon Web Services infrastructure, which would have a huge potential security impact. An effective audit of where that equipment is now would be critical to knowing the level of that threat.
Mr Jones
I do not disagree with my hon. Friend. That is why we need to get into the idea of the audit. As I said earlier, we basically need a level playing field for operators; we do not want one to have an advantage over another. We also need a clear picture of what we are asking in terms of the audit. On the point she makes regarding web services and the cloud, there is an issue there that I think is worth referring to. It links today’s Bill with the National Security and Investment Bill, which we were discussing yesterday. There was a lot of discussion around what we define as critical—a point she has already raised.
For yesterday’s Bill, the question was what is critical to national infrastructure—for example, a company that is developing software that is then acquired by a state that we deem is a security risk to us. If that equipment or software is being used in our telecommunications network, does that mean that the network is compromised, and how do we guard against that? There are provisions in the National Security and Investment Bill that enable the Government to stop the acquisition of companies that we consider vital to our national security, but unless we know that in advance, how will we make that decision?
If we have a situation where a small company is providing software for part of our critical national infrastructure for telecoms, how will that be joined up? How will we be able to use the provisions in the National Security and Investment Bill, so that the Business Secretary can block the sale? Likewise, how do we get that connection? We can do that only by the Minister and Ofcom having a very clear indication from day one—I do not think it will be possible from day one, but from some time into it—what is in our network, not just now, but into the future. That will be important.
That brings us to the role of Ofcom. We have seen a development of regulators in this country. I am not a great fan of regulators, because I think it is a way for Ministers to palm off their responsibilities to third parties and then stand back and saying, “If it all goes wrong, it is nothing to do with me, guv—it is these independent organisations.” A long time ago—perhaps it is a bit old-fashioned—the General Post Office used to be responsible for this type of thing, and I am currently reading the excellent new history of GCHQ that has come out, which I recommend to everyone. It is fascinating to read about some of the challenges—things that apply to this Bill—such as, in the first world war, what was conceived as national security and who was responsible for it. Was it the GPO, the military or someone else?
How will Ofcom be able to look at a network and say, “Yes, we are satisfied that there is nothing in there that is a matter of national security”? They do not know. I do not think for one minute that we are going to have a situation whereby this Government or any future Government will suddenly throw so much money at Ofcom that a huge army of inspectors will be climbing up poles and going into operators’ offices to check source codes and so on. That is not going to happen.
From a practical point of view, the operators will have to be responsible for providing that information to Ofcom. Whether it is in the Bill or in the guidance, it must be clear what is expected of operators. It is no good looking back in hindsight and saying, “We should have done that,” when something happens. The operators will just say, “You did not tell us we had to do that,” or, “We didn’t know about that.” It has to be very clear, to prevent a competitive advantage between different companies, that there is one standard. They also have to know what we are asking for. Then, taking the telecoms hat off and putting the national security hat on, from the Government’s point of view, that needs to be very clear as well, because we need to be reassured that the components and software in those networks, now and in the future, are not a national security risk.
That brings us to an issue that I have already raised. I am not someone who thinks that every time we go to bed at night, we should look under the bed to see whether the Chinese are there, unlike some members of the China Research Group, but there is an issue about the way in which China will look at supply chains as a way of getting access, for two reasons. The first is national security. The second is commercial reasons—dominating the market, which is what China has done with Huawei. How will we identify that, without having some type of audit process? I do not think that everything to do with China is bad, but a huge number of the components in all our mobile phones in our pockets today will have come from China, including Ericsson and Nokia hardware.
James Sunderland (Bracknell) (Con)
I am enjoying the right hon. Gentleman’s logic. He talks a lot of sense, which is great. I am really intrigued by his insistence that the Government place these obligations on the National Cyber Security Centre and Ofcom. In my humble view, and knowing how those organisations work, it is likely to be the case that the Joint Forces Intelligence Group, GCHQ or the National Cyber Security Centre inform Government where there have been transgressions of security and breaches. I am intrigued by the counter-logic with where I think we need to be.
Mr Jones
This is a remarkable day. This morning I was told that my contribution to the debate was inspiring, and now I am being told that I am talking sense—I thank the hon. Gentleman for making my day.
The hon. Gentleman is right, but he is also wrong. He is right in the sense that there are threats that will come through GCHQ and others—they will say to operators, “You’ve got to be careful of these things.” Where he is wrong, though, is with the idea that somehow GCHQ can take a guess at what is in the network. It does not have that capability. Going forward—the emphasis in this country, in the Bill, in terms of looking at telecoms security—yes, the bar has been raised substantially.
There will be occasions when GCHQ—it does it already —contacts operators and others to say, “Beware of this software or this thing.” I accept that as a proactive approach, but handling backwards will also be important. How do we have a gold-plated system, whereby we have GCHQ doing what the hon. Member for Bracknell suggested they are already doing, but one that also matches up with operators taking responsibility to say, “We have spotted something and are doing something about it”? It is pulling the two things together.
Chi Onwurah
Part of the challenge is that the operators do not know themselves and, as we have discussed, there are no incentives for them to find out. To give an example, Virgin Media took over from NTL, which I think took over from the 13 different cable providers in the franchises of the ’80s, and the BT mobile network was bought partially from EE—so there are takeovers and acquisitions, and partners may not know, and do not necessarily have an incentive to find out unless we put in a requirement.
Mr Jones
My hon. Friend makes the point precisely: the way in which telecoms have developed in this country has been piecemeal, only developing now into the four main operators. I hope we will try to get others into the market.
We are to blame for that, as consumers, because we have demanded ever lower prices for our mobile services. Does that suggest that the operators have taken shortcuts? No, I am not suggesting that, but consumer preferences have driven down price, and therefore the costs of what those operators provide in delivering the services that we all take for granted. Let us be honest: the Chinese saw the opening door for Huawei—that is why they bought into and flooded the market, putting Government loans behind it. Can we blame the operators for saying, “Well, actually, this is a good deal—we can get good deals”? But they cannot.
I am interested to know from the Minister how, looking forward, we are going to do that. I accept that something will be done under the regulations that the Government will put out, but how will we look backwards as well? As my hon. Friend the Member for Newcastle upon Tyne Central said, there is a lot of legacy equipment there, and it is important for Ofcom to have a clear understanding of what is in the networks.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
It is a pleasure to serve under your chairmanship, Mr McCabe.
We are redefining UK telecoms security, but I worry that we are also redefining the aspiration of the hon. Member for Newcastle upon Tyne Central to crack on, so I will try to be brief. The good news that I can deliver, briefly, is how the aspirations of both the hon. Lady and the right hon. Member for North Durham are met in the legislation, and how we envisage those aspirations’ being implemented.As the Committee is aware, the Government have published an early draft of the security regulations. Certain draft requirements are relevant to the aims that we have talked about today. If hon. Members look at regulation 3(3)(a), with which they will be familiar if they are insomniacs, they will see a duty for network providers
“to identify, record and reduce the risks of security compromises to which the entire network and each particular function… of the network may be exposed”.
That is already there and key to the issues that hon. Members have been talking about.
Chi Onwurah
I had looked at those requirements. I appreciate that they are drafts, but they talk about identifying issues. They do not say “audit”.
Matt Warman
I think this would be impossible to identify without carrying out some kind of audit. There is a danger of a semantic argument, but I understand the point the hon. Lady is making. We want people to be in the position to make the kind of identifications that we are requiring. I do not see how they could do that without the records to which she refers, in terms of both the existing kit and future kit that they might put into their network.
Christian Matheson (City of Chester) (Lab)
This is an important point. The criticism that I will articulate later is that too much of the Bill is based on an assumption that the players in the sector will automatically do the right thing. For example, there is an assumption of a dialogue between Ofcom and the major players. Will the Minister think about whether he is satisfied that an assumption goes far enough in something as important as this?
Matt Warman
The regulation that I cited is an example of the Government not relying on assumptions. It is an example of us publishing, in advance, exactly the sort of material that demonstrates that this is not assumptions, and that it is there in black and white. That is an important distinction and it demonstrates the cross-party consensus that we have had thus far. We continue to be on the same page in terms of the level of detail required.
The evidence sessions with industry demonstrated that national providers already maintain some asset registers. Witnesses were clear that those registers are maintained and updated as technologies are updated. That is an important part of the existing landscape, but our regulations will ensure this kind of best practice is extended across public telecoms providers.
In addition, the Bill contains measures with regard to the use of particular vendors’ equipment. Inspection notices under clause 19 enable Ofcom to carry out surveys of a specific network or service where Ofcom receives a monitoring direction from the Secretary of State to gather information on a provider’s compliance with a designated vendor direction. Alongside that, clause 23 enables the Secretary of State to require the provision of information about the use of goods, services or facilities supplied, provided or made available by a particular person. That could be used to require information about a provider’s use of a particular vendor’s equipment.
Taken together, the issues that have been raised are not only entirely legitimate, in the view of the Government, but are addressed in black and white already, both in the Bill itself and in the drafts that we have published. We are ensuring that “hardware of interest,” whatever that might be, is subject to proper oversight and monitoring. That objective does not need the approach that might come as a consequence of this amendment, because it is already there. For that reason, I welcome the probing nature of the amendment. I hope that my answer has satisfied some of the concerns, and I look forward to doing so further in future answers.
Chi Onwurah
It is a pleasure to serve under your chairmanship, Mr McCabe, and I thank the Minister for his comments. I also thank my right hon. Friend the Member for North Durham and my hon. Friend the Member for City of Chester for their comments. This amendment is probing, so we will not push it to a Division. I would like to say two things to the Minister. Although it is true that the providers were confident that they had an asset anywhere their equipment was, other experts who gave testimony in the evidence sessions were not. My experience of networks is that there are multiple systems and this information is not easily accessible or searchable.
I am reassured by the Minister saying that his view is that these requirements could not be met without there having been some kind of audit, to have that information ready. I ask him to write to me, if possible, stating which provisions in the requirements set that out. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
Matt Warman
It is good to reach this landmark point. I do not propose to go over all the ground we have covered, because we have already covered a large chunk of this in discussing the amendments.
As I mentioned, proposed new section 105A means that telecoms providers will need to take appropriate action to ensure adequate security standards and limit the damage caused by any breaches. To support that duty, the proposed new section will create a new definition of “security compromise”. The definition is purposely broad. It includes anything that compromises the availability, performance or functionality of a network or service, or that compromises the confidentiality of the signals conveyed by it. That addresses some of the points made by the right hon. Member for North Durham a moment ago. This is a comprehensive approach that will help to ensure providers protect their networks and services properly in the future.
Earlier, I mentioned law enforcement and national security. This part of the Bill excludes certain conduct that is required or authorised under national security legislation or for law enforcement from the definition of “security compromise” in subsections (3) and (4). Those subsections also clarify the fact that, for example, disruption of the use of unauthorised mobile phones in prisons would not be a security compromise.
Proposed new section 105B will give powers to the Secretary of State to make regulations imposing duties to take specific security measures. The power will enable more detailed requirements to be imposed on providers, further to the overarching duty set out in proposed new section 105A(1). This will give greater clarity to providers about the measures that they must take. It will also allow the legal framework to be adapted as new threats arise and technology changes.
These security requirements deliver on our commitment in the telecoms supply chain review to place targeted, actionable and proportionate requirements on a statutory footing. Taken together, the new overarching security duty and requirements will, in secondary legislation, make clear what the Government expect of public telecoms providers. The provisions in the clause are crucial for improving the security of our telecoms infrastructure.
Chi Onwurah
As the Minister says, reaching the end of consideration of clause 1 is a landmark. We are cracking on at a slower pace than anticipated, but it is important that we have rehearsed a number of the arguments that you will hear, Mr McCabe, throughout our detailed scrutiny of the Bill.
Those arguments relate to our concerns with regard to national security, which Labour prioritises, yet we do not see that priority recognised consistently in the Bill; the effective plan to diversify supply chains on which it depends, but which it does not mention; and the scrutiny of the sweeping powers that the Bill will give to the Secretary of State and Ofcom. Those issues all arise in the clause, although we welcome the Bill and the increased duties. Will the Minister clarify the relationship between proposed new section 105A and proposed new section 105B? If he cannot do so now, perhaps he will write to me.
Matt Warman
I am happy to write to the hon. Lady on the matter she has discussed. We anticipate draft directions in due course that will be network specific, because each network is different, but the overall tenor will be in the same direction. This is probably a matter that we can talk about outside the Committee in a bit more detail to make sure she gets the answers she wants.
Question put and agreed to.
Clause 1 accordingly ordered to stand part of the Bill.
Clause 2
Duty to take measures in response to security compromises
Question proposed, That the clause stand part of the Bill.
Matt Warman
We are one thirtieth of the way there. The clause will place a duty on providers to take measures in response to security compromises through proposed new section 105C. When managing security, providers should seek to reduce the risk of security compromises occurring under their duty in proposed new section 105A. As security threats and attacks evolve, it will never be possible for providers to reduce that risk to zero. Therefore, should a security compromise occur, it is crucial that providers take swift and effective action to mitigate its effects. Taking action quickly will also help to mitigate the risk of any further incidents.
Mirroring the approach taken in clause 1, the new duty in proposed new section 105C is overarching and sets out a general duty on providers. It is supported by proposed new section 105D, which will provide the Secretary of State with powers to make regulations requiring providers to take specific measures in response to security compromises of a description specified in regulations. Although it will clearly not be possible to anticipate every security compromise that might occur and to set out how providers should respond, this will enable more detailed provision to be made in appropriate cases. Measures can be specified in the regulations only where the Secretary of State considers those measures appropriate and proportionate.
In practice, the first set of requirements will be contained in a single set of regulations made under the powers of proposed new sections 105B and 105D. A draft of the regulations has already been made available to members of the Committee, and published on gov.uk. Regulations made using this power will give providers clarity about the measures that they need to take, and having those measures set out in secondary legislation has the benefit of allowing the regulations to be reviewed as technology and security threats change over time.
In summary, this duty on providers is an integral part of the new framework, which will ensure providers take control of the security of their networks and services at a time when the UK stands on the cusp of a 5G and full fibre revolution. We must keep those technologies secure to enjoy their full benefit, and the clause is essential to doing that.
Chi Onwurah
We are cracking on: clause 2 is taking but a few minutes. The Opposition recognise the critical importance of our network providers taking responsibility for the security of their networks, and that there can never be a zero-risk network. Given that network communications are ever present in almost every aspect of our life and of our nation’s economy and security, it is right and appropriate that the Bill should put requirements in place, both on the operators and in response to specific security compromises.
I should like to have better understood how we would expect network operators to respond to a compromise such as the SolarWinds one, for example, but I expect that the clause will at least place the right duties on network operators, and I am content that it should stand part of the Bill.
Question put and agreed to.
Clause 2 accordingly ordered to stand part of the Bill.
The Chair
This must be down to that productivity seminar they sent me on. Still, nothing lasts forever.
Clause 3
Codes of practice about security measures etc
Mr Kevan Jones
I beg to move amendment 6, in clause 3, page 5, line 4, at end insert—
“(ia) the National Cyber Security Centre;”
This amendment would require the Secretary of State to consult the National Cyber Security Centre on any draft code of practice about security measures under new section 105E.
The Chair
With this it will be convenient to discuss the following:
Amendment 10, in clause 3, page 5, line 8, at end insert—
“(iiia) the National Cyber Security Centre;”
This amendment requires the Secretary of State to consult the National Cyber Security Centre before issuing a code of practice about security measures.
Amendment 5, in clause 4, page 7, line 41, after “OFCOM”, insert—
“and the National Cyber Security Centre”.
This amendment would require providers to inform the National Cyber Security Centre, as well as OFCOM, of any security compromise.
Mr Jones
We are romping through the Bill, aren’t we? Two clauses in less than 15 minutes.
Again, these amendments are probing. I might sound like a broken record, but my aim with them is to ensure that national security and those who deal with national security decision making are at the centre of the decisions that are taken. Amendment 6 would require the Secretary of State to
“consult the National Cyber Security Centre on any draft code of practice about security measures under new section 105E.”
The Minister will say, “Well, it is self-evident that they will do that,” but going back to my Robin Day analogy from this morning, legislation needs to survive him, me and everyone else. The guidance will change over time, and we have to ensure that whoever is sitting in the Minister’s seat in 10 years’ time—hopefully, it will not be the current Minister, not for any unfair reason, but because he has gone on to higher and better things—the onus is on the Secretary of State to consult. Having that on the face of the Bill, or at least some discussion about it, would reinforce that, because the Secretary of State will move on, and there will be new civil servants, who might not have as clear an indication as the Minister will give today, or perhaps a Minister who thinks that this is the key part.
It might be a bit anorak-ish, but the problem with the national security world, which I inhabit occasionally, is that people can see everything through the national security prism—although I am not sure that that is the case for everyone. It will be important to ensure that the individuals at the National Cyber Security Centre have a real input, and not just to say that they will be consulted. The NCSC, which was introduced at the tail end of the coalition Government, is the only positive thing I can think of that that Government did. We now have a world-beating centre that protects our national security and also does a very strange thing: it looks to the secret world, but also looks outwards, engaging with the industry and individual citizens, too.
That is now being replicated around the world. I chair the science and technology committee of the NATO Parliamentary Assembly. On our visit to the UK the year before last, we visited the centre, and most of my parliamentary colleagues from across the world, including the US, were quite impressed with how it balanced complete secrecy about things that need to be kept secret and having that outward-looking approach. I am really just trying to see how we can ensure that going forward.
Amendment 5 seeks to ensure that the NCSC, as well as Ofcom, is informed of compromises and breaches. I am sure the Minister will tell me that Ofcom and the NCSC have such a symbiotic relationship that that information will automatically be transferred, but again we are assuming a lot about what will be done. It is important that this Committee at least discusses how we ensure that that continues. I will come to Ofcom personnel, but various comments have been made. I asked the head of Ofcom about Ofcom’s expertise in dealing with these issues, and this comes back to the point I made to that witness. This is about mindset. Whether we like it or not, people in the security world think differently from the rest of us in how they approach things. Ofcom will have a learning curve, not only in recruiting the individuals with the capability to do this work, but in ensuring the culture to react to these issues. My two amendments seek to ensure not only that national security is at the heart of the Bill, but that practitioners have a clear focus on national security risk.
Chi Onwurah
I rise to support my right hon. Friend’s excellent comments and to add a couple of points on amendment 10, which would require the Secretary of State to consult the National Cyber Security Centre before issuing a code of practice about security matters. My right hon. Friend spoke ably about the amendment’s intent to ensure security input on national security measures. That sounds basic, so I hope the Minister will explain why he feels it is unnecessary to make that explicit in the Bill. My right hon. Friend suggested that perhaps it should go without saying, but as we heard in the evidence sessions and have already discussed, the evolving security landscape and the change that the Bill represents, through the new powers for the Secretary of State and Ofcom, make it particularly important to set that out expressly.
The Bill looks at many issues to ensure the security of our networks from supply chains to requirements on network providers as well as raising technical issues, and Ofcom will need to do a lot specifically, so it is important to have a specific reference to the security function of the National Cyber Security Centre.
It came across clearly in the evidence sessions that Ofcom will not be making national security judgments. Lindsey Fussell said:
“It is important to say that, across the scope of the whole Bill, it is not Ofcom’s role to make national security judgments. That is really important. Clearly, that is the Government’s and the Secretary of State’s role, taking advice from the NCSC and the intelligence agencies.”—[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 89, Q113.]
In introducing the code of practice, it is essential to ensure that security input and expertise. I do not see why the Minister would object to including such a requirement in the Bill. Unfortunately, we are not always as joined up as we would like to be. There are numerous examples of issues that could have been prevented, had agencies of Government done what might have been expected of them and talked to teach other. As the Bill involves network operations and deep technical and security issues, a requirement to consult the NCSC is particularly important, and that is what the amendment would achieve.
Matt Warman
I apologise in advance, having said that we should crack on, for detaining the Committee for a few minutes on this group of amendments. They relate to clauses 3 and 4, which deal with the codes of practice for security measures and informing others of security compromises. Ultimately, the new telecoms framework comprises three layers. There are strengthened overarching security duties set out in the Bill, there are specific security requirements in secondary legislation, and there are detailed technical security measures in codes of practice. Clause 3 deals with the final layer of the new security framework. Specifically, it provides the Secretary of State with the power to issue and revise the codes of practice and sets out the legal effects of any published codes of practice.
Clause 4 addresses what would happen should there be a security compromise. It puts in place a process for users to be informed of significant risks of a security compromise. The clause also places a duty on public telecoms providers to inform Ofcom of any security compromises with significant impacts, and it creates the power for Ofcom to inform other persons in turn, including users.
I turn now to amendment 5, which seeks to ensure that the NCSC is also informed of security compromises. From a drafting point of view, the NCSC is part of GCHQ, and I take the amendment to refer to GCHQ in that sense. Within the new telecoms framework, the Department for Digital, Culture, Media, and Sport will set the policy direction, Ofcom will regulate and the NCSC will provide technical and security advice. As the UK is an world-leading national authority on cyber-security, we expect the NSCS to share its expertise with Ofcom in order to support the implementation of a new telecoms security framework.
For that reason, the Government absolutely agree that it is crucial that the NCSC receives information about telecoms providers’ security. That is why such information-sharing provisions already exist. Under section 19 of the Counter-Terrorism Act 2008, Ofcom or the Secretary of State is able to share with the NCSC any information that would support the NCSC in carrying out its functions. That would of course include the passing on of details of security incidents. Under new section 105L of the Communications Act 2003, which this Bill inserts, Ofcom must report all serious security incidents to the Secretary and State and can pass on information about less serious incidents as well. On receiving such information, the Secretary of State can then share the information with the NCSC, as I have set out. Although these probing amendments are well-intentioned, it is obvious that the provisions are already there.
Chi Onwurah
I thank the Minister for his response to the amendments. He is focusing on the fact that it is possible for information to be shared, but it is not required. I understand that the Bill as drafted, and preceding best practice, means that it is possible for information to be shared. My concern is that it is not required.
Matt Warman
I understand the hon. Lady’s point, and I will come to something that I think will address it in a moment. Before I do, I will speak to amendments 6 and 10, as they would be functionally identical amendments to new section 105F in clause 3.
New section 105F sets out the process for issuing a code of practice. It requires a statutory consultation on a draft code of practice with the providers to whom the code would apply, Ofcom and other persons such as the Secretary of State considers appropriate. The amendments would apply an additional requirement to formally consult the NCSC when publishing a draft code of practice. I can reassure the Committee that we will continue to work closely with technical experts at the NCSC, as we have done over a number of years.
The telecoms supply chain review demonstrated the Department’s capability to work with our intelligence and security experts to produce sound recommendations, backed by the extensive and detailed security analysis that I know Members of all parties would like to see. That initiated the next phase of the collaborative work that culminated in the introduction of the Bill, and the codes of practice continue that theme. The purpose of such codes is to provide technical security guidance on the detailed measures that certain public telecoms providers should take to meet their legal obligations.
We have already been clear that NCSC guidance will form the basis of an initial DCMS-issued code of practice. The NCSC has already developed a set of technical measures that is in the process of being tested with the industry, and those technical measures have been refined and improved over the last two years. The NCSC will continue to update the measures to reflect any changes in the landscape of threats, as the right hon. Member for North Durham described, and the relationship between the work of the DCMS and that of the NCSC means that such changes would be reflected in the code of practice. Alongside the DCMS and Ofcom, the NCSC will play a key role in advising public telecoms providers on how to implement detailed codes of practice.
Mr Jones
I agree with the Minister, in the sense that I think he and the Secretary of State at the DCMS are committed to there being very close working, but as I said, he ain’t gonna last forever. An issue will come up —in fact, it came up last night on the National Security and Investment Bill—when operators and others say, “Actually, from a commercial point of view, this is more paramount,” or, “This is what we should be doing.” The Secretary of State will come under a lot of pressure to perhaps look at prosperity issues rather than security issues. I just wonder whether, without the relevant provision in this Bill, a future Secretary of State could say, “Well, I’m going to ignore that issue, because I want to pander to”—well, not pander to—“accept the commercial and prosperity arguments.”
Matt Warman
The right hon. Gentleman keeps going on about ministerial impermanence, but I will not take it personally.
Matt Warman
Too kind! The key part to this is that, obviously, Ofcom remains an independent regulator and will be working closely with others. The right hon. Gentleman makes a fair point about the inevitable balance between national security and a whole host of other issues, but ultimately that independence is absolutely essential. In the light of our long-standing and established working relationships across the DCMS, NCSC and Ofcom, it seems reasonable to say that there is a track record demonstrating what he has asked for. But given the Committee’s interest in the role of the NCSC in this regime, I will just make one last point. Its role is not explicitly described in the Bill, as the NCSC already has a statutory remit, as part of GCHQ, to provide technical security advice and to receive information on telecoms security for the purpose of exercising that function.
The NCSC and Ofcom will very soon publish a statement setting out how they will work together. I think that addresses some of what the hon. Member for Newcastle upon Tyne Central mentioned; I believe she has some familiarity with Ofcom. I think it is right, because they are independent, that that statement comes from them, as well as the Government expressing a view on this. The statement will include information on their respective roles and their approach to sharing information on telecoms security, and it should provide greater clarity, which hon. Members are entirely legitimately asking for, about the NCSC’s role, including how it will support Ofcom’s monitoring, assessment and enforcement of the new security framework.
I hope that the sorts of matters that I have talked about provide the kind of reassurance that Members have asked for.
Mr Jones
A statement is a welcome step forward, but—the Minister can write to me on this; he need not respond to me today—what is its legal weight? Again, I am not wanting to consider the Minister’s demise, but I would like to know that future Secretaries of State and Ministers will use it as the template and will not be able to say, “Well, we are going to ignore that statement.” That would be very welcome, because it would bind the two organisations together, which is important, and ensure that the security aspects were taken into consideration, but will the Minister just write to me, saying what weight the statement would have? I have to say that I sympathise; I do not like Christmas tree Bills that start having things added on. If it could be done in a complete way, I would be quite happy with that. The only thing that I want to know is, basically, what its status will be in future. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
Matt Warman
The Committee has already heard me talk about some of this, but I think it important to provide a little more detail. The code of practice, which we have discussed, is a fundamental building block of the regime and will contain more specific information on how telecoms providers can meet their legal duties. It will provide guidance on how, and to what timescale, certain public telecoms providers should comply with their legal obligations, and will be based on technical analysis by the NCSC. Individual measures will therefore reflect the best protections against the most pressing threats to network security. The code will, for example, set out the detailed technical measures that should be taken to segregate and control access to the areas of networks that process and manage customers’ data.
We recognise of course that different companies have different ways of setting up and running their networks, and because our telecoms market is dynamic and competitive, providers range in scale from multinational giants such as Vodafone down to innovative local start-ups. We want therefore to ensure that the code of practice is proportionate, and that public telecoms providers take appropriate security measures.
I will touch as briefly as I can on how we intend to achieve that proportionality through a tiered system. Tier 1 will contain the largest national-scale public telecoms providers. Should any of those providers have a significant security incident, it could bring down services to people and business across the UK. Those operators will have the greatest level of oversight and monitoring from Ofcom. Tier 2 will contain medium-sized public telecoms providers. Those providers may not be as large, but in many cases they are critical to regions and to business connectivity. They are expected to have more time to implement the security measures set out in the code of practice.
Tier 3 will contain the smallest public telecoms providers, including small businesses and micro-enterprises, which, of course, must also comply with the law. They are not anticipated to be subject to the measures in the code of practice, but will need to comply with their legal duties as set out in new sections 105A and 105C, and in any regulations. Our expectation is that Ofcom would regulate those providers more reactively.
New section 105F describes the process for issuing a code of practice. When the Government publish a draft code of practice, we will consult with industry, Ofcom and any other appropriate persons. Specifically, publishing the first code of practice will include consulting on the thresholds of each of the tiers that I have described and on the timings for their implementation. Following the consultation period, and once the code is finalised, it will be published and a copy will be laid before Parliament.
New section 105G gives the Secretary of State the power to withdraw a code of practice. Again, that will follow consultation with industry and Ofcom. A notice of withdrawal will be laid before Parliament. The legal effects of the code of practice are described in new section 105H. To be clear, the code of practice is guidance only; it is an important tool that operators should use to comply with their legal duties.
Matt Warman
The legislation places a duty on providers. Meeting the strictures of the code of practice would be the way of demonstrating that they were meeting that duty as an initial step, but of course, we see individual companies making decisions, for a host of reasons, to exceed codes of practice in every area of regulated life,
and I would expect that to continue in the area in question as well.
Where relevant, provisions in a code could be taken into account in legal proceedings before courts or tribunals, which I think gives some sense of their status. That would include any appeals against Ofcom’s regulatory decisions heard by the Competition Appeal Tribunal. Ofcom will take account of the code of practice when carrying out its functions as required in new section 105H(3) in relation to telecoms security, as I have just described.
Under new section 105I, if Ofcom has reasonable grounds for suspecting that a telecoms provider is failing, or has failed, to act in accordance with a code, it can ask public telecoms providers to explain either how they meet the code of practice or, if they do not meet it, why. For example, if the network set-up of a particular telecoms provider meant that it could achieve a level of security equivalent to that in the code by other means, it could explain that in its statement responding to Ofcom. In such a case Ofcom might be satisfied that the provider was complying with its security details, but hon. Members will see that we are again trying to ensure a proportionate approach to the relevant part of the framework.
We believe that the code of practice will provide an appropriately flexible framework, which will be able to change as new security threats evolve, providing clarity for telecoms operators on what is required of them by this new telecoms security framework.
Chi Onwurah
I will not detain the Committee very long either, as we agree about the importance of codes of practice. I will not say that I am entirely reassured to hear of the statement being issued by Ofcom and the NCSC on how they will work together, but I certainly think that it is a positive development, and I hope we will be able to see it before the Bill progresses to the House.
On the codes of practice, as my right hon. Friend the Member for North Durham set out, it is important that the sector should understand the standard to which it will be held. I have some concerns about the tiering system, because, as was made clear by a number of witnesses during the evidence sittings, all networks are joined up and we are only as secure as the weakest link. At the same time, it is important to have a proportional burden on new entrants as we indeed hope to diversify the supply chain.
I understand, although perhaps the Minister can clarify the point, that the codes of practice will not refer to the diversification of the supply chain, despite the fact that having a secure network—we shall debate this in more detail—is dependent on having a diverse supply chain. I have made the point a number of times, and will make it repeatedly, that the lack of linkage between the diversification strategy, implementation and the security of our networks is an ongoing cause for concern. However, having made those comments, I do not object to the clause.
Question put and agreed to.
Clause 3 accordingly ordered to stand part of the Bill.
Clause 4
Informing others of security compromises
Question proposed, That the clause stand part of the Bill.
Matt Warman
As with clause 3, I have already spoken to clause 4, addressing an amendment on this issue. It will be crucial that we ensure that the Government, Ofcom, public telecoms providers and their customers have the information that they need to understand when security compromises have occurred, and then use the knowledge to prevent compromises in the future. New section 105J requires that providers inform their users of significant risks of security compromises and actions that they can take to avoid or mitigate any adverse consequences.
We want to ensure that this is done in a transparent and open way, so the clause specifies that telecoms users should be notified in clear and plain language, and given a named contact they can get in touch with if they have any further questions. Giving users that information will help to ensure that, where possible, they can take swift action to protect themselves and raise broader awareness.
New section 105K requires security compromises to be reported to Ofcom. That information will provide Ofcom with insight into the security of individual telecoms providers and security risks across the landscape, enabling us to target its regulatory action more effectively. The Bill also requires that providers report pre-positioning attacks on the network. These are attacks that do not affect the network or service at the time but allow access that could result in further security compromises. These attacks pose real risks but too often remain invisible to a regulator.
Finally, under new section 105L, Ofcom is required to share information about serious security compromises with the Government. It may also share information on less serious compromises if, for example, it would help the Government with developing telecoms policy and future regulation.
The clause explains how Ofcom can share information about security compromise with other groups and organisations, and the Bill allows information sharing at Ofcom’s discretion with overseas regulators, other providers, telecoms users and, where appropriate, the wider public. It allows Ofcom to advise network and service users of the measures that they should take to prevent, remedy or mitigate the effects of the security compromises, to direct providers to give such advice themselves.
The clause ensures that the regulator has access to the information that it needs, and will help to ensure that the entire industry is aware of new and evolving risks and can respond accordingly—be that a customer changing their password or an operator tightening its defences against a new attacker.
Matt Warman
I will pretend I have not finished, and give way to the hon. Lady.
Chi Onwurah
I thank the Minister, as always, for graciously giving way. I will make this point later, but I want to give the Minister the opportunity to consider how the requirement for Ofcom to notify users might work with the Information Commissioner’s requirement on data controllers to also notify users when there is a data hack.
Matt Warman
Obviously, there could be an overlap in those notification requirements, but our expectation would not be that anyone would receive multiple notifications. That is why there is an emphasis on the nature of communications being clear and obvious to laypeople.
Mr Jones
Speaking gives me an opportunity to take my face mask off. I will make a few points about clause 4, which is broadly welcome because it clarifies for operators what their responsibilities are, not just from a national security point of view but from a consumer point of view. I think there is an issue, though, which my hon. Friend the Member for Newcastle upon Tyne Central raised.
Again, I do not want the Minister to respond now, but I think the crossover with the Information Commissioner might be one area that we need some clarity on. Is there an example of this? Yes—the TalkTalk case. People might look at this Bill and think national security is about the Russians or the Chinese hacking, but that was a criminal act that led to a lot of people’s data being compromised. From a constituency point of view, as any Member of the House at that time will know, trying to get TalkTalk to do anything about that, in terms of the losses that people incurred, was virtually impossible. That is why these clauses are so important.
Chi Onwurah
Is my right hon. Friend aware that the hack used by the young person had been around for longer than that young person had been alive? That is an indication of the low level of security TalkTalk had in their network; they had not been able to address a known hack that had existed for at least 16 years. The Bill aims, in part, to address that and the consequences of that lack of security for our constituents.
Mr Jones
My hon. Friend is correct. A lot of the debate has been about hardware, but the biggest threat to our national security, in terms of telecoms, is from hacking and cyber-attacks. The changing nature of the threat is interesting. There are state actors and there is organised crime, acting on of behalf of states, but there is also, as referred to by my hon. Friend, some poor teenager who thought it was a good idea. The TalkTalk case showed the emphasis they put on the security of their network. Not just clause 4, but the whole Bill, puts the onus on the operators, which is why it is so welcome. Never again could they be accused of not knowing their responsibilities.
New section 105J requires providers to take “reasonable” steps to inform users about the risk, the nature of the security compromise, the steps the user could take in response, and the name and details of the person to contact. That is fine, but how to respond might be a matter for Ofcom. That is important, because people might then quickly take steps to stop compromises to their security.
The Bill lays out penalties for telecoms operators, but what about the consumer and people who have lost money because of data breaches? Do I assume that the Bill does not change that? It beefs it up, but I assume that any mitigation or compensation that should be paid to individuals who have been compromised would be an issue for Ofcom. When we had the TalkTalk compromise, getting TalkTalk to do anything was like trying to get blood out of a stone. That is important from the point of view of consumers.
It is important that the Secretary of State is informed, but how will that be done? I presume GCHQ and others would do that. Would that lead to lessons learned or to a notice being given to other operators that that has happened? Would that be done by Ofcom, the National Cyber Security Centre or GCHQ, or would it be a combination of all of them? It comes back to the point made by my hon. Friend the Member for Newcastle upon Tyne Central: this is a risk and this clause puts the onus initially with the operators, where it should be.
Chi Onwurah
We are cracking on at such a pace that I lost my place somewhat. I had forgotten that we are now discussing clause 4. My apologies, Mr McCabe.
My right hon. Friend the Member for North Durham has already addressed some of the points that I wanted to make, but let me say that we welcome the duty being placed on providers to report security incidents. I have long campaigned, in relation to cases such as the TalkTalk incident, to make that duty clearer and more comprehensive regarding the information that needs to be shared with users and those who are affected, and for them to have some kind of right of redress, which is effectively part of the Bill.
I welcome the requirement in clause 4 to inform others of security compromises, but will the Minister provide more clarity? There is some indication of the range of actors that the providers and Ofcom must inform, but I do not feel that there is an understanding of the level of information that will be shared with different actors. For example, if the public are to be informed of a security breach, compared with the requirement from the Information Commissioner’s Office, which, as I said, actually goes far enough, what level of information might be shared with other actors, such as other networks? My right hon. Friend talked about who else might be informed. It is also clear that the sharing of information will probably need to evolve over time, as the nature of compromises and their potential reach changes. I wonder how these requirements might be adapted to reflect that.
I will just say a little about the sharing of information with overseas regulators. If that is clearly set out in the Bill, I am unable to find it. Presumably, such data sharing will still have to conform with the requirements of our data protection legislation. Will it also reflect international data-sharing gateways for criminal prosecution purposes?
Those are just some general comments. We welcome the clause.
Matt Warman
I will reply briefly. On the point about compensation, essentially new section 105W of the Communications Act 2003, which is inserted by clause 8, covers the civil liability point, which I think opens the door that the right hon. Member for North Durham seeks to open. Then there are the notifications to industry of what is essentially best practice and recent threats. Of course, as he implied, there is a balance to be struck with the existing work of all those involved, but ultimately it would feed into the codes of practice, so there is both an informal and a formal mechanism, if I can put it like that.
On the hon. Lady’s final point about the international sharing of information, it would depend on the nature of the information, as she implied. Some of it would pertain to national security, and some of it would pertain to the kind of criminality that she has spoken about about, where there are existing provisions as well. In that sense, of course, it is all covered by our own data protection regime, which has the sorts of carve-outs I have just described but operates in that holistic framework.
Matt Warman
I am not sure I fully understand the right hon. Gentleman’s point.
Mr Jones
I raised the point, as did my hon. Friend the Member for Newcastle upon Tyne Central, that we are asking operators to inform individuals about data compromises. That is welcome, but as my hon. Friend said, there might also be a breach of the Information Commissioner’s regulations, and we just wanted to get some idea of how the two would mesh together. I do not expect the Minister to know now, but could he write to us to say how the two would interact?
Matt Warman
As I said in response to the hon. Lady, there is obviously a potential overlap. The focus of this Bill is on clarity of communication to the consumer, but I am very happy to write to the right hon. Gentleman or the Committee with further details of that potential overlap.
Chi Onwurah
The Minister is being incredibly generous with his time. To clarify what we are hoping to receive, as he has indicated, we would not want the ICO to be sending out notifications to 2 million people who had been affected by a hack, and Ofcom to be doing that as well. We would expect there to be co-ordination in that regard, and we would just like to see that set out.
Matt Warman
I am very happy to do so. I think it is obvious that clarity of communication would be incompatible with duplication.
Question put and agreed to.
Clause 4 accordingly ordered to stand part of the Bill.
Clause 5
General duty of OFCOM to ensure compliance with security duties
Christian Matheson
I beg to move amendment 11, in clause 5, page 9, line 41, at end insert—
“(2) Providers of public electronic communications networks and public electronic communications services must notify Ofcom of any planned or actual changes to their network or service which might compromise their ability to comply with the duties imposed on them by or under sections 105A to 105D, 105J and 105K.”
This amendment would require providers of public electronic communications networks or services to notify Ofcom of any changes to their network or service which might compromise their ability to comply with their security duties.
It is a great pleasure to serve under your chairmanship, Mr McCabe. Since this is my first substantive contribution to the Committee, I pay tribute to the Front Benchers. It is nice to have a Minister who, I believe, was formerly a tech journalist specialising in telecoms, and who knows the subject well. Of course, the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, was a telecoms engineer and an Ofcom regulator for many years, and I pay tribute to her and her staff. The Committee should know that in addition to running this Bill Committee from the Opposition’s side, she has also been working in the main Chamber this week on the National Security and Infrastructure Bill Committee. Juggling two Bills at once is no mean feat.
I have also greatly enjoyed the interplay between my right hon. Friend the Member for North Durham and the hon. and gallant Member for Bracknell, both of whom have considerable national security experience. I was intrigued by my right hon. Friend’s estimation of the hon. and gallant Gentleman’s intervention as Schrodinger’s intervention—one that managed to be simultaneously right and wrong. He has set a new standard there.
From listening to the debates on previous clauses, it is clear that a common thread passes through the Bill, which we in the Opposition have been hoping to link up. Partly, it is to do with the question we raised earlier about the assumption that everybody understands exactly what the intention in the Bill is, and that everything will be all right in the long term. My right hon. Friend the Member for North Durham has talked about the importance of making things as clear as possible when it comes to responsibilities, because a future Minister might not be as adept in this subject as the hon. Member for Boston and Skegness, who currently occupies that position. In a sense, that is the heart of amendment 11.
Chi Onwurah
I rise simply to support the excellent speech made by my hon. Friend the Member for City of Chester. I thank him for his very kind words. In the amendment, he makes an important contribution in ensuring that Ofcom knows what it needs to know and in putting the onus more firmly on the network providers. I simply ask the Minister to respond to the points that my hon. Friend made in his concluding remarks about being forward-looking.
A challenge for us as a nation in securing our networks during such fast-paced technological change is looking backwards to the problems we have had rather than forwards to the evolving and new threats. During the evidence sessions, we were accused of fetishising 5G as if that was the only security challenge, because of the visible problem with Huawei, and that we were not looking more broadly. I admired Ofcom during my time there because it was set up to be a forward-looking regulator. To achieve that aim, when it comes to the sweeping new requirements around security that are placed on it under the Bill, it needs to be able to see what changes are happening and are likely to influence future evolving threats. To do that effectively, amendment 11 requires the network providers to notify Ofcom of planned or actual changes.
It is worth remembering that—I made this point earlier—if BT had been required to notify Ofcom or another body of changes to its network as Huawei moved to a greater and more dominant position in its network, that might have rung alarm bells more generally. We have also already mentioned the shift that we are seeing on the importance of software and software configuration and services in controlling the network. Requiring providers to notify Ofcom of planned or actual changes to the network would make that evolution more easily visible and therefore provide Ofcom with greater visibility of how all our networks are evolving and what new threats may arise as a consequence.
Matt Warman
The amendment would add to the general duty in clause 5 that places on Ofcom the duty to ensure that providers comply with their security duties. The duty as written in the Bill makes clear Ofcom’s increasing role. The duties imposed on public telecoms providers in the Bill are legally binding, so as the Bill is written providers should not be taking decisions that would prevent them from complying with those duties in the future. If they were not to comply, they would be in breach of their legal duties and liable for enforcement action, including the imposition of the significant penalties set out in the Bill.
The underlying purpose of the amendment—that Ofcom should take a proactive role in regulating the regime—is already core to what is in the Bill and the Government absolutely agree with the principle that the hon. Member for City of Chester set out. We need to ensure that Ofcom has the tools to be forward-looking so that, in a world of fast-changing technologies and threats, it can understand where operators are taking their networks and how that will affect their security. That is an absolutely essential part of the Bill.
James Sunderland
Does the Minister agree that the Bill in its current form is prescriptive enough already?
Matt Warman
I think the Bill is perfectly drafted down to every comma and punctuation mark. To be slightly more serious, what we have sought to do in the drafting is to strike the balance between proportionate regulations and the overarching requirements for national security. That is the balance that we have struck and it is exactly for that reason that we already do in the Bill what the hon. Member for City of Chester and the shadow Minister seek with the amendment.
In section 135 of the Communications Act 2003, as amended by clause 12, Ofcom is already allowed to require information from providers about the future development of networks and services that could have an impact on the security of the network or service they are providing. That would enable Ofcom, for instance, to assess the security risks arising from the deployment of a new technology or from the proposed deployment of a new technology. For those reasons, I hope that the hon. Members are reassured not just that the Bill does what they seek, but that previous drafts of the Communications Act already did so.
Chi Onwurah
I thank the Minister for giving way; in doing so, he shortens what I will say later. I think the Minister is saying that Ofcom has the power to require information, which is true, but the amendment is about providers proactively giving that information. Ofcom cannot request information about a change to the networks that it does not know is happening. I am hoping that perhaps what the Minister is implying is that he would expect Ofcom regularly to review what was changing in the networks and therefore make those requests for further information. Could he clarify that point?
Matt Warman
The sort of horizon scanning that the hon. Lady describes is core to all essential regulation, and the relationship that Ofcom has with those whom it regulates promotes the ability to have such conversations. But as I said, the key point is that an operator that proposes knowingly to introduce a risk into its network would clearly not be complying with the statutory provisions of the Bill. That is the essential nub of the issue.
Christian Matheson
I am most grateful for the debate on the amendment. My hon. Friend the shadow Minister made the key point that Ofcom cannot be blamed for not enforcing something that it does not know anything about. The amendment’s intent was to encourage a sense of shared responsibility in what my right hon. Friend the Member for North Durham reminded us is still a competitive industry in which businesses might want to maintain a level of confidentiality about technological changes or the deals they are doing with suppliers. However, if the Minister is satisfied that that is covered in other parts of the legislation, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 5 ordered to stand part of the Bill.
Clause 6
Powers of OFCOM to assess compliance with security duties
Christian Matheson
I beg to move amendment 12, in clause 6, page 10, line 12, at end insert—
“(3) In this section “another person” means a UK government agency or a person from a UK government agency.
(4) OFCOM may not incur costs exceeding £50,000 in carrying out, or arranging or another person to carry out, an assessment under this section.”.
This amendment restricts those who Ofcom may arrange to carry out an assessment under this section to a UK government agency or person from such an agency. It also caps the cost of an individual security assessment at £50,000 for Ofcom.
The desire of the Committee is to crack on, so I will not detain us for too long. The clause, which covers more than three pages of the Bill, is extensive in outlining the powers of Ofcom to assess compliance with security duties and will amend sections of the Communications Act 2003 to that end. The Opposition’s probing amendment intends to bring clarity in two areas in particular.
The clause will insert proposed new section 105N into the Communications Act to give authority to Ofcom or “another person” to undertake an assessment of whether a network or service provider is carrying out its duties—an inspection, spot check or audit, whatever you will, Mr McCabe. That is all fine, but the appointment of “another person” is far too vague and needs clarity. Since this is a matter of national security, we believe such an authority can be vested only in an agency or arm of the UK Government. It would be wholly inappropriate to outsource it to a telecoms, IT or other consultancy in part because of the need for full co-operation from the business being audited, which must have absolute confidence to be open and transparent and, therefore, must have confidence in the inspector. Ofcom therefore cannot appoint any Tom, Dick or Harry to do the job but only someone who rides above the industry and will not give the inspected business any reason to think that its commercial confidentiality is at stake.
My hon. Friend the Member for Newcastle upon Tyne Central, with her extensive experience of the telecoms sector, has told me that it is a tight-knit industry in which everyone has worked for everyone else at some point. We got that impression from the oral evidence as a lot of the experts had worked with or knew one another. Perhaps it is an exaggeration to say that everyone has worked for everyone else, but it is illustrative of the nature of the sector, so there will be limits on who could be appointed. Does the Minister agree that the current suggestion of “another person” is too wide?
Chi Onwurah
The impression that I have given my hon. Friend about the telecoms sector being tight-knit is absolutely right. One concern that that brings is that there will therefore be conflicts of interest. Ofcom, as a public servant with the status of a quango, has rules and regulations for declaring interests that mean previous conflicts of interest will not weigh into its work. The concern that I have articulated to my hon. Friend in the past is that that would not apply to “other persons”, so broadly defined.
Christian Matheson
I am really grateful for that intervention—not just for the context that my hon. Friend gave, but for prompting me to think that having such a tight-knit sector, and the character of the sector, works both ways. Ofcom might appoint as an inspector to undertake one of the audits somebody who is on very good terms with the business or the provider. They will perhaps take their foot off the pedal and not do quite as thorough an investigation, because they know the business and trust them. As a result, the inspection would not be as thorough.
Mr Jones
My concern is also that the Government do not have a good track record on applying the standards that have been developed over many years to ensure proprieties in public appointments. No doubt somebody who would fit the bill for the role would be Dido Harding, who was responsible for TalkTalk and is now having huge success, as we have been told by the Prime Minister, with Test and Trace. She seems to have a common thread, but success does not seem to be part of that.
Christian Matheson
Who am I to disagree with my right hon. Friend and his years of experience? So far, we have been fairly consensual in this Committee, because we want the Bill to pass. My right hon. Friend is absolutely right: we have seen a certain level of—
Christian Matheson
I was going to say cronyism, but chumocracy is a far nicer way to put it, and we have seen it in the way consultancy contracts have been dished out during the current crisis. My right hon. Friend is absolutely right to say that there can be as little scope as possible for people who are perhaps not quite as qualified as they should be to be given such jobs.
Chi Onwurah
My right hon. Friend the Member for North Durham raised the Test and Trace programme. I do not want to dwell on that, as it is not within the scope of the Bill, but it is important to understand the extent to which the programme has been used as a vehicle to privatise parts of the NHS by building up private sector skills as opposed to public sector skills. There must be some concern that the huge new powers for and requirements on Ofcom might effectively be used to privatise some of its duties.
Christian Matheson
My hon. Friend says that it is not in the scope of the Bill, but so wide is the definition of “another person” that, quite frankly, anything or anyone could be in the scope of the Bill. Again, the possibility is there, and it would not be down to the Minister. I know him—he is a friend and a man of integrity. As my right hon. Friend the Member for North Durham said, however, the next Minister to come along, in this Government, at least, might not be. Who knows? In four years’ time, we might not have that problem.
This is an important aspect of national security, so I ask the Minister for clarity. It goes to the heart of the question of accountability—where responsibilities for inspections should lie. Similarly, in the second part of the amendment, we are seeking clarity on a limit on the amount that can be spent on inspection. We certainly do not want Ofcom to be swayed into decisions about whether inspections can go ahead based solely on fears that it might wrack up big costs. Nor can those costs be allowed to spiral if the first part of the amendment is not adopted and private contractors are brought in but abuse the system. I refer the Committee to the comments made by my right hon. Friend the Member for North Durham a while ago—such abuse does happen.
It is often not helpful to put a financial cost limit on the face of the Bill, if only because it can become outdated over time. To be honest with you, Mr McCabe, the truth is that the £50,000 limit specified in the amendment is arbitrary. We plucked it out of thin air to illustrate a point.
Christian Matheson
Fortunately, we will not push the amendment to a vote, so we will not have to put that point to the test. It is an arbitrary figure and I hope the Minister will not fixate on it. It simply illustrates the point that there is a question of open-ended costs. We will not push the amendment to a vote, but we think there is a vagueness and a lack of clarity that needs addressing. I urge the Minister to consider these issues and whether Ofcom would be assisted by the greater clarity that these probing amendments would bring.
Chi Onwurah
Again, I rise mainly to support the excellent contributions made by my hon. Friend the Member for City of Chester in moving this amendment. I will raise a couple of points from my experience in this area.
As I said to my hon. Friend, having worked in telecoms for 20 years, when I joined Ofcom in 2004, I had worked with, or worked with someone who had worked with, just about every operator and network provider in the business. Those personal relationships can be helpful in ensuring quick, effective collaboration, but they can also bring about conflicts of interest. Ofcom, as a public body, has processes and procedures to address those conflicts of interest. However, the Bill makes no provision for that to be applied to whoever is “another person”.
It is also the case that, unfortunately, as a regulator, one can be subject to regulatory capture by those who are regulated. The large operators often have tens or, in some cases, hundreds of lawyers and public affairs spokespeople. However, the smaller operators, unfortunately, cannot afford to dedicate so much time and resource to engaging with the regulator. It is critical that this huge increase in new powers and work for Ofcom is carried out in the right way.
As my hon. Friend said, the £50,000 figure has not been calculated on the basis of the likely costs to Ofcom, because the impact assessment does not indicate what they could be. However, it is merely the cost of five consultants at £1,000 a day for 10 days. We know that hundreds of consultants have been hired as part of the Test and Trace programme at those sorts of prices. That likely cost is within scope of any programme that is to be carried out by bringing in large private sector organisations. I hope the Minister will reassure us that he is taking these considerations into account.
Finally—I think we will discuss this point in more detail—this is a huge additional requirement on Ofcom. In the evidence session, Ofcom said that it thought it would need to hire 50 or 60 people to address the requirements of the Bill. There is always going to be an inclination to reduce internal resources, especially if they are in short supply, such as those to do with network engineering resources and the current skill set. So it is really important that the Bill should have a better definition than it currently does of who may carry out the work.
Matt Warman
I enjoyed the semantic gymnastics by the hon. Member for City of Chester as he tried to expand the scope of the Bill, but I shall try to stick to what is in it. There is a lot of consensus across parties, so I shall resist the temptation of saying that £50,000 is a demonstration that Labour is willing to put a price on national security, which this party will never do, but I understand the points that he makes on both fronts.
The clause provides Ofcom with strengthened powers, including powers to give assessment notices to a provider, that are vital to enable it to fulfil its expanded and more active role. Assessment notices are an important new power in the regime that will give Ofcom tools to assess fully a provider’s security and the extent to which it complies with its security duties. It is Ofcom’s intention that when assessing a provider’s compliance, its first port of call would be to use its information-gathering powers under section 135 of the Communications Act 2003. Ofcom would then use its power to give an assessment notice if it wanted to check the veracity of the information or to follow up a security concern. While Ofcom will therefore use its powers in a targeted and proportionate way, it is also the case that a provider with good security practices would expect to be subject to a lighter-touch assessment. Providers’ duty to bear the costs of assessments will therefore have an incentivising effect.
The amendment would insert a new subsection into new section 105N, limiting the costs that Ofcom could incur in carrying out an assessment. Fundamentally, a hard cap of any sort will always be an arbitrary number which will potentially put an additional hurdle in place. It might be necessary for some of those tests to require genuinely extensive assessment—penetration testing, or red teaming, as exercises are sometimes called, where penetration tests mimic the action that an attacker might take to access the network. Those attacking actions may of course be from sophisticated sources, and the costs of mimicking them in an entirely legitimate way could be substantial; but it is right, in the interest of national security, that Ofcom does not reduce the quality of its testing. We would not seek to limit that either, notwithstanding its independence.
I can offer the Committee some reassurance, however, that Ofcom’s assessment costs will not be excessive. It has a general duty to act proportionately and to follow other principles representing regulatory best practice. Finally, a provider’s duty is to pay only such costs as are reasonably incurred by Ofcom in an assessment, so there is a balance there.
As to the proposed new subsection that would limit those able to carry out assessments to Ofcom or a UK Government agency, the assessments, as the hon. Member for City of Chester knows, may be complex and need specialist skills. Methods such as penetration testing might need specific technical skills and we should not limit Ofcom in that way. However, we should also bear in mind, as the hon. Member for Newcastle upon Tyne Central mentioned, that the independence and expertise of Ofcom is the greatest bulwark against such entirely unfounded but legitimate concerns as those raised by the hon. Member for City of Chester, about who might be appointed by this or any Government to carry out a task in the national interest. None of us would want—and I do not suggest that the hon. Gentleman is doing this—to get into the business of questioning Ofcom’s independence in performing the tasks in question.
Chi Onwurah
I am somewhat concerned at the implication of what the Minister says. We cannot put a price on national security, and Ofcom has a role. In an evidence session, Ofcom’s representatives said that although its role excludes any question of its making security decisions, it would ensure compliance, yet now the Minister seems to be saying that Ofcom will not have the skills to ensure compliance. I agree that there are specialised skills. Penetration testing, for example, is a specialised skill, but I would argue that it is a skill that Ofcom should take on as part of this new remit. I say again to the Minister that the skills needed to ensure compliance should be within Ofcom’s remit, or should be better defined.
Matt Warman
Ofcom itself is best placed to exercise discretion as to whether it should carry out those assessments in-house, or whether it should have the flexible capacity to have the capability brought in as necessary. Ultimately, I do not think that anyone would wish to prevent Ofcom from having the ability to do what it thinks necessary by forcing it to use in-house staff only, because we cannot predict the future, as Members on both sides of the Committee have highlighted. Although the cause that the hon. Member for City of Chester is pursuing is a noble one, its unintended consequence would be to constrain Ofcom in both the expertise that it has at its fingertips and the costs that it might incur. We would not want to limit Ofcom’s discretion to make those decisions as an independent organisation.
Chi Onwurah
Actually, the amendment would not limit Ofcom’s discretion to bring in additional resources or skills. It would limit Ofcom’s discretion to Government agencies or organisations within the public sector, which, on matters of national security, we should be able to do.
Matt Warman
If the hon. Lady were right, the only people from whom we would have heard evidence over the last few days would have been public sector employees. She knows just as well as I do that the cyber-security sector is a vast mesh of public and private expertise, which is inevitable given that we have private networks offering communications services. Although I understand her point, and I am all for Ofcom having as much expertise as it needs to do its job properly in-house, I simply do not think that we should constrain what it can access in the way that the amendment would.
On this, I think we probably agree on far more than we would perhaps like to admit, but the reason that this is a probing amendment, as the hon. Member for City of Chester said, is because imposing artificial constraints would not be beneficial to Ofcom’s work. We understand what he said, however, and in broad terms, the Government agree.
Christian Matheson
I am grateful for the debate and for the Minister’s response, but I do not intend to press the amendment any further. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Chi Onwurah
I beg to move amendment 13, in clause 6, page 10, line 20, at end insert—
“(aa) provide a report on the diversity of their network’s supply chains;”
This amendment gives Ofcom the power to request a report from a network provider on the diversity of their supply chains for the purpose of assessing whether they are complying with the security duties placed on them by earlier sections of the Act.
It is a great pleasure to speak to this amendment, which goes to the absolute heart of one of our key concerns about the Bill—the lack of any reference to the diversification of our supply chain. That is absolutely critical and should be integral to our national security. Our amendment 13 affects clause 6, which we have already discussed. The objective of the amendment is to give Ofcom the power to
“request a report from a network provider on the diversity of their supply chains for the purpose of assessing whether they are complying with the security duties placed on them by earlier sections of the Act.”
As we have heard, clause 6 amends the Communications Act 2003 to insert section 105N, which gives Ofcom powers to assess compliance with the security duties set out in earlier sections, and section 105O, which gives Ofcom the power to impose on providers the duty to do any of a significant list of things, from (a) to (k)—to
“carry out specified tests or tests of a specified description…make arrangements of a specified description…direct an authorised person to documents on the premises…”
or
“assist an authorised person to view information”.
As I have said, this is an integral part of the Bill and requires some considerable debate, so it may detain the Committee for some time, but this debate can be continued at a later time if necessary. There is a long list of requirements that Ofcom might place on network providers, but nowhere is there a requirement for those providers to give a report on the diversity of their supply chains, yet the diversity of a network provider’s supply chains is absolutely integral to the security and resilience of that network provider.
We heard that very clearly during our evidence sessions. In particular, I asked Dr Drew:
“Is it possible for the UK to have secure networks without a diverse supply chain for them?”
Her answer was:
“That is a great question that comes with a very simple answer: no. The worst-case scenario for creating a risk in this sense is when monopoly meets supply chain—in secure supply chain in this case. Arguably, the reason why SolarWinds was so successful is that it provided the same service to so many different organisations and departments in the United States. Therefore, if you access one—SolarWinds—you access almost all. That is the risk.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 87, Q110.]
The reason I have highlighted that particular quote—there were a number of quotations supporting the diversification of supply chains—is that it sets out really well what might happen if a network provider has only one possible supplier. If every aspect of its network is supplied by, let us say, Ericsson, and Ericsson then has supply issues itself or is bought or acquired by another operator from a different country that we might not be so close to, or—I do not mean to imply that this is a possibility—should fail in some way, that network provider no longer has any support for their network and no longer has the ability to maintain it securely.
The dependence of our telecoms security on diversifying the supply chain was set out in the 2019 telecoms supply chain report; yet the Bill fails to mention it at all. The objective of the clause is really for Ofcom to assess how successful a network provider is in meeting our nation’s security requirements. My argument is that it is not possible to do that without understanding the diversity of that network provider’s supply chain; yet the clause as it stands makes no reference to that.
Matt Warman
I will go very briefly over the diversification strategy, which is essentially a £250-million initial tranche of investment to diversify the UK network, with a focus, to a certain extent, on open RAN, as the hon. Lady said. On the information that she would require, I agree with her so comprehensively that the provision is already in the Bill. Section 135 of the Communications Act 2003, as amended by clause 12—she is right that the provision is not in this clause—provides Ofcom with the power to gather information on diversification where Ofcom considers the information necessary for the purpose of carrying out its functions. Clause 12 specifically provides that such information can include information concerning future developments of a public electronic communications network or public electronic communications service that could impact on security. As I said, I agree with her so comprehensively that we had already foreseen the issue and the provision is already in clause 12. The addition of it to this clause would not change that fact. I hope that that provides—
Chi Onwurah
I thank the Minister for those comments. He says that the provision is already in clause 12. This is obviously down to my lack of studying, and I thought that I had studied every line of the Bill, but where specifically does clause 12 refer to diversification of supply chains?
Matt Warman
The approach that we have adopted across the Bill is that powers such as those in clause 12 are more than wide enough to cover exactly what is needed. What I am essentially saying, I suppose, is that the legal interpretation of clause 12 absolutely does what the hon. Lady seeks, because it is an absolutely essential part of one of the purposes of the Bill. That is why I hope she can take the necessary comfort to withdraw her amendment.
Chi Onwurah
I thank the Minister for that, but I am still puzzled as to where clause 12 says that Ofcom will collect data with regard to diversification of the networks. Ofcom is given the power to collect data with regard to the duties under the Bill, but there is not a duty under the Bill to diversify networks. I am trying to speed-read clauses and subsections; perhaps the Minister can direct me to a part of the clause that specifically requires information concerning. Clause 12 mentions
“information concerning future developments of a public electronic communications network or public electronic communications service that could have an impact on the security of the network or service.”
I agree that that could be liable to an interpretation that included diversification of the network, but given that the Bill does not anywhere mention diversification of the supply chain as being part of the security of the network, I am afraid I do not feel reassured.
Matt Warman
I am very happy to write to the hon. Lady to clarify why it is our belief that the Bill does that. What I would say is that the kind of specificity that she seeks would have the unintended consequence of narrowing what we do, rather than retaining the broad powers that we have in the Bill. As has been the case so often today, we do not disagree on the intent that she is seeking to obtain, and that is why the Bill is drafted as it is. As I say, I am very happy to write to her to try to clarify some of that.
Chi Onwurah
We all agree that the Minister is someone whom we like and who has the best intentions. On that basis, and on the basis that we can table further amendments at this stage or on Report if his letter of reassurance should not be sufficiently reassuring, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Ordered, That further consideration be now adjourned. —(Maria Caulfield.)
Telecommunications (Security) Bill (Seventh sitting)
Tuesday 26th January 2021
(3 years, 2 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 26 January 2021 - (26 Jan 2021)
The Committee divided: - Ayes: 3 / Noes: 10 - Question accordingly negatived.
The Chair
Before we begin, I have a few preliminary points. Please switch electronic devices to silent. Tea and coffee are not allowed during sittings. I remind Members about the importance of social distancing. Spaces for Members are clearly marked. I also remind Members that Mr Speaker has stated that masks should be worn in Committee. The Hansard reporters would be grateful if Members could email any electronic copies of their speaking notes to hansardnotes@parliament.uk.
Today we continue line-by-line consideration of the Bill. The selection list for today’s sitting is available in the room. It shows how the selected amendments have been grouped for debate. Amendments grouped together are generally on the same or a similar issue. Please note that decisions on amendments do not take place in the order they are debated, but in the order they appear on the amendment paper. The selection and grouping list shows the order of debates. Decisions on each amendment are taken when we come to the clause to which the amendment relates.
Clause 6
Powers of OFCOM to assess compliance with security duties
Question proposed, That the clause stand part of the Bill.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
It is a pleasure to be back under your chairmanship, Mr Hollobone. As we discussed during the debate on amendments to this clause in our previous sitting, clause 6 inserts proposed new sections 105N to R, providing Ofcom with strengthened powers to assess whether providers of public electronic communications networks and services are complying with their security duty. These powers are vital to enable Ofcom to fulfil its expanded and more active role, giving it the tools to monitor and assess providers’ compliance with the new telecoms security framework and providing the basis for commencing any enforcement action.
Proposed new section 105O provides the power to give assessment notices to a provider. Assessment notices may impose a duty on a provider to do a number of different things, which I will briefly summarise. First, providers can be required to carry out, or arrange for another person to carry out, technical testing in relation to their network or service. Secondly, they can be required to make staff available to be interviewed, enabling Ofcom to gain insights into how a provider’s security practices and policies are implemented.
Thirdly, providers can be required to allow an Ofcom employee or an assessor authorised by Ofcom to enter their premises to view documents or equipment. I recognise that that is a significant power, but it is necessary. It is subject to certain restrictions to protect legally privileged information and to limit entry to non-domestic premises only. To provide clarity for telecoms providers, Ofcom will also publish guidance setting out how and when it will use the power. Importantly, providers have a right of appeal.
The powers of assessment set out in the clause are key to enabling Ofcom to carry out the effective and extensive monitoring and assessment of providers’ security practices that is necessary.
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
It is a pleasure to serve under your chairmanship, Mr Hollobone, and to come back to this important Bill. I thank the Minister for writing to me and reassuring me on certain matters relevant to the clause. We accept the need for Ofcom to have powers to require information from vendors, but we would like a specific requirement whereby Ofcom can ask vendors for information on the diversity of their supply chains. I will leave further discussion on that for our new clauses. I will support this clause.
Question put and agreed to.
Clause 6 accordingly ordered to stand part of the Bill.
Clause 7
Powers of OFCOM to enforce compliance with security duties
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Clause 8 stand part.
Clause 9 stand part.
Clause 10 stand part.
Matt Warman
I will seek to move relatively rapidly through these four clauses.
Clause 7 provides Ofcom with enforcement powers in relation to providers’ security duties. The Bill gives Ofcom new powers to impose tough financial penalties on providers who breach their security duties. The penalties range to a maximum fine of 10% of a provider’s annual turnover, which is in line with the maximum fines available for breaching other regulatory requirements. For continuing contraventions, Ofcom can levy a daily penalty of up to £100,000. Penalties that are generally lower than that but still significant will also apply for contravening information requirements, which are subject to a maximum penalty of £10 million or, for a continuing contravention, a penalty of up to £50,000 per day. These penalties ensure that there will be a real financial deterrent to poor security practices. I should also say that, in the most serious cases, or in cases where a provider repeatedly contravenes its security duties, Ofcom would be able to use existing powers to suspend or restrict the provider’s entitlements to provide a network or service. Clearly, that is a step that we hope the regulator will never need to take.
The clause also gives Ofcom an important new power to take action where security is being compromised or is at imminent risk of being compromised. Proposed new sections 105U and 105V of the Communications Act 2003 would enable Ofcom to direct a provider to take interim steps to secure its network or service while Ofcom investigates or pursues further action. This power recognises that contravention of a security duty could result in a security compromise that causes real damage to users of that network or service. Where Ofcom uses that power, it will be required to commence and complete the enforcement process as soon as is reasonably practicable. The clause gives Ofcom the tools it needs to effectively enforce compliance with the new security framework.
Clause 8 sets out the position for bringing civil claims against providers who breach their security duties, which is a matter we touched on in earlier debates. It enables providers to be held accountable not just by Ofcom but by service users, such as members of the public, in cases where loss or damage is sustained by those users as the result of a breach of a duty. Providers owe a duty to any person who may be affected by a contravention of their security duties to take security measures, to comply with specific security duties in any regulations and to inform users of security compromises.
This clause allows any affected person to take legal action should providers breach those security duties. However, any affected person can bring legal proceedings against a provider only with the consent of Ofcom, which may be subject to conditions relating to the conduct of the legal action. This reflects the existing position in the Communications Act 2003 and ensures that providers face legal action only in appropriate circumstances. The clause also makes providers responsible to their users, providing another source of accountability. It allows users to bring legal claims for any losses they have suffered, which is only fair and reasonable.
Clause 9 addresses the interaction between provisions in the Bill and other legislation, specifically national security, law enforcement and prisons legislation. The security duties created by the Bill do not conflict with duties imposed on communications providers by other legislation via these clauses. Equally, we do not want the Bill to affect adversely the important work carried out by our law enforcement agencies, criminal justice authorities and intelligence agencies. The clause gives that clarity to providers about their responsibilities.
Finally, clause 10 requires that Ofcom publish a statement of policy about how it will fulfil its general duty and use specific powers to ensure that providers comply with their security duties. This will provide welcome clarity to industry about the expected use of important new powers. I beg to move that these clauses stand part of the Bill.
Chi Onwurah
I will not detain the Committee long, as we are cracking on through the clauses. I will only emphasise that these clauses give Ofcom broad powers—very broad powers—and measures of enforcement, as well as placing duties on the network operators to all users of their network services. We support these broad powers, but it is incumbent on the Minister and indeed on the Committee to consider whether those powers will receive sufficient scrutiny, and sufficient oversight and input from our security services. We anticipate debating those particular questions in more detail later today. In the meantime, we will not stand in the way of these clauses standing part of the Bill.
Question put and agreed to.
Clause 7 accordingly ordered to stand part of the Bill.
Clauses 8 to 10 ordered to stand part of the Bill.
Clause 11
Reporting on matters related to security
Chi Onwurah
I beg to move amendment 14, in clause 11, page18, line 26, at end insert—
“(aa) an assessment of the impact on security of changes to the diversity of the supply chain for network equipment;”
This amendment requires that network supply chain diversification is included in Ofcom reports on security.
The Chair
With this it will be convenient to discuss the following:
Clause stand part.
Clause 12 stand part.
Clause 13 stand part.
Chi Onwurah
We start this debate where we ended our sitting on Thursday, on the diversity of the supply chain. But this is not groundhog day; this is a very different aspect of the diversity of the supply chain. I hope the Minister has noticed that there are three themes to our amendment: national security, diversity of the supply chain and appropriate scrutiny. Those are our key concerns about the Bill as it stands.
We wish to see the Bill debated as speedily as possible. For the record, I reiterate my concern that, in the midst of a pandemic lockdown, where the advice is to stay at home, the Leader of the House requires that Members of Parliament should congregate in one room for several hours. With that in mind, we are cracking on as quickly as possible, and we have made significant progress only this morning. However, we feel strongly that, given the speed at which we are providing the appropriate scrutiny, more time should be devoted to debating the Bill on the Floor of the House. We are cracking on in order to protect, as far as we can, the public health of Members of Parliament, staff, House officials and Clerks, who are doing an amazing job in the midst of a pandemic.
Clause 11 makes provision for reporting by Ofcom on security matters. That includes a duty to provide an annual security report to the Secretary of State. Amendment 14, in my name and those of my right hon. and hon. Friends, requires that network supply chain diversification is included in Ofcom’s report on security. As I said, we anticipate having a broader debate this afternoon on the importance of the diversification of the supply chain to security, as part of the debates on our new clauses, so I will only summarise our key points and concerns now.
This amendment follows amendment 13, which sought to give Ofcom the power to request reports from operators on their supply and the progress of their supply chain diversification. We support steps to remove high-risk vendors from the UK networks, but they must go hand in hand with credible measures to diversify the supply chain. I am afraid it remains the fact that we have no reference to the diversification of the supply chain in the Bill, despite the fact that, as I will briefly outline, both the Secretary of State and experts during our evidence sessions emphasised that we could not have network security without effective diversification.
We cannot have a robust and secure network with only two service providers. Supply chain diversification is absolutely vital to protecting our national security. If a vulnerability exists in one vendor or service provider, that intrusion may be limited to that one vendor or service provider alone. A diversity of suppliers in the supply chain limits the exposure of vital information. This amendment ensures that network supply chain diversification is addressed in Ofcom’s report on security. My key question to the Minister is, how can Ofcom report on security if it is not reporting on supply chain diversification?
The Minister may well say that Ofcom has the power to report on supply chain diversification and to request information on supply chain diversification. As I have said on a number of occasions, the powers in the Bill are broad. That is why effective scrutiny requires some specification of what will be reported upon.
The security report to the Secretary of State should be made as
“soon as practicable after the end of each reporting period”
and
“must contain… information and advice… to assist the Secretary of State in the formulation of policy”.
It must also include the extent to which providers have complied with security duties. That is as an example of some of what may be included in the security report. Given that the Secretary of State has said on a number of occasions that supply chain diversification goes hand in hand with the security of the network, it is essential that supply chain diversification is specifically mentioned in the Bill, so that we can have accurate and detailed reports from Ofcom on key aspects of network security.
The amendment will help provide the Secretary of State with the information to update Parliament on the progress of the Government’s diversification strategy, depending on Ofcom’s findings. The Secretary of State has promised to give Parliament such updates, so this is an enabling amendment to ensure that the Secretary of State has the information he needs to provide the reporting that he has committed to.
In support of the amendment, I would like to cite one of the witnesses in our evidence sessions. Dr Alexi Drew, from Kings College, London, was asked whether it was possible to have a secure network without a diverse supply chain, and answered:
“That is a great question that comes with a very simple answer: no. The worst-case scenario for creating a risk in this sense is when monopoly meets supply chain—insecure supply chain in this case. Arguably, the reason why SolarWinds was so successful is that it provided the same service to so many different organisations and departments in the United States. Therefore, if you access one—SolarWinds—you access almost all. That is the risk.”—[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 87, Q110.]
That is a risk that, I am sorry to say, the Bill currently does not sufficiently address. I hope that, by accepting this amendment, the Minister will recognise that we are, as always, seeking to improve the Bill and to ensure that it provides a credible and effective means to secure our networks.
With regard to clauses 11, 12 and 13 stand part, we recognise the importance of providing Ofcom with the appropriate powers to request information, but also to share information related to security. In that respect, these provisions are ones that we can support.
Matt Warman
I welcome the spirit of the amendment. I think that the hon. Lady and I share the same ambition. I know that she wants to have the proper debate later, so we look forward to that.
Clause 11 inserts into the Communications Act 2003 proposed new section 105Z, which deals with Ofcom’s reports on security. It requires Ofcom to produce such reports within two years of the Bill receiving Royal Assent and every 12 months thereafter. As the hon. Lady said, amendment 14 is similar to the amendment to clause 6 that we discussed previously. Ultimately, when considering Ofcom’s role and specifically its reporting function, we should note that proposed new section 105Z(2) requires Ofcom security reports to include such information and advice as Ofcom considers may best assist the Secretary of State in the formulation of policy on telecoms security. That could go beyond the list in proposed new subsection (4) to include other relevant information, such as that related to diversification. The Secretary of State can also direct Ofcom to include information that goes beyond that list.
As the Committee and, indeed, Ofcom will be well aware, the Government have recently published a targeted diversification strategy, which will deliver lasting and meaningful change in the 5G supply chain and pave the way for a vibrant, innovative and dynamic supply market. We heard widespread support for the strategy from witnesses during the oral evidence sessions. The strategy demonstrates our commitment to building a healthy supply market and is backed by a £250 million initial investment.
We have publicly announced that the Government will be funding the creation of a UK telecoms lab to research and test new ways of increasing security and interoperability, and we are already partnering with Ofcom and Digital Catapult to fund the industry-facing test facility SONIC—the SmartRAN Open Network Interoperability Centre. Both of those will play a key part in our investment in diversification and demonstrate Ofcom’s existing part in it.
As already mentioned, amendment 14 would require Ofcom to include in its security reports
“an assessment of the impact on security of”
any
“changes to the diversity of the supply chain for network equipment”.
As that requirement is already essentially covered by Ofcom’s existing powers, the amendment is not necessary. The inclusion of any such information is already within Ofcom’s discretion, but I am sure that we will discuss it more later on, as the hon. Lady said.
Clause 12 expands Ofcom’s information-gathering powers for the purposes of its security functions and enhances its ability to share the information with the Government. It enables Ofcom to require a provider to produce, generate, collect or retain security information, and then to analyse that information. Any information sought using this power must always be proportionate to how Ofcom will use it.
Clause 13 makes provision in connection with the standard of review applied by the Competition Appeal Tribunal in appeals against certain of Ofcom’s security-related decisions. Ofcom’s regulatory decisions are subject to a right of appeal to the tribunal, and that will also be the case for most of Ofcom’s decisions relating to the exercise of its regulatory powers conferred by the Bill. This clause makes provision to ensure that the tribunal is not required to modify its approach in appeals against relevant security decisions, and should instead apply ordinary judicial review principles.
I hope that I have sufficiently explained to the Committee why amendment 14 is unnecessary and why clauses 11 to 13 as drafted should stand part of the Bill.
Chi Onwurah
I thank the Minister for his comments. Although we agree on many things in many areas, I think that in this case he is trying to have his cake and eat it, inasmuch as he is saying that amendment 14 is not necessary because Ofcom already has the powers, but he is reluctant or is refusing to specify that those powers will be used for the objective of reporting on the progress of diversification of the supply chain. It was good to hear the Minister reiterate the importance of diversification of the supply chain, but I remain confused about whether he agrees with the evidence and, indeed, with his own Secretary of State that diversification of the supply chain is a prerequisite of the security of our networks and, indeed, our national security—that is what we are discussing with regard to our telecoms networks. If diversification is a prerequisite, why is the Minister so reluctant to refer to it? If he is so confident in the plan to diversify our supply chains, why is he so reluctant to insert any requirements to report on the progress of that diversification?
I listened intently: the Minister said that Ofcom has the powers to report on whatever it considers to be relevant to security. During the evidence session, we heard from Ofcom itself, very clearly and repeatedly, that it is not for Ofcom to make decisions on national security. It will not make national security decisions. That is not within its remit and responsibilities; the witnesses from Ofcom stated that repeatedly and clearly. I would be happy to read from Hansard if that point is in question. Given that Ofcom will not make security decisions and that the diversification of the supply chain is essential for security, I am at a loss to understand why the Minister will not accept a reference to reporting on the progress of diversification. Although, unfortunately, the pandemic means that we are not at full strength on the Opposition side of the Committee, I wish to test the will of the Committee on the amendment.
Question put, That the amendment be made.
Chi Onwurah
I beg to move amendment 15, in clause 14, page 21, line 28, leave out from beginning to end of line 30 and insert—
“(3) The reports must be published not more than 12 months apart for the first 5 years, then not more than 5 years apart.
(4) The first report must be published within the period of 12 months beginning with the day on which this Act is passed.”.
This amendment requires the Secretary of State to report on the impact and effectiveness of clauses 1 to 13 every year for the first five years after the Act is passed, and then every five years following.
The amendment reflects another of our key concerns about the Bill, which is the level and extent of appropriate scrutiny for such broad and sweeping powers. It seeks to ensure appropriate scrutiny. Clause 14 requires the Secretary of State to review the impact and effectiveness of clauses 1 to 13 at least every five years. Our amendment would require the report to be published every year for the first five years after the legislation is passed, and then up to every five years after that.
As we have said, the Bill gives the Secretary of State and Ofcom sweeping powers. We want to ensure both that they are proportionate and that there is accountability. As we have previously emphasised, we are sure that the Minister and the Secretary of State are inclined to exercise the powers in a proportionate and accountable way, but they will not be in their posts forever, and perhaps not for the entire first five years of the legislation’s operation, so it is important that the Bill requires that Parliament be able to scrutinise its effectiveness, as that is so important to our national security. In that sense, this amendment follows amendments 5, 9 and 10 with respect to the requirement for appropriate oversight and accountability.
I emphasise—I am sure that you will understand, Mr Hollobone—that in some ways we are here because of a lack of effective parliamentary scrutiny of the presence and growth of high-risk vendors in our networks. It was only when Parliament became aware of and was able to give its full-throated input on concerns about the dominance of high-risk vendors in our telecommunications market that the Government took action. We do not want to be in the position of finding again that there has been a dramatic change in the security of our networks without appropriate scrutiny.
Clause 14 states that the Secretary of State must
“carry out reviews of…impact and effectiveness”
and that the report must be laid before Parliament for parliamentary scrutiny. However, we are to wait up to five years before it will be made possible to give parliamentary scrutiny to a Bill that is so important to national security, as both the Minister and the Secretary of State, and indeed the security services, have emphasised. We are not to review its effectiveness for five years.
Sara Britcliffe (Hyndburn) (Con)
Does not the clause state that the period is up to five years? The review could be done during that period; it would not have to be at the five-year mark every time.
Chi Onwurah
The hon. Lady is absolutely right. The clause enables the Minister or Secretary of State to choose to lay a report more frequently. Again, I do not want to impute anything against the Minister or the Secretary of State, but given the importance of the subject and of parliamentary review, why not ensure that it is more frequent?
I am sure that the hon. Lady will agree that Parliament has many things to consider, and so does the Secretary of State. There is competition for parliamentary time, particularly in a pandemic and in view of the challenges that we shall face in the next few years. How can I put this? We have concerns that the priority may slip in the face of, for example, economic challenges, investment challenges and recovery challenges. We want to be sure what is happening. We are the party of national security and we want to ensure that, in this context, national security is brought to Parliament to be debated, discussed and reviewed at least every year.
Matt Warman
I listen with interest to the points that the hon. Lady makes, and to the assertion that she is a member of the party of national security. I welcome her to this side of the House, if that is the case. [Interruption.] Thank you, but no.
As the hon. Lady says, clause 14 is a review clause requiring the impact and effectiveness of clauses 1 to 13 to be reviewed at least every five years by the Secretary of State. The review report must be published and laid before Parliament, but it is by no means the only source of parliament scrutiny, as she knows. Her amendment would increase the frequency of these reports to every year for the first five years after the Bill is passed and then every five years thereafter.
Increasing the frequency of the reports would bring its own challenges for a number of reasons. First, the framework is considerably different from the previous security regime in the Communications Act 2003. It seems to me that we will not be able fully to assess the impact and effectiveness of the new security regime instituted by clauses 1 to 13 until all parts of the framework, including secondary legislation, codes of practice and other things, have been in place for a reasonable period of time. The code of practice that will provide guidance on the detailed security measures that telecoms could take is intended to set clear implementation timelines. Some measures may require significant operational change, as we heard in the evidence sessions for telecoms providers, and we are aware that that may be costly. For that reason, we cannot reasonably expect all changes to be implemented instantly or, indeed, all necessarily at the same time.
There is a further practical difficulty with the amendment. If the first report is to be produced 12 months after Royal Assent, it will require the review to be undertaken well in advance of that deadline. That means that the report will represent an incomplete picture of the Bill’s impact, even at its very first production. Some measures will not even have been implemented by telecoms providers.
My hon. Friend the Member for Hyndburn was exactly right that the current requirement for publishing reports is at least—rather than at most—every five years. We have been deliberate in our choice of this timeframe because five years is the reasonable point by which we expect the majority of telecoms providers to have implemented most, if not all, changes. It is therefore considered appropriate to require a report on the impact and effectiveness of the framework by that time. I recognise that five years is a long time. That does not mean that the framework will be free from scrutiny in the intervening period. As clause 11(3) sets out, the Bill amends section 134B of the Communications Act so that Ofcom’s regular infrastructure reports will include information on public telecoms providers’ compliance with the new security framework. Ofcom publishes the reports annually, rendering the amendment unnecessary.
Chi Onwurah
On a point of clarification, I have the impression that the Minister anticipates that the first report under the Bill would only happen once all the requirements had been implemented. I think that that implies that it would only happen once a high-risk vendor, specifically Huawei, had been removed from the network.
Matt Warman
No is the short answer, because while this is a progress report, five years from 2021 is 2026—the deadline is 2027, even at the most extreme end, which is not where we anticipate it will end up—and it would be before the point that she identifies.
The infrastructure reports from Ofcom will help to provide Parliament and the public with a view on how telecoms providers are progressing with compliance with the new framework. As I alluded to earlier, they are not the only means of parliamentary scrutiny. We have the Intelligence and Security Committee and we have Select Committees. I suspect that there might be one or two debates on this matter over the next five years as well. To pretend that this is the only method of parliamentary scrutiny is not accurate.
Chi Onwurah
If the Minister will give way briefly, he may find it saves time. To clarify: for the first report we will not necessarily have to wait until all the provisions of delegated legislation associated with the Bill are in place. As for the infrastructure reports that Ofcom publishes, to which he refers as a form of alternative scrutiny, will they, might they or will they not reflect progress in the diversification of the supply chain?
Matt Warman
The hon. Lady asks me to predict what is in a report that has not been written yet by an organisation that is not a Government Department. I agree with the principle of what she is saying. This is an important aspect and one would reasonably expect it to be reflected in the reports that we have talked about. It is, however, important overall to say that Ofcom’s own regular infrastructure reports will, as I have said, include information on public telecoms providers’ compliance with the new security framework, which is the broadest interpretation and gives a huge amount of latitude for the sorts of information that she seeks. I hope that those infrastructure reports will help to provide Parliament with the kind of scrutiny that she seeks, and the public with the kind of scrutiny that we all seek. [Interruption.] For those reasons I hope that she will withdraw the amendment.
Chi Onwurah
I thank my right hon. Friend the Member for North Durham for an exciting intervention from his phone, and I thank the Minister for his comments. As I think I have said, I spent six years working for Ofcom with the Communications Act 2003 on my desk. I know the importance that our independent regulator places on the words of the Minister during such debates as this. As he has indicated that the reports would do well to include reference to everything that appertains to security, including the diversification of supply chain, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 14 ordered to stand part of the Bill.
Clause 15
Designated vendor directions
Mr Kevan Jones (North Durham) (Lab)
I beg to move amendment 16, in clause 15, page 22, line 12, at end insert—
“(2A) When considering whether a designated vendor direction is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
This amendment would require the Secretary of State to give due priority to advice provided by the Intelligence Services (including the National Cyber Security Centre as part of GCHQ) when considering when to issue a designated vendor direction.
The Chair
With this it will be convenient to discuss the following:
Amendment 17, in clause 16, page 27, line 8, at end insert—
“(3A) When considering whether a designation notice is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
This amendment would require the Secretary of State to give due priority to advice provided by the Intelligence Services (including the National Cyber Security Centre as part of GCHQ) when considering whether to issue a designation notice.
Amendment 18, in clause 16, page 28, line 3, at end insert—
“(m) the person’s control of data flows.”
This amendment requires the Secretary of State to consider a person’s potential control of data flows when issuing a designation notice.
Clause 16 stand part.
Amendment 19, in clause 17, page 29, line 19, at end insert
“, together with an assessment of the impact the designation notice will have on supply chain diversity;”.
This amendment requires the Secretary of State to lay before Parliament a report on the impact a designation notice will have on telecoms market supply chain diversity, enabling parliamentary scrutiny.
Mr Jones
I thought I would bring some light relief to the Committee’s proceedings. Amendments 16 and 17 are both probing amendments. I might sound like a broken record, but they are really just to ensure that we get a situation where the necessary advice is taken. Amendment 16 states:
“When considering whether a designated vendor direction is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
I accept that the entire purpose of the Bill is to have national security at its heart, but I still have a nagging doubt about whether Ofcom will be able to put national security at the heart of its considerations.
Amendment 17 states:
“When considering whether a designation notice is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
This is an attempt to future-proof the Bill. As I mentioned the other day, when we pass legislation in this place it is important that it outlives present Ministers, and us all. Unfortunately, there is form on this—look at the Intelligence and Security Committee’s 2013 report on critical national infrastructure. I accept it was then the Cabinet Office, not Ofcom, that dealt with this, but when BT negotiated its contract with Huawei, the Cabinet Office was told about it but did not feel it necessary to tell Ministers for another three years, until 2006. I am concerned that national security will not be at the forefront when people look at such matters. The amendment is really just to ensure that that takes place, and codifies it into law.
I do not wish to criticise civil servants in any way, but having been a Minister myself, I know they sometimes have a tendency not to put forward things that might have a political dimension that they do not recognise. That is why it is important for national security that the Secretary of State has first-hand knowledge and information directly from the security services. We have very effective security services in this country—I pay tribute to them—but we also have the Cabinet Office. I know the Minister might think I am a bit obsessive, but I am sure he has come up against the buffer of the Cabinet Office, which seems to want to intervene in everything and anything that does not really concern it.
Matt Warman
I thank the right hon. Gentleman for his contribution to the debate. He has talked so much about my impermanence that I felt lucky to come back today, never mind any time in the future. He makes a reasonable point, with which I broadly sympathise. As this is a broad grouping that covers clauses 15 and 16 and the amendments to clauses 15, 16 and 17, I will discuss the policy intention behind the clauses in sequence, and address the amendments.
As the right hon. Gentleman said, it is obviously an opportune moment to pay tribute to the heroic work of our national security services. The Bill emphasises the importance of their advice, and it empowers the Government to manage the presence of high-risk vendors in our networks. The report to which he refers is important, but it is also important to say that it was published, as he said, in 2013. It related almost entirely to events that took place under Labour, and it predates the existence of the National Cyber Security Centre, so we are dealing to some extent with a different world. I will go into a bit of detail on that.
As the right hon. Gentleman knows, the Government announced in January last year that new restrictions should be placed on the use of high-risk vendors in the UK’s 5G and full-fibre networks. In July 2020, the Government worked with the NCSC to update the guidance following action taken by the US Government in relation to Huawei. Clauses 15 to 17 provide the principal powers that the Government need to manage the risks posed by high-risk vendors. Without such powers, the guidance issued to industry will remain unenforceable and therefore present a risk to national security.
Mr Jones
I accept what the Minister says about the report, but its key point was that civil servants basically decided not to tell Ministers. On his explanation and the way forward, or what has changed since, how can we avoid a situation whereby Cabinet Office civil servants take the decision not to tell Ministers? How can we ensure that that will not happen again?
Matt Warman
In short, the right hon. Gentleman is challenging the fundamental effectiveness of Government and the judgments that were made by officials at the time. I simply say that it is the duty of Government to ensure that such errors are not made in future. That cannot be done solely by legislative means; it must be done by custom and practice. The right hon. Gentleman understands, through his work on the ISC, that the role of those close working relationships is in some ways far more important in the day-to-day security issues that we are dealing with. Perhaps we can return to that point later.
The Bill will allow the Secretary of State to issue designated vendor directions, imposing controls on the use of goods, services or facilities that are supplied, provided or made available by designated vendors. The Secretary of State may issue such directions only where it is necessary to do so in the interests of national security and proportionate to the aims sought to be achieved.
Amendment 16, which would amend clause 15, seeks to place a statutory requirement on the Secretary of State to take into account advice from our intelligence services when considering whether to issue a designated vendor direction. Amendment 17, which would amend clause 16, seeks to place a similar requirement when considering a designation notice.
I should reassure hon. Members that the Secretary of State, as the right hon. Member for North Durham knows, has every intention of seeking the advice of our security and intelligence services, as would any Secretary of State, in particular the NCSC, when considering whether to issue a designated vendor direction or designation notice.
It is also worth saying, from a scrutiny point of view, that the Department for Digital, Culture, Media and Sport maintains an excellent relationship with the NCSC. We are scrutinised by the Select Committee on Digital, Culture, Media and Sport and I have appeared before the Intelligence and Security Committee, as the right hon. Gentleman knows. There are many examples in the Bill where the NCSC’s expert advice has been taken into account.
The UK telecoms supply chain review, on which the Bill is based, was the product of the close working relationship between the Department for Digital, Culture, Media and Sport and the NCSC. In a sense, that close working relationship demonstrates that matters have moved on substantively since 2013.
I draw hon. Members’ attention to the illustrative notices that we published in November last year. The NCSC was closely involved in the drafting of those illustrative notices. It will also be involved in the drafting of direction and designation notices once the Bill has been enacted . Given the demonstrable success of our collaboration with the NCSC thus far, I hope that the right hon. Gentleman will be satisfied with that explanation, although I appreciate that he introduced a probing amendment.
Clause 15 would create the new power for the Secretary of State to issue designated vendor directions to public communications providers, in the interests of national security. Although clauses 15 and 16 are distinct, they are complementary. Directions cannot be issued without identification of a designated vendor and designations have no effect unless directions are given to public communications providers. Clause 15 inserts new sections 105Z1 to 105Z7 into the Communications Act 2003 and amends section 151 for that purpose.
The clause will enable the Government’s announcements in 2020 on the use of high-risk vendors to be given legal effect. Those announcements include advice that require a public telecoms provider to exclude Huawei from their 5G networks by 2027, and stop installing new Huawei goods, services or facilities in 5G networks from September 2021. It will also enable the Government to address risks that might be posed by future high-risk vendors, helping to ensure our telecoms networks are safe and secure.
Proposed new section 105Z1 sets out the direction power. It would allow the Secretary of State to give a designated vendor direction to a provider, imposing requirements on their use of goods, services or facilities supplied by a specified designated vendor. Proposed new section 105Z2 provides further details on the types of requirements that may be imposed in a designated vendor direction. Proposed new section 105Z3 sets out the consultation requirements and expectations for public communications providers. Proposed new section 105Z4 sets out a requirement for the Secretary of State to provide a copy of a direction to the designated vendor or vendors, specified in a direction and, hence, affected by it. Proposed new sections 105Z5 and 105Z6 set out when and how the Secretary of State may vary or revoke a direction. Lastly, 105Z7 enables the Secretary of State to require a public communications provider to provide a plan setting out the steps that it intends to take to comply with any requirements set out in a direction and the timings of those steps.
Although the Government have made specific announcements on Huawei, the high-risk vendor policy has not been designed around one company, country or threat. The designated vendor direction power, as set out in these provisions, is intended to be an enduring and flexible power, enabling the Government to manage the risks posed to telecoms networks both now and in the future.
Clause 16 includes a non-exhaustive list of matters to which the Secretary of State may have regard when considering whether to issue a designation notice. Amendment 18 seeks to amend that clause by adding a person’s control of data flows to the list of matters to which the Secretary of State may have regard. However, nothing in the clause prevents the Secretary of State from considering control of data flows before issuing a designation notice already, if the matter were deemed relevant to the assessment of national security. It is already covered and so is not required as a stand-alone measure.
The clause creates a power for the Secretary of State to issue a designation notice, which designates a vendor for the purposes of issuing a designated vendor direction. Proposed new section 105Z8 is the principal measure of the clause, and sets out the power for the Secretary of State to designate specific vendors where necessary in the interests of national security. A designation notice must specify the reasons for designation unless the Secretary of State considers that doing so would be contrary to the interests of national security. The proposed new section also lists the primary factors that may be taken into account by the Secretary of State when considering whether to designate a vendor on national security grounds.
Finally in this group, amendment 19 would require the Secretary of State, when laying a designation noticed before Parliament, also to lay before Parliament a report detailing the impact that the designation notice might have on the diversity of the UK’s telecoms supply chain. The effect of the amendment would be to require the Secretary of State to lay a report purely on the impact of the designation notice, but a designation notice simply notifies vendors that the Government consider them a risk to national security.
Only when the designation notice is issued alongside a designated vendor direction are controls placed on the use of a designated vendor’s goods, services and facilities by public communication providers, so it is those controls that might have an impact on the diversity of the supply chain. I can reassure the Committee that the Government will consider the diversity of the supply chain before issuing designation notices and designated vendor directions. A lack of diversity is in itself a risk to the security of a network. I hope that answers the question that the hon. Member for Newcastle upon Tyne Central asked in regard to an earlier amendment. It is right that the Government consider that risk before deciding whether to issue designation notices and designated vendor directions.
To conclude, clauses 15 and 16 provide us with the ability to improve the security of our telecommunications networks and to manage the risks relating to high-risk vendors, both now and in the future.
Chi Onwurah
I will speak to amendments 18 and 19, standing in my name and those of my hon. Friends, and to clauses 15 to 17. As the Minister set out, the clauses are about key powers in the Bill that seek to secure our networks and to regularise requirements already in place, albeit informally or not legally, to remove Huawei as a specific high-risk vendor from our networks. The clauses give Government the powers to do what they have said they will do.
On the clauses, I will not repeat what the Minister said, and I congratulate him on clearly setting out their powers, which the Opposition believe are necessary. I also join the Minister and my right hon. Friend the Member for North Durham in paying tribute to our security services, which do such great work to keep us secure across a wide range of threats and challenges—both present and evolving—and on whose continued work and effectiveness the Bill is highly dependent. As my right hon. Friend set out, we want to ensure that national security is absolutely at the heart of the Bill.
The Chair
Order. The hon. Lady has done really well, but we are not debating clause 17 stand part. She can refer to the other clause if she wishes.
Chi Onwurah
Thank you for the clarification, Mr Hollobone. I see that we are discussing whether clauses 15 and 16 stand part. I support those clauses and look forward to the Minister’s response to the amendment.
Matt Warman
I pre-emptively covered a lot of the hon. Lady’s questions, but I will say two brief things. She talked about consolidation in the cloud sector. While the Bill is very much a national security Bill, the National Security and Investment Bill would cover consolidation in that sort of sector, rather than this one. Obviously they do work together.
Chi Onwurah
The point I am making—clearly, I did not make it effectively—is that that sector is becoming this sector. The cloud sector is becoming the telecoms sector. The reason we need this Bill in addition to the National Security and Investment Bill is to address the security concerns of the telecoms sector specifically. The cloud sector is becoming part of the telecoms sector, yet the Bill does not address those concerns.
Matt Warman
The hon. Lady is not wrong, obviously, in the sense that there is a potential conversation to be had about when a cloud provider is a telecoms provider and vice versa, if I can put it like that, although it is not the most elegant way of doing so. However, the point is that the reason we have comprehensive coverage of the landscape is because we have both the National Security and Investment Bill, which she debated recently, and this Bill. The broad powers that she described are intended to provide precisely that sort of coverage.
Similarly, the hon. Lady referred to the length of the list in clause 16 of matters that can be taken into consideration. That relates to the point I made previously, namely that the sorts of issues that she is talking about, such as data flows, are already covered in the long list. The list is as long as it is because it is intended to look to the future. Therefore, being prescriptive in the way that she describes is fundamentally unnecessary. We are not excluding what she wants to be on the list. A matter is already very much there if it is pertinent to national security. For that reason, I do not think there is a compelling case to add that single topic to the list, both because it is already there and because if we start going down that route, we could make the case for adding a host of other things that are already covered but that people might want to be mentioned specifically.
As I said earlier on the convergence of the two sectors, the point is that we have comprehensive coverage through both Bills. It will be for the NCSC, Ofcom and the Government to make a judgment as to whether any consolidation in a sector poses a national security risk.
The Chair
We now come to amendment 20 to clause 17. This is Christian Matheson’s big moment. I call him to move the amendment.
Christian Matheson (City of Chester) (Lab)
I beg to move amendment 20, in clause 17, page 29, line 31, at end insert—
“(4) Where the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would, under subsection (2), be contrary to the interests of national security, a copy of the direction or notice must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.
(5) Any information excluded from what is laid before Parliament under the provision in subsection (3)(b) must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.”
This amendment would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to a designated vendor direction or designation notice which on grounds of national security is not laid before Parliament, thereby enabling Parliamentary oversight of all directions and notices.
The Chair
With this, it will be convenient to discuss the following: amendment 22, in clause 20, page 35, line 30, at end insert—
“(9) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section which relates to a direction or notice that has not been laid before Parliament on grounds of national security.
Amendment 23, in clause 20, page 37, line 41, at end insert—
“(10) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision which relates to a direction or notice that has not been laid before Parliament on grounds of national security.
Amendment 24, in clause 21, page 39, line 9, at end insert—
“(6) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction which relates to a direction that has not been laid before Parliament on grounds of national security.
Amendment 25, in clause 21, page 40, line 6, at end insert—
“(8) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification which relates to a direction that has not been laid before Parliament on grounds of national security.
Christian Matheson
I am sure the Committee has been waiting with bated breath for my big moment all morning, Mr Hollobone. May I say what a great pleasure it is to serve under your chairmanship?
I had prepared some notes to help me present the amendments, but I need not have bothered; I could simply have taken the Hansard report from last week and quoted my right hon. Friend the Member for North Durham. He talked about being a stuck record, but he is not; he is being consistent. I like to think that Labour has been consistent throughout the detailed consideration of the Bill. My hon. Friend the Member for Newcastle upon Tyne Central talked about the three areas that we consistently think would improve the Bill, and the amendment falls into one of those areas: scrutiny and the role of the Intelligence and Security Committee.
I refer to my right hon. Friend’s speech last week on amendment 9, when he talked about the desire to help the Bill. He also laid down a challenge. He commented on the fact that I thought that some parts of his speech were inspirational. They were, because they made me think quite a lot. There was one lightbulb moment when he used his experience of, I believe, 20 years in the House this year—on which I congratulate him—and said that the chances are that a similar amendment will be proposed in their lordships’ House and the Government may well agree to it.
My right hon. Friend also said that it is not necessarily a good thing for the Minister—not in this case, mind you—to be a tough guy who wants to get through the Bill without any amendments, when there is a genuine desire among the Opposition to get the Bill through. I remind the Minister and Government Members that we support the Bill. There have been occasions when an Opposition have tried to scupper, delay or make mischief with a Bill. I assure Government Members—I hope it is obvious to them—that there is no such skulduggery on this side of the House, not with this Bill and not ever, and certainly not when my hon. Friend the Member for Newcastle upon Tyne Central, my right hon. Friend the Member for North Durham and I on the Bill Committee. We are genuinely keen to improve the Bill during its passage.
The amendment again falls into one of the three areas my hon. Friend the Member for Newcastle upon Tyne Central has identified as necessary. As the Minister may have guessed, the chances are that we will not put it to the vote, but we do ask that he gives it careful consideration. I refer the Committee to the speech by my right hon. Friend the Member for North Durham last week about the role of the Intelligence and Security Committee. Amendments 20 to 25 relate to different clauses, but have the common aim of ensuring that there is correct parliamentary oversight of the process outlined in the Bill, specifically by referring all orders made under proposed new section 105Z11 of the Communications Act 2003 to the Intelligence and Security Committee.
It would normally be the Digital, Culture, Media and Sport Committee that would take on telecommunications matters. Additionally, the Secretary of State may lay orders before Parliament for general consideration and scrutiny. However, the Bill has our national security at its heart, and as a proud former member of the Culture, Media and Sport Committee, I am the first to admit that it would not be at all an appropriate forum for the consideration of such reporting to take place, nor would it be the normal procedure for laying orders before this House or the other place, either in general or on the specifics of the order.
As we touched on last week, the temptation is therefore the default position that no reporting at all would take place, which is clearly not desirable. I hope the Minister will confirm that that is not the Government’s intention. To be fair, I think he touched on that point last week, but it would be helpful if he could touch on it again.
The use of the ISC is therefore an elegant and obvious solution. The Committee, of which my right hon. Friend the Member for North Durham is such a distinguished member, has worked well and has the confidence of the House. It provides a secure and trusted forum for decisions of the Secretary of State that may have far-reaching commercial and technical implications, as well as security implications, to be scrutinised and considered by hon. Members who are able to receive the full facts and make a judgement based on them, while giving nothing away to those who wish us ill and would exploit our open democracy in doing so. I see no reason why our determination to protect our communications infrastructure should be used against us by our adversaries, but nor should that determination be traded off with a reduction in parliamentary scrutiny of the Executive and agencies that act on behalf of us all.
The ISC is there for a reason: it is precisely to cover situations such as this. If the Minister can propose an alternative solution that balances security with scrutiny, we would be pleased to hear it. I suspect this solution would also make commercial UK businesses more open to scrutiny themselves by offering a level of confidentiality, although I accept that that is not the primary role of the ISC.
It should also not be option for the Secretary of State to report. Such a chaotic patchwork would undermine the integrity of the Bill and the processes that we are setting up. Failing any alternative being proposed, we believe that these amendments, which involve the ISC acting on behalf of the whole House—indeed, the whole of Parliament—would fill a glaring hole and enhance the Bill. I commend them to the Committee.
Mr Jones
My hon. Friend the Member for City of Chester said that we were going over old ground, and to a certain extent we are because some of the amendments reflect those that I moved last week.
May I say at the outset, Mr Hollobone, that the Minister has been an exemplar in engaging with and briefing the ISC? He has set something of a precedent; usually we have only Cabinet Ministers or Prime Ministers before us to give evidence. He is one of the few junior Ministers to have appeared before us, so I congratulate him. He did it because he wanted to engage with the issues. He must therefore be commended on his commitment to ensure that there is scrutiny. However—this is not to wish his demise, but to argue for his promotion—he will not be there forever. I think he does not quite understand why the Government are not at least moving on this.
The ISC’s remit is defined in the Justice and Security Act 2013. It sets out which Departments we cover, and the Department for Digital, Culture, Media and Sport is not one of them. However, as I said last week, security is increasingly being covered by other Departments, and this Bill is a good example. The National Security and Investment Bill is another one, where security decisions will be taken by the Secretary of State for Business, Energy and Industrial Strategy. Parliament must be able to scrutinise that.
If a high-risk vendor is designated as banned from the network by the Secretary of State for Digital, Culture, Media and Sport, there are perfectly good reasons why the intelligence behind that cannot be put into the public domain. The methods by which such information is acquired are of a highly sensitive nature, so it would not only expose our security services’ techniques, but in some cases would make vulnerable the individuals who have been the source of that information. I think most people would accept that that is a very good reason.
This sort of thing is happening increasingly. We have the two Bills that I have referred to, but we also have the Covert Human Intelligence Sources (Criminal Conduct) Bill, which will come back to the House tomorrow. Covert human intelligence and the ability to collect intelligence on behalf of our security services is very important. Most of that is covered by the Home Office, and covert human intelligence sources are covered by the ISC’s remit and can be scrutinised. However, there is a long list of other organisations that will be covered by tomorrow’s Bill, including—we never quite got to the bottom of this—the Food Standards Agency, for example. Again, how do we ensure that there is scrutiny of the decisions?
We also have—this has come out of the pandemic—the new biosecurity unit in the Department of Health. Again, there is no parliamentary scrutiny, because the Health and Social Care Committee will not be able to look at the intelligence that supports so much of that. An easy way out of this is in the Justice and Security Act 2013: the memorandum of understanding, which just means that, were our remit extended to look at this and other matters, the ISC could oversee and ask for the intelligence.
Having spoken to the Business Secretary and the Minister, who sympathises with us, I am not sure where the logjam is in Government. The point is that an amendment will be tabled in the Lords. Whether the provision is in the Bill or just in the memorandum of understanding between the Prime Minister and the ISC, it is easily done and would give confidence that the process at least had parliamentary oversight.
On many of these decisions, frankly, the oversight would not be onerous; we are asking only that we are informed of them. On some occasions, we might not even want to look at the intelligence. It might be so straightforward that, frankly, it is not necessary, so I do not think that it is an administrative burden. I cannot understand what the problem is. To reiterate what I said last week in Committee, it is not about the ISC wanting to have a veto or block over such things. It is, rightly, for the Government and the Secretary of State to make and defend those decisions.
It is also not about the ISC embarrassing the Government, because we cannot talk in public about a lot of the information that we receive. It is not as though we would publish a publicly available report, because of the highly classified nature of the information. However, the ISC can scrutinise decisions and, if it has concerns, write to the Prime Minister or produce a report for the Prime Minister raising them. That gives parliamentary scrutiny of the Executive’s decisions.
As I say, the report might not be made public. People might ask, “Would that be a new thing?” No—it happens all the time. For example, on the well-publicised Russia report this year, there was a public report with redactions in it and quite an extensive annex, which raised some issues that we were concerned about. That annex was seen only by individuals in Government, including the Prime Minister.
There is already a mechanism, so I fail to understand why the Government want to oppose this. From talking to Ministers privately, I think that there is a lot of sympathy with the position and I think that we will get there eventually. How we get there and in what format, I am not sure—whether the method is to put it in the Bill or to do it through the mechanism in the 2013 Act. That might be a way forward.
Chi Onwurah
I rise to support the excellent comments made by my hon. Friend the Member for City of Chester and my right hon. Friend the Member for North Durham. I did well to delay my remarks till after my right hon. Friend had spoken, because he has set out very effectively, based on his considerable experience as a long-standing member of the Intelligence and Security Committee, both why it is important that that Committee should be consulted and receive the reports, and why it is hard to understand the Minister’s reluctance both in this Bill and in the National Security and Investment Bill to involve a source of such credible security expertise and, importantly, security clearance in key issues of national security.
I want to add two points to those made by my right hon. and hon. Friends. The first is to reiterate a point made previously: our security threats are changing, evolving and, unfortunately, diversifying. We see that in changes to our defence spending, in changes in the national review of our defence capabilities, and in changes in the evolution of the geopolitical landscape—the potential source of threats. However, the Minister does not seem able to support reflecting that by ensuring that, rather than keeping to our existing modes of parliamentary scrutiny, we enable parliamentary scrutiny of issues of national security by those who are best placed to carry out such scrutiny—undoubtedly members of the Intelligence and Security Committee.
I want to point briefly to a discussion in the evidence sessions. Ofcom made it clear that it does not consider itself in a position to make national security decisions, which is understandable, and that some of the decisions and considerations about national security with regards to telecommunications networks would require people who have STRAP clearance. Ofcom’s group director for networks and communications pointed to the fact that she had had STRAP clearance previously, and she said that if the NCSC
“feels that that is needed for the type of information that we may need to handle, we would make sure that happened.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 90, Q115.]
To my knowledge, Digital, Culture, Media and Sport Committee members do not have STRAP clearance. I would like the Minister to comment specifically on the level of security clearance required for members of the Committee that he has identified as being the location for scrutiny of important issues of national security. What level of security clearance do its members have? Would that enable the scrutiny that we all agree is in the best interests of the Bill?
I would like the Minister to respond to a specific example. Amendments 20, 22, 23, 24 and 25 are designed to require that the Intelligence and Security Committee has access to the appropriate information. There is a requirement for the Secretary of State to lay before Parliament a copy of a designated vendor direction, as set out in clause 15, which inserts new section 105Z11 into the Communications Act 2003. The new section states:
“The Secretary of State must lay before Parliament a copy of—
(a) a designated vendor direction;
(b) a designation notice;
(c) a notice of a variation or revocation of a designated vendor direction; and
(d) a notice of a variation or revocation of a designation notice.”
So far, so good—we have that scrutiny. However, the new section also says:
“The requirement in subsection (1) does not apply if the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would be contrary to the interests of national security.”
Chi Onwurah
We support clause 17 and our amendments are intended to make it more accountable to Parliament and therefore more successful and effective in securing our national security.
The Chair
Order. I misled the hon. Lady. We are now discussing amendments 20 and 22 to 25. When we finish the debate on those amendments, we will debate clause 17 stand part. The hon. Lady may want to save this part of her remarks until the next debate.
Chi Onwurah
Thank you, Mr Hollobone. It is sometimes confusing to know exactly what is being discussed at what point. With that, I ask the Minister to respond to our concerns about the scrutiny of the powers in the clause.
Matt Warman
I welcome the second salvo in the campaign to address this matter by the right hon. Member for North Durham. He said it would be an ongoing campaign.
This group of amendments would require the Secretary of State to provide information relating to a designated vendor direction or designation notice to the ISC. The amendments would require the Secretary of State to do this only where directions and designation notices had not been laid before Parliament, whether in full or in part, as a result of the national security exemptions in clause 17. It will not surprise the right hon. Member for North Durham or other Opposition Members that some of these short remarks will overlap with the conversation that we had earlier on a similar matter.
Amendment 20 would require designated vendor directions or designation notices to be provided to the ISC. Amendments 22 to 25 would require the Secretary of State also to provide the ISC with copies of any notifications of contraventions, confirmation decisions and so on. Although I recognise some Members’ desire for the ISC to play a greater role in the oversight of national security decision making across government, including in relation to this Bill, the amendments would, as the right hon. Member for North Durham knows, extend the ISC’s role in an unprecedented way. None the less, I thank his welcome for my unprecedented appearance.
As I said in the debate on amendment 9, the ISC’s primary focus is to oversee the work of the security and intelligence agencies. Its remit is clearly defined in the Justice and Security Act 2013, and the accompanying statutory memorandum of understanding, to which the right hon. Gentleman referred. I do not think he thinks it is my place to take a view on that role, and I do not think this Bill is the place to have that debate.
Mr Jones
Yes, but I would ask the Minister’s civil servants to read the Act before they write this stuff for him. The Act refers to “intelligence”. Our remit is not fixed by a Department. I know the Minister sympathises with this and that we will get there eventually, but I say to his civil servants, please read the Act.
Matt Warman
I will come on to that. Accepting any of these unilateral amendments to this Bill is not the appropriate place to achieve an overall enhanced role for the ISC—
Mr Jones
I am sorry to say to the Minister that it is not looking for an enhanced role at all. It is actually doing what it says in the Justice and Security Act 2013. It is about scrutinising intelligence. A lot of the information, which will be used by him and others in these orders, will be derived from the same decisions that we oversee .
Matt Warman
Absolutely. Members of the Committee should note that in exercising the powers created by this Bill, the Secretary of State will be advised by the NCSC on relevant technical and national security matters. The NCSC’s work already falls within the Intelligence and Security Committee’s remit, so the right hon. Gentleman has found his own salvation.
In that context, the amendment seems to duplicate that existing power, while also seeking to do something that is better done in reform of a different Act, if that is what the right hon. Gentleman seeks. I am sorry to disappoint him again. I think he knew already that I would do that, but I look forward to his third, fourth and fifth salvos in his ongoing campaign.
Christian Matheson
I hear the Minister’s explanation, which we have been over before when considering other amendments. He talks about other salvos by my right hon. Friend the Member for North Durham. I go back to the statement that my right hon. Friend made last week, which is that he expects that at some point something will happen and we will move forward.
The Chair
Order. If the hon. Gentleman would like to chair this afternoon’s sitting, I am sure we could arrange for him to do that. I know Members will be disappointed, but I am instructed to say that as it is 11.25 am, the Committee is now adjourned.
Telecommunications (Security) Bill (Eighth sitting)
Tuesday 26th January 2021
(3 years, 2 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 26 January 2021 - (26 Jan 2021)
The Committee divided: - Ayes: 3 / Noes: 10 - Question accordingly negatived.
The Committee divided: - Ayes: 3 / Noes: 10 - Question accordingly negatived.
The Committee divided: - Ayes: 3 / Noes: 10 - Question accordingly negatived.
The Chair
Before we begin, I know this is difficult and people forget, but Mr Speaker is clear: we should be wearing our masks if we are not speaking. I ask you to do your best to comply with that, because it is sensitive. The rules under which the House is allowed to operate have been agreed with health and safety, meaning that if we are not complying, not only are you putting everyone at risk, but unfortunately all the work that has been done could be invalidated. I urge people to do their best to remember.
Clause 17
Laying before Parliament
Amendment proposed (this day): 20, in clause 17, page 29, line 31, at end insert—
“(4) Where the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would, under subsection (2), be contrary to the interests of national security, a copy of the direction or notice must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.
(5) Any information excluded from what is laid before Parliament under the provision in subsection (3)(b) must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.”—(Christian Matheson.)
This amendment would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to a designated vendor direction or designation notice which on grounds of national security is not laid before Parliament, thereby enabling Parliamentary oversight of all directions and notices.
Question again proposed, That the amendment be made.
The Chair
I remind the Committee that with this we are discussing the following:
Amendment 22, in clause 20, page 35, line 30, at end insert—
“(9) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section which relates to a direction or notice that has not been laid before Parliament on grounds of national security.
Amendment 23, in clause 20, page 37, line 41, at end insert—
“(10) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision which relates to a direction or notice that has not been laid before Parliament on grounds of national security.
Amendment 24, in clause 21, page 39, line 9, at end insert—
“(6) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction which relates to a direction that has not been laid before Parliament on grounds of national security.
Amendment 25, in clause 21, page 40, line 6, at end insert—
“(8) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification which relates to a direction that has not been laid before Parliament on grounds of national security.
I need to understand, Mr Matheson, what your intention is.
Christian Matheson (City of Chester) (Lab)
As you correctly say, Mr McCabe, I need to announce my intention, but just as I was about to, the Committee was halted. I am reminded of the occasion involving that notorious football referee Clive Thomas. The 1978 World Cup blew up against Brazil because, as the ball was heading towards the goal, he disallowed the goal. That was rather how I felt this morning.
That said, I do not wish to press the matter further, despite the fact that I had devastating remarks that would have swayed the Minister. I will not put my amendments to the vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 17 ordered to stand part of the Bill.
Clause 18
Monitoring of designated vendor directions
Question proposed, That the clause stand part of the Bill.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
It is a pleasure to be back under your chairmanship, Mr McCabe.
I will try to rattle through these as quickly as I can. Clauses 18 to 23 cover monitoring and enforcement, and further provisions relating to non-disclosure and information requirements. Clause 18 gives the Secretary of State the power to give Ofcom a monitoring direction, requiring the regulator to obtain information relating to a public telecoms provider’s compliance with a designated vendor direction and to provide that information in a report to the Secretary of State.
The clause also includes requirements about the form of such reports and the procedures around their provision, but it does not create any new powers for Ofcom, which already has them under section 135 of the Communications Act 2003. The provisions in the clause are an integral part of the compliance regime. The power to give a monitoring direction to Ofcom is necessary to ensure that the Secretary of State has the ability to require it to provide the information needed to assess compliance with designated vendor directions.
Clause 19 provides Ofcom with the power to give inspection notices to public communications providers. The provisions will apply only where the Secretary of State has given Ofcom a monitoring direction. Inspection notices enable Ofcom to gather information from communications providers in relation to their compliance with a direction. The notices are a tool for Ofcom to give effect to its obligations under a monitoring direction.
Clause 19 also sets out the new duties that inspection notices can impose, the types of information that they can be used to obtain and how the duties in an inspection notice will be enforced. Ofcom may only give inspection notices in order to obtain information relating to whether a provider has complied or is complying with a direction. The notice power cannot be used to obtain information relating to whether a provider has complied or is complying with a direction. The notice power cannot be used to obtain information relating to how a provider is preparing to comply with a direction. Ofcom can instead use its other information-gathering powers under section 135 of the Communications Act 2003 to obtain such information.
Clause 20 provides the Secretary of State with the powers necessary to enforce compliance with designated vendor directions, as well as with any requirement for a public communications provider to prepare a plan setting out the steps it intends to take to comply. It is the Secretary of State’s responsibility to issue directions where necessary in the interest of national security. Clause 20 is essential to ensure that the Secretary of State can carry out this role effectively and enforce compliance with any directions issued. New sections 105Z18 to 105Z21 will be inserted into the Communications Act 2003 for this purpose. The provisions set out the process that the Secretary of State will follow in instances where an assessment is made that a public communications provider is not acting in compliance with the direction or with the requirement to provide a plan. The process encompasses giving a contravention notice, enforcing it and imposing penalties for non-compliance. The clause is essential in ensuring that the Secretary of State can carry out the role effectively and deters and penalises instances of non-compliance.
Clause 21 provides the Secretary of State with the power to give urgent enforcement directions. Provisions to enable urgent enforcement are needed in cases where the Secretary of State considers that urgent action is necessary to protect national security or to prevent significant harm to the security of a public electronic communications network, service or facility.
Clause 22 creates a power for the Secretary of State to impose a requirement on public communications providers or vendors not to disclose certain types of information without permission. The provisions are necessary to prevent the unauthorised disclosure of information, which would be contrary to the interest of national security.
Finally, clause 23 creates a power for the Secretary of State to require information from a public communications provider or any other person who may have information relevant to the exercise of the Secretary of State’s functions under clauses 18 to 21. For example, the Secretary of State can require information on a provider’s planned use of such goods or information relating to how a network is provided. It can also include information about the proposed supply of goods or services. The ability to gather such information would ensure that the Secretary of State is able to make well-informed decisions when considering whether to issue designation notices and designated vendor directions. Information obtained through the use of this power can also be used to support the monitoring of compliance, with directions supplementing information gathered by Ofcom through its information-gathering and inspection notice powers.
To summarise, new sections 105Z18 to 105Z21 together establish the power and processes that outline how the designated vendor regime will be monitored and enforced. The provisions in clause 22 are needed to manage the disclosure of information, the unauthorised disclosure of which may be contrary to national security, and clause 23 will ensure that the Secretary of State is able to obtain the information necessary to make assessments to determine whether to give a notice or direction and to assess compliance.
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
It is a pleasure to serve under your chairmanship once again, Mr McCabe. I will not detain the Committee long with a consideration of the clauses, and I thank the Minister for so ably setting out what the clauses aim to achieve. Indeed, we on this side recognise the importance and the necessity of clauses 18 to 23 in establishing the process and ensuring the powers to obtain information and enforce direction as part of that process.
We only reiterate a small number of important points to draw attention once again to the breadth of the powers, which enable the Secretary of State to require information to an almost unlimited extent. Given the breadth of the powers, the information and progress on the telecommunications diversification strategy is, once again, notable by its absence. Given the breadth of the requirements, it is notable that there is nothing on progress on the diversification strategy. Nor, if my memory serves me correctly, does the impact assessment reflect the potential costs to either the network operators or Ofcom in exercising these powers. The clauses do not set out the impact and they emphasise once again the importance of Ofcom having the appropriate resources to enable it to carry out the requirements effectively. I hope that the Minister will bear those limitations in mind in his ongoing review of the Bill.
Question put and agreed to.
Clause 18 accordingly ordered to stand part of the Bill.
Clauses 19 to 23 ordered to stand part of the Bill.
Clause 24
Further amendment concerning penalties
Question proposed, That the clause stand part of the Bill.
Matt Warman
Clause 24 enables higher penalties than those currently set out in the Communications Act 2003 to be issued by Ofcom, and clause 25 makes two necessary consequential amendments to that Act. The penalties under clause 24 can be imposed for contraventions of requirements to provide information to Ofcom for the purpose of its security-related functions. That includes when providers do not provide information requested by Ofcom for the purpose of providing a report to the Secretary of State.
Penalties can be set at a maximum of £10 million or, in the case of a continuing contravention, up to £50,000 a day. These maximum penalties are a marked increase on the existing ones, which are capped at £2 million, or £500 a day. This clause ensures that the maximum penalties are the same as those in clause 23. The size of these penalties is appropriate given the potential impact of the situation described. Proposed new section 139ZA(5) of the 2003 Act, inserted by this clause, gives the Secretary of State the power to change, by regulations subject to the affirmative procedure, the maximum amount of the fixed and daily penalties. That will help to future-proof the framework by ensuring that penalties can be adjusted over time—for example, because of inflation.
In summary, clause 24 enables Ofcom to issue the financial penalties necessary to ensure that providers supply it with the information that it needs. Clause 25 contains the consequential amendments to that, which are necessary because the Bill creates a number of powers to make regulations and some of those regulations will amend primary legislation.
The Chair
With this it will be convenient to discuss the following:
Clause 27 stand part.
Government amendments 1 to 4.
Clauses 28 and 29 stand part.
Matt Warman
I will be brief, but it is important to cover the Government amendments. The clause provides that any increase in expenditure attributable to the Bill is paid out by Parliament. Clause 27 covers the extent of the Bill and clause 28 provides for the commencement of the Bill’s provisions.
I turn to the small set of amendments that the Government deem necessary, given that the Bill will be carried over to the second Session. The Bill creates new national security powers for the Secretary of State to address the risks posed by high-risk vendors through the issuing and enforcement of designated vendor directions in clauses 15 to 23 and 24. Amendment 1 enables clauses 15 to 23 to come into force on the day on which the Bill receives Royal Assent. Amendment 2 ensures that the higher penalties also come into force. Amendment 3 removes the subsection of clause 28 providing for sections to come into force at the end of the two-month period. Finally, amendment 4 ensures that the provisions of clause 24 that are not commenced early come into force via commencement regulations on a day determined by the Secretary of State. Without the amendments, the provisions relating to those powers would come into force two months after the Bill receives Royal Assent, which could put at risk the timely implementation of this important policy.
Question put and agreed to.
Clause 26 accordingly ordered to stand part of the Bill.
Clause 27 ordered to stand part of the Bill.
Clause 28
Commencement
Amendments made: 1, in clause 28, page 46, line 19, leave out “section 14” and insert “sections 14 to 23”.
This amendment would cause clauses 15 to 23 to come into force on Royal Assent.
Amendment 2, in clause 28, page 46, line 19, at end insert—
“(ca) section24, so far as it relates to section18;”.
This amendment is consequential upon Amendment 1. Clause 24 provides for higher penalties to be available for certain contraventions of information requirements, including contraventions associated with section 105Z12 of the Communications Act 2003, which is inserted by clause 18.
Amendment 3, in clause 28, page 46, line 25, leave out subsection (2).
This amendment is consequential upon Amendments 1 and 2.
Amendment 4, in clause 28, page 46, line 30, at end insert—
“(ba) section 24 (so far as not already in force by virtue of subsection (1));”.—(Matt Warman.)
This amendment is consequential upon Amendments 1 and 2.
Clause 28, as amended, ordered to stand part of the Bill.
Clause 29 ordered to stand part of the Bill.
New Clause 3
Duty of Ofcom to report on its resources
‘(1) Ofcom must publish an annual report on the effect on its resources of fulfilling its duties under this Act.
(2) The report required by subsection (1) must include an assessment of—
(a) the adequacy of Ofcom’s budget and funding;
(b) the adequacy of staffing levels in Ofcom; and
(c) any skills shortages faced by Ofcom.’.—(Christian Matheson.)
This new clause introduces an obligation on Ofcom to report on the adequacy of their existing budget following the implementation of new responsibilities.
Brought up, and read the First time.
The Chair
With this it will be convenient to discuss new clause 7— Review of Ofcom’s capacity and capability to undertake duties (No.2)—
‘(1) The Communications Act 2003 is amended as follows.
(2) After section 105Z29 insert—
“105Z30 Review of Ofcom’s capacity and capability to undertake duties
The Secretary of State must, not later than 12 months after the day on which the Telecommunications (Security) Act 2021 is passed, lay before Parliament a report on Ofcom’s capacity and capability to undertake its duties under this Act in relation to the security of public electronic communications networks and services.”.’
This new clause would require the Secretary of State to report on Ofcom’s capacity and capability to undertake the duties provided for in the Telecommunications (Security) Bill which would be inserted into the Communications Act 2003 under the cross-heading “Security of public electronic communications networks and services” (which would encompass all the clause numbers which start with 105).
Christian Matheson
I do not want to detain the Committee all that long. The basis of the new clause is to ensure that Ofcom has the staffing and financial resources, as well as the capacity and technical capability, to undertake its new responsibilities under the Bill.
I remind the Committee that we heard in the evidence sessions that this is only one of several new areas of responsibility that Ofcom has received in recent years. For example, it now has responsibilities for regulating aspects of the work of the BBC. Parliament will be presenting Ofcom with responsibilities in relation to online harms, all of which is to be welcomed, but we have to recognise that there will be an overstretch for Ofcom.
In the area that the Committee is considering, there are technical complications that require specific sets of talents and capabilities which, we have heard previously, are not always in ready supply in the sector. We heard evidence that Ofcom, in common with other public sector bodies, does not pay as highly as some high-end consultancies, suppliers, developers or software houses, and therefore there will be churn. I do not want to stand in the way of anyone’s career development, but understandably there will be churn, in terms of Ofcom’s ability to maintain its responsibilities in what we know will be a continually evolving sector that throws up new technical challenges.
New clause 3 provides a duty on Ofcom to report on its resources, including the
“the adequacy of Ofcom’s budget and funding…the adequacy of staffing levels….and any skills shortages faced”.
In doing so, it will concentrate the minds of senior management at Ofcom, although I have no doubt that those minds will be focused on these matters already. Perhaps they will give this priority, particularly in terms of forward planning, and they will think, “We’re okay at the moment, but are we going to require extra and additional capability in area x, y or z in the next couple of years.” It will also focus and concentrate the minds of Ministers and Parliament, ensuring that Ofcom has the resources and capability to achieve the tasks that we have given it.
We heard many lines of evidence from the expert witnesses. My hon. Friend the Member for Newcastle upon Tyne Central may refer to some of them in her contribution, and I do not want to undermine that. Professor Webb said:
“I doubt Ofcom has that capability at the moment. In principle, it could acquire it and hire people who have that expertise, but the need for secrecy in many of these areas is always going to mean that we are better off with one centre of excellence”.
Emily Taylor of Oxford Information Labs said:
“Ofcom is going to need to upskill. In reality, as Professor Webb has said, they are going to be reliant on expert advice from NCSC, at least in the medium term,”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 79, Q95.]
The new clause is about assisting Ofcom to make an audit of what is available and ensuring that it is up to standard in terms of technological changes. It will also ensure that it is looking forward, in the midst of all the other responsibilities that Parliament is asking it to undertake, in order to maintain a level of skills and expertise that will enable it to undertake the snapshot reviews of current networks, as well as reviews of future provision and threats to the network. I hope that the new clause is self-explanatory and I am pleased to present it to the Committee.
Mr Kevan Jones (North Durham) (Lab)
I would like to speak to new clause 7, which stands in my name. It is related to new clause 3, in the name of my hon. Friend the Member for City of Chester. As he has just said, Ofcom has had an expansion of its duties in the last few years and become a little bit like a Christmas tree with added responsibilities, but none of them will be as important for the nation’s future as this. That is not to decry any of the expertise or other duties that Ofcom has, but national security and the security of our national telecoms infrastructure, is a vital new task. I have said before that my concern about Ofcom centres on national security. That is why I have tabled amendments to the Bill. My fear is that Ofcom will not have the necessary expertise, although I am not suggesting that it cannot develop into a good regulatory body looking at security and our national telecoms infrastructure.
I tabled parliamentary questions on Ofcom’s budgets and headcounts, and I am glad to see that its budget and personnel have increased as its tasks have grown. That was not the case in 2010, when its budgets were subject to some quite savage cuts. My concern—I will call this my Robin Day approach—is that we have to future-proof Ofcom to ensure that the organisation not only has the budget but also has the personnel it needs. I do not want to suggest that the Minister would want to cut Ofcom’s budget at present, as it does important work. However, it is a regulator and perhaps does not have the clout of a Government Department, so any future Chancellor or Treasury looking for cuts disguised as efficiencies could see it as easy, low-hanging fruit.
Ensuring that the Secretary of State undertakes duties highlighting Ofcom’s efficiency puts a spotlight on the basis of considerations by future Administrations of any political persuasion. That will be important, not just in the early stages but as we continue. It may take a while for Ofcom to get up to speed, but I want to ensure that that continues. The obligation for the Secretary of State to report on Ofcom would at least give me comfort that first, it is being looked at and, secondly, that civil servants cannot in future just assume that an easy cut can be made but which might then impact on our national security.
I raised another subject with the head of Ofcom when she appeared before the Committee. I do not really want to rehearse the discussions again, but as the Bill progresses the Minister will have to give assurances on security, and try to demonstrate the close working relationship between Ofcom and the security services. That will be important, as it will give credibility to the expectation that Ofcom can actually do the job that we have set out. If the Minister does that, it will reassure people who may not be convinced that Ofcom has the necessary expertise, and ensure that that close working relationship continues, not just now but in future, so that national security is at the centre of this.
There will always be a balance—as I said, we saw it in the National Security and Investment Bill—between wanting, quite rightly, to promote telecoms as a sector, and national security. I fall very much on the side of national security being the important consideration, and we need to ensure that that is always the case. It is important that national security and intelligence agencies are able to influence these decisions, not just in respect of Ofcom but also in respect of Ministers in future.
Chi Onwurah
I support and second the comments and contributions of my hon. Friend the Member for the City of Chester (Christian Matheson) and of my right hon. Friend the Member for North Durham (Mr Kevan Jones), who tabled new clauses 3 and 7. I would also like to congratulate the Committee on having made it through, as it were, the thickets of the Bill as it stands to the sunlit uplands of our new clauses, which are designed to improve it in a constructive and supportive way.
New clauses 3 and 7 both address the challenge of Ofcom’s resources. As Members of the Committee know, I joined Ofcom in 2004. I know that we are not allowed to use props in debates in the Chamber, but the Communications Act 2003, which I am holding in my hand, is the Act with which the Bill is concerned. The changes that the Bill makes are mainly adding to that Act.
Mr Jones
This is about resources for Ofcom as a whole, but there will also be debate within Ofcom about how its resources are spent. Without any ring-fenced moneys for security, is my hon. Friend concerned, like me, that not only the external control of the budget but that debate internally might compromise security?
Chi Onwurah
My right hon. Friend makes an excellent point. This debate is important for the Bill and important for our new clauses. It is also important that the Minister clarifies what the duties and priorities of Ofcom should be. Having worked for Ofcom at a different point in its history, I can tell hon. Members that when there is, say, a complaint about the behaviour of somebody in the “Big Brother” household that is hitting all the headlines in all the newspapers, that attracts the sudden concentration of resource—unnecessarily, one might argue. There needs to be a counterweight, if you like, to those headline-driven resourcing bottlenecks, which would be either ring-fencing or reporting on how resource is being used to support national security.
All Opposition Members are clear that national security must be the first priority of Government, and therefore the first priority of Ofcom. This is all the more relevant as I pick up the Communications Act 2003, in all its weightiness, where we find the general duties of Ofcom in section 3:
“It shall be the principal duty of OFCOM, in carrying out their functions—(a) to further the interests of citizens in relation to communications matters; and (b) to further the interests of consumers in relevant markets, where appropriate by promoting competition.”
Security is not mentioned—national security or telecommunications security. During the evidence sessions, the argument was made, although I forget by whom, that security was a necessary part of furthering the interests of citizens in relation to communication matters. That is possibly true, but I still think this important issue would be improved by clarity.
As we know, there is a significant pressure on Ofcom’s resources, which changes week by week and month by month depending on what the issues are in the many and increasing domains in which it operates. If these principal duties of Ofcom do not reflect our national security, the concern is that having no direct reporting mechanism to Parliament could mean these resources being used opaquely, with no direct requirement to prioritise national security. I hope the Minister will agree that new clauses 3 and 7 solve a problem the Bill will have in practice. I hope that if he will not agree to the clauses as they stand, he will agree to consider how Ofcom’s prioritisation of national security interests can be made clearer.
Mr Jones
As I have said before, I am not a great fan of arm’s length regulators, because it is a way of Government Departments and Ministers off-loading their responsibilities. Given how my hon. Friend has described the Bill, the way this is going means that Ofcom will be larger than DCMS in the future. Does she share my concern about accountability if things go wrong? It is a good get-out for the Government to be able to hide behind Ofcom, rather than Ministers taking direct responsibility.
Chi Onwurah
As always, my right hon. Friend raises a good point. Having worked for a quango, I had clear insight into the line between independence and dependence, and into the importance of the political will of the Government, regardless of supposed independence. Equally, I saw how any regulator or supposedly independent organisation can be used as a shield for Ministers who do not want to take responsibility.
My right hon. Friend also raises a good point about the hollowing out of capacity in Government Departments. A consequence of 10 years of austerity and cuts is that DCMS and other Departments do not have the capability, capacity or resources that they previously might have enjoyed. I will point out to the Minister the example of the Government’s misinformation unit. It has no full-time employees and is supposed to exist using resources already in the Department—for something as critical now, with the vaccine roll-out, as disinformation.
My right hon. Friend is right to emphasise that given the relationship between the Government and Ofcom, which is an independent regulator, and given the increase in responsibilities that the Bill represents at a time when other responsibilities are also being added to Ofcom, the Minister cannot have it both ways. He cannot have no visibility when it comes to Ofcom’s resources and capacity while giving it yet more responsibility. In fact, this seems to be responsibility without accountability. I hope the Minister will take on board the suggestions in new clauses 3 and 7.
Matt Warman
I thank the hon. Lady for her contributions. To address her central point, it would not be possible for Ofcom to meet the duties Government have tasked it with without addressing the foundational issue of security. It is important that we bear in mind that that is not an exhaustive list, but security will always be a foundational point.
The new clauses would require the Secretary of State to lay a report before Parliament within 12 months of Royal Assent. New clause 3 would require Ofcom to publish an annual report on the adequacy of its budget, resourcing and staffing levels in particular.
As the Committee is aware, the Bill gives Ofcom significant new responsibilities. Ofcom’s budget is approved by its independent board and must be within a limit set by the Government. Clearly, given the enhanced security role that Ofcom will undertake, it will need to increase its resources and skills to meet these new demands. As such, the budget limit set by the Government will be adjusted to allow Ofcom to carry out its new functions effectively. This is of a piece with the direction of travel we are going in. In 2012, Ofcom had 735 employees. Last year, it had 937 employees, so as its remit has expanded, so has its headcount. That will continue to be reflected in the level of resourcing that it will be given.
Christian Matheson
Budget allocations can go down as well as up and there might be a future Government who are not quite as generous as past Governments have been. What guarantee can the Minister offer us that without some kind of reporting, such as that we propose, Ofcom’s budget will not be frozen or, indeed, reduced?
Matt Warman
Ultimately, a mechanism already exists by which Parliament is able to scrutinise Ofcom’s resourcing. Ofcom is required under the Office of Communications Act 2002 to publish an annual report on its financial position and other relevant matters. That report, which is published every March—I am sure the hon. Gentleman is waiting with bated breath for the next one—includes detail on Ofcom’s strategic priorities as well as its finances, and details about issues such as its hiring policies.
Matt Warman
The right hon. Gentleman asks me a question that I may be able to answer in a moment, depending on a number of factors. As for the thrust of his question, Ofcom is ultimately a serious regulator that has the resourcing to do a serious job. The right hon. Gentleman would be criticising us if it had fewer people, so he cannot have his cake and eat it by criticising the fact it has enough to do the job—but I think he is going to have a go.
Mr Jones
Quite the opposite. This just reinforces my point about quangos. If we reach a situation where quangos are bigger than the sponsoring Department it is perhaps best to keep things in-house rather than having arm’s length quangos and the nonsense behind which we hide in this country about so-called independence.
Matt Warman
The reality is that the relationship between Government Departments and regulators is very often incredibly close, but independence is an important part of regulation. Although the right hon. Gentleman makes a reasonable point about the optimal size for in-house expertise versus external expertise, it is getting the balance right between Ofcom, the National Cyber Security Centre and DCMS that this Government and the reporting measures we already have are fundamentally committed to providing.
The right hon. Gentleman talked about Ofcom’s resourcing. Ofcom will not be making decisions on national security matters, as we have said repeatedly, but it will to be responsible for the regulation around these issues. As the right hon. Gentleman said, the Intelligence and Security Committee has shown great interest in how Ofcom is preparing for its new role.
As for the point about disclosure and resources, I would be happy to write to the ISC to provide further details in the appropriate forum about Ofcom resourcing and security arrangements. This could include information that cannot be provided publicly, including information about staffing, IT arrangements and security clearances of the sort that we have discussed. I hope that Opposition Members understand that that is the appropriate forum to provide reassurance and to satisfy the legitimate requirements of public scrutiny on this issue.
Chi Onwurah
I thank the Minister for giving way and for the tone of his response to the different points we made. I will leave the reassurance about writing to the ISC to my right hon. Friend the Member for North Durham. Does the Minister recognise that that does not address the issue of Ofcom’s resources and reporting more generally, particularly lower down the pipeline, when it comes to national security? We have emphasised again and again the breadth of powers. The Minister has said that Ofcom will have the discretion, for example, to require an audit of all operators’ equipment—an asset register audit. It will take significant resource to understand the audit when it comes back. There are significant resource requirements involved that do not necessarily require security clearance but are nevertheless essential to effective security, and the Minister does not really seem to be offering reassurance on those.
Matt Warman
I would say that there is a sensible place to put some of that information, which is the communication to the ISC that I have offered, and there is a sensible place to put other information, which is the annual reporting that already exists. Hopefully the hon. Lady can find some comfort in the fact that both the information that cannot be shared publicly and the information that can will be subject to an appropriate level of parliamentary and public scrutiny.
Christian Matheson
I simply want to welcome the Minister’s comments, and the fact that he has recognised that the Intelligence and Security Committee is the appropriate place to discuss these matters, which, of course, cuts across other clauses that the Committee has already considered. He might bear that in mind on Report.
Matt Warman
I thank the hon. Gentleman for that intervention. I hope that now that I have given those various reassurances, hon. Members are appropriately comforted.
Everyone is waiting for the headcount of DCMS; I am assured that it is 1,304 people, some 300 more than that of Ofcom. I do not know whether that makes the right hon. Member for North Durham happier or more sad.
Matt Warman
We can discuss the optimal sizes of quangos and Departments outside this room. However, the right hon. Gentleman is obviously right that Government Departments and regulators need the resources they require to do their job properly. I hope that by describing the various mechanisms I have provided hon. Members with the reassurances they need to withdraw the new clause.
Christian Matheson
First, I owe you an apology, Mr McCabe; so keen was I to crack on with the consideration of the Bill that I did not say how great a pleasure it was to serve yet again under your chairmanship. I should have done so at the outset and I apologise.
I am grateful to the Minister for his response. I am looking to the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, for a little guidance. It could well be that we might want to serve a little bit longer under your chairmanship, Mr McCabe, by testing the views of the Committee on new clause 3, if we may.
Question put, That the clause be read a Second time.
Chi Onwurah
I beg to move, That the clause be read a Second time.
New clause 5 is similar in its intent to amendment 19, which we discussed earlier. As with all our amendments and new clauses, it is designed to improve the Bill through ensuring greater scrutiny, focus, transparency and security for the diversification of our network. It would introduce a requirement for the Secretary of State to report to Parliament on the impact of vendor designation on national security risks. It would also require Ofcom to produce a forward-looking report on future threats to network security and undertake an assessment of the adequacy of existing measures.
At the centre of the new clause is a wish to reflect the importance of national security not as a snapshot in time but as something that needs to be continually monitored, considered and assessed for future impact. The new clause would require the Secretary of State to produce an annual report for the Intelligence and Security Committee of Parliament. That would ensure that the report can be comprehensive with regard to security issues that might not be appropriate to share with the public or the Digital, Culture, Media and Sport Committee. The new clause would require that the annual report should concern designated vendor directions made under new section 105Z1 and designation notices issued under new section 105Z8. The report must contain an assessment of the national security risks underpinning the directions and notices made under those sections. That is for the Secretary of State to report.
In addition, Ofcom would be required to produce an annual report for the Intelligence and Security Committee to assess the adequacy of existing security measures within the UK public electronic communication network and services. Critically, it should assess future threats to the security of the networks.
As we have discussed, the Bill gives major sweeping powers to the Secretary of State and Ofcom. We want to ensure that they are proportionate and accountable. Like amendments 5, 9, 10, 20 and 22 to 25, the new clause seeks to address issues of oversight, scrutiny and transparency. We have taken some heart from the Minister’s recognition in the previous debate of the unique role of the Intelligence and Security Committee in assessing security implications, in that case resourcing for Ofcom. The new clause would ensure a focused accountability to Parliament, via the Intelligence and Security Committee, of the notices, designated vendor directions and designation notices made under the provisions of the Bill, and the existing security measures and future threats.
As aspects of this have already been debated, I want to focus on assessing future threats to the security of the network and services. The Minister might say that that is part of the responsibility of the National Cyber Security Centre. What we see is a massive transformation of how the UK addresses security in telecommunication networks, for very good reasons, and a significant amount of the responsibility falls on Ofcom.
Matt Warman
As the hon. Lady said, we have addressed various issues relating to the new clause in previous debates. It is important to stress that Ofcom has the resources that it needs. She talked about its ability to face the future, but in our evidence sessions, we talked to Simon Saunders, the director of emerging technology. I know she does not wish to suggest that Ofcom does not do this already, but demonstrably it is already proactively engaged in horizon scanning.
Chi Onwurah
Speaking as someone who was head of technology at Ofcom, I am aware that it engages in horizon scanning. I am sure the Minister will come on to this, but while there might be horizon scanning to understand how markets evolve and what level of competition may be seen in new markets in the future, the new clause deals specifically with horizon scanning for security and security threats. I am sure the Minister will focus on that.
Matt Warman
It is important to say that we have amended section 3 of the Communications Act 2003, to which the hon. Lady alluded, so that Ofcom must have regard to the desirability of ensuring the security and availability of networks and services, so that should be incorporated into the horizon scanning work.
Chi Onwurah
This is an important point. I do not think the 2003 Act has been amended, since I had it reprinted a week ago. We were talking about the principal duties. Under section 3, Ofcom has about two and a half pages of duties that it needs to carry out, but only two principal duties. Those principal duties do not mention security.
Matt Warman
The hon. Lady is right, but as of 31 December 2020, section 3(4) states:
“OFCOM must also have regard, in performing those duties, to such of the following as appear to them to be relevant in the circumstances…the desirability of ensuring the security and availability of public electronic communications networks and public electronic communication services”.
It is absolutely there, but I fear we are getting into a somewhat semantic argument.
Chi Onwurah
The Minister is generous in supporting this back and forth in debate. I will close by pointing out that the duty to which he refers is one of 13 duties, so it can hardly be considered a priority. To put it more fairly, to ensure that it is a principal priority, it would need to be elevated.
Matt Warman
I think an organisation of 937 people can cope with 13 priorities. On one level, however the hon. Lady makes a reasonable point, and it is not one that we disagree with. Security has to be absolutely central to the work that Ofcom will do.
I will not restate the points I have made about how seriously we take the Intelligence and Security Committee and how seriously we will continue to take it. We will continue to write to the Committee on topics of interest as they arise and we are happy to continue to co-operate in the way that I have done; however, as I said in the debate on amendment 9, the primary focus of the ISC is to oversee the work of the security and intelligence agencies, and its remit is defined in the Justice and Security Act 2013. Amending the Bill to require regular reporting to the ISC, as proposed by the new clause, would risk the statutory basis of the ISC being set out across a range of different pieces of legislation.
Matt Warman
Earlier, the right hon. Gentleman was suggesting that it was the memorandum of understanding that he would like to see amended. Now he seems to be suggesting that we should insert the new clause, which will not change the memorandum of understanding.
Mr Jones
No, I said in an earlier contribution that if it were done by the memorandum of understanding, I would be quite happy. I know the Minister is limited in the number of civil servants he has beneath him compared with Ofcom, but will he go away and read the Justice and Security Act 2013? It talks about Departments, but it also talks about intelligence more broadly, which is covered by the memorandum of understanding. I do not know why he is pushing back on this issue; it may be because of the Cabinet Office, which has more civil servants than he has. I suggest that we will win this one eventually.
Matt Warman
That may well be the case, but the right hon. Gentleman is not going to win it here—that is the important point to make. It is right not to try to address this issue in the new clause, but the Government will continue to take very seriously the work of the ISC, as he would expect.
Additionally, the new clause is designed to require Ofcom to provide annual reports to the ISC, which would, as the right hon. Gentleman knows, be particularly unusual in the context of the work of the Committee, as Ofcom will not be making judgments about the interests of national security under the Bill, or as part of its wider function. Ofcom’s role as regulator seems not to be something that comes under the purview of the ISC, even if I understand the broader point. As I said earlier, however, the NCSC is very much under the purview of the ISC, and there are plenty of opportunities for the Committee to interrogate the work of that excellent agency. I am sure the Committee will continue to take up such opportunities with vigour, but as I have said before, it would not be right to seek to reframe the remit of the ISC through the new clause. I ask the Opposition to withdraw it.
Chi Onwurah
I thank the Minister for his comments and for engaging so readily in debate. I have to say that we feel very strongly about the new clause, both for parliamentary scrutiny and for ensuring that Ofcom is looking forward and assessing future threats. With bated breath, I wish to test the will of the Committee on the new clause.
Question put, That the clause be read a Second time.
Chi Onwurah
I beg to move, that the clause be read a Second time.
It is with some sadness that I come to the last new clause we have to present—[Interruption.]. I see that causes some hilarity in the Committee; I am sure that is just nervous laughter and everyone shares my dismay that the focus on telecommunications that the Committee has ably exhibited for the last few sittings will soon come to an end. Our consideration in some detail of the importance and implications of our telecoms network’s security must conclude, but I am pleased that we end on this new clause, which sums up one of the key themes we have focused on throughout our discussions: the importance of the diversification strategy.
Many amendments tabled by the Opposition reflect our concern that the Bill claims to seek the security of our telecommunications networks and yet does not mention once the diversification strategy. We are moving the new clause to put that right. We support the Bill and the Government’s aims in the Bill. We believe it is right to remove high-risk vendors from the UK’s networks and to take the measures in the Bill that will ensure that the Government will be able to designate vendors and require telecoms operators to comply with security requirements. However, those steps must go hand in hand with credible measures to diversify the supply chain, and that must be subject to parliamentary scrutiny.
As I said, the Bill as drafted fails to mention the Government’s diversification strategy and chooses to ignore the impact that the new powers afforded to the Secretary of State and Ofcom will have on supply chain diversity. The Minister recognises that they will reduce diversity, yet there is no reference to the steps that will be taken to diversify the supply chain. The new clause would require the Secretary of State to report on the Government’s diversification strategy’s impact as it relates to the security of telecommunications networks and services.
The Opposition have argued throughout our deliberations that the sweeping powers afforded to the Secretary of State and Ofcom by the Bill must be put under proportionate scrutiny, and the new clause would do that. It would bring about a debate in the House on the findings of the Secretary of State’s diversification strategy report and require a ministerial response no more than two months after the report’s publication. The new clause would therefore provide accountability for the diversification strategy’s progress and lead to real action, not just talk.
It has been said that
“it is essential that we create a more diverse and competitive supply base for telecoms networks”
because reliance on two providers creates “an intolerable resilience risk”. Those are not my words, but the words of the Secretary of State. Members from across the House agree that we cannot have a robust and secure network with only two service providers. That is something we were repeatedly told in the evidence sessions. The chief technology officer of BT Group, the director of emerging technology at Ofcom and the former head of cyber-security at GCHQ think so, and even the Secretary of State thinks so, yet the lack of link between the diversification strategy implementation and the security of our networks is ongoing cause for concern. Now we have the chance to take action, and I am glad to offer the Minister the opportunity to put this right.
This is not new information. The dependence of our telecoms networks on diversifying the supply chain was set out in the 2019 telecoms supply chain report. A leak from that report caused a Cabinet resignation, so important was it considered to be. Unfortunately, in the intervening year and a half, the Government have failed to act, refusing to take the necessary steps to ensure the diversification of our national supply chain, leaving us at real risk of being short-changed on national security. I emphasise, once again, that we place national security at the heart of everything that we do in this Committee.
The UK defence industry seeks to encourage, support and create markets for UK small and medium-sized enterprises, supporting the very best in innovation and helping innovative small and medium-sized enterprises to grow. We would like to see the UK’s telecommunications industry do likewise, to ensure a sovereign security capability. We want the Bill and the diversification strategy to create significant opportunities for UK businesses, linking them to global supply chains.
I welcome the Government’s diversification strategy. After all, I have been calling for a strategy to grow and diversify our telcoms sector for a long time—even before I came to this House. Although the Government have been talking about such a strategy for some time—there was an awful lot of talk about a diversification strategy and bigging it up before it was published—as is often the case with this Government, the strategy that was published was a bit of a disappointment. It lacked the clear commitment and funding that one would expect to find in any effective strategy.
The £250 million committed by the Government over five years came with little detail on how it would be spent. I have now had assurance that the funding is focused on integration and testing facilities, which are necessary, but there is no emphasis on supporting research and development, and particularly supporting our start-ups in the telecommunications sector. In the evidence sessions, Mike Fake of Lumenisity highlighted that the first year of the £250 million diversification funding was equivalent to only 10% of BT’s annual research and development budget. This is not the bold action of a Government committed to network diversification and our telecommunications security.
The diversification strategy declares itself
“a clear and ambitious plan to grow our telecoms supply chain while ensuring it is resilient to future trends and threats.”
That is a bold ambition. It says it will do that by focusing on three main areas:
“Supporting incumbent suppliers to ensure their resilience and ability to supply the market in the near term, while supporting their transition into the emerging market structure; attracting new suppliers into the UK market to build resilience and competition, prioritising deployments that are in line with our longer term vision; accelerating open-interface solutions and deployment so that we are not reliant on any single vendor and begin to realise our long term vision for a more open and innovative market.”
These are all highly laudable. They are not easy. I recognise the challenge that the Government face. As we discussed in the evidence sessions, this comes after decades of neglect of sovereign capability, not only in the UK but by other countries, which is why we find ourselves with only two vendors, both from Scandinavian countries, and no UK, US or other European capability.
We have heard just how difficult this challenge will be. Will the Minister tell me how we can possibly achieve that bold ambition if we fail to monitor the impact of the strategy? We need an annual report on the progress made by the diversification strategy, so that we can apply appropriate parliamentary scrutiny. After all, the strategy commits the Government to regular reports on progress, which is what the new clause asks for, while adding a focus on the diversification strategy’s impact on our national security. That is what it is all about. The Secretary of State tells us that the Government are implementing one of the toughest telecommunications security regimes in the world, but why is there to be no scrutiny applied to this key part of the regime?
When I asked the Minister in parliamentary questions why the diversification taskforce was not diverse in terms of geography—it includes no one from north of Watford—or discipline, having on it no equipment supply chain expertise, I was told that geography did not matter, and that the taskforce was focusing on cyber-security skills. To be fair, the Minister did say that Ian Livingston, the chair, was Scottish, but I think he will acknowledge that he has not lived in Scotland for some time. Geography does matter. We need to build up concentrations of skills and expertise—clusters. Cyber-security is very important, but focusing on it suggests that we are not serious about developing sovereign capability in other very important areas.
We are agreed that diversification is essential, and I hope that we are agreed that that should include UK capability. We also agree that it is challenging. How do we do it? In an evidence session, Professor Webb said:
“If I wanted to diversify, I would instruct the telecoms operators to diversify. I would not try and pull the levers one step removed. I would say to the telecoms operators, either with a carrot or a stick, ‘You must diversify. If you have x number of vendors in your network, I will give you £x million as a carrot.’ The stick might be some kind of licence condition that said, ‘In order to meet your licence, you have to have at least x number of vendors in your network.’”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 73, Q87.]
We also heard from Chris Jackson, who said:
“Incentives definitely play a part in this; to comment on Japan for a moment, I know the Japanese Government have incentivised companies to embrace open RAN, and that might well explain why companies such as Rakuten and NTT DOCOMO have been very successful in launching the technology. That proves it can be done and shows that where there is a willingness, there is a way, but if we can drive all those different parties coming together, that is how we will get traction.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 38, Q43.]
The Government have chosen not to do that. They have chosen to focus on big sticks for security, as set out in the Bill, such as designations, enforcements and fines of up to 10% of turnover, but they have left diversification very much to the market, providing it with a sweetener of £250 million over five years. Surely we have a right—indeed a duty—to monitor how and whether that is successful.
We heard in the evidence sessions that we have significant national promise in terms of capability. Dr Andy Sellars, the strategic development director for the Compound Semiconductor Applications Catapult, said:
“In the UK we have something like 5,000 companies that design and manufacture electronic systems. Something like 600 of them are involved in telecoms. I am not suggesting that all of those 600 become equal players. That would be a crazy scenario. But there are certainly some parts of the telecom network where the UK is pre-eminent. There are some backhaul and fibre technologies that we are very good at. As we deploy 5G into rural communities, that is likely to require low Earth orbit satellites; we are very good at satellite communications.”––[Official Report, Telecommunications (Security) Public Bill Committee, Tuesday 19 January 2021; c. 109, Q142.]
Matt Warman
The hon. Lady raised an important issue. Fundamentally, however, the issue of diversification is twofold. The Government want to see greater diversification within our telecoms supply chain. The £250 million allocated for the first three years of that programme to support the diversification strategy is a hugely important part of it.
As we are already seeing in the increased use of open RAN, whether with Vodafone in Wales or the NeutrORAN project with the NEC, there is already significant progress. I think that demonstrates that the industry does regard this—whether the hon. Lady wants to call it as an incentive or a carrot—as something that is making things happen to a greater extent. The Government cannot legislate for the diversification of the market; that is something that we can incentivise and work with the market to do.
We can monitor the diversity of networks, as Ofcom has the powers to do. We can set requirements on what the minimum standards might look like. For instance, NCSC guidance already says that two vendors should be the minimum, rather than one, for a telecoms network. That gives you an indication of what we will be monitoring and looking at, potentially, in codes of practice in the future. The hon. Lady is right to focus on this important issue, but it is wrong to pretend, important though Secretaries of State are, that any Secretary of State could legislate in the way she describes for the greater diversification that we all seek.
The focus of the Bill is on setting clear and robust security standards for our networks that telecoms providers must adhere to, and they must be met regardless of the diversity within any of those networks. To be fair, the diversity within a provider’s supply chain, in and of itself, does not offer the guarantee of network security. A provider using a diverse supply chain needs to be held to the standards set out in this Bill, so that the provider is able to offer the security standards that we need, regardless of the number of suppliers that they have available.
It is important to reassure hon. Members that Ofcom will have the ability to collect information relating to the diversity of suppliers’ networks under section 135 of the Communications Act 2003, as we have discussed. I do not think it is necessary to specify the need to collect information relating to diversification, as that is just one set of information that Ofcom may collect; it is just as important as several others in monitoring and reporting the security and resilience of networks. It is also important to clarify that, although greater diversity is critical in ensuring that we reduce our national dependence on a small number of suppliers, it is part of a broader approach to building security and resilience across the global supply chain that sits outside the Bill, important though it is. Diversification is an issue broader than the make-up of supply chains for UK providers alone, as the hon. Lady knows.
Chi Onwurah
I thank the Minister for his comments; having spoken for so long myself, I was reluctant to interrupt him. I am pleased that he has clarified that the £250 million is over three years, as opposed to being over five years—I had not seen that before. That is welcome, and I anticipate further funding.
However, the Minister says that the Government cannot legislate for the diversification of the network. Why not? The Government can legislate to break up consolidation in other markets, and they have legislated to do so—for example, competition law does exactly that. We heard in evidence sessions from some who felt that diversification could be achieved only through direct intervention. He implies that I am arguing that diversification delivers telecoms security on its own, but I am not arguing that. I am arguing that it is necessary though not sufficient—clearly, other methods are needed.
The Minister suggests that diversification is one of many things that Ofcom can report on, if it so chooses. That is equally important, but let us be clear that it was the diversification of a supply chain that was the critical report—a report so important that the current Secretary of State for Education was forced to resign because of its leaking, which is why we are here today. The diversification of the supply chain is absolutely critical.
The Minister says that we heard from operators that were committed to diversification, but we also heard that there were real challenges in their commitment to diversification. We would not be where we are today if they were so committed to diversification of their supply chain. That is why there is a need for incentives and intervention. On that basis, it is important to test the will of the Committee on the new clause.
Question put, That the clause be read a Second time.
The Chair
Mr Jones, new clause 7 has already been debated. Do you want to put it to a Division?
The Chair
I realise that this will come as a devastating blow to all of you, but the final question I must put is that—
Chi Onwurah
On a point of order, Mr McCabe. I put on the record my gratitude, and that of my right hon. Friend the Member for North Durham and my hon. Friend the Member for City of Chester, to you and your colleague, Mr Hollobone, for the way in which you have expertly chaired proceedings in the Committee. I also sincerely thank all House staff who have supported our work here, including those representing Hansard, and particularly the Clerks, who have been absolutely invaluable in setting out our desires to improve the Bill in clear and orderly amendments and new clauses.
I also thank all members of the Committee from both sides of the House. This detailed, technical Bill is critical for our national security, coming at a time of national crisis, when we are braving—all of us: staff and Members—a pandemic in order to be here. We have had an orderly and constructive debate.
Matt Warman
Further to that point of order, Mr McCabe. What fun we have had! It is a pleasure to come to this point in the Bill’s passage. I echo the hon. Lady’s thanks to the House staff and to yourself, Mr McCabe, and Mr Hollobone. I also reiterate her point that this is a crucial Bill—one that I am glad enjoys cross-party support. I look forward to debating its further stages in the House.
Bill, as amended, to be reported.
Telecommunications (Security) Bill
Tuesday 25th May 2021
(2 years, 10 months ago)
Commons ChamberRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Consideration of Amendments as at 25 May 2021 - large print - (25 May 2021)
16:38 - The House divided: - Ayes: 263 / Noes: 365 - Question accordingly negatived.
16:49 - The House divided: - Ayes: 263 / Noes: 363 - Question accordingly negatived.
16:56 - The House divided: - Ayes: 271 / Noes: 357 - Question accordingly negatived.
Chi Onwurah (Newcastle upon Tyne Central) (Lab) [V]
I beg to move, That the clause be read a Second time.
Madam Deputy Speaker (Dame Rosie Winterton)
With this it will be convenient to discuss the following:
New clause 2—Provision of information to the Intelligence and Security Committee—
“The Secretary of State must provide the Intelligence and Security Committee of Parliament as soon as is reasonably practicable with a copy of—
(a) any direction or notice (or part thereof) that is withheld from publication by the Secretary of State in the interests of national security in accordance with section 105Z11(2) or (3) of the Communications Act 2003;
(b) any notification of contravention given by the Secretary of State in accordance with section 105Z18(1) of the Communications Act 2003;
(c) any confirmation decision given by the Secretary of State in accordance with section 105Z20(2)(a) of the Communications Act 2003;
(d) any reasons for making an urgent enforcement direction that are withheld by the Secretary of State in the interests of national security in the accordance with section 105Z22(5) of the Communications Act 2003; and
(e) any reasons for confirming or modifying an urgent enforcement direction that are withheld by the Secretary of State in the interests of national security in accordance with section 105Z23(6) of the Communications Act 2003.”
This new clause would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to a designated vendor direction, notification of contravention, urgent enforcement action or modifications to an enforcement direction made on grounds of national security.
New clause 3—Network diversification—
“(1) The Secretary of State must publish an annual report on the impact of progress of the diversification of the telecommunications supply chain on the security of public electronic communication networks and services.
(2) The report required by subsection (1) must include an assessment of the effect on the security of those networks and services of—
(a) progress in network diversification set against the most recent telecommunications diversification strategy presented to Parliament by the Secretary of State;
(b) likely changes in ownership or trading position of existing market players;
(c) changes to the diversity of the supply chain for network equipment;
(d) new areas of market consolidation and diversification risk including the cloud computing sector;
(e) progress made in any aspects of the implementation of the diversification strategy not covered by subsection (a);
(f) the public funding which is available for diversification.
(3) The Secretary of State must lay the report before Parliament.
(4) A Minister of the Crown must, not later than two months after the report has been laid before Parliament, make a motion in the House of Commons in relation to the report.”
This new clause requires the Secretary of State to report on the impact of the Government’s diversification strategy on the security of telecommunication networks and services, and allow for a debate in the House of Commons on the report.
Amendment 1, in clause 14, page 21, line 27, at end insert—
“(3) The Secretary of State must, in the process of carrying out reviews and drafting subsequent reports, consult the appropriate ministers from the devolved governments.”
Chi Onwurah
It is a great pleasure to speak in this debate on Report. As I may have mentioned before, I am a chartered electrical engineer; before I entered Parliament, I worked for 20 years helping to build out the networks—fixed wireless and mobile—that became the internet. I am proud of that work and of the immense contribution that the telecommunications sector makes to our society, our economy and our security.
I am very pleased that today we are dedicating parliamentary time to our telecommunications sector. I thank all Members across the House who served on the Bill Committee for our many hours of fruitful debate as we strove to secure improvements to the Bill. I also thank the officials of this House, particularly in the Public Bill Office and the Library, who have provided such excellent support.
I declare an interest: many provisions in the Bill deal with the regulator Ofcom, and my last telecommunications role was with Ofcom. I joined it in 2004 just a few weeks after it was born, when it was to be a light-touch regulator, small and nimble. As a consequence of my time in the sector, I have been calling for greater security, particularly for our mobile networks, since I first entered this place in 2010.
The Labour party and I welcome the intention behind the Bill, but a number of areas in it need to be addressed. We are here today because of the Huawei debacle of the Government’s making. The Government have been forced to require the removal of Huawei, at an estimated cost of £2 billion and a delay of two to three years to our 5G roll-out, after overseeing Huawei’s rapid rise to be the foremost supplier to the telecoms company that carries our country’s name and universal service obligation: British Telecom.
The telecoms supply chain review found that there were no incentives for our mobile network operators to provide secure networks. Moreover, successive Tory Governments have squandered the world-leading position on broadband infrastructure left to them by Labour in 2010, as the United Kingdom has fallen down the league table from 27th to 47th in the world for average internet speeds. This lack of sovereign capability and absence of an effective telecoms strategy has resulted in our dependency on high-risk vendors, which the Bill seeks to address.
I am sure that you will be pleased to know, Madam Deputy Speaker, that I will not repeat the same arguments on Huawei that have dominated the debate over recent years. Given where we are now, we support the aims of the Bill. National security is the first duty of any Government, and Labour will always put national security first. Our telecoms infrastructure is clearly critical to our defence and security, as well as our economic prosperity.
We agree that, as the Bill sets out, the Secretary of State should have powers to designate vendors of concern and require mobile network operators to take appropriate action, and that Ofcom should have the power to monitor and enforce those directions. However, we wish to improve the Bill in three key areas, which our new clauses 1, 2 and 3 seek to address.
The first area is national security. Labour prioritises national security, and the sweeping powers that the Bill gives the Secretary of State must be used in the interests of securing our critical national infrastructure. Removing Huawei does not, in and of itself, make our networks secure now or protect them against future threats; that requires a number of additional measures, some of which are in the Bill and some of which are not. For a start, if our telecoms network is to be secure, there must be expert democratic oversight of the measures that make it secure—yet the Bill makes no provision for Parliament’s experts, the Intelligence and Security Committee, to be informed or consulted. We want to fix that.
Secondly, the security of our network depends on an effective plan to diversify the supply chain. We are very concerned that the Bill does not even mention diversification and thus risks short-changing our national security, our technological sovereignty and our telecoms infrastructure. We want to ensure that progress is made in diversification as a prerequisite for the security of the telecoms network and a UK sovereign capability should be a part of that.
Thirdly, the Bill gives many new responsibilities and powers to Ofcom. That follows a vast expansion of Ofcom’s remit over the past 10 years. We want to make sure that Ofcom is appropriately resourced to carry out its duties and to be forward looking, not simply looking back.
One of the great failings of the Bill is that the Government are so fixated on fighting the last battle—the Huawei battle—they are not looking to the future. That is, in part, because various Government Back-Bench Members have very real concerns about the rise of China and its influence on our infrastructure. But these concerns, however well justified, seem to be blinding the Government to threats that are not Chinese in origin. We want to fix that. We want Ofcom to have the resources and the will to monitor the evolution of our telecoms networks, so that future threats, wherever they come from, can be identified and we do not find ourselves forced, as we are now, to make a huge change to our networks, at a huge cost to our economy.
I turn to new clause 1. As I said in my opening remarks, I joined Ofcom in 2004 when it was in its infancy as a slimline regulator. I kept a copy of the Communications Act 2003 on my desk. Since then, that Act has already doubled in size as Ofcom has acquired responsibility for critical national infrastructure: the BBC; the Post Office; online harms—that Bill is coming down the road; and, in this Bill, parts of national security as well. This latest expansion of Ofcom duties will necessarily add a strain not only to its budget, but to its resources. In January, in response to my written question, the Government stated that Ofcom would have the resources that it needs to do the job, in which case the Minister should be keen to support new clause 1, which requires Ofcom to report on the adequacy of its resources in fulfilling its functions under the amendments made in the Bill.
Ofcom lacks experience in national security measures—this was discussed during the evidence stage—and the expansion of duties will require the recruitment of people with the required level of security clearance and experience. That is not going to be easy, as we heard during the evidence sessions. Emily Taylor of Oxford Information Labs said that Ofcom
“will have to acquire a very specific set of skills and capabilities and that will require substantial investment and learning as an organisation”.––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 72, Q84.]
These skills are rare. The memo from the Minister, for which I am grateful, sets out how Ofcom and the National Cyber Security Centre will work. While it is welcome that they will work together, it did not provide the reassurance that we need. Indeed, it suggests that Ofcom will be entirely dependent on the NCSC for cyber skills and therefore, presumably, unable to understand the advice that it receives from the organisation.
New clause 1 requires Ofcom to report annually on the adequacy of measures taken by network providers to comply with changes introduced in the Bill, empowering the Government to track the effectiveness of the legislation. However, new clause 1 does more than that. It ensures that Ofcom has the human and informational resources to be forward looking. As I said, we are concerned that the Bill is backward looking and does not look to future threats. New clause 1 requires Ofcom to provide an assessment of emerging or future security risks based on its interrogation of network providers’ asset registers.
I am pleased that the Government are taking steps—as I understand it from the Minister—to formalise existing best practice in the telecoms sector and ensure that national providers maintain asset registers. I can tell Members that that has not always been the case. As the Minister said during the Committee stage, asset registers are an
“important part of the existing landscape”––[Official Report, Telecommunications (Security) Public Bill Committee, 21 January 2021; c. 162.]
But I ask him: why does he not take this further? We need to ensure that we have a good understanding of our national assets and so can assess emerging threats. Doing so would have made Huawei’s dominance visible earlier and it would now enable warning signs of future concerns—and there are future concerns. Again, Emily Taylor said:
“I feel a little like we have been fetishising 5G and a single company for the last two years, perhaps at the expense of a more holistic awareness of systemic cyber-security risks… Healthcare systems probably would not have been top of the list two years ago, but now they are. The SolarWinds attack shows that the identity of the vendor is not always the key risk point. SolarWinds is a very trusted vendor from a like-minded, close ally country, and yet it turns out to be a critical single point of failure across key, very sensitive Government Departments, both in the US and the UK.––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 74, Q88.]
So I want the Minister to consider that in his response on this proposal.
Dr Julian Lewis (New Forest East) (Con)
The shadow Minister is a considerable specialist in this field; I particularly endorse what she says about the importance of a non-partisan approach to national security in this and other legislation. As noted on Second Reading, the Intelligence and Security Committee of Parliament has long been concerned about the security of the UK’s telecommunications networks. Our 2013 report “Foreign Involvement in the Critical National Infrastructure” identified serious failings in the way that successive Governments had managed the entry of foreign telecommunications companies into the UK market—Huawei especially—and we urged the Government not to sacrifice security in the pursuit of investment when it came to our critical national infrastructure.
Stephen Flynn (Aberdeen South) (SNP)
It is a pleasure, once again, to follow the Chair of the ISC, the right hon. Member for New Forest East (Dr Lewis), as I did during the passage of the National Security and Investment Bill. He speaks with great wisdom and experience on these matters, and the Minister would do well to heed such advice from his Back Benches. It is also a pleasure to follow the shadow Minister, the hon. Member for Newcastle upon Tyne Central (Chi Onwurah), who also speaks with great experience in this field. I have been fortunate enough to sit on a number of Bill Committees with her, and it is clear that telecommunications is very much her forte.
Let us consider the Bill in a wider context, before I drill down on the new clauses. We are essentially looking at foreign investment in our critical, national infrastructure. In real terms this is not a new thing. We are all aware, I hope, of the ISC report from 2013 on that very matter, and Huawei, and its role within our infrastructure, did not necessarily come as a surprise to anyone. I read the Bill’s Second Reading with much interest. The Labour party was trying extremely hard to absolve itself of any blame in that regard, which made for light entertainment over the past evenings. Of course, the Government are just as complicit in that regard, and complicit with a small c, because they were not necessarily looking at things with the view that they have now.
From my experience in this House, the Government have not covered themselves in glory when it comes to this topic. When I came into this place in 2019, one of the first key issues that was talked about—aside from Brexit, of course—was Huawei’s role within the UK, and we have seen the Government flip-flop from one view to another. It is testament to the hard work of many Government Members that they got the Government to realise just how serious this topic is and, indeed, was in years gone by.
Although there are concerns, the only thing that has really changed in the many years since 2013 is the seriousness with which the Government are treating this matter, and that seriousness extends to my colleagues and me. As my hon. Friend the Member for Gordon (Richard Thomson) made clear on Second Reading and in Committee, we are supportive of the Government’s efforts in this regard, as we were with the National Security and Investment Bill, but there are a couple of areas where the Government still need to provide a level of assurance. Notwithstanding the remarks that have rightly been made in relation to scrutiny by the ISC, importantly we need to be clear that the Government are going to pick up the tab in Scotland for all the equipment that will now be made surplus to requirements. We cannot have a situation where that is not the case, because it is their actions that have led to the situation we are in. We also need to ensure that the replacement strategy is both safe and secure, so that we do not find ourselves in a situation such as this ever again.
Notwithstanding the justified security concerns that we all have, perhaps the key thing lies in and around the issue of telecommunications. As was referenced by the shadow Minister, although not in the same detail, there are around 1 million people in rural Scotland who do not even have access to 4G. Of course, telecommunications is reserved to the UK Government—it is the responsibility of the Under-Secretary of State for Digital, Culture, Media and Sport, the hon. Member for Boston and Skegness (Matt Warman), and he will be cognisant of the fact that the 4G roll-out has not been as good as it should be. We all want to see the 5G roll-out, to ensure that we are in as advanced a position as possible, but we must ensure that the same mistakes are not repeated. I would certainly welcome assurances from the Minister in that regard.
That leads me to the SNP’s amendment 1, which seeks to ensure that the Government consult in full with the Governments in Scotland, Wales and Northern Ireland. It is vital that we have that link and that, while we remain a part of the United Kingdom, the UK Government work in partnership with the Scottish Government on such serious matters.
It will come as no surprise to the Minister that we are supportive of the new clauses tabled by Labour on ensuring that there is diversification, that there is parliamentary oversight and scrutiny, and that the ISC plays a key role. I would like to hear from its Members that they are equally supportive of the view that the devolved Administrations should play a key role in telecommunications.
Sir Iain Duncan Smith (Chingford and Woodford Green) (Con)
It is always a pleasure to return to old arguments and ensure that they are still live, and I intend to do just that. From the beginning, I have supported the process and initiative taken by the Government; it was not without struggles early on. I do not intend to go into the details, but I will refer to them. Back in 2019 and early 2020, it became quite a battle over whose advice was better. It seemed to me at the time—and, in a way, I do not blame the Government for this—that the National Cyber Security Centre gave the Government poor advice about the security risk, which was tempered by the Government’s need to go ahead and get 5G moving.
That is always the problem that we face. If organisations are to give Government advice on security risks, it must be completely separated on the basis that that is their advice; they must not temper it to suit the Government. We have seen that happen all the way through—it is not just this particular Government. They have made the right decision, and I will come back to that, but if we go back, this has happened also with Labour Governments and Conservative Governments of the past. Successive Governments have underestimated the growing risk that is coming particularly from China, but also from other countries. They were already aware of the risk from Russia.
Ms Nusrat Ghani (Wealden) (Con)
No, but I will never waste an opportunity, as it is obviously a joy to intervene on my right hon. Friend, who was asking how much deeper our relationship can go with a country that has sanctioned parliamentarians in this House for basically raising human rights abuses and security concerns.
Sir Iain Duncan Smith
I am getting so used to just doing what I am told by my hon. Friend when it is necessary that she only has to look in this direction and I give way to her—my apologies.
What I was really trying to get to the bottom of is that I do not think that this is feasible any longer. The Bill illustrates the dichotomy that lies at the heart of the Government’s position. We are trying constantly to talk about these trade relationships, but at the same time we recognise that the country that we are discussing them with is a totalitarian state that is guilty of what many, including myself, believe is a genocide of a whole ethnic group—more than one ethnic group. It is a state that is intolerant, that is suppressing democracy and free speech in Hong Kong, that is threatening Taiwan and India, and that has said that it is in possession of the South China sea. I could go on with that list. We can recognise the compilation of all those things and that there is a security risk, and yet at the same time in the other place we are told, “Don’t worry. We are still trying to do trade deals.”
It is quite interesting that we have reopened an economic and financial dialogue under a JETCO—a joint economic and trade committee—which was originally paused because of the imposition of the national security law in Hong Kong. The discussions have now restarted, although we did not hear much fanfare. We sort of discovered that they had restarted, but there was no announcement from the Dispatch Box that we were restarting them. There are no dates involved, but the discussions are restarting, despite the sanctions against individuals and so on, and despite our sanctions against Chinese officials—although I still wish that we could do more.
I note also that the European Union was heading in the same direction with its agreement, only now, because of the sanctions on its MEPs and so on, it has decided that it is not going to do that. I simply raise the question: if we think that this country and this Government —the Chinese Communist party, the Government of China—are such a potential threat, should we really be trying to reopen those doors, despite the sanctions that we have in place, the sanctions that they have put in place, and the very clear threat that they now pose to our security?
I simply say to my hon. Friend the Minister that I was going to move my amendment, which would have said that the Government should immediately declare many of these companies high-risk vendors by the very nature of the security law that exists in China. However, I would also say, in support of what has been said already, that the Government need to use the internal possibilities in our Parliament. We have a Committee that is cleared to the highest level of security in these areas, and it is important that we use that Committee. If the Government get private advice from the Committee about what it thinks is going wrong with their position, I think that will benefit and improve them.
I therefore ask my hon. Friend to take my amendment into consideration and to answer that point, to think seriously about how we can strengthen the Bill further and, if he can, to make the reservations of this place felt to his colleagues in Government. We are deeply concerned about trying to ride two bicycles at the same time: recognising a deep and growing threat to democracy not just here but around the world from the Chinese Communist party, while trying to beg China to do trade deals with us, notwithstanding the fact that it behaves so badly.
Jamie Stone (Caithness, Sutherland and Easter Ross) (LD) [V]
It is a pleasure to join you, Madam Deputy Speaker, from the far north of Scotland. Before I make two points that will be familiar to the House, may I compliment the right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith) on a most interesting speech? I afford myself a wry smile; we are where we are today, which is rather different from where we were when I attended the Westminster Hall debate in which he made the same point. I think that he would be allowed some quiet satisfaction at having changed the Government’s course as significantly as he has, because—I shall return to this point—this is about the defence of the realm.
Let me make a second initial remark, with reference to the hon. Member for Aberdeen South (Stephen Flynn). As a former Member of a place based in Holyrood, in Edinburgh, I wholeheartedly support the notion of working with the devolved Administrations. It makes absolute sense. If we believe in the security of the realm, we all have to work together for the better good.
As I have said already, my two points will be familiar to the House. The first is that, having done the armed forces scheme, I know it is very useful in bringing elected Members face to face with the realities of the defence of this country. For me, it was something of a wake-up call. There is no doubt, as the right hon. Member for Chingford and Woodford Green said, that there are nations out there—Russia, China, North Korea and others—that do not concern themselves with the good health of the United Kingdom. We have only to look at the hijacking of the Ryanair airliner in recent days, or indeed the crime that was committed in Salisbury, to see that the actions of states can be very bad indeed for us as a country, so in some ways this whole debate is a bit of a wake-up call. We have to ask ourselves where we stand in the world, what we can do and whether we are going to stand up for what we believe is right.
The Bill has the support of my party, in that it helps to protect the vital interests of the United Kingdom and the people who live in and love our country, as we all do. The key point emerging from that is that, as others have said, there will have to be an element of co-operation with other countries that share our ideals and interests. We think of the Five Eyes countries, of our European friends and of other countries all over the globe—perhaps India, perhaps South Korea, perhaps Japan—that we could work with more closely to further the best interests of us all.
My second point—yes, I am going to talk about this yet again, so perhaps I should offer an apology to the Chamber—is on something that the hon. Member for Aberdeen South referred to: we talk about 5G in the UK, but there are parts of Scotland that do not have 4G. As the shadow Minister, the hon. Member for Newcastle upon Tyne Central (Chi Onwurah), said, there are bits of Scotland where connectivity is very poor indeed. In the past, I have made the perhaps not very clever joke that in parts of my constituency, we might even be better off with two tin cans and a length of string, so there is a lot of work to be done, to say the least.
Ms Nusrat Ghani (Wealden) (Con)
It is an honour to contribute to this measured debate, Madam Deputy Speaker. I am fearful of lowering the tone, but I have been speaking to the Minister—I congratulate him on the amount of communication he has had with us Back Benchers about our concerns—and when I was thinking about how best I could sum up our dialogue, I recalled that Ronald Reagan once said:
“The…most terrifying words in the English language are: I’m from the Government, and I’m here to help.”
I think that, for a Minister, the most terrifying words are: “I’m a Back Bencher and I really am just here to help”. So without our removing the momentum, we really are here to help.
First, I need to put on record my thanks to my right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith) for tabling the amendment, which, unfortunately, was not selected today. I also put on record my support for what my right hon. Friend the Member for New Forest East (Dr Lewis) has proposed, with the support and expertise that he can bring to the debate and legislation, and I hope that the Minister can reflect on both those opportunities down the line. There is much to welcome in the Bill, but I fear that technology can sometimes move faster than we can legislate in this country. I want to touch on two issues: one is national security and the other is resilience and diversifying our supply chain.
I will start by being very helpful as a Back Bencher. I know that the Minister may have cast his eyes on a report that I recently produced for NATO. I sit on the Science and Technology Committee and I was tasked to put together a report on science and technology threats, looking particularly at east Asia. In the report, there is a puff box that he may want to reflect on; it talks about South Korea and the amount of work that it has done in innovating and developing new technology so that it is truly resilient in its national 5G infrastructure. I believe that 85 cities will have coverage by the end of 2021, and they are not reliant on any external Government to provide them with that service, so I urge him to go away and look at what South Korea is doing and possibly see how we can become more resilient in this country.
I want to raise the subject of resilience and security because I sit on the Business, Energy and Industrial Strategy Committee and we have been undertaking a report on links back to Xinjiang. However, companies also gave evidence to us that should cause some concern for the Minister, and with regard to this piece of legislation. This is basically about companies headquartered in China that have access to data we are using or manipulating, and to algorithms we are creating here in the UK.
In particular, I want to reflect on the evidence given to the Select Committee from TikTok. We invited TikTok to come in and give evidence about its algorithms and whether it is distorting them to stop information about Xinjiang and Uyghur being out on the platform. Unfortunately, the more we dug into TikTok, the more complex and concerning it got for us.
TikTok is a media company and a platform. Most kids will have access to it, and most people here may have access to it as well. However, it has a very complex ownership structure, which is why it is important that it is reflected somewhere in the Telecommunications (Security) Bill. It is important because TikTok is a subsidiary of a global parent company, ByteDance Ltd, which is incorporated in the Cayman Islands, but there is a China-based subsidiary of the same global parent company called ByteDance (HK) Ltd.
The reason why this should be of some concern is that when we took evidence from TikTok UK’s branch, we were told that ByteDance could in no way have access to UK data and that the two things were completely separate. However, the problem is that we can legislate in this country for what we want to do to keep our country and our people’s data safe, but when a company we are working with has headquarters in China, it has to abide by completely separate sets of rules and regulations, so we end up in a two-tier system.
Let me just reflect on what a company such as ByteDance has to adhere to. I am talking about China’s National Intelligence Law 2017. My right hon. Friend the Member for Chingford and Woodford Green spoke about article 9, and I want to reflect on article 7. It states, and this has been translated into English so it may not be perfect:
“Any organization or citizen shall, in accordance with the law”—
the Chinese National Intelligence Law 2017—
“support, provide assistance and cooperate in national intelligence work, and guard the secrecy of any national intelligence work they are aware of.”
Fundamentally, companies have to hand over data when they are asked, but when they are asked by another Government—say, our Government—they have to deny that they are doing it. I am concerned about how robust our legislation is today or how robust our legislation will be going forward if companies are abiding by separate sets of intelligence laws based in China.
On a similar theme, let us take a closer look at Hikvision in particular. There was a very good recent report by Reuters, which basically states that half of London councils are using Hikvision, even though Hikvision is banned in the United States. Last week, Italian media reported that Hikvision equipment in the country was “communicating with servers” in China despite being on a supposedly closed network. I am not quite sure what “communicating with servers” means, but for me alarm bells are ringing.
The points I want to land with the Minister are: how robust is the legislation we have in place for today, let alone tomorrow, and how can we ensure that the processes to legislate in this country keep pace with the threats we are facing? I suppose the fundamental point is that China has its own National Intelligence Law, which completely contradicts what we are trying to do here in the UK. Does the Minister have any thoughts about how we can ensure that our security is not undermined by China’s National Intelligence Law? What guarantees can the Government give to constantly look at, review and update this, and also to hold to account the companies we may be anxious about?
We seem to be setting up a two-tier system: one for us in the west with the countries we work with, and a completely separate system for China and the companies it wishes to work with. I fear that, unless we put down a marker, we are going to lose out to a country such as China, and I hope that the Minister can comment on that when he comes to the Dispatch Box at the end of the debate.
Jim Shannon (Strangford) (DUP)
It is a pleasure to speak in this debate and to follow all the right hon. and hon. Members who have made contributions.
First, new clause 1 is designed to ensure that there is an obligation on Ofcom, in legislation, to report on the adequacy of its resources and assess the adequacy of the measures taken annually by telecommunications providers to comply with their duty to take the necessary security measures. The hon. Member for Wealden (Ms Ghani) referred to security, and I will speak briefly about that shortly. It also requires Ofcom to assess future areas of security risk based on its interrogation of network providers’ asset registries. That does seem to me to be standard, but it is essential that there is regulation and control of these providers, on which so many of us—indeed, probably all of us—rely so heavily. The Minister may well believe that this obligation is already included in the Government’s Bill, and if that is the case, perhaps he will confirm that that is the position. If that is the case, I am sure that that will highlighted subsequently.
I have seen, during the privatisation of water services and other public bodies, that private companies have little desire to provide any more information than is legally required. They just give us the basics of what they want us to know. I believe that there is an obligation for Ofcom to actively regulate, and to do this we must provide adequate funding. To make this happen, is it a funding issue or can we legislate to ensure that they tell us all we need to know? I will consider the words of the Minister on this imperative regulatory function.
I want to echo the concerns of the hon. Member for Wealden, who comprehensively addressed the issues that concern us all. She referred to companies that have their headquarters in China and how that impacts on us here in the United Kingdom. Our duty in this House is to our citizens: to the citizens of Strangford, to the citizens of Wealden and to everyone across the whole of the United Kingdom of Great Britain and Northern Ireland, and we probably all seek assurances on these matters. Again I look to the Minister to do that in his summing up.
New clause 2 relates to the provision of information to the Intelligence and Security Committee. Does the Minister agree that it is imperative that the appropriate Committees have the right information on security matters? I am a firm believer in the need for information share. It has always been my policy to ensure that those around me in my political life, my social life and my personal life are aware of all the issues that concern them. It is also important that MPs have all the information on board. I am also a firm believer in the chain of command. This may well be due to years of part-time service in uniform; I spent 14 years as a part-time soldier. It is really important that the chain of command is in place. However, there are also times when it is in the interests of the nation that not all is revealed, and there will be a reason for some things being classified as top level only. I understand that; I often ask the police about things that have happened back home, and I say, “Don’t tell me anything I don’t need to know, but if you can tell me, and I can tell others, let me know that.”
Our job as parliamentarians is to scrutinise the Government, to hold Ministers to account and to strive for the good of the nation, and I ask the Minister to clarify why the Government do not feel that new clause 2 is necessary. Does he, for instance, believe that this is already accounted for? If it is, perhaps he could tell us the position on that. I would like to understand the rationale behind withholding information from a regulated Committee and what constitutes high-level information that should be withheld. Again I look to the Minister, as I often do in debates in this House, for a response to satisfy me that new clause 2 is not needed.
My final point relates to amendment 1 to clause 14, which proposes:
“The Secretary of State must, in the process of carrying out reviews and drafting subsequent reports, consult the appropriate ministers from the devolved governments.”
As a Member of Parliament, I have always wished to know what the devolved Administrations are doing. In my case, that relates to the Northern Ireland Assembly. When I saw the amendments and new clauses, I assumed that this provision would have been included as a matter of course. Surely it is a matter of the greatest importance—especially in Northern Ireland, which is fast becoming the capital of Europe’s cyber- security—that the devolved Administrations, and in this case the Northern Ireland Assembly, should have a full understanding of any emerging cases. I say with great respect to everyone else in this Chamber that the cyber sector in Northern Ireland is leaps and bounds ahead of other parts of the United Kingdom. Maybe only the south-east of England can match our level of advancement. We have incredible skills and staff available in Northern Ireland, and the cyber-security sector has grown greatly. So can the Minister reference the mechanism by which this information share can take place without any amendment? Can the Minister confirm that the Northern Ireland Assembly will have a key role to play in this, and tell us how that will work within the legislation before us today?
Sir John Hayes (South Holland and The Deepings) (Con)
Chillingly, the head of military intelligence recently concluded that the difference between being at war and being at peace is becoming increasingly blurred. In short, Britain is under perpetual attack.
Dr Lewis
In support of what my right hon. Friend says, he will recall that one of the main reasons why the Government felt it so difficult to rid themselves of Huawei was that there would then be only two remaining possible suppliers, and if one of them got into difficulty, we would have total dependence on a single supplier. If we do not diversify, it really has knock-on effects: we sometimes have to improperly consider using suppliers that are really a risk to our security.
Sir John Hayes
As my right hon. Friend knows, it is not only the Committee on which he and I serve that has highlighted that point; other Committees of this House have, too, and the Government themselves have acknowledged it. We really need to look at how, having accepted the thrust of his argument, the Government intend to respond. What is the action plan? I know that the Minister will have much to say about this, but my right hon. Friend is absolutely right.
This is part of a wider problem of the concentration of power in the hands of what I described earlier as a handful of unaccountable corporate monopolies. There is a curious assumption that somehow those organisations will be intrinsically virtuous, but that is simply not the case. Commercial organisations are just that: they are interested in commerce. They are not there to do what Governments and this Parliament exist for, which is protecting the interests of the whole of the people.
Bob Stewart (Beckenham) (Con)
One thing that worries me a little is that Huawei is Chinese-owned. Nokia and Ericsson are not, but they get a lot of their kit from China, so they are not pure either. That is a worry for diversification.
Sir John Hayes
It is. I referred a moment or two ago to the provisions of the Bill that extend existing powers to take account of supply chains, so the point is acknowledged in the legislation. It brings me neatly—it was not scripted, I hasten to add—to the next part of my speech, because in that process much powerful regulation is put into the hands of Ofcom. I have questions about that for the Minister as this is not territory that traditionally Ofcom has navigated. It will require a step change in Ofcom’s capability and approach to manage the additional responsibilities.
Ofcom was previously responsible solely for assuring the resilience of networks. No list of mandatory standards has previously existed and historically Ofcom produced guidance that merely directed communication service providers towards the main source of advice and best practice. The responsibilities to ensure that providers comply with the new security duties will, as I said, require a step change in what Ofcom does, given that it will now have the authority to practically assess the security practices of large telecom providers, take action where security is at risk of being compromised, and make information available to the Government and provide annual security reports to Ministers.
That brings me to the issue of scrutiny, which has been addressed with by various contributors to the debate so far. Given Ofcom’s new powers, the means by which it can be held to account becomes salient. Of course, Ofcom is accountable to Ministers, but we need Ministers to be accountable, in an effective way, to this House. There is a long debate to be had about the role of various Select Committees in that regard, and it is a debate to which I have contributed previously and the Chairman of the ISC, my right hon. Friend the Member for New Forest East (Dr Lewis), has already spoken eloquently. I simply say to the Minister that there needs to be a well-established and rigorous process by which the new powers can be assessed and checked not only by Ministers of the Crown but by those to whom Ministers of the Crown are accountable. Confusing accountability and scrutiny risks weakening both by obscuring the first and diluting the second.
I know, Mr Deputy Speaker, that you would not want me to conclude any speech without some literary reference. C. S. Lewis said: “Experience: that most brutal of teachers. But you learn, my God do you learn.” The experience that I have had over 25 years in the House—of being a shadow Minister trying to hold Ministers to account, a Minister being held to account and now a Back Bencher trying hold both to account—is that unless the process is right, scrutiny simply will not be effective.
I have talked about vulnerability and the recognition of the need for greater regulation. By the way, if anything, the Bill does too little. It is a good Bill and it does a great deal that I welcome, but over time we probably need to go further. I have previously drawn the House’s attention to the history of legislation affecting security here: it has typically been periodic with few big Bills having been brought to the House that became Acts concerning matters of security. But I repeat what I have said before: I suspect that over the coming years we will have more and more legislation to ensure that our country remains secure, given the dynamism and character of the threats we now face.
I end simply with this. The Bill is good work, but it is—if I might put it as generously as I possibly can to the Minister—work in progress, and I hope that during that progress we see further attention given to the issues of both diversity in the marketplace and scrutiny by this House. A fundamental requirement of Government is to protect our infrastructure and economy and, by doing so, protect our people, for in doing that we protect all our futures.
Bob Stewart
It is a real pleasure to follow some of the speeches we have heard, particularly those from the Chairman of the ISC, my right hon. Friend the Member for New Forest East (Dr Lewis), and from my right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith).
I rise to support the Government, but I do so with some reservations, which largely reflect concerns that I still have as a member of the Intelligence and Security Committee. I am concerned about oversight and the scrutiny of decisions made by the Department for Digital, Culture, Media and Sport that will have an impact on national security. The issue is growing as commercial companies get more and more involved in such matters. The Government’s current view is that DCMS, Ofcom and the Digital, Culture, Media and Sport Committee could probably watch over these matters. Yes, they probably can, but I am not so sure.
Bob Stewart
Good. When my right hon. Friends the Members for South Holland and The Deepings (Sir John Hayes) and for Chingford and Woodford Green start talking, I know I am in trouble.
So we on the ISC are subject to section 1(1)(b) of the Official Secrets Act 1989, and, whatever side of the House we sit on, we have all been appointed to the Committee by the Prime Minister with that in mind. However, not every Member of Parliament or Clerk has signed the Official Secrets Act—some have, but many have not. Obviously, I am not being personal about colleagues because a lot of them can keep secrets far better than I can: as my wife says, I have a big mouth. Okay—but I do keep secrets of the state, Minister.
ISC Clerks have something called developed vetting security clearances, but not all DCMS Committee Clerks would. Developed vetting security clearances require the individual concerned to undergo a lengthy and somewhat intrusive investigation—some of the questions are appalling. Assuming that DCMS Clerks were to have such developed credentials and were able to handle top secret material in hard copy, such as documents that need to be secured in security-accredited lockable cabinets within a security- accredited office, anything with a top secret grading on it or an IT system with such grading would need to be accredited and checked out very carefully.
May I also raise the matter of meetings where top secret material is discussed? I may be wrong, but I do not think there is such a meeting room in the Palace or in Norman Shaw—[Interruption.] Sorry, I meant Portcullis House—I have only been here 11 years. A room with clearance would be required even for us to be able to look these documents, store them or discuss them. I do not think it is a secret that the ISC cannot meet here—we have to meet somewhere else. We go to a place that is accredited and checked, where documents can be stored and to which our Clerks have ready and easy access. All discussions concerning such a level of security take place in that room. We are not allowed to write something down and walk it out—everything has to be left there, unless it is specifically on a certain kind of paper and we are informed of that very strictly.
The product of ISC investigations can be laid before Parliament only after a redaction process with the intelligence agencies and confirmation from the Prime Minister that nothing in them might breach national security, so I think it would be rather difficult for the DCMS, Ofcom or the Digital, Culture, Media and Sport Committee to be able to oversee top secret material produced by the Department and still obey national security rules. In short, we parliamentarians might not have oversight of some key decisions made by Ofcom and DCMS. That can work—I have no doubt the Minister will say that—but we could be blindsided. The Government think otherwise at this stage, and I am prepared to accept that promise, but this might quickly run into difficulties when classified material has to be examined by people from Parliament who are specially selected to do it.
In summary, I repeat that I will be supporting the Minister—of course I will, as I am loyal, just like a dog—but it does not stop me raising a flag of concern. There will always be problems around these matters. I hope that that will not be the case but I would not be surprised if, as my right hon. Friend the Member for South Holland and The Deepings has said, we are only at the start of a process and we have to revisit this shortly.
Finally, may I apologise, Mr Deputy Speaker, as I do not feel great and I am a bit dizzy, so my voice is not the usual? I am going to sit down now.
Mr Deputy Speaker (Mr Nigel Evans)
We heard you loud and clear, Colonel Bob.
James Sunderland (Bracknell) (Con)
It is a great pleasure to follow my eminent right hon. Friend the Member for Beckenham (Bob Stewart)—if only I were as good.
As the final Back-Bench speaker this afternoon, it is incumbent on me to be supportive of the Government, which of course I am, and this excellent Bill. We are where we are today for two reasons. First, it shows that the Government do listen to Back Benchers. Secondly, the Bill is a pretty good bit of work and it ticks the box, as indeed it should. As defence and national security become ever more virtual and online, it has never been more important to secure our lines of communication, both domestically and internationally, with our allies. I urge all Members to consider the notion of strategic independence, which we have spoken a lot about during the covid crisis. As we go forward, it is really important that we aspire to be able to operate autonomously as a global nation alongside our allies.
I believe that the Bill is important for three reasons. First, it will allow for better security both domestically and internationally. It kicks out the high-risk vendors from our network—what’s not to like? Secondly, it placates our allies. New Zealand, Australia, the USA, Canada and others were quite noisy when Huawei was originally admitted to our network, so let us hope that this will placate them, cement that relationship and, perhaps in time, even enable us to admit Japan and other close allies. Thirdly, it opens the door for other 5G providers to come in, which is a good thing, and I support the UK’s diversification strategy.
Having sat on the Committee for this excellent Bill, it is a pleasure to see it back here on Report. The Bill takes forward the Government’s commitment to the UK telecoms supply chain review, introduces a new security framework, amends the Communications Act 2003, introduces new security duties, brings new powers to the Secretary of State and strengthens Ofcom’s regulatory powers, allowing it to enforce the new framework. That is all very positive. It also introduces new national security powers for the Government to impose, monitor and enforce controls. Again, that is a positive step.
I am pretty happy with the Bill as it stands, but in the interests of objectivity, I will talk to a number of the new clauses and amendments. On new clause 1, the Government are aware that the Bill gives Ofcom significant new responsibilities, and it will need to increase its resources and skills to meet those new demands. Ofcom’s budget is approved by its independent board, and the Minister has today confirmed that the budget limit set by the Government will be adjusted to allow Ofcom to carry out new functions effectively. Ofcom is already engaged in this space—we are already proactively looking over the horizon and scanning for future threats—so I am happy that the Government have got this about right.
New clause 2 would ensure that the Intelligence and Security Committee of Parliament is provided with information relating to a designated vendor direction. I am sympathetic to this, but the Government know what they are doing. As the Minister said, the ISC’s primary focus is to oversee the work of the security and intelligence agencies. Its remit is clearly defined in the Justice and Security Act 2013, so the Bill is not the appropriate place to achieve an overall enhanced role for the ISC.
Dr Julian Lewis
I am sorry to have to reiterate this point. There are other ways in which our concerns could be addressed, such as by adjusting our memorandum of understanding, rather than putting it on the face of the Bill, so I am with my hon. Friend as far as that is concerned. However, it is very clearly within our remit to oversee not only the agencies but those parts of other Departments where highly classified information is concerned. That is just a matter of fact—it is in the agreement between us and the Prime Minister.
James Sunderland
I empathise with my right hon. Friend’s view, and I agree that he has a point. My position is the same as the Government’s: I do not think that this Bill is necessarily the vehicle through which we should look at the future of how the ISC operates. I am a keen follower of the ISC and its output. Its work is eminent, and my right hon. Friend’s point is well made.
Sir John Hayes
Let me cement that point but also perhaps offer an olive branch to the Minister, if I might be so bold. If the Minister, when he sums up, were to make a firm and binding commitment that he, for example, and others will appear before the ISC at our request to be scrutinised on these and other matters, that might go some way—not the whole way, but some way—to assuaging doubts and fears.
James Sunderland
I thank my right hon. Friend for his intervention. Again, I empathise with the point. I will happily leave it to the Minister to make his view known in his summing-up later.
Mr Deputy Speaker (Mr Nigel Evans)
Before I call the Minister, may I say that I am anticipating three Divisions, on new clauses 1, 2 and 3? If there is to be an additional vote, I would like to be informed so that I can call it, but I understand that there are going to be only three Divisions.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
I thank all those Members who have contributed to the debate today. It is an important debate because digital connectivity is an integral part of all our lives. For countless people across the country, having fast and reliable broadband and a good mobile connection is vital to our way of life, but for us to truly reap the benefits of the gigabit-capable broadband and 5G, we need to have confidence that they are secure and that means securing the networks on which they are built, the supply chains on which they depend, and the equipment and services that support them. The Bill demonstrates clearly the Government’s commitment to ensuring the security and resilience of our telecoms networks.
Let me turn to the new clauses and amendments. I shall start by addressing new clause 1. As the UK’s communications regulator, Ofcom already plays an important role in ensuring the ongoing security and resilience of our networks by enforcing the current security duties under the Communications Act. This Bill will build on that experience, giving Ofcom new responsibilities and a range of new powers. What the new clause would do is require it to publish an additional statement as part of its annual report. Happily, I can reassure hon. Members that the Bill already has various reporting mechanisms included within it. Under the new and snappily named section 105Z, Ofcom will need to regularly report to the Secretary of State. Subsection (4)(a) makes it clear that that report must include information on the providers’ compliance with the duties imposed on them by the Bill.
Ofcom will also need to report on telecoms security in its annual infrastructure report, and clause 11 specifies that this should include information on the extent to which providers are complying with their security duties under new sections 105A to 105D. The Secretary of State will also need to regularly report to Parliament on the effectiveness and impact of the new telecoms security framework.
On the final point in the new clause of the hon. Member for Newcastle upon Tyne Central (Chi Onwurah) about publishing information on emerging and future security risks, that is not of itself necessarily the most productive way of handling security risks, but the principle that she is trying to get to is very much part of what the Government are seeking to do and, of course, it would be part of what we intend to make sure that we talk about as much as we can within the bounds of national security.
I turn specifically to budget and resources. The hon. Member has set out her concerns about Ofcom’s access to resources and capabilities. It is an issue that my right hon. Friend the Member for South Holland and The Deepings (Sir John Hayes) also touched on. I can tell the House today that Ofcom’s security budget for this financial year has been increased by £4.6 million on top of its current security budget. This funding will allow Ofcom to more than double its headcount of people working on telecoms security, ensuring that it has the necessary capability and capacity to deliver its new responsibilities under the Bill. The hon. Member for Newcastle upon Tyne Central is aware that I have written to the Intelligence and Security Committee about that security resourcing. It was at a level that I cannot go into on the Floor of this House, but I hope that provides the kind of reassurance that she seeks.
Specifically on the future risks that I alluded to a moment ago, we have ensured that the Bill is looking to the future. For example, clause 12(3)(b) amends Ofcom’s information-gathering powers under section 135 of the Communications Act to ensure that it can request information from providers concerning future developments in their networks that could have an impact on security and, when reporting on security, Ofcom must include any information that assists the Secretary of State in the formulation of security policy, allowing him or her to make an informed decision about what should be published as well in due course.
New clause 2 has been the subject of the majority of this debate, and rightly so. One of the phrases used about the ISC was that it adds value; this Government do not dispute for a second that it adds huge value, and I welcome the tone with which the Chairman of the ISC, my right hon. Friend the Member for New Forest East (Dr Lewis), has approached this. I appeared before the ISC with some trepidation, as is probably appropriate for all Government Ministers, but it was a hugely productive part of this process and something that I am more than happy to do again. I do not think that my right hon. Friend necessarily thinks that piecemeal changes to the ISC’s role are the way to pursue what he seeks, but the annual report that he has mentioned will certainly be looked at closely by the Government.
Dr Julian Lewis
I am very happy to agree with what the Minister has just said. It would not be necessary to keep trying to put these provisions on the face of each individual Bill every time a new unit is set up in a different Department, or a new duty laid on a different Department, if it could be agreed with the Government that the memorandum of understanding would be adjusted as it is meant to be adjusted when these changes occur. However, sadly, no Front Bencher has yet been able to give us an assurance that that is going to happen, and I know that the Minister will not be able to do so, either.
Matt Warman
As I say, I am sure that my right hon. Friend will make that point in the annual report, and the Government will look closely at it. However, Members can take some comfort from the fact that much of the advice in relation to the more sensitive technical and national security matters within the scope of this Bill will be provided by the National Cyber Security Centre, and its activities already fall within the scope of the ISC, as my right hon. Friend knows. However, I welcome his approach to this, and I hope that his mechanism, rather than that of new clause 2, will be the one he will support today.
I turn to the last of the new clauses tabled by Opposition Members. New clause 3 aims to include the diversification strategy in the scope of the Bill. Diversification is crucial to the future of our UK networks, which is why the Government set out their plans to diversify those networks in the 5G diversification strategy in November 2020. That strategy includes steps to invest in research and development, to remove technical and commercial barriers to entry for new suppliers, and to increase our influence in standard- setting bodies—all issues that my right hon. Friend the Member for South Holland and The Deepings and others on the ISC are keenly aware of the importance of.
We are pursuing a huge range of different mechanisms to enable diversification, because the Government are fully committed to ensuring that their strategy comes to fruition. However, the diversification strategy moves the whole market forward by broadening the supplier base in many ways that are beyond the security measures that are the purview of this Bill, including increased innovation and competition and the overall growth of the telecoms supply mechanisms.
To give the House an idea of some of the non-legislative measures that we are already pursuing, they include the investment in R&D development facilities such as the National Telecoms Lab and the SONIC—SmartRAN Open Network Interoperability Centre—lab that is jointly at work with Ofcom. We are also working to remove barriers to entry for vendors such as by co-ordinating the sunsetting of legacy network technologies, working internationally to co-ordinate diversification objectives, and exploring the use of commercial incentives to address the cost of incorporating new suppliers into a network.
Jim Shannon
I asked a question to do with the Northern Ireland Assembly and how cyber-security in Northern Ireland will be protected. Can we have an assurance on the Floor of the House today and through Hansard that that will happen?
Matt Warman
I will come on to the devolved aspects in amendment 1 in a moment, but it is of course vital that we continue the collaborative relationship with the Northern Ireland Executive and with the Welsh and the Scottish Governments as well.
The Bill places security requirements on individual operators. They are hugely important, but they are not diversification requirements on the Government’s national scale. Defining diversification in legislation would be limiting in a hugely rapidly evolving market. I know that the hon. Member for Newcastle upon Tyne Central understands the need for agility, and putting what she proposes into legislation would run counter to that ambition.
On the devolved Administrations, amendment 1 would require the Secretary of State to consult Ministers from the devolved Governments when reviewing the impact and effectiveness of clauses 1 to 13. As the hon. Member for Aberdeen South (Stephen Flynn) noted, telecoms is a reserved matter under each of the devolution settlements. I say that, however, in the full knowledge that a constructive and close working relationship with each of the devolved Governments is hugely important, be it in Project Gigabit, in the shared rural network, or indeed in matters such as this. I look forward to that collaboration continuing; it will drive forward our connectivity.
I turn briefly to the amendments that were not selected. My right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith) has spoken passionately about these matters, both privately and publicly. I do not want to go into a huge amount of detail on amendments that were not selected, but I simply say that the actions the Government are taking in the Bill speak powerfully for themselves.
On the specific matter of issuing designation notices to vendors headquartered in other countries, it is important to consider not just whether the kinds of laws that my right hon. Friend mentions exist, but how the Government in question intend to use them. A friendly democracy may, as indeed many do, have laws that would enable it to yield information and data from companies headquartered within their territory. The conduct of such a Government, and our relationship with them, may reassure us that they would not use those powers to do harm to the UK, but there are other cases where Governments that have these laws have acted contrary to the national interest of the UK in the past. As we set out in the illustrative notice for Huawei, there is a law in China that enables the Chinese Government to collect information from companies headquartered within its territory. As the Foreign Secretary has stated, we know that the Chinese state has in the past used its power to undertake malicious cyber-activity. The designation notice that I mentioned demonstrates how the Government could take those sorts of laws into account when exercising the powers that are already in the Bill.
I thank my hon. Friend the Member for Wealden (Ms Ghani) for her work on the NATO Science and Technology Organisation. We very much welcome her preliminary draft report. I would like to express the Government’s commitment to deepening our co-operation with partner nations such as Japan and the Republic of Korea.
I thank all hon. Members on the Government Benches, and indeed on the Opposition Benches, for their constructive engagement throughout this debate. This is an important Bill that enjoys strong cross-party support, in the main. The sooner we can pass it, the sooner we can set about the crucial work of ensuring that our public telecoms networks are secure and resilient. I commend the Bill to the House.
Chi Onwurah [V]
This has been a very well-informed debate. I am sorry if my own digital connectivity did not enable my contribution to be heard as perfectly as it should have been, but I hope we have corrected that.
There were many excellent contributions from both sides of the House. It is important to note that the House is in quite rare agreement on a number of questions regarding the Bill, particularly on the importance of national security. The representatives of each of the parties in the debate—the hon. Members for Aberdeen South (Stephen Flynn), for Caithness, Sutherland and Easter Ross (Jamie Stone) and for Strangford (Jim Shannon), and the Minister himself—shared support for the primacy of national security and recognition of the importance of our telecoms networks in our national security, and I was pleased to listen to their contributions. I thank the Minister for his response and for the tone in which the debate has been conducted.
However, I will say briefly, with regard to new clause 1, which seeks to ensure that Ofcom has the skills and expertise needed to undertake its new duties in the midst of all the other responsibilities that Parliament is asking, as well as reviewing future provision and threats to the network, that the Minister’s comments on the increase in the cap on Ofcom’s budget did not begin to address our concerns. We have, effectively, a snapshot of the financial resourcing available now. The new clause seeks to ensure that we have an understanding of the resourcing as it continues—as threats evolve in the future—and particularly that we are able to look forward to new and evolving threats on the basis of a thorough understanding of the assets in each network operator’s network.
Indeed, the right hon. Member for South Holland and The Deepings (Sir John Hayes) emphasised the step change in the requirements of Ofcom that the Bill represents. The Minister implied that Ofcom would be able to do everything requested in the new clause when it comes to looking at asset registers, for example. I simply do not understand his reluctance to put that in the Bill, given the important role that Ofcom is to play in our telecoms security. I am afraid that I do not feel that he answered my points on new clause 1.
On new clause 2, members of the Intelligence and Security Committee—its Chair, the right hon. Member for New Forest East (Dr Lewis); the right hon. Member for Beckenham (Bob Stewart); and the right hon. Member for South Holland and The Deepings—eloquently articulated many of the arguments for why the ISC needs to be part of the scrutiny of this Bill. Indeed, the right hon. Member for Beckenham was particularly detailed in his description of the very room requirements for assessing national security issues. Having worked at Ofcom, I know its rooms very well, and I do not think that they meet the requirements that he set out.
It is worth noting that the ISC was one of the first parliamentary organisations to raise issues around Huawei, back in 2013. It seems very wrong that it should be excluded from involvement in scrutinising how the Bill is implemented, given that it is the only parliamentary grouping with the appropriate security clearance. Although I appreciate the Minister’s constructive tone, I do not think that he answered the questions raised or sufficiently justified the Government’s aversion to ensuring a process for ISC scrutiny, so I will press new clause 2 to a vote.
Finally, the most complex of our new clauses is new clause 3, which would ensure that the diversification of our telecoms networks was achieved as a prerequisite for their security. We heard from the right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith) about how telecoms markets have been constructed to enable the consolidation and monopoly power of particular players, and particularly Huawei. Unfortunately, he did not go on to say how in the Bill the Government would deliver on a UK sovereign capability, but he was absolutely right about how the market has effectively failed.
The hon. Member for Wealden (Ms Ghani) used her experience on NATO’s science and technology committee and on this Parliament’s Business, Energy and Industrial Strategy Committee to encourage the Minister to truly examine our network resilience. New clause 3 is designed to ensure the ongoing ability to examine network diversification and resilience.
We heard from the right hon. Member for South Holland and The Deepings about the impact of the unaccountable power of monopolies. Again, since the Bill does not mention a diversification plan or diversification strategy, we cannot see that it will do anything to address that issue. The hon. Member for Bracknell (James Sunderland) said that the Bill supports network diversification. I know that that is the intention, but without our new clause I cannot see how it will actually achieve it.
The Minister reiterated the diversification plans, which are not a plan—as I set out, they have no detail and no action. As for his attempt to explain why the Government have omitted from the Bill any reference to diversification, I have to say that I found it entirely incomprehensible. It was as if referring in the Bill to diversification would limit the meaning of diversification; if that were the case, we would be unable to refer in any Bill to many of its intentions or outcomes.
I remain convinced, and there is agreement on all sides of the House, that we need to ensure that diversification of our telecoms supply chain goes hand in hand with ripping out Huawei and reducing our dependence on the two remaining providers. It is very important that we take this opportunity to change the Bill so that the diversification of our telecoms networks is an integral part of Ofcom’s reporting on the progression of those networks, so I will also press new clause 3 to a vote.
Mr Deputy Speaker (Mr Nigel Evans)
As I announced earlier, there will be three Divisions. As usual—if anything is usual these days—the first will take eight minutes and each subsequent Division will take five.
Question put, That the clause be read a Second time.
Matt Warman
I beg to move, That the Bill be now read the Third time.
I thank right hon. and hon. Members for their contributions today, and I also thank the excellent team of Clerks of the House, those at the Department for Digital, Culture, Media and Sport, and all those involved in the preparation of the Bill. In particular, I thank those who work at our agencies to support so much of what goes into our national security: they are the best among us, and all of us in the House are grateful for their service.
The first priority of this Government is to keep people safe and this Bill is just one step in achieving that objective. It is a precise and technical Bill but an important one none the less. While we might have disagreed on some of the details, it is encouraging that there is such broad consensus across this place and I hope that that spirit of co-operation continues when the other place considers the Bill.
The Bill will ensure the security and resilience of the UK’s telecoms networks for years to come. Bringing it into force on Royal Assent cannot come soon enough. It will create one of the toughest regimes for telecoms security in the world. It will protect our networks and shield our critical national infrastructure both now and in the future, as technologies grow and evolve. With this Bill, we are delivering on our commitments in the 2019 telecoms supply chain review, which were informed by the advice from the world-leading NCSC and GCHQ. Today, we have taken an important step towards putting those commitments on a statutory footing and taking action to protect and secure our important networks.
I hope that, in my response to the amendments and new clauses, I provided reassurance on the role of Ofcom, the importance of diversification and the other matters raised. I welcome the constructive challenge of Members on those points, and I hope I have reassured them that we are pushing in the same direction. I thank all Members for their contributions. I commend the Bill to the House and look forward to it passing through the other place.
Chi Onwurah [V]
I thank the Minister for his statement and echo his remarks in thanking all the Clerks and officials of the House and the Department who worked on the Bill, as well as our security services for the protection they provide day and night and for the input of the NCSC and GCHQ to the Bill.
I want to make it clear that the Labour party supports the Bill as a necessary step in protecting our telecoms national security. It is important that we legislate to ensure that Government have the power to act when faced with circumstances such as those presented by Huawei or, even better, to prevent dependency on high-risk vendors from arising in the first place. We will therefore not oppose the Bill on Third Reading. We recognise that national security is the first duty of every Government, and we support the measures to promote national security in the Bill.
At every stage of the Bill’s passage, we have seen an engaged and informed level of debate. As a chartered telecoms engineer, I particularly welcome the time that the House is spending on considering our telecoms infrastructure, even in these circumstances, which are to be regretted: we should not have got here. Parts of our debate have resembled a wake for the telecoms sector we could have had with a UK sovereign capability. The telecoms sector should have been subject to a more active, proactive interest for years now—or, shall I say, 10 years? We have lacked a telecoms industrial strategy and that, together with a focus on foreign investment over national security, is why we are here. Successive Conservative Governments have allowed the telecoms sector in the UK to be dominated by a high-risk vendor. Competition on price rather than security has become the rule for the telecoms operators. The market failed, but Ministers did not notice; they thought that security could be left to the market.
This is at a time when digital has become part of every part of our lives. We now spend a quarter of our waking hours on the internet. The UK telecoms industry contributes £32 billion to the economy and directly provides nearly a quarter of a million jobs. It has an impact on all our lives. As we are experiencing during the pandemic, it is an enabler of almost everything we do, and in the future—by which I mean in the next few years—it will bring about even more significant changes to how we live, work and engage with one another.
From driverless cars to advanced manufacturing, digital connectivity is essential. Indeed, we can argue that the pandemic has given us a taste of the future and moved the future closer. It has shown us how important good, fast, stable connectivity is, with millions still depending on it to work from home and stay in contact with friends and family. The pandemic has encouraged—indeed, required—a mass migration online, with businesses that were not digital-ready suddenly forced to operate online. It is salutary to recall that before covid there was a question of whether broadband was a vital utility. That was a matter of debate; it was debated as part of the Telecommunications Infrastructure (Leasehold Property) Act 2021. The pandemic has since proved beyond doubt that telecoms is an essential utility, but, although our telecoms infrastructure has held up during the pandemic—I congratulate telecoms operators on that—it could have been so much better. Many in rural areas or unable to afford decent broadband will not thank me for praising our telecoms networks.
When Labour left office, we had world-leading infrastructure. That is no longer the case. We are now 47th in the world for broadband speeds. I say that to emphasise the significance of the upheaval that the sector is facing after the Government’s decision to strip Huawei out of the network, at a cost of £2 billion and two to three years delay to 5G roll-out. It is a decision that we supported and continue to support, but we cannot let solving one problem give rise to numerous more. Unfortunately, the holes that remain in this Bill will do just that. Let me emphasise how important this Bill is in ensuring that we get regulation and investment right for a sector that contributes so much to our economy, as well as to our work and social lives.
We must make sure that we do not find ourselves in a similar position again, and that our telecoms network and supply chains are resilient and protected in future—even, critically, as the geopolitical environment evolves. Our telecoms infrastructure lacks security and resilience. The Government have taken no steps to maintain or develop a sovereign telecommunications capability, and their broadband strategy—if we can call it that—has far more U-turns, dither and delay than meaningful policies.
The Bill is passing to the other place with significant failings. The first is national security. Labour prioritises national security. The Secretary of State and the Minister both agreed during the proceedings that the Bill needed to include sweeping powers to address matters of national security, so we remain concerned that the Committee that provides parliamentary oversight on matters of national security is being excluded from oversight of the measures in the Bill.
Secondly, the security of our networks depends on an effective plan to diversify the supply chain. As our amendments have fallen, the Bill still does not even mention supply chain diversification or the diversification taskforce, even though we all agree that we cannot have a robust and secure network with only two service providers, which is the number that we will have left once Huawei is removed from our networks.
I am going to say this once more for the Minister: we need a diversified supply chain and that means a diversity of suppliers at different points of the supply chain. Britain has great start-ups that are just desperate to help address this issue. Where is the support for them? The future of telecoms networks is moving away from closed, proprietary boxes to open interfaces and innovation in the cloud. That provides a real opportunity for some of our innovative companies, but the Government have still not laid out how this is to be realised, as their own diversification taskforce report recently made clear. Is the UK going to benefit from the costly debacle of ripping out Huawei—an integrated supplier? Right now, the only beneficiaries would appear to be Ericsson, Nokia and lawyers. We put the Government on notice that we will be holding them to account on that.
Thirdly, the Bill gives sweeping new powers and responsibilities to Ofcom. This follows a vast and continuing expansion of Ofcom’s remit. Ofcom lacks experience in national security, and changes to its duties will require the recruitment of people with the required level of security clearance and experience. The Minister and the Government have sought to evade scrutiny on that. We will seek to hold them to account. As part of that, we are very concerned that the Bill in its current form is not forward thinking enough. It lacks the processes to provide the foresight needed to ensure that we are not in this same position again. Where is the horizon-scanning function to identify emerging threats and potential weaknesses in UK telecoms providers’ asset registers? If our networks became dependent on one cloud service provider, such as Amazon Web Services, how would we know?
To conclude, we support the Bill as a necessary measure to protect our telecoms national security interests, but we are concerned that the Government have allowed ideology to undermine effectiveness when it comes to this Bill, and we will continue to seek to improve it.
Bob Stewart
I agree with the hon. Member for Newcastle upon Tyne Central (Chi Onwurah): this is a Bill to try to block hostile states and organisations from breaching our national security, and its intentions are absolutely on target, and all of us agree with them.
I do not believe that we will not have to revisit parts of the Bill to ensure that in the end Parliament is sovereign over information. For instance, it does not seem right that Ministers and Ministries keep the information to themselves and it is not passed on, albeit in redacted form or through the ISC.
We have to get oversight right, so in the end we may have to revisit the legislation in the next few months and years as a result of the experience we have. I hope not—I hope the Minister is right that we will be able to have oversight without having to revisit the legislation, but I suspect we might not. There it is—I promised to be short, and I will sit down now.
Stephen Flynn
I am a strong believer that brevity is a great charm of eloquence, so that is a statement that would be well taken on board by the shadow Minister in future. I was hoping for a power cut in Newcastle—I am being kind.
First, I place on record my thanks to my hon. Friend the Member for Gordon (Richard Thomson) for his partaking in the debate on Second Reading. He did us a great service in that regard. I also thank Josh Simmonds-Upton in our research team, who put a great deal of effort into the Bill.
This is a Bill that we will support. We will give it close scrutiny moving forward, and I hope that the Government will work on good terms with the Scottish Government moving forward in this regard.
Question put and agreed to.
Bill accordingly read the Third time and passed.
Mr Deputy Speaker (Mr Nigel Evans)
I am going to suggest that as we go through the next motions, the Serjeant at Arms sanitises just the Government Dispatch Box in order for us to save a little time.
Telecommunications (Security) Bill
Wednesday 26th May 2021
(2 years, 10 months ago)
Lords ChamberRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Amendment Paper: Consideration of Amendments as at 25 May 2021 - large print - (25 May 2021)
Telecommunications (Security) Bill
Tuesday 29th June 2021
(2 years, 9 months ago)
Lords ChamberRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Consideration of Amendments as at 25 May 2021 - large print - (25 May 2021)
Baroness Barran
That the Bill be now read a second time.
Relevant documents: 5th Report from the Constitution Committee and 4th Report from the Delegated Powers Committee
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Baroness Barran) (Con)
My Lords, this past year has put into sharp focus the importance of digital connectivity, which has been vital in keeping both people and industries going in these challenging times. In the other place, my right honourable friend the Secretary of State spoke about the potential for 5G and gigabit broadband to transform our lives. The Government are investing billions of pounds into these cutting-edge technologies. However, we can be confident in the technology only if we know that it is secure.
That is why we have introduced the Telecommunications (Security) Bill. The Bill will create one of the toughest telecoms security regimes in the world. It will protect our telecoms networks even as technologies grow and evolve, shielding our critical national infrastructure both now and for the future. I will briefly outline the context for the Bill and why it is necessary, before turning to the intent of its clauses and delegated powers.
The security and resilience of 5G and full-fibre networks is not just in the national security interests of the UK. It is also crucial to the UK’s economic interests and future prosperity. The House will recall that this Government published the UK Telecoms Supply Chain Review Report in July 2019. It found that telecoms providers lack incentives to apply security best practices and recommended a new framework for the UK’s public telecoms providers that will respond to new and emerging threats to the security of our networks. The review also recommended new national security powers for the Government to control the presence of high-risk vendors in UK networks. The Bill is our response to those recommendations.
I will now outline the intent of the Bill’s clauses, which can be broadly separated into two groups. Clauses 1 to 14 introduce a stronger telecoms security framework, placing new security duties on public telecoms providers. Clauses 15 to 23 introduce new national security powers to address the risks posed by high-risk vendors.
I turn first to Clauses 1 to 14. The Bill amends the Communications Act to create a tough new telecoms security framework, which consists of three layers. First, the Bill places strengthened overarching telecoms security duties on public telecoms providers in primary legislation. Secondly, specific security requirements will be set out in secondary legislation. Thirdly, guidance on the detailed technical measures that providers could take to comply with their legal obligations will be set out in a code of practice. The new legal duties in the Bill and the measures in the secondary legislation will apply to public telecoms providers operating within the UK.
To illustrate the specific measures that providers may be expected to adopt, we published an illustrative first draft of the security framework regulations on GOV.UK in January. We have been, and continue to be, in close contact with industry following the publication of the draft regulations. Comments received as part of this engagement are being considered in the drafting of the final version. We will launch a public consultation on the draft code of practice once the Bill achieves Royal Assent. This will ensure that views from all impacted groups are heard ahead of the new framework coming into force.
The Bill provides Ofcom with a new general duty to seek to ensure that telecoms providers comply with their new security duties and builds on Ofcom’s existing security duties. Ofcom will have new powers to assess providers’ compliance. In cases of non-compliance, Ofcom will be able to issue a notification of contravention and, ultimately, financial penalties of up to 10% of turnover. Recognising that Ofcom will have expanded duties, DCMS is working with it to ensure that it has the necessary capability and capacity to deliver those vital functions. We have already increased Ofcom’s security budget for this financial year by £4.6 million to reflect its enhanced security role, in addition to its existing funding. Ofcom will also continue to work closely with the National Cyber Security Centre in the delivery of its security functions. The two organisations have published a statement, available on Ofcom’s website, which sets out how they plan to work together.
Clauses 15 to 23 introduce new national security powers to manage the risks posed by high-risk vendors in our telecoms networks. The Bill includes new powers for the Secretary of State to designate specific vendors in the interests of national security and issue directions to public communications providers. Those directions will place controls on a provider’s use of goods, services and facilities supplied by a designated vendor. Once a designated vendor direction is issued, the Secretary of State can direct Ofcom to collect information from providers and report back so that the Secretary of State can determine whether a provider is complying with a direction. Government amendments were passed in Committee in the other place to bring the powers in Clauses 15 to 23 into force immediately upon Royal Assent.
The Government have announced that UK telecoms providers should cease to install Huawei equipment in 5G networks after September 2021 and remove all Huawei 5G equipment by the end of 2027. We published an illustrative direction and designation notice in November 2020 to demonstrate how the powers in the Bill could be used in relation to Huawei in line with these announcements. Once the Bill receives Royal Assent, any proposed designated vendor directions and notices will be subject to the relevant consultation requirements set out in the Bill.
I will now turn to the delegated powers in the Bill. It contains nine delegated legislative powers to make secondary legislation and two administrative powers. Six of the delegated legislative powers are to amend the maximum penalties specified in the Bill. These are Henry VIII powers and are subject to the draft affirmative resolution procedure. A further two are powers to create regulations setting out specific measures to be taken to comply with the new security duties and are subject to the negative resolution procedure. Finally, one power is to make regulations commencing certain provisions in the Bill and is not subject to any procedure. The two administrative powers are the power to issue codes of practice and the power to give designated vendor directions to providers.
Our approach to the delegated legislative powers is in keeping with precedent. The powers to amend maximum penalties in the Bill are consistent with those in the Communications Act 2003. I appreciate the need for Parliament to have the right mechanisms to scrutinise the powers that we are taking in the Bill. I am confident that the approach we have taken finds the appropriate balance. As the House would expect, we have submitted the delegated powers memorandum to the Delegated Powers and Regulatory Reform Committee. I thank it very much for its prompt report on the memorandum, which I read with interest. The Government will consider the committee’s recommendation concerning the power to issue codes of practice about security measures and aim to respond to the report fully in due course.
To conclude, the Bill has not been designed around one company, one country or one threat. Its strength is that it will create an enduring and effective telecoms security regime that will be flexible enough to keep pace with changing technology and changing threats. I hope that noble Lords on all sides of the House will welcome it. I beg to move.
Lord West of Spithead (Lab)
My Lords, those of you who participated in this House’s consideration of the National Security and Investment Act may, I am afraid, detect a few similarities in the nature of my contributions to this legislation. That is an unfortunate consequence of the Government’s failure to listen to the strength of feeling in the House on the subject of oversight during those debates.
Like that Act of Parliament, the Bill seeks to address concerns first raised by the Intelligence and Security Committee some seven years ago in its report, Foreign involvement in the Critical National Infrastructure, namely that there were serious failings in the way in which successive Governments managed the entry of foreign telecommunications companies into the UK market. Clearly, the Government have been listening to what the ISC, with its unparalleled access to highly classified material, has been able to discover on behalf of Parliament, leading to both pieces of legislation.
The ISC therefore welcomes this Bill. We strongly support the principle behind it and the new safeguards it introduces. However, as with the National Security and Investment Act, we are concerned that the Bill does not provide for sufficient parliamentary oversight of these important new powers. As noble Lords are aware, the Bill provides significant powers for the Secretary of State to designate certain vendors as high-risk and to direct telecommunications providers to abide by certain requirements about the use of equipment from designated vendors. When the Secretary of State issues, varies or revokes a designation notice or a designated vendor direction, he will lay it before Parliament, except when this is contrary to national security.
This is a perfectly reasonable provision. I, for one, would not wish the Government to publish information that would damage national security. However, as things stand, this results in a significant gap in Parliament’s ability to scrutinise the Government’s decision-making and use of these powers. I am sure noble Lords agree that this is not what Parliament expects.
There is a simple and elegant solution to this problem: any designation notices or designated vendor directions that cannot be laid before Parliament for reasons of national security should be provided instead to the ISC for scrutiny. Parliament established the ISC for this purpose. Indeed, it is the only committee of Parliament that has regular access to the most sensitive protectively marked information. ISC colleagues have made these points repeatedly in the other place but they, again, have fallen on deaf ears. The Government’s resistance to this idea, coming so swiftly after their resistance on the NSI Act, gives the unfortunate impression that they are seeking to avoid scrutiny—an impression I am sure Ministers will wish to correct.
The Government have been clear that they do not think the ISC’s scrutiny role should be included in the Bill. This is regrettable. We should not knowingly be passing legislation that has holes in it. However, once again, there is a ready solution to that problem. As noble Lords are aware, the Justice and Security Act 2013 requires the ISC’s specific remit to be set out in a memorandum of understanding between the committee and Prime Minister. The Government told Parliament that the MoU would provide the ISC with oversight of substantially all the Government’s intelligence and security activities. However, with the passage of the NSI Act and now this Bill, the MoU is self-evidently out of date. It is a very simple matter to update it to provide the ISC with oversight of these powers in the specific and limited way I described a few moments ago.
The committee has formally raised this issue with the Government and asked them to take forward updating the MoU to ensure that it meets the commitments the Government made to Parliament during the passage of the Justice and Security Act. For that reason alone, I do not intend to table an amendment that would put the ISC’s essential oversight role on these powers in the Bill. However, the Government should be in no doubt that they must address this issue; the current situation is not tenable. If the Government do not wish to amend the Bill to fill this oversight gap, they must give a commitment to update the ISC’s memorandum of understanding and provide the oversight that Parliament requires in that way.
A large body of opinion from all corners of the House feels strongly about this and, should another Peer table an amendment on it, I would support it. The Minister will recall the strength of feeling in the House when the Government failed to provide for ISC oversight of the powers introduced by the National Security and Investment Act. I urge the Government to work constructively with the ISC on this issue.
Lord Fox (LD)
My Lords, I thank the Minister for her very clear exposition of the purposes and modus operandi of this Bill. It is a great pleasure to follow the noble Lord, Lord West—Admiral West—and I look forward to working with the noble Baroness, Lady Merron, who is on the Front Bench.
During late summer last year, we debated the Telecommunications Infrastructure (Leasehold Property) Act, when this security Bill was held out as a carrot, largely to try to curtail discussions of a Chinese nature. It did not work, of course, and we had those discussions, but here we are at last with this Bill. As we have heard, it provides the Government with considerable new national security powers to issue directions to privately-held public telecommunications providers, primarily with the aim of managing issues arising from high-risk vendors. As such, the Minister will acquire wide and sweeping powers.
The Bill also gives Ofcom wide duties and legal powers to monitor and assess the security of telecoms providers. For teeth, as we have heard from the Minister, companies that continue to use high-risk vendors could or will face very heavy fines. Perhaps the Bill’s headline outcome is the new controls on the use of Huawei 5G equipment, including a ban on the purchase of new Huawei equipment from the end of 2021 and a commitment to remove all Huawei equipment from 5G networks by 2027.
How will these Benches respond? First, I am happy to confirm that Liberal Democrats are strongly in favour of having secure telecommunications networks. I am sure the Minister is relieved to hear that. Secondly, Liberal Democrats want to see Huawei technology removed as quickly and expediently as possible. However, I note, as the Minister hinted at but did not detail, that the issue is with more than one supplier and more than one country. I add that the issue of the treatment of Muslim Uighurs does not stop with this Bill. The genocide going on there creates much wider implications for our relationship with China than the issue of which technology makes our phones work. These implications are very important, but I understand that they are beyond the scope of this Bill.
Thirdly, Liberal Democrats strongly believe that the Government must now invest in developing telecommunications technology in the UK. We want to see an increase in the diversity of the UK’s telecoms supply chain. We also believe that a strong relationship with the European Union and the intelligence alliance Five Eyes will help us to ensure that security risks are dealt with quickly. Finally, Lib Dems want to see stronger protections for the privacy of people in the UK.
What we will be testing in Committee is threefold. First, does the Bill effectively shut out the technology it is meant to shut out? The trick to making communications secure will be the nuts and bolts of the Bill. Secondly, do the Minister and Ofcom have the right powers, and the necessary checks and balances, to make this Bill work? Thirdly, when it comes to supply chain diversification, can we actually shut out Huawei et al and have an effective communications network?
One at a time, first let us look at the prime intent of the Bill: to keep our networks secure. On the face of it, this is another skeleton Bill. With the presentation of a few statutory instruments here and there, the Government should theoretically be able to react swiftly, but are the Minister and Ofcom placed to pre-empt issues, rather than react to them? There is a technical difficulty here: in 5G particularly, the distinction between the core and edge of networks is blurred. With technology moving faster than government can, that distinction is almost meaningless and the threats will change from week to week. So can the Minister explain how Ofcom can ever successfully be ahead of the game and not chasing issues?
As we know, plans for removing Huawei have been announced, but this does not stop with Huawei. For example, legislation in the US is considerably broader. It identifies specific companies, including Huawei, but also ZTE Corporation, Hytera Communications Corporation Limited, Hangzhou Hikvision Digital Technology Co. Limited and Dahua Technology Co. Limited. Also, US legislation covers telecommunications and video surveillance and services. Given the news this weekend, the Minister might like to review where we source CCTV cameras from in this country—I note that that was discussed in a previous debate. Can the Minister assure your Lordships’ House that this legislation will cover the full range of security threats that we need to cover or will we see another Bill to broaden it yet further into surveillance and surveillance services?
Turning to the powers granted by this Bill, it gives wide-ranging powers to the Secretary of State and next to no oversight to Parliament. Included are sweeping powers to address matters of national security and it is not clear, although the Minister has hinted, how Ofcom will really interact with the intelligence community. Furthermore, as we have heard from the noble Lord, Lord West, the committee, which has express oversight of national security, has been excluded from scrutinising how this legislation will operate. I support the words of the noble Lord, Lord West. In addition, there is no dedicated role for judicial or technical oversight. This is very different from the Investigatory Powers Act 2016, in which such provision exists. I expect my noble friend Lord Clement-Jones to comment more on this issue.
The Bill also gives sweeping powers to Ofcom. We heard from the Minister how Ofcom will be co-operating with the intelligence services, but this creates a conflict of culture within Ofcom and will inevitably lead to more opaque operations which will, in turn, create issues elsewhere. I am still not clear how that interface will work. It will be useful to investigate that in Committee.
Finally, I turn to supply chain diversity. The Minister in the Commons said:
“We must never find ourselves in this position again. Over the last few decades, countless countries across the world have become over-reliant on too few vendors”—[Official Report, Commons, 30/11/20; col. 75.]
Fine words, I am sure, but they come from a Government whose Chancellor and Secretary of State for BEIS have cancelled the industrial strategy and disbanded the Industrial Strategy Council. Undaunted, alongside the Bill the DCMS has published a diversification strategy. I suggest that Oliver Dowden, who adorns that document, is rowing somewhat in the opposite direction from the Chancellor of the Exchequer. Assuming that this strategy makes some headway against a running tide within government, it has three legs: “supporting incumbent suppliers”, “attracting new suppliers” and accelerating “open-interface solutions”.
I will take those legs one at a time, beginning with “supporting incumbent suppliers”. I am bemused by the term “incumbent”. I think it means domestic suppliers, because Huawei is an incumbent supplier and we have heard that it will not be getting support. Assuming domestic suppliers is what is meant—there are world trade rules that make it difficult to preferably treat domestic suppliers, but assuming these can be surmounted —can the Minister give us the current estimate of how many incumbent domestic suppliers are in our network and what percentage, in terms of value, they represent?
To fill that gap, we are going to need pretty rapid innovation. Innovation is not easy and the speedy innovation we have just seen with the Covid vaccine, for example, was helped by two important conditions: first, a very strong existing R&D base in this country and secondly, a guaranteed private sector market for the vaccine. I do not think these conditions exist for telecoms technology. So, what is Her Majesty’s Government’s assessment of telecoms research and development in the UK? How will the private networks be encouraged to guarantee a market for any UK-based and UK-developed products that emerge?
The second strategic leg is “attracting new suppliers”. I suspect this is going to be an easier job than building an industry from scratch in this country. Will the Minister confirm how the vetting process will work? I assume this will be in the code of conduct. Will the networks have to be externally cleared? Will they be subsequently audited, and how deep does approval go? Does every component of every sub-assembly need to go through a process, and how will this all unfold in building the networks? It begins to sound quite cumbersome if there is going to be a nuts and bolts check of the technology.
The third leg is accelerating “open-interface solutions”. The Government are moving ahead at speed with open-access radio networks and open RAN piloting, and should be congratulated. If it goes to plan, when will we start to see this becoming significant? How will the Government get the existing vendors to increase the scope of their interoperability? What, in a sense, is in it for them?
We overwhelmingly support the objectives of this Bill. There are serious issues, particularly in the absence of detail and scrutiny. The regulations remain a mystery until they are published, and the process is potentially pretty bureaucratic. I think the Government have recognised that there are issues, which probably reflects why there are four days in Committee ahead of us. We may need all four of those days.
Lord Stirrup (CB)
My Lords, I welcome this Bill. It is not only necessary, it is also overdue, but it is just one step on a path along which we have much further to go. By itself the Bill will have only a limited impact. If we are to realise its benefits, we need to think about the wider questions it leaves unanswered. Addressing these questions is crucial to our future safety and prosperity.
Throughout history, technological advances have brought with them exciting new opportunities, but they have also introduced serious vulnerabilities. Meanwhile, as our society has grown more complex, interconnected and interdependent, so its ability to weather shocks has grown more fragile—to the point now that serious technological disruptions could have catastrophic consequences. This should not be taken as an argument against embracing technology and the benefits it confers. It should, though, make us think very seriously about the new vulnerabilities we create and how we might mitigate the associated risks.
The Bill goes some way towards meeting that responsibility, but it does not provide the whole answer. As the title of the Bill tells us, the issue we confront is one of security, but we have to ask ourselves what exactly we mean by that term. In my view, we do not mean invulnerability. We should certainly seek to defend critical areas such as our telecommunications from attack, but a defender always has certain disadvantages. The choice of when, where and how to attack lies with the assailant and the defender is, at least at first, on the back foot. This problem is particularly acute when the space or activities to be defended are widely spread, as with our telecommunications network. We cannot therefore assume that an attack will fail, no matter how well we prepare. Quite the opposite: we have to assume at least a degree of success. So, the security of our national telecommunications infrastructure becomes a question less of how to prevent attacks entirely and more of how well we can absorb and recover from them.
In its first report of May last year, the National Infrastructure Commission acknowledged as much and recommended an architecture which can “anticipate” challenges, “resist, absorb” and “recover” from attacks and adapt accordingly. It calls on the Government to set “resilience standards”, appoint regulators to “oversee regular stress testing” and require that:
“Infrastructure operators produce long term resilience strategies”.
Can the Minister tell the House what progress has been made in implementing these recommendations?
All of this seems to throw up two different categories of question: what policies and actions would best protect our infrastructure from attack and achieve the necessary resilience, and how do we provide appropriately rapid assessments and directions to counter the effects of such attacks?
On the first point, at which this Bill is aimed, the Huawei experience would seem to suggest restricting the provision of parts of our infrastructure to trusted suppliers and operators, but who are they and how are they to be engaged? They cannot be drawn solely from the ranks of “British” companies—whatever that means in today’s globalised business environment—since we do not have the mass, the spread or the technologies within our economy to meet all our own needs. It is certainly possible to identify less risky 5G suppliers than Huawei, but not ones that are risk free.
Even where we do have a national capability to provide and operate parts of our infrastructure, problems remain. Are the Government to identify such national champions in selected areas of business? This may be necessary in some very restricted areas, but such dirigisme has a poor track record in the UK for two principal reasons. First, the Government are not very good at identifying winners. Secondly, in order to remain in business, such champions need a regular drumbeat of UK orders, which, in turn, stifles competition and efficiency. There are many salutary examples of this in the history of defence procurement.
A more productive approach might be to decrease reliance on one or even a few suppliers and thus build a degree of redundancy into the most critical parts of our infrastructure. This would not be the cheapest solution, at least in the short term, but the level of insurance that it provides might be well worth paying for. The Government need to develop an approach that balances cost, risks and resilience—that constantly monitors and rebalances this equation in the context of our complex and dynamic world.
This requirement, alongside the observation that some of our judgments will inevitably prove to be wrong, and in the expectation that some attacks will succeed, at least in part, brings me to my final point. Things move quickly in the world of technology, and they will move even faster during a determined attack on our telecommunications infrastructure. If we are to respond successfully, if we are to absorb the first blow, recover from it and reshape ourselves for the future, we will need two things: agility and adaptability. Agility in this sense is our ability to respond quickly to those things we did not or could not foresee—to change our systems, plans and, indeed, our thinking on the fly to check and outmanoeuvre our opponents. Our resilience and ability to recover will depend on this. Adaptability, by contrast, is about our ability to change our longer-term posture in the light of emerging threats and opportunities and to learn from both failure and success. Agility keeps us in the fight and helps us master immediate challenges. Adaptability maintains our readiness in a changing world.
Provision of these crucial attributes cannot be left to the individual service providers, but neither can they be delivered by the Government or by a regulatory body such as Ofcom. Those organisations can and should formulate policies, allocate resources and check compliance, but we also need a much more flexible arrangement to provide effective command and control of both our detailed preparations for, and our response to, attacks. Perhaps there is a role here for an expanded National Cyber Security Centre. So, while I welcome and support this necessary Bill, I urge the Government to view it as just one stage of a much longer journey. It is a good plan, but like all plans it will not survive first contact with the enemy. If we are safely to reap the benefits of new technologies, we need ways not just of regulating them but of dealing swiftly and competently with the dangers presented by their malign exploitation. This Bill goes only so far; we need to go much further.
Baroness Morgan of Cotes (Con)
My Lords, it is a pleasure to speak in this debate. In the time available, I want to welcome the Bill, which, as we have already heard, delivers on promised made by the Government and Ministers in 2019 and 2020: that a comprehensive telecoms security framework would be put in place. As my noble friend the Minister said, this is a comprehensive security framework that will provide an opportunity to look beyond just one company or one country of concern. As we have heard from previous speakers, over the years there will of course be more threats and more areas and companies of concern that will arise.
I agree with the noble and gallant Lord, Lord Stirrup, that of course this is a first step. As we know, with security threats and with emerging technology, over the years a more comprehensive response will be needed, but I think the Government are to be congratulated that the midst of the disruption over the last 15 months, this telecoms security framework Bill has been brought forward as was promised. The other side to this, as we have already heard, is noble Lords’ desire to hear about the pace and rollout of the diversification strategy. My noble friend the Minister will, I hope, be taking this from the House and be able to address it in her comments.
As noble Lords will be aware, the use of 5G technologies, the importance of 5G to the delivery of the internet of things, the use of artificial intelligence and other technologies, are only going to grow. Just this morning, I was part of this House’s Covid-19 Committee listening to evidence about the increase, as we have seen, of course, of people working from home over the last year, running their businesses from home and, as some of us have seen more closely than others, home schooling—which we all hope there will be no need for again in future. Without secure, reliable and resilient broadband internet and 5G connectivity, we will put ourselves at a disadvantage as a country.
The need for that resilience—as well as having secure networks—means that if we are asking companies to take out the technology from a particular other supplier, or to not use technology from particular countries in future, for extremely understandable, wise and prescient security reasons, we will need to make sure that we build up a secure, long-lasting and sustainable supply chain strategy in this country. This may not relate only to domestic companies; we have allies around the world and will want to be able to work with other companies and countries around the world to make sure we have that diversity of the supply chain. The lack of diversity has been referred to as a market failure, and I think that was correct. The Government have now very much got on top of this and got ahead of this. I hope the Minister will, as the Bill goes through this House—I will have great pleasure in supporting it as it does—and in future, be able to keep the House updated about the delivery of that diversification of the supply chain, as was announced by my right honourable friend the Secretary of State in November last year. I wish the Bill every success as it proceeds.
Lord Maxton (Lab)
My Lords, I hope to be very brief. We ought to remember three things. First, our lives are very short—although I am 85—in comparison with the 300 years of the Industrial Revolution. Secondly, that is 0.1% of Homo sapiens’ existence on this world. Thirdly, the world is much older still. Is the Minister assured that the development of innovation that is part and parcel of what we want to see over the next few years is going to continue, or is this going to be a block on the continuation of that?
More importantly, much of what Ofcom deals with is international, not national. Therefore, it is going to be much more difficult to respond to an entitlement of that nature internationally than nationally. It is easy to deal with four or five companies that deal with telecommunications within this country, but it is not so easy to deal with them internationally, particularly with Facebook and Twitter and all the other things that go with that. I have no idea where they come from. Does anybody know where they come from? Netflix is a massive organisation, now producing more than the BBC, but where does it come from? Where exactly is it, in terms of telecommunications generally? Amazon Prime—again, where does it come from? I pay my bill to Amazon Prime regularly, but where on earth do I pay it to? Where does it go?
I suggest three things: first, that we deal with the international issue; secondly, that we deal with the issue that I raised to start with; and thirdly—more importantly—that we ask whether our democratic system keeping up with the improvements in science and technology that are happening around the world at present. Yes, in 1820, two-thirds of people in Britain lived below the level of absolute poverty. Now, the United Nations is talking about abolishing that term because that level no longer exists. Poverty exists, of course, but absolute poverty does not exist. On vaccines, even in the present crisis, the number of people who are vaccinated now is higher than in the past. The number of people who can read and write is also higher. So, why are we not tackling the problem of changing our constitution to ensure that we keep up with the scientific and technological improvements happening around the world?
Lord Young of Cookham (Con)
My Lords, I am grateful to the Minister for her clear and convincing explanation of the need for this Bill, which I support. I have a possible interest as a beneficiary of the British Telecom pension scheme but, as it was a nationalised industry when I worked for it and our main preoccupation was the introduction of subscriber trunk dialling in the 1960s, I fear that much of my knowledge of the technical side of the telecommunications industry is 60 years out of date.
I mention in passing the report by the Delegated Powers and Regulatory Reform Committee, which says, on the power in Clause 3, that the committee is unconvinced by the department’s case and recommends a negative procedure for the code of practice. That seems to me to be a concession that the Government could consider. I noticed with approval the Minister’s conciliatory response when she spoke about the committee’s report.
There are three issues I want to raise briefly. The first concerns whether the Secretary of State’s directions and designations under the Bill are justiciable and whether issues of national security could end up being decided not by Ministers but by the courts. For example, could a potential supplier, such as Huawei, assert that there was no risk to national security in any ministerial designation, that decisions were being taken to protect domestic suppliers and that no reasonable Secretary of State could have reached such a conclusion and seek an injunction? In which case, despite the passage of the Bill, we would find that there was extensive and time-consuming litigation, during which time investment in telecoms infrastructure would be frozen and potential security issues would be ventilated in the courts. Can my noble friend say that every precaution has been taken to avoid such a scenario?
Related to this is whether the Secretary of State has to give reasons for his decisions. We are told in the Explanatory Notes:
“Designations and directions may only be made in the interests of national security.”
Paragraph 35 then sets out the factors that the Secretary of State will take into account, which presumably could give ammunition to a potential litigant. Subsection (5) of new Section 105Z1 of the Communications Act 2003 inserted by Clause 15 says:
“A designated vendor direction must specify … the reasons for the direction”.
However, the next subsection says that “specifying reasons” need not be given if it
“would be contrary to the interests of national security”,
while, in new subsection (2)(1) we are told that a direction can be given only
“in the interests of national security”.
So, we seem to be going round in circles. I wonder whether my noble friend can shed some light on this paradox.
My second question relates to responsibility for telecommunications security within the Government. The Explanatory Notes tell us:
“The security of telecoms infrastructure needs to be considered within an international context”
and we read how cyberwarfare is going to displace conventional warfare. The powers given to the Government in the Bill to protect the integrity of our communications network rest with DCMS but, at the moment, the Secretary of State is not on the National Security Council, which to me seems a surprising omission. The National Cyber Security Centre, whose work is central to the operation of the Bill, is part of GCHQ, which reports to the Foreign Secretary. The Cyber and Government Security Directorate sits within the Cabinet Office, leading on the co-ordination and delivery of the classified national security risk assessment, which assesses the most significant risks to the UK. When I answered Questions for the Cabinet Office in Your Lordships’ House, I had to answer Questions about Huawei—or, if I did not answer them, I at least replied to them. Finally, a significant proportion of telecommunications research is led and funded by the Department for Business, Energy and Industrial Strategy and its external bodies, such as UK Research and Innovation and Innovate UK, report to BEIS. Can my noble friend explain, perhaps in a letter, the inner wiring of responsibility for dealing with cyberwarfare between the FCDO, the Cabinet Office, the MoD, BEIS and DCMS?
My last point concerns the ambition to create one of the toughest security regimes in the world and set up the UK as a global leader in the telecoms supply chain, a point made by my noble friend Lady Morgan of Cotes. I very much welcome this. Other countries in the free world face the same challenges as the UK in protecting the integrity of their national networks and others are reducing their dependence on Huawei. So, there is a real opportunity here to win new markets, create fresh investment and employment in the UK on the back of this Bill and build back better. To what extent is the UK liaising with other countries to ensure that the standards—the codes of practice mentioned in the Bill—are recognised by other countries, so that the new supply chains that we plan to create in the UK enable us to penetrate new markets? Can my noble friend amplify what she told us in her letter of 2 June about the steps we are taking to set up the UK as a global leader in this field? What progress has been made in attracting new suppliers to the UK market? What is the follow-up to the telecoms diversification task force under my noble friend Lord Livingston? It reported in April with a wide range of recommendations: the co-ordination of government activity, a targeted international engagement strategy, joint working on standards and buy-in by other countries.
I conclude by quoting from that report—-:
“It is therefore essential that the UK coordinates its efforts with like-minded nations and focuses investment in areas that can succeed on an international, not national scale. … If the Government is to move the dial towards the UK’s long-term vision for the market, it will require buy-in and support from a critical mass of nations.”
I have not seen a government response to those thoughtful and wide-ranging recommendations. Perhaps, again in a letter, my noble friend could set out how we plan to build on the recommendations in that report.
With these comments, I wish my noble friend well as she pilots this Bill on to the statute book.
Lord Clement-Jones (LD) [V]
My Lords, I thank the Minister for her very fair introduction to the Bill. As a former member of Huawei’s international advisory board, I am somewhat conflicted in a discussion about the principles of the Bill, especially following the various twists and turns in government policy. I very much support the 5G supply chain diversification strategy, but the questions raised by my noble friend Lord Fox and the noble Lord, Lord Young, need to be answered. How it is progressing and where any financial support is going need to be the subjects of regular report by government, given that in the short term we are faced by a stark dual-supplier market.
As my noble friend Lord Fox has indicated, however, I want to focus on, and confine myself to, a debate about the wide-ranging new powers in the Bill for the Secretary of State and Ofcom and the lack of adequate checks and balances, especially in terms of oversight, whether parliamentary, judicial or, indeed, technical, which permeates the Bill. If there are going to be these extensive new powers, we need to make sure that they are exercised properly and with due process and consultation.
The Delegated Powers Committee report referred to by the noble Lord, Lord Young, is just the tip of the iceberg. It draws the attention of the House to the proposed new Section 105E of the Communications Act 2003, which gives the Secretary of State power to issue, revise or withdraw codes of practice about security measures that should be taken by providers in the performance of their duties to prevent security compromises. There is a duty to consult with Ofcom and providers but no oversight or approval role for Parliament.
I am glad to say that the committee, in the light of the importance of the code in assessing compliance and in enforcement by Ofcom, was unconvinced by the department’s claim that this was too detailed and technical, and “not legislative”. As the committee says,
“The Bill provides for codes of practice to play a significant role–both in relation to the exercise of OFCOM’s regulatory functions and in legal proceedings - in supplementing the important duties to take security measures that the Bill imposes on providers.”
It concludes:
“In our view, it is unacceptable for codes of practice that will have the significant statutory effects provided for in this Bill to be subject to no Parliamentary scrutiny procedure.”
I differ from the committee simply in that, in my view, the procedure to be adopted must, at minimum, be the affirmative procedure. As Comms Council UK has pointed out, Section 105E is not the only proposed new section which gives the Secretary of State extensive powers; there are others. Proposed new Section 105Z1, for example, gives power for the Secretary of State to outlaw the use of individual vendors, where there is potentially no parliamentary oversight, if the Secretary of State considers it would be contrary to national security—as has been referred to by other noble Lords. Surely that is exactly where oversight by the Intelligence and Security Committee, as the noble Lord, Lord West, has so cogently said, or by the Investigatory Powers Commissioner, as the Constitution Committee has suggested, would be not only appropriate but essential. The whole area of enforcement of compliance and, under proposed new Section 105Z27, as regards power to require information and the requirement not to disclose, needs similar oversight.
Nor is there any dedicated role for judicial oversight. Unlike similar legislation, such as that under Part 8 of the Investigatory Powers Act 2016, there are no provisions for judicial oversight of the Secretary of State’s powers. This is compounded by the fact that, under Clause 13, in any appeal to the Competition Appeal Tribunal, the tribunal cannot take account of the merits of a case against the Secretary of State, the rationale for which, as the Constitution Committee says,
“is unclear and is not justified in the Explanatory Notes.”
Can the Minister make a better fist of the explanation today?
With regard to Ofcom’s new powers to ensure compliance with security duties, as set out in the proposed new Section 105M, how will these relate to Ofcom’s existing powers under Sections 3 and 6 of the Communications Act 2003? Will this duty and the new powers Ofcom is being given still be subject to good regulatory practice so that, for example, it still must have regard to the principles of transparency, accountability, proportionality and consistency, and not impose unnecessary burdens? How will this fit in with the statement to be made by Ofcom under proposed new Section 105Y? What assurance can the Minister give? Will we see a draft during the passage of the Bill?
Similar considerations apply to the new Ofcom powers to assess compliance under Clause 6 and in regard to inspection notices under Clause 19. As the council has also pointed out, there are no clear mechanisms for technical feedback or expertise to be fed in. It observes that many of the technical requirements that will be placed on its members are not in the text of the Bill but in accompanying documents which are either yet to be published or are receiving very little scrutiny.
Already it is clear that, in the draft Electronic Communications (Security Measures) Regulations, which are to be made by virtue of the proposed new Sections 105B and 105D, giving the Secretary of State power to make regulations to require telecoms companies to take “specified security measures” and “in response to security compromises”, there are real issues with regard to provisions about patches and supply chains and definitions regarding audit and monitoring of foreign network operations centres, and it is not clear that expert technical industry comments are being taken on board. What further consultations are planned? Is this not exactly where a technical advisory board and/or panel, as under the 2016 Act, is needed? Will they even be subject to the affirmative procedure in Parliament?
This lack of clarity and transparency is causing a great deal of uncertainty within the industry. Measures are being proposed that are either technically unworkable or potentially damaging to the strength and health of the UK telecoms industry. Particular concerns arise for providers whose networks are not based purely in the UK and who do not have the relationships with the department, Ofcom and the NCSC that domestic providers may have if there is no structured consultation, oversight and update process when codes are being drawn up. BT itself says:
“we believe greater clarity is needed on OFCOM’s planned approach, with safeguards introduced in the Bill to ensure operator burdens are proportionate.”
It also makes the point that the flexibility in the Bill should not be used to bring forward any deadlines for removal of equipment. What assurance can the Minister give on this?
As well as concerns about the new powers, there is also concern reflected by the Constitution Committee about the width of crucial definitions such as “security compromise” and “connected security compromise” contained in the Bill, and the consequences that flow, particularly as regards planned outages and the need to make a clear distinction between reporting on security compromises and on resilience.
I think that I have gone into enough detail at this Second Reading to amply demonstrate that we have quite an amendment job ahead of us in Committee and on Report.
Lord Alton of Liverpool (CB)
My Lords, I thank the noble Baroness, Lady Barran, for making time to see me and the noble Lord, Lord Forsyth, last week. The noble Lord is chairing his Select Committee this afternoon but intends to speak at later stages. By way of follow-up, the Minister will have seen the letter to her from the right honourable Sir Iain Duncan Smith MP, sent yesterday. Like them, I want to speak about human rights, which was referred to by the noble Lord, Lord Fox, and the strengthening of national resilience and diversification, referred to by the noble Baroness, Lady Morgan of Cotes.
On its front cover, the Bill begins with a declaration from the Minister referencing the Human Rights Act 1998 and stating that the Bill is compatible with the European Convention on Human Rights. The European Convention for the Protection of Human Rights and Fundamental Freedoms—to give it its full title—was originally proposed by Winston Churchill and drafted mainly by British lawyers, and it is based on the Universal Declaration of Human Rights. Among other things, the convention insists on the right to life, freedom from torture, freedom from slavery, the right to liberty, the right to a fair trial, the right to respect for family and private life, freedom of thought, conscience and religion, freedom of expression, freedom of assembly, the right to marry and start a family, the right to participate in free elections, and the abolition of the death penalty. In considering a Bill which has been framed to explicitly rule out, in 5G provision, the future involvement of a company with close links to the Chinese Communist Party but which enables other links with other companies, it needs to be restated that every single one of these articles are broken each and every day by the Chinese Communist Party, and that they affect citizens outside its territory as well.
Although the Government may say that the ECHR is not the instrument with which to test their commitment to human rights, the compatibility statement should be read in line with other international law obligations, not least the prohibition on violating peremptory norms of international law, genocide, crimes against humanity, slavery and torture. The UK is, of course, a signatory to the 1948 Convention on the Prevention and Punishment of the Crime of Genocide and is bound by its own law on modern slavery. All provisions of customary international law and conventional law are binding on the UK Government, so we need to know what due diligence has been undertaken when considering their duty to prohibit and prevent genocide, along with the commissioning of other grave crimes.
The inadequacy of the compatibility statements led to an amendment to create a human rights threshold being tabled to the Telecommunications Infrastructure Bill. Later, in the Trade Bill, the House voted overwhelmingly for the all-party genocide amendment. Perhaps the Minister can say what has happened to the promised committee to examine genocide determination. In this context, the Joint Committee on Human Rights should re-examine the purpose of those declarations.
One year ago, the Minister pointed me to Section 54 of the Modern Slavery Act, and she will recall promises to examine supply chain transparency and export controls. As I was assured:
“The Home Office keeps compliance under active review.”
Supply-chain transparency has been referred to in our debate by the noble Lord, Lord Young of Cookham, and the noble Baroness, Lady Morgan of Cotes. In the absence of any progress on that promise to tackle the issue of supply-chain transparency, on 15 June I presented a Private Member’s Bill in your Lordships’ House to amend the Modern Slavery Act. To honour the Government’s undertaking, perhaps the Minister will consider adopting that Bill and providing it with parliamentary time.
Although this legislation is not specifically about China or Huawei, those were the country and company that have featured heavily in our debates. I welcome the explicit references to Huawei in the illustrative draft designation notices and designated-vendor direction to which the noble Baroness, Lady Barran, referred in her introductory remarks.
The situation in Xinjiang has not improved. The Government continue to say there are
“systematic human rights violations in Xinjiang, including credible and growing reports of forced labour”,
and the Foreign Secretary says this is “on an industrial scale.”
In 2019 and 2020, I specifically asked about Huawei’s compliance with the Modern Slavery Act and drew attention to China’s national intelligence law requiring Chinese organisations such as Huawei to support, assist and co-operate with state intelligence work. I also asked about reports that UK investors hold shares totalling £800 million in companies that supply CCTV and facial-recognition technology used to track Uighur Muslims in Xinjiang. The Government admitted that they were aware of those reports but complacently said they had
“not undertaken analysis of British investor shareholdings in Chinese surveillance companies.”
Meanwhile, however, Foreign Office Ministers were telling me the department had
“serious concerns about the human rights situation in Xinjiang, including extensive and invasive surveillance targeting Uyghurs and other ethnic minorities. An extensive body of open source evidence suggests such surveillance, including the use of facial recognition technology, plays a central role in the restrictive measures imposed in the region.”
The House should recall that the House of Commons Foreign Affairs Select Committee wrote to the Foreign Secretary, Dominic Raab, urging him to
“cease consideration of Huawei as a contractor or partner for the UK’s 5G infrastructure until investigations have been conducted into Huawei’s work in Xinjiang and its relationship to the mass persecution”.
Has that investigation taken place, and what were the conclusions?
Professor Adrian Zenz, a German scholar who recently gave evidence to the independent Uyghur Tribunal, says:
“Huawei is directly implicated in Beijing police state and related human rights violations in Xinjiang … it has lied to the public about this … In 2014, Huawei received an award from Xinjiang’s Ministry of Public Security for its role in establishing citywide surveillance systems.”
Professor Zenz says that Xinjiang represents
“the largest detention of an ethno-religious minority since World War II.”
The Australian Strategic Policy Institute meticulously details the global expansion of 23 key Chinese technology companies. One of its researchers, Vicky Xu, says the idea that Huawei is not working directly with the local governments in Xinjiang is “just straight-up nonsense”.
Since the Second Reading of this Bill in the Commons last November, there have been a number of developments that make it even more important to address the implications of being joined at the hip with any company operating under the auspices of the CCP. How do we justify deepening trade relations, as the noble Lord, Lord Grimstone, has told us he is seeking to do, with a country found by the House of Commons, in a vote on 22 April, to be complicit in events in Xinjiang where a genocide is under way? That was a vote in the House of Commons. It is not just my view or that of a group of human rights advocates; it is a view reached by the Commons. What action have we taken following that vote?
Last month, following that vote, Amnesty International issued a devastating report detailing arbitrary detention, forced indoctrination, torture, mass surveillance and crimes against humanity while the Daily Telegraph recently carried major first-hand reports from Xinjiang, including the destruction of 16,000 mosques. Harrowing evidence has been given to the independent Uyghur Tribunal, chaired by Sir Geoffrey Nice QC, some of whose sessions I was able to attend with the noble Baroness, Lady Kennedy of The Shaws, and whose brave witnesses and their families are now experiencing threats and intimidation.
If we add to the charge sheet reports of forced organ harvesting and the destruction of the rule of law, free speech and democracy in Hong Kong, along with the outrageous incarceration of legislators, lawyers, journalists, and campaigners, it is obvious that as well as security questions the House should give close attention to the human rights dimensions of this Bill. Although Huawei equipment in respect of 5G must be removed by 2027, and since the beginning of the year there have been prohibitions on purchasing any Huawei equipment, I hope we will probe how the installation prohibition will work from September and whether companies have been purchasing stockpiles with the intention of installing such equipment until 2027. How will the Government monitor this? Will some parts of the network—the most sensitive parts—be prioritised?
Earlier this month the Sunday Telegraph revealed that UK local authorities will review contracts for CCTV equipment from Hikvision, a Chinese tech firm that makes cameras used to monitor Uighur Muslims in China’s detention camps. The company is blacklisted in the United States but not here. This weekend the Washington Post reported on how Hikvision had recruited former legislators to extend its power and influence despite President Biden banning Americans from investing in the company, citing its links to the Chinese military. The UK is not immune to the influence of organisations such as The 48 Group Club, with a network of links to former and current politicians—including one who now publicly urges us to tone down our criticism of the treatment of Uighurs.
Beyond such influence, the role of hidden cameras was dramatically illustrated last week, as others have said, from the office of the former Secretary of State for Health. Yesterday the Lord Speaker wrote to us all saying that there are several hundred CCTV cameras in Parliament. I hope that in Committee we will consider the implications for civil liberties of placing such power in the hands of companies that install or own these cameras.
We should also consider the implications for security of giving such power to a regime intent on the overthrow of parliamentary democracy and which makes no secret of its goal of global hegemony. The hidden hands on the levers of power was a theme explored by the admirable Dr Julian Lewis MP, chair of the Intelligence and Security Committee, at Second Reading in the Commons. He asked
“in view of the revolving door, via which too many businessmen and ex-civil servants effortlessly glide between their former roles and the Huawei boardroom, what assurance can we have that the Government will be immune from lobbying campaigns by those on the payroll of high-risk vendors?”—[Official Report, Commons, 30/11/20; col. 84.]
That question was not answered in the Commons, and I would like to hear the Minister’s opinion on it. I have another question that I shall ask her directly: why have not we, like the United States, banned Hikvision? The company has been accused of helping to build the CCP’s surveillance state and profiting from human rights abuses. Does the Minister agree with that description or not? What will the Bill do to take back control of CCTV equipment in our high streets, public buildings and even government offices?
I shall speak briefly about the implications of this Bill for diversification and national resilience. During the Commons stages, Oliver Dowden, the Secretary of State, said the Bill recognises that there are real threats to the UK’s security and interests, a point that my noble and gallant friend Lord Stirrup explored in his excellent speech. I welcome what Oliver Dowden and my noble and gallant friend have said about security and diversification. In addition to the diversification of telecoms to companies such as Ericsson and Samsung, is that not a principle that should be applied across government?
I will give two brief examples. In May, I asked how many Covid lateral flow tests we had bought from China. The answer was a staggering 1 billion—not 1 million but 1 billion. The Government declined to say how much they had cost taxpayers or to reveal the names of the companies involved, saying “It’s commercially sensitive”. I tabled a further Question asking why we could not be told how much 1 billion lateral flow tests had cost us and which companies had carried out that trade. Are we seriously saying that we could not have used taxpayers’ money to make those tests in the UK and to give British workers jobs doing it?
My second example raises equally troubling issues. I was recently contacted by a librarian in Wigan, a lady of 34 years’ standing, who has been suspended after using social media to criticise her council’s decision to award redevelopment contracts to Chinese companies. She was fearful that they might have links to Xinjiang.
The Communities Secretary, Robert Jenrick, should require all local authorities to provide details of such deals, and demand to see whether subsidised lowest bids for council developments have undercut unsubsidised UK companies, just as has happened in the telecommunications sector.
The persistent breaking of WTO rules on subsidies and competitions has enabled CCP dominance in telecoms, and now it is happening in other sectors as well. The Minister should tell us when we are going to raise this at the WTO and across Whitehall. Does he personally believe that it is ever licit or right to deepen trade with a country credibly accused of the crime-above-all-crimes: genocide. Diversification, national resilience and the upholding of our values, especially on fundamental human rights, are all reflected in the way we trade. Genocide is a line we should never cross. I support the Second Reading of this Bill today. I hope to return to these and other issues when we get to Committee and later stages.
Baroness Stroud (Con)
My Lords, it is a privilege to speak after my noble friend Lord Alton, following his extraordinary commitment to the Uighur community and to issues of human rights. I too will speak in support of this hugely important and timely Bill.
The UK stands at a reset moment in an increasingly changing world. We have delivered on Brexit, confronted a global pandemic and have an ambitious levelling-up agenda. It is in this context that we are looking now to empower those who have been left behind, revolutionise our critical information infrastructure with the rollout of 5G and see us become a more prosperous and innovative nation. Yet, as we get ready to build back better, it is also time for a rethink of our geopolitical, strategic and technological approaches to make a more honest assessment of the world we find ourselves in, ensuring that we harness the opportunity to become stronger, safer and more prosperous than before.
I support this Bill, as it is the first of many steps that will be needed in adapting to our changing geopolitical landscape. The provisions in the Bill are necessary, as we need to act quickly to ensure our security apparatus is configured for today’s challenges. According to MI5, the UK has at least 20 foreign intelligence services actively operating against the UK’s interests. The Government’s own telecoms supply chain review, published by DCMS in 2019, found that the telecoms market was not working in a way that incentivised good cybersecurity. In its October 2020 report, the Defence Committee concluded that the current 5G regulatory situation for network security was “outdated and unsatisfactory”.
We have a world-class security and intelligence community but, as we enter this new era, we must accept that enabling it to adapt to emerging threats will be the defining feature of its success. This Bill needs to mark a national security turning point, where key infrastructure decisions are based on fact-based risk assessments, and not on commercial or political convenience.
This Bill also recognises the threat posed by high-risk vendors such as Huawei. We have known that Huawei is a security risk since 2013. A report from the Intelligence and Security Committee concluded back then that Huawei posed a risk to national security and that private providers were responsible for ensuring the security of the UK telecoms network.
According to Ofcom, Huawei accounted for about 44% of the equipment to provide superfast full-fibre connections directly to homes, offices and other buildings in the UK. Although it is not in the text of the Bill, the Government have now accepted, as we have already heard, that 2027 needs to be the end point for Huawei as a provider. This is an important moment in taking back our information technology sovereignty.
The reason behind this is clear. We have entered into a new era of geopolitics, with the battle for control of information technology at the forefront. The recent integrated review acknowledged that China’s growing international stature was by far the most significant geopolitical factor in the world today, with major implications for British values and interests and for the structure and shape of the international order. It recognised China as the biggest state-based threat to the UK’s economic security. Yet that same review remains ambivalent as to the action we should take. We need to rethink our relationship with China into a more robust foreign policy strategy that prioritises both our security and our sovereignty.
While I support this Bill, there is more that needs to be done. There needs to be a more formal structure embedded in the Bill with regard to the powers given to Ofcom and the Secretary of State, as other noble Lords have said. Could the Minister outline what powers the Government intend that Ofcom and the Secretary of State should have, and how they will work with the ISC and the security sector to ensure accountability and to ensure national security is not compromised through lobbying?
Even beyond the Bill, we also need to invest in diversifying competition. As part of this Government’s ambitious levelling-up agenda, they have promised the nationwide rollout of 5G across Britain. But we have become hamstrung by our dependence on Huawei for this critical infrastructure. It did not need to be this way. This situation has been constantly described as a “market failure”, but it was not really a market failure. The failure was in the reality of one country breaking WTO rules on subsidies. The key problem has been that China has subsidised its providers dramatically, destroying the market over the past 10 years.
The diversification of our telecoms network, working in close partnership with our Five Eyes allies, needs to be a priority for this Government and an integral part of Ofcom’s reporting. When we genuinely open up the market to competitors, we create the environment for the innovation and dynamism that will be required as we move into the next quarter of the 21st century.
Huawei, however, needs to be stripped out quicker. While it is encouraging to see that the Government have set the 2027 target as the date by which Huawei should no longer be a provider, we cannot afford to wait until 2027 to remove Huawei from our existing networks. The process of removing Huawei’s influence from the UK is an extensive task, but an absolutely necessary one.
The Government should take the opportunity to consider other high-risk vendors such as TikTok and other companies operating here. This problem goes beyond Huawei. We face the existential question of how we coexist in a world with a technological superpower that does not share the same values of privacy of personal information, freedom of speech and democracy.
Chinese national intelligence laws dictate that private companies must share their data, when asked, with the CCP. The White House has sanctioned 11 Chinese companies, including suppliers to Apple, Google, HP and Microsoft. The list features companies that work with major fashion brands, along with technology giants such as Amazon, according to a report by the Australian Strategic Policy Institute. I would like to ask the Minister what assessment the Government have made of other high-risk vendors that could compromise UK citizens’ safety and security due to reporting requirements that exist in China.
Although this Bill encompasses all security threats and high-risk vendors, it is impossible not to address the need for a reshaping of our relationship with China. That country has overtaken Germany to become the UK’s biggest single import market for the first time since records began. The worth of goods imported from China rose 66% from the start of 2018 to £16.9 billion in the first quarter of this year. As we witness events in Hong Kong, which absolutely break my heart, because I used to live there, and we learn more about the ongoing genocide against the Uighur people, observe the breaking of WTO protocols in ongoing trade wars with our closest allies and uncover espionage across our universities, tech and innovation sectors, it is perplexing to me that we continue to sit on the fence.
The much-vaunted belt and road initiative has united authoritarian leaders across Eurasia in providing a forum to plan strategically, without being held back by discussions of human rights, freedom of speech or rule of law. It is in that policy programme that China’s tech giants, such as Huawei, export their communications infrastructure. I would encourage us to take the lead in the build back better world initiative, as discussed in the G7, to create stronger diplomatic alliances across Africa and the developing world but also to facilitate a viable alternative to the belt and road initiative, which threatens our geopolitical and economic security. The UK also needs to strengthen its ties with its Five Eyes allies and south Asian neighbours in the region such as Japan, India and South Korea, as well as approaching this issue with our European friends.
Safety and security is the first building block for the prosperity of a nation. Without secure defence measures at the heart of our critical infrastructure and online, our country runs the risk of opening itself up to foreign intelligence working against our nation’s interests. This Bill is an important step to creating that foundation, and I encourage the Government to use its passage to ensure that the foundation is as strong as possible.
Lord Vaux of Harrowden (CB)
My Lords, it is a pleasure to follow the noble Baroness, Lady Stroud. I find myself in agreement with everything that she said.
Anything that improves the security of our tele- communications systems must be welcome, so I support this Bill, but I think it misses a golden opportunity. Telecommunications security covers a wide range of risks: from the resilience of the system to risks such as weather or power outages, through resilience to malicious attacks from hostile states or criminals, to the misuse of systems to access, alter or destroy data. From a consumer point of view, all those are really important, but the one security risk that impacts on people’s daily lives the most is the misuse of telecommunications networks and services by criminals and, apparently, by certain states, to facilitate fraud.
I explained during Second Reading of the Online Safety Bill that fraud is so widespread because it is easy, and it is easy because there is no incentive for a whole range of service providers to take the necessary steps to stop it. Those service providers include the search engines and social media companies, web-hosting companies, banks and more, but the list also includes telecommunications companies, which in effect facilitate fraud through three key weaknesses.
First, the most serious weakness is when a criminal is able to convince the service provider to transfer someone’s phone number so that they can control it. This is known as sim-swap fraud, which gives the criminal complete access to the victim’s emails, bank accounts, one-time passwords, contacts and so on. Indeed, with the ever-growing list of things that we can access and control from our phones, it could also give access to our front-door locks, our burglar alarms, our cars, which can now be unlocked and started by phone, and more. In fact, imagine the possibilities for criminals once we have genuinely self-driving cars all connected by 5G.
The second security weakness that telecommunications companies are allowing is the falsifying of caller IDs, when a criminal is able to appear to be calling or texting from a legitimate number, such as a bank or HMRC. As a result, the victim, believing the call to be genuine, is persuaded to provide bank details or transfer money.
The third security issue is allowing criminals to send out bulk malicious texts and calls using the networks, often in conjunction with false caller IDs. We are all bombarded with these all the time. I received one that I had not heard before just this morning; apparently, my national insurance number is being used for criminal purposes, and I must call the number or I shall have my assets seized and be arrested—so there we go. The calls can lead to fraud being perpetrated, and texts can include links that result in malware being loaded on to the victim’s phone, which allows access to emails and bank accounts. As well as fraud, they cause very real anxiety, yet we seem to have to accept them as an irritant of modern life. I probably receive more fraud calls than genuine ones, which might be a reflection on my social life. I have not been able to find any reliable statistics, but it seems that at least a material proportion of all calls and texts made over the networks are fraudulent.
This Bill seems to be a perfect opportunity to try to make life harder for the criminals who are exploiting mobile phone networks and services to perpetrate fraud. The best way in which to do this is to provide a real incentive for the telecommunications providers to prevent it; they should be liable for the penalties—although I hesitate to use that word, given what is happening in an hour or so—and for the losses incurred as a result of allowing the service to be misused, unless they have taken reasonable action to prevent it. At the moment, it is arguably in the telecommunications companies’ interests to allow the activities to continue, as they are being paid by the criminals for all the calls and texts.
Reading the Bill, I find myself unsure as to whether it covers these types of risks or not. I understand from a letter that I received from the Minister earlier today that it is not intended to, although I think that it could with not much change. Her letter, for which I am grateful, only refers to the issue of fraudulent calls and texts; it does not cover the other risks that I have mentioned. Clause 1 introduces a duty on communications networks and service providers to take measures to identify and reduce the risks of security compromises occurring. It then goes on to define what a security compromise is, with a pretty wide range of definitions. Among them, new subsection (2)(f) refers to
“anything that occurs in connection with the network or service and causes any data stored by electronic means to be … lost … unintentionally altered; or … altered otherwise than by or with the permission of the person holding the data”.
As far as I can see, nothing in the Bill limits security compromise to those that come from hostile states, and that is a good thing, since security compromise could well come from criminals. The risks that I have described do occur in connection with the network or the service, and they may cause electronically stored data to be lost or altered. So on my first reading, it appears that the risks that I have described may be covered or could easily be covered in the Bill if a suitable code of practice was issued.
In passing, on that subject, I share the concerns raised by the Delegated Powers and Regulatory Reform Committee that the codes of practice will not be subject to meaningful parliamentary scrutiny.
If the security risks that I have described are not intended to be covered by the Bill, we are missing a golden opportunity to make it harder for criminals to use our communications networks and services to perpetrate fraud on consumers. The Government are planning to produce a fraud action plan, but not until after the spending review. In the meantime, people will continue to lose their money, with all the mental and personal impacts that brings. It may not currently be intended to do this, but this Bill with very little change could be used to cut off one of the major facilitators of fraud with very little delay. Would the Minister be willing to consider how the Bill could be amended to meet that goal, and would she be willing to meet to discuss what actions we can take to safeguard users of the services from criminal misuse of telecommunications networks or services?
Lord Vaizey of Didcot (Con) [V]
My Lords, I am grateful to have the opportunity to take part in this important debate. This Bill is, broadly speaking, uncontroversial. No one would seek to oppose legislation that makes our telecommunications networks in the UK more secure. Certainly, if one looks at the debates in the other place, amendments were very few and far between, and they were tweaking amendments rather than fundamental.
It is a great pleasure to follow the noble Lord, Lord Vaux, and I have a great deal of sympathy with what he said about combating online scams; whether the Bill can be used as a method to test the Government’s resolve in combating this issue remains to be seen. I certainly recall when I was the telecoms Minister working closely with Ofcom and the Information Commissioner’s Office to try to combat nuisance calls. There are a variety of factors in play in trying to combat this kind of plague. One is the willingness of the regulators to roll up their sleeves and get their hands dirty in carrying out prosecutions, and another is certainly technology solutions, which can and should be encouraged by all the operators.
The third—the noble Lord referred to the Government’s review of action on fraud—is a much wider landscape approach from the Government on how to combat this. For example—and this is no criticism of the police—it seems to me that we still have a Victorian police structure in the 21st century. We should be thinking about leaning in and recruiting cyber specialists far more effectively to work in the police force to combat these kinds of crimes, not simply bringing people to justice but combating this kind of work on the network.
I will begin with one of the elements that lies behind this Bill: the concern over Huawei and its presence in our telecoms network. Many noble Lords have set out strong views on Huawei and the Chinese industry in general during this debate. I was particularly struck by the excellent speech of my noble friend Lady Stroud. When I was a Minister, I worked closely with Huawei, in the sense that we had in place a protocol with the security services to check the kind of equipment Huawei was installing in the networks. It was a transparent process; nobody was pretending that Huawei was not involved in selling equipment to our telecoms providers, nor that it was not being installed in the UK telecoms networks. That equipment was reviewed in a very transparent way and Huawei was forced to put in place a UK board made up of UK citizens to supervise its work.
While I wholly condemn Chinese behaviour as far as the Uighurs and Hong Kong are concerned, one should be cautious in assuming that every piece of Chinese commercial activity is somehow linked to espionage. I certainly do not think that, when one of my children uses TikTok, they are somehow being caught by the Chinese state. There is some irony that we often debate these issues while looking at our iPhones, which of course are manufactured in China, or perhaps using a Dell laptop supplied by the Parliamentary Estate, which has been made in China as well. One must be open-eyed and transparent about this, but not assume that everything coming from China will undermine our national security. Nevertheless, I wholly agree with my noble friend that one of the problems with Huawei was that it was effectively an unfair competition. Our markets are much more open to foreign investment than the Chinese market, and Huawei was certainly heavily subsidised by the Chinese state, so a pushback in that sense is very welcome.
The key to this Bill is ensuring that we have secure telecoms infrastructure, and I echo the remarks of noble Lords about the general resilience of our infra- structure. It is not only state actors who can provide malign effects on it; we have only to look at the recent SolarWinds attack on a critical piece of US infrastructure to see how easy it is for criminal groups, sometimes tacitly supported by the states in which they reside, to attack our networks. To make those as robust and secure as possible must be an absolute priority for the Government as we move more and more into the digital age.
It is quite right that this Bill comes forward to put security duties on our telecoms companies for the first time. I note that the detail of those security duties will be contained in regulations and hope that the Minister will bring us up to date on how those regulations are progressing. I also note that Ofcom will take a key role in overseeing how those duties are fulfilled, working closely with the National Cyber Security Centre. I am delighted to see that Ofcom’s budget has been increased to take account of those new duties.
Given the recent political furore over Ofcom, this is a useful reminder that it is not a political regulator; it is a boring but essential regulator that carries out vital work to keep our network secure and our communication markets competitive. I hope the Government take that point on board and give Ofcom as much freedom as possible to carry on doing the excellent work it has done for some 20 years. Ofcom is working more and more with other regulators such as the Information Commissioner’s Office and the Competition and Markets Authority. This is partly out of necessity, because to hire the talent that these regulators need, they will sometimes now have to hire employees who work across all three regulators. It is an illustration of how regulation is becoming more and more intertwined.
With that in mind, I hope that the Minister will bring us up to date on how Ofcom is working with other regulators to keep all our essential infrastructure secure—and with regulators across the world, because this affects us all, particularly western democracies. I also hope the important work carried out by the noble Lord, Lord Livingston, on supply chain diversification will be leaned into. I particularly support his call for government-sponsored research into how open RAN networks can play a vital role.
Finally, can the Minister bring us up to date on how well new vendors are doing in coming into the market? With Huawei effectively expelled from our market over the next five years, I hope we will see many more European vendors able to take up the slack and provide the equipment that our infrastructure providers need.
The Earl of Erroll (CB)
My Lords, this Bill is generally welcomed and very well intentioned, but it really lacks any effective parliamentary or judicial oversight, as has been quite forcefully pointed out. I agree with everything the noble Lord, Lord West, said on this issue. We should use the ISC for this. As regards the excuse that designating a vendor or something might leak too early, it will leak anyway—something as big as that will be all over the place in five minutes.
This is not without cost and pain, and we are already seeing it. The Government have already revised their target for rolling out full fibre from 100% coverage to only 85% by 2025. The disruption caused by a rule to, say, extract Huawei or anything from the network has far-reaching consequences. After all, way back at the end of the 1990s, I think, we gave the contract for redoing the BT 21st Century Network to Huawei and not Marconi. We bankrupted a British company and gave it to China. That decision was taken a long time ago, so it is embedded in all our ordinary telecoms at the moment—not 5G, but the ordinary stuff that our telecoms are running over. We must be careful about this revising down of our targets, because it will affect our global competitiveness. We must be careful not to cut off our nose to spite our face. It is very easy to take a high moral stand, but at the end of the day we also have to survive on the global stage.
What this Bill does may be very effective for blocking foreign access, in trying to ring-fence the UK, but we could also create a single point of failure if we are not careful. There are not many suppliers of equipment of the type that will run the backbone of the internet. We are basically talking about Cisco and Huawei; Samsung also has a whole load of stuff out there; there are a whole lot of others—such as Nokia, Juniper and Hewlett Packard Enterprise—but nothing is quite as big as Cisco and Huawei. One of our problems is knowing whether Cisco is okay; some of its components, such as motherboards and other things, are manufactured in China. With the global supply chain, it is not as simple as it seems.
The second thing that worries me is this assumption that, just because we do not have Chinese equipment in the UK network, we are safe. First, China is not necessarily the only one interested in what we get up to; when you get into trade wars, many people who may appear to be our allies are maybe not on our side entirely when we are negotiating international contracts, so we should be careful of that. The other thing is that, if we create a monolith with one supplier—it does not matter who it does not include—it is vulnerable. The way the internet works at the moment is that, if you have multiple suppliers sitting in Britain, it does not matter whether they are hostile or not. Routing over the internet is inherently vulnerable because of the way it is constructed. However, it splits your message up into lots of packets that go over different routes. If they are going through lots of different people’s equipment, it is impossible for any of them to get the whole message; if it is all with one supplier, there might be technical ways they could do it. Funnily enough, one of the better security solutions is to mix them all together and keep it that way.
Next, there is a lot about trying to have the right rules and regulations and all that, but ensuring best practice cannot guarantee network security. Our current communications network has grown like Topsy; it is a mixture and mishmash of digital infrastructures all sitting on top of a whole lot of analogue stuff. It is very complex, with lots of ill-defined interfaces sitting in there. If you are going to start ripping some of it out and say that we have to do it by a deadline, you need to know what is there before you do it. This means we will have to maintain very accurate and secure databases—otherwise that is a vulnerability—probably down to component level, but certainly batch level, of what is in there, so that if you suddenly discover a vulnerability somewhere, you can get the other stuff out as well. We must do this categorisation of our assets in the network. That in itself is a security risk because it is very interesting to a foreign supplier, so that part of it is very difficult.
As for Ofcom—I am interested in this—we need some further clarity on how it will interpret the legislation, impose penalties and all the bits and pieces like that. The manner in which it develops its role as regulator will be vital for it to be a success, and how it decides what the significant risks are will be very important. On my noble friend Lord Vaux’s point, I have been told by someone that Ofcom’s reach could be extended because the legislation is very generally written to cover services—for instance, they were talking about banking fraud—and public electronic systems. In fact, it could drag in non-telcos, because they are services. It is not just about the hardware and equipment behind it, though it all started off with Huawei. There is a lack of clarity.
Someone had a very good idea, which has been adopted for some fintech stuff, that we could maybe have sandpits, where new entrants to the market could develop new stuff—new equipment, et cetera—and try out their ideas in a realistic environment to make sure that they are okay and will work before they put them into the network, if it is a secure network. I think that is a very good idea. Another very good idea put to me is that we should have the assistance of an independent commissioner and a technical panel overseen by Parliament and the judiciary. It is needed here. This model is used by the ICO and would probably be very helpful, so I would like it considered.
Baroness Bennett of Manor Castle (GP)
My Lords, I should perhaps declare my position as the co-chair of the All-Party Parliamentary Group on Hong Kong. I will begin with a short list of things to agree with. I very much agree with the comments of the noble Lord, Lord Fox—not currently in his place—and particularly his remarks about privacy. I associate myself very much with the remarks of the noble Lord, Lord Alton of Liverpool. When we are talking about trade and commerce, we have to think about the human rights aspects as well. That and the environment, as in the Environment Bill, all interlinks together. The targeting of the Uighurs—the situation in what the locals called Altishahr—is a situation of genocide, and we simply cannot stand by.
To finish the tick list of issues that were covered in the other place and that a number of noble Lords have also covered, once again we find ourselves, as we do on pretty much every Bill, saying that there is not adequate scrutiny of the Secretary of State’s powers. Whether Ofcom will have the resources to complete the role foreseen for it in the Bill is a very familiar story. We also do not have sufficient consultation with devolved Governments written into the Bill.
However, I want to start today’s remarks with a bit of a longue durée perspective, an overview, because we are once again in the context of privatisation. We are talking about what used to a public service run for public good—our telecoms network—which was, for ideological reasons, handed over to the private sector through a privatisation that has been allowed to become a wild west. Now we are trying—to coin a phrase—to take back control of that wild west. It is increasingly clear, and the Government are acknowledging this by actions if not words, that telecoms are now an essential service or a utility just as much as water or energy supplies are, and that we need to think about these issues for a larger future and about running them for public good, not private profit.
I will focus particularly on Clause 1 of the Bill, which amends Section 105 of the Communications Act. The focus here is on compromising security. The noble Baroness, Lady Morgan, and the noble Lord, Lord Vaizey, among others, talked about the idea of security being comprehensive. Indeed, new subsection (2)(a) says that a security compromise is
“anything that compromises the availability, performance or functionality of the network or service”.
To think about what might compromise our services, I invite noble Lords to look across at America right at this moment: there is a massive, record heat wave. To cite one set of figures, the city of Portland has had three days in which it has broken record temperatures—not by points of degrees but by degrees. Today, the top temperature in Portland is 46.6 degrees Celsius. For those who prefer a more old-fashioned system, like the Americans, that is 116 degrees Fahrenheit. The infrastructure is melting in a very literal sense. You have what are being described as non-linear and threshold effects, where systems go utterly, totally and completely down because they just cannot cope with the environmental conditions.
Looking back to new Clause 1(2)(a) on compromising
“the availability, performance or functionality of the network”,
I agree with Boris Johnson, who said as he was chairing the UN Security Council earlier this year that climate change is a threat to our security. It seems to me very clear that the Bill should tackle these kinds of issues. I ask the Minister: do the Government regard it in this way? If they do not, what other steps are the Government taking to tackle these issues?
I stress that I have seen this first hand, not just in distant structures. I happened to be in Lancaster a few days after it was affected by very serious floods—well, the flooding was not that serious; what was really serious was that it took out the city’s electricity supplies for about two and a half days. When I saw the people about a week or so later, the city was shocked about all the effects that no one had really thought of. Nearly all the student accommodation had electric security doors; with no electricity you have a massive access problem. In a flood, you normally put people into emergency accommodation in hotels, but with electronic key cards there is no access to hotel rooms without electricity. Of course, the cash machines went down, and the pumps did not work at petrol stations.
I come to a broader question about security and telecoms, and indeed our whole increasingly digitalised world. I think we are all agreed that this is a fairly small and modest Bill, but we also know that the Government are planning what is being described as an internet of things Bill; I believe it is called the product security and telecoms infrastructure Bill. These are big, existential issues about our security, our survival and the ability of our basic systems to function—to provide people with food, water and the essentials they need. I think this is an ideal time to ask the Government whether they have really considered how much IT, telecoms and digital integration we actually need. I refer here to the words of the noble and gallant Lord, Lord Stirrup; he said we cannot assume that any attack will fail. The kind of breakdowns I am talking about are not necessarily an attack in those terms, but they can be absolutely disastrous, as Lancaster illustrated.
Yesterday, in debating the Environment Bill, the noble Lord, Lord Berkeley, talking about damage to the environment, said that the first question we should ask is: do we actually need the thing we are building that is destroying the environment? We really have to ask about the digitisation of our society, the incorporation of everything linked together through 5G. Do we actually need these linkages, and what vulnerabilities are they creating? That is the main point I want to make, but I shall pick up a couple of other small points.
I forget which noble Lord said that what we have now is a situation of market failure. The Government are saying explicitly, associated with the Bill, that they have a diversification strategy to see that we have more different producers and suppliers. Are the Government looking at direct research funding—direct support for that kind of diversification? Market failure has got us into the situation where there is very little diversity, and relying on the market to fix that is, I suggest, very difficult and will not necessarily be successful. I point out that if we go back to the origins of all the things that got us to this point today, it was government funding that created the TCP/IP protocol and that funded the people whose research created the world wide web. We really have to think about ensuring that we put government funds into things if we really believe that they are needed.
That is pretty well all I wanted to say, but I have one final thought, coming back to the issue of resilience. We are in a situation now of huge supply problems. We are talking about not allowing certain supplies into the country, but we have a global chip shortage. I am relying on anecdote here, but I have a friend who is a manager in a fairly large public service and who simply is not able to upgrade the wi-fi because it is impossible to get the technology, to buy the bits of kit needed to do that, because of the chip shortage. Going beyond anecdote, there was a report in the Financial Times quoting the major infrastructure manufacturing company, Flex, which says that this chip shortage is likely to continue for another year. We are stuck in a situation where we have very fragile, just-in-time, complex supply chains, we are saying there are companies we cannot use any more, and we are in a situation where resilience needs to be thought about a great deal more.
Lord Balfe (Con)
My Lords, one of the great advantages of speaking late in a debate is that virtually everything has been said. I just want to light on a couple of things that have been said but I think could be said again.
First, I welcome the Bill. It is a useful Bill, but I do not think we should exaggerate where it is going to take us. At most, it covers a few bases. I was very pleased to hear the contribution of my good friend, the noble Lord, Lord Alton, because we do need to start looking much more carefully at the human rights and social practices in the countries we are buying from. The fact that it will take until 2027 for Huawei to be eliminated from our system shows just how interdependent we have become in this very small area, and how inter- dependent the whole world is becoming.
I was recently on a conference call with some people in Taiwan. One of the advantages that Taiwan has in its stand-off with China is Taiwan’s production of chips, just mentioned by the noble Baroness. The interdependence of this technological world is now really quite enormous. My concern, looking at the Bill, is that it is fine for us but it does not actually advance our security outside the United Kingdom.
Some years ago, when I was in a different party from the one I am in now, I was given the job of being defence spokesperson for the Labour Party in the European Parliament. If there were ever a non-job, that was it, because of course the European Parliament had no defence capacity whatever, and at that time the Labour Party thought that anything more advanced than a bow and arrow was not really an acceptable means of defence anyway. John Smith rescued me and I became, for my sins, the first leader of the European Parliament delegation to NATO—or the NATO Parliamentary Assembly, to be exact. One thing we had to look at there was the list of prohibited exports. If we are to safeguard our future, we will have to look again at getting like-minded countries together to look at how we can restrict the export of certain technology. It is going to be even more difficult now because technology is much more a worldwide thing.
There is a tremendous fragmentation of views in Europe. Germany still thinks it should be co-operating with China. It still thinks that the business side is more important than the human rights or the social side, but we have to bring the Germans back on board. We cannot force them; we do not have any levers any more. In fact, now that we are not in a place that is never mentioned any more in this Chamber, we do not even meet them in political co-operation. We do not meet them, and we never really understood how important it was that, on a regular basis, all our Ministers met European Ministers to exchange views, to keep up to date and just to keep knowing each another. We never seemed to grasp that and we have now lost it. Everything we do can move forward only if we can carry other people with us.
I make no excuse whatever for saying, as I have said in this Chamber several times before, that China is going to be the main threat, probably for the next 50 years, and it is going to get worse. We have to get ourselves a foreign policy that actually makes sense. A foreign policy that concentrates on a country with the GDP of Italy and the social organisation of, let us say, southern Italy—namely, Russia—is not the way forward. These people have to somehow be brought on board and that is what I, in my own small way in the Council of Europe, as a delegate, tried to do—to intervene in this huge debate that is going on in Russia: should we look west, should we look east? That is a debate, but at least it is a debate: it is not a debate in China.
If we look at the countries between the two—the “stans”—they are also countries that we have to put some diplomatic effort into. It is no good pretending that we do not know they are there; we have to put some effort into them. That is some way away from the Bill but it is part of what the Bill is about—trying to build a secure world. I would say, in the words of the old film, “You ain’t seen nothing yet.” We have not really had a sustained cyberattack in this country. Our cashpoints have not stopped working yet. The computer system has not crashed completely yet, but the technology is almost there to make it happen, and that has to be part of our challenge.
I have great admiration for the Minister, but I question whether DCMS is the correct department of state to be looking at our future and our preparations to deal with the technological, technical challenges that lie ahead. I have a lot more confidence in looking at the noble Lord, Lord West, and the strategic and security services to lead on this measure than in DCMS, which I think has a very different job and I am not sure, frankly, is the right department to be handling this. Having said that, I look forward to helping my noble friend the Minister get the Bill through the House as a contribution—I think it will turn out to be a very small contribution—to the journey that we have to embark upon.
Lord Holmes of Richmond (Con)
My Lords, it is a pleasure to follow my noble friend Lord Balfe and I declare my technology interests as set out in the register.
I have four quick points for this stage of the debate. First, on diversification, it is clear that if there is a monopoly, duopoly or triopoly, it does not matter what the market is, the results are highly likely to be suboptimal, and that is what we see in our modern telecoms situation. Can my noble friend the Minister update the House on what is happening on the national telecoms lab and what is at the core of its mission? To build on the words of the noble Earl, Lord Erroll, I completely agree on the need for a telecoms sandbox and to build on the firms that would go through it. A scale box to follow on from that would seem an excellent idea for the United Kingdom. As he said, it has worked tremendously successfully in fintech, led by the Financial Conduct Authority, and could have a significantly positive impact on our telecoms business.
As many noble Lords have commented, cyber is the future, and that future is now—whether it comes from fraud by individuals or from state actors, it will become an increasingly invasive part of everything that we do. Does the Minister believe that we are doing everything that we can to leverage the cyber capabilities we have in this country, not just those excellent public resources at GCHQ and the NCSC but across the private sector? On that note, can she update the House on when the review of the Computer Misuse Act may be coming through and what positive impact it will have for all the people who work to try and keep us safe in cyber- space?
Other noble Lords have mentioned the levelling-up agenda, and mobile telephony is certainly not just a part but a critical part of that. If one does not have that connectivity or the skills to operate in that world, what hope is there of securing the employment, lives and social connections that everyone should be entitled to have a right to aspire to and achieve? I give one small specific example in terms of telecoms security. BT is due imminently to shut down the copper network, which is what we all consider to be landlines. Is my noble friend the Minister assured that everything is being done to protect all, not least vulnerable, citizens, particularly those currently at the sharp end of digital exclusion? What is being put in place to ensure that when that copper network is switched off—“retired” is the term being used—those citizens are not left at the extraordinary sharp end of exclusion? Imagine, for example, in the area of security, if they find themselves in need of a 999 service and need broadband to have a new connection, or they do not have the digital skills. What will occur if that is the case?
Finally, building on what my noble friend Lord Young talked about on the justiciability of decisions, does the Minister agree that if the Secretary of State had alongside him the NSC, that could only be positive in terms of the determinations that would be likely to come out of those deliberations?
Telecoms matter massively, as do all new technologies that we have in our hands. The crucial thing is that there are threats that we can know about, Rumsfeldians that we could go into and much that we cannot know about the future. But the most important thing that we can know is that the future is in our hands—all our hands.
Baroness Northover (LD)
My Lords, this has been a thoughtful debate, with contributions from several former Ministers who have worked in this area, including the noble Lords, Lord Young and Lord Vaizey, and the noble Baroness, Lady Morgan. Their insights into the challenges here are welcome. As this Second Reading has shown, we have a problem and the Bill is put forward as the solution. I thank the noble Baroness, Lady Barran, for laying out its provisions and intentions clearly.
The problem identified is the security risk potentially embedded in our telecoms systems, as exemplified by Huawei and other companies. Set against that, especially as we seek to make our own way outside the EU, is the Government’s aim that the UK should be at the forefront in science and technology, as laid out as the strategic direction for the UK in the integrated review. Therefore, there is a need to draw on the best telecoms systems, as the noble Baroness, Lady Morgan, clearly laid out.
However, in addition, balancing the ability to use whatever is best in the market globally and the need to protect our security is another vital strand. We cannot and must not use technology built on human rights abuses and thus become complicit in those abuses, rather than fight to address them. Noble Lords have set out the challenges, particularly from the rise of China, as well as the necessity of not using companies built on abuse. The experience of the middle of the 20th century marks a huge warning to us. We need only look at the history of the chemical and pharmaceutical giants that multiplied in size in Germany and were built on the appalling slave labour in the extermination camps.
We know that genocide and gross human rights abuses are not things of the past. We need to be ever vigilant. Up to 1.5 million Uighurs have been forcibly removed by the Chinese state by mass transit and put into forced labour camps in which components used in Huawei technology are made. The noble Lords, Lord Alton and Lord Balfe, and the noble Baronesses, Lady Bennett and Lady Stroud, all emphasised those important points. When the Minister winds up, as the noble Lord, Lord Alton, requested, I should like her to outline what further action the Government will be taking that regard, given the international obligation to take such action once a country becomes aware that genocide may be occurring. We have signally failed to challenge China in regard to Hong Kong. What lessons have we drawn from that? Does the Minister agree that the Bill should not simply set technological advance against security but incorporate that concern? Can any other position be justified?
The key issue is whether the Bill achieves what it sets out to do and whether it brings its own risks and possible unintended consequences. As my noble friend Lord Fox and others have said in this Second Reading debate, we support the principles of the Bill. I note that the noble Lord, Lord West, the House of Lords member on the Intelligence and Security Committee, said that the Bill rightly seeks to address concerns first raised by his committee seven years ago in its report, Foreign Involvement in the Critical National Infrastructure. He feels that the Government are finally listening to those warnings. However, as with the National Security and Investment Act, he reports that his committee is
“concerned that the Bill does not provide for sufficient parliamentary oversight of these important new powers.”
The noble Earl, Lord Erroll, and others also warned on that.
The noble Lord, Lord West, made the sensible point that if the material is sensitive, it should be submitted to the ISC—that is the very purpose of the committee. The noble Lord, Lord Holmes, just reiterated that. Alternatively, of course, we could just look behind bus stops in Kent and then gather it up and pass it to the noble Lord, Lord West.
The theme of scrutiny came through from other noble Lords. The Delegated Powers Committee has expressed reservations and my noble friend Lord Clement-Jones went further in his criticism in this regard. The Bill gives Ofcom new powers to monitor and assess the security of telecoms providers, with very heavy fines if companies are deemed to have transgressed. It introduces new controls on the use of Huawei 5G equipment, including a ban on the purchase of new equipment from the end of 2021 and a commitment to remove all equipment from 5G networks by 2027.
My noble friend Lord Fox set the Bill several tests. He asked whether the Bill’s effect can be shown to shut out the technology it is meant to shut out. Can we be assured that the Government and Ofcom have the right powers, the necessary checks and balances, and the resources to do such work? When it comes to supply chain diversification, are we able to shut out Huawei and others but still have 5G in a timely manner? My noble friend Lord Fox, the noble Baroness, Lady Morgan, and others also noted the lack of diversity we face here—the noble Baroness, Lady Morgan, identified it as a market failure—and the risks that this poses to the economic position of the United Kingdom. The noble Lord, Lord Young, pointed to the report of the noble Lord, Lord Livingston, which sets out clearly the ways in which the UK might be able to develop this industry and how that requires working with other like-minded countries so that there are common standards and codes of practice. I look forward, as no doubt others do, to receiving the letter which the noble Lord suggests the Minister should write on the matter.
We have already heard concern about the powers given to the Government and to Ofcom. We also hear of concerns about the lack of clarity and transparency, which, as my noble friend Lord Clement-Jones said, is causing great concern within the industry. The criticism is that the proposed measures are either technically unworkable or damaging to the industry. One area which my noble friend flagged is in relation to providers whose networks are not based only in the United Kingdom and which would therefore find it challenging to engage as codes might be drawn up if there is no formal structure through which this might be done. My noble friend argues for a technical advisory board, and I note also that concerns were expressed about the flexibility and future-proofing of the Bill.
The Minister spoke of the Bill applying not just to one company, one country and one threat. That clearly must be the case. I note, for example, what the noble Lord, Lord Young, said about the number of departments which might be relevant here and the newly pressing risks of cyber rather than conventional warfare, yet the absence of the DCMS Secretary of State from the National Security Council points to our being behind the curve.
Questions have been raised which will need to be considered in areas beyond the Bill. There is a wide challenge here, as the noble and gallant Lord, Lord Stirrup, the noble Lord, Lord Balfe, and others emphasised. As we move to green technology, China is far ahead of us, controlling the raw materials as well as the technology needed to power it. That competitive advantage has probably been given rocket boosters by the pandemic, as the noble Lord, Lord Alton, noted in relation to lateral flow tests. I took one the other day; it was a sort of strange little pregnancy test. Clearly, all this has brought economic benefit to the Chinese economy from our reliance on its traders for so much of the resources needed in the pandemic. As the noble Baroness, Lady Stroud, pointed out, we are moving into a different geopolitical landscape, although the noble Lord, Lord Maxton, put us as perhaps a little point in a very long historical process.
We are indeed in challenging times, out of the EU and unable therefore to strengthen our position as we could before as part of the richest trading bloc in the world. Instead, we need to find allies as the headwinds of changing superpower strengths buffet us. How closely then are we working with the EU on this as well as with the United States? The Bill marks a recognition of that challenging position, but in Committee and on Report there will no doubt be challenges as to whether it can deliver that security and moral compass which the Government claim, at the same time as we face major financial pressures, out of the EU and recovering from the pandemic. I look forward to the Minister’s response.
Baroness Merron (Lab)
My Lords, new technologies have long transformed the way we work, live and travel, but our experiences during the pandemic have upped the ante on the degree to which we rely on telecommunications networks. Today we have heard an enlightening and probing debate in which noble Lords have considered the number one priority of any Government: our national security.
The risk we face is as significant as it is real. The noble and gallant Lord, Lord Stirrup, spoke with insight about the need for agility and adaptability to meet the risks that we face in a resilient manner. The most recent UK Cyber Security Breaches Survey found that 62% of information and communications companies surveyed identified breaches or attacks in just the last 12 months, compared with 46% across all sectors. Many of us have first-hand experience of these security risks, as described in the Bill’s impact assessment. The noble Lord, Lord Vaux, thoughtfully brought that reality to life by describing the horrors that so many people face, day in, day out, which will be very familiar to many of us in this House.
When O2 suffered a major network failure in 2018 due to an expired software certificate, over 32 million users in the United Kingdom had their data network go down for up to 21 hours. In 2015, hackers targeted TalkTalk, stealing the personal data of over 1 million customers. In the same year, security was undermined when internet traffic for BT customers, including a UK defence contractor that helps deliver our nuclear warhead programme, was illegally diverted to servers in Ukraine. Understandably, these incidents and many others generate deep unease and a lack of national and individual security, which the Bill must address.
We can reflect that a sector that should have been subject to rather more attention over a decade ago is now the subject of this Bill. During this period we have lacked a telecoms industrial strategy and have seen a focus on foreign investors over and above our national security. Since 2010, successive Governments have allowed the sector to be dominated by a high-risk vendor, taking us from what were golden times to the current ice age. Regrettably, competition on price rather than security has become the order of the day, while security has been left to the market.
As the impact assessment identifies, the telecoms industry provides opportunities for new and wide-ranging applications, business models and increased productivity, whereby 5G will be used for everything, from autonomous cars to remote medical examination and health monitoring. This is crucial. Clearly, we will not achieve the Government’s aim of becoming a science and tech superpower by 2030 without it.
Let us also remember that the complex UK telecoms industry contributes £32 billion to the economy and directly provides nearly a quarter of a million jobs. It is therefore important that we legislate for the Government to have the power to act to prevent dependency on high-risk vendors such as Huawei, and to recognise the blurring of the lines in the grey zone, where cyber- attacks on critical infrastructure will become, regrettably, increasingly regular.
This Bill is a necessary step and, in general, we welcome it. However, I have some words of caution, many of which chime with the themes highlighted during this debate. There cannot be a scattergun approach to security, and it is the absence of a joined-up approach that I want to pursue first. I was interested that the noble Lord, Lord Young, raised points about the number of departments that telecoms security touches and the need to resolve this interface in a co-ordinated fashion. I hope that the Minister can explain how this will be resolved and how this Bill interacts with the National Security and Investment Act, which recently passed through this House. How will the Government’s stated intention of having complementary regimes that protect telecommunications’ critical national infrastructure from national security threats be achieved?
The Government have said that the National Security and Investment Act was needed as the Tele- communications (Security) Bill does not extend to investments in the communications providers themselves or investments in other infrastructure used to provide communications. It also cannot prevent the acquisition of vendors by hostile actors. To this end, are the Government actively considering further redrafting of the communications supply chain definition, potentially listing the specific components of the supply chain that should be caught? When will we see the final sector definition for the communications sector?
Concerns have been expressed today, which I share, about what is not in the Bill as much as what is in it. The exclusion of the cross-party Intelligence and Security Committee from oversight of the measures in the proposed legislation, despite its remit in relation to national security, is baffling at best and deliberate at worst. As my noble friend Lord West so ably highlighted, this came up in the National Security and Investment Act and yet the relevant parliamentary committee is well and truly parked out of sight. It is hard not to suggest an unhealthy aversion by the Government to the committee since failing to secure the post of chair for their preferred candidate, which, if so, would be a failure of duty to do the right thing. On the matter of scrutiny, I was interested in the thoughtful considerations from the noble Earl, Lord Erroll, and I am sure these matters will be debated further.
On the continuing theme of what is missing, diversity of suppliers is needed at different points of the chain with sufficient support for the UK’s own start-ups. However, the Bill does not even mention supply chain diversification or the diversification strategy, even though we all agree that we cannot have a robust and secure network with only two service providers, which is the number that we will have left once Huawei is removed from our networks. Support for Britain’s start-ups is needed to deliver this diversity, but the Government’s investment of £250 million will surely not be enough. As the Science and Technology Committee has called for, will the Government produce an action plan with clear targets and timeframes for how that funding will be spent?
This Bill provides a vast and continuing expansion of Ofcom’s remit. It also gives the regulator sweeping new powers and responsibilities. However, Ofcom lacks experience in national security. These changes will demand the recruitment of people with specialist skills and the required level of security clearance. How will this be handled? The impact assessment states that the cost of monitoring compliance for Ofcom is up to £49.4 million from now up to 2029. Can the Minister assure the House that Ofcom will have the relevant resources?
The security of our telecoms network sits firmly within an international context, as my noble friend Lord Maxton said. As the impact assessment states:
“The most significant cyber threat to the UK telecoms sector comes from states. The UK Government has publicly attributed malicious cyber activity against the UK to Russia and China as well as North Korea and Iranian actors”.
This concern is clearly shared with our key allies, as confirmed in the recent NATO summit’s communiqué.
This Bill was published in November—before the integrated review of security, defence, development and foreign policy had concluded. The review states:
“Under the provisions of the Telecommunications (Security) Bill, supported by the 5G supply chain diversification strategy, we will … work with partners, including the Five Eyes, to create a more diverse and competitive supply base for telecoms networks.”
Can the Minister advise how this work is proceeding? How many companies in our supply chain sector have Russian or Chinese owners?
The noble Lord, Lord Alton, made a powerful intervention, echoed by other noble Lords, about the need for due diligence in respect of human rights—something that has been of great and continuing concern to this House. The continuing persecution of the Uighur Muslims and their plight shames the world. I am sure that the Minister will wish to reflect on this matter.
In the course of this debate, your Lordships have heard much about Huawei being the perfect illustration of why this Bill is needed. We support the action to protect the UK from the threats presented by this high-risk vendor that has huge strategic significance. As a Chinese company it could, under China’s national intelligence law of 2017, be ordered to act in a way that is harmful to the UK, and the Government state that,
“the Chinese State (and associated actors) have carried out and will continue to carry out cyber attacks against the UK and our interests”.
Despite this clarity, the telecoms supply chain review of 2018 recommended that Huawei equipment should be removed only from the sensitive part of the core network and could still make up a maximum of 35% of the non-core systems with a deadline of 2023.
In 2020, UK telecoms companies were latterly told by the Government that they would be banned from buying Huawei’s 5G equipment from January 2021 and that the Government want complete removal of Huawei equipment from our 5G networks no later than 2027—as we have heard, at a cost of £2 billion and a delay to 5G rollout by two to three years. Can the Minister indicate how the UK is going to benefit from the costly debacle of ripping out Huawei?
On spreading the risk, the Government’s vendor diversity task force said that the UK must ensure that smaller telecoms equipment makers become key suppliers of Britain’s 5G mobile phone networks once kit from Huawei is stripped out of the infrastructure. It said that smaller equipment manufacturers should provide 25% of the kit used in 5G networks. Have the Government accepted this target? We cannot end up in a similar situation again as we saw with Huawei.
This Bill must be future-proofed and provide for a horizon-scanning function to identify emerging threats and potential weaknesses in UK telecoms providers’ asset registers. We will be seeking amendments to the Bill that fill in the many missing gaps and will work across all parties to do so. As I have said, it is as much about the glaring omissions as it is about what the Bill contains. The UK cannot end up in another costly security debacle as we did with Huawei. The Government need to look to the future rather than letting it continue to overtake us. Let us hope that this Bill can do that job.
Baroness Barran (Con)
My Lords, I thank all noble Lords who contributed to this rich debate for their contributions, for the warm welcome they offered the Bill, and for the way in which, in very different ways, they highlighted the importance of the issues which the Bill seeks to address.
Today’s debate has been wide-ranging. We have debated the principles and the practice of the Bill and we have touched on a number of issues that are beyond its scope. I shall start my closing remarks by focusing on those matters that speak directly to the Bill, as well as those that are closely adjacent to it, such as diversification, before moving on, if, as I hope, time permits, to other matters raised in the debate. Some of the issues raised sit beyond my department’s remit, but I will do my best to respond to them and will write to all noble Lords on any matters that time does not permit me to address today. I stress that I and my officials are very open to continuing these discussions in more detail ahead of Committee.
As my right honourable friend the Secretary of State said at Second Reading in the other place, the Bill raises the security bar across the board and protects us against a whole range of threats. Although there may be disagreement on some points in the Bill, I welcome the fact that it clearly has strong support in this House and, as we saw, the other place. We are all committed to putting the UK’s national security interests first.
Before I go into the detail of the Bill, the noble Baroness, Lady Merron, rightly asked how it fits with wider regulation of critical national infrastructure. This is indeed one of a number of measures that the Government are taking to protect the security and integrity of that infrastructure. So, while this Bill focuses on telecoms security, there is already a range of regulations governing the security of other critical sectors, each tailored to different risks. The Bill will complement those pre-existing regulations by ensuring the security and resilience of the public telecoms networks on which our critical sectors rely.
The recently enacted National Security and Investment Act, to which the noble Baroness referred, empowers the Government to scrutinise, impose conditions on or, as a last resort, block foreign investment wherever there is an unacceptable risk to Britain’s national security. Rather than addressing investment, the Bill would enable the Government to protect our networks from risks posed by vendors who supply, provide or make available goods, services or facilities to public telecommunications providers. Once it is passed, the Bill will work alongside the National Security and Investment Act to protect our networks from threats, both now and in the future. My noble friend Lord Young of Cookham also asked how different government departments were co-ordinating their policy responses in this area. I will take up his kind invitation to write to him, and will of course copy other noble Lords into my response.
A number of your Lordships, including the noble Lord, Lord Clement-Jones, my noble friends Lord Vaizey and Lady Stroud, the noble Lord, Lord Alton, and the noble Baroness, Lady Merron, all asked how we were managing the risk posed by Huawei in the interim, ahead of the Bill becoming law. The Government have always considered Huawei to pose a relatively high risk to the UK’s telecom networks compared with other vendors. There has been a risk mitigation strategy in place since Huawei first began to supply equipment to the UK’s public telecoms providers.
The Government have announced extensive advice to manage the security risk posed by Huawei, based on the analysis of our world-leading experts at the National Cyber Security Centre. The Secretary of State has announced advice that providers should remove all Huawei equipment from 5G networks by the end of 2027 and, in order to clearly set out the pathway to zero, he also announced advice that providers should stop procuring new 5G equipment from Huawei after 31 December 2020 and stop installing Huawei equipment in 5G networks after September 2021. Together, all this advice will protect our networks from the risks posed by Huawei. Once passed, and subject to the relevant consultation requirements, the Bill will enable the Government to give legal effect to all this advice.
My noble friend Lady Stroud asked about other high-risk vendors. The Bill responds to the threats and risks that we outlined in the telecoms supply chain review. It gives us the ability to manage any high-risk vendor, both now and in future. We have named Huawei and ZTE as high-risk vendors, but we will continue to keep the presence of high-risk vendors under review.
A number of your Lordships, including the noble Baroness, Lady Merron, my noble friends Lord Vaizey and Lord Young of Cookham, and the noble Lord, Lord Fox, talked about the role, resources and capacity of Ofcom. We are confident that Ofcom will have the capability and resources to undertake its expanded role, although we recognise the competitive market for recruitment in this area. As I mentioned in my opening remarks, the Bill places a new, general duty on Ofcom to ensure that providers comply with their new security duties. We are working closely with Ofcom to ensure that it has the required resources to meet its new responsibilities, and we will keep that under review.
I shall now cover the issues relating to scrutiny in the Bill. The first of these relates to the Secretary of State’s ability to issue designation notices and designated vendor directions. This issue was discussed at length in the other place throughout the passage of the Bill, and more recently was referred to by the Constitution Committee, and I will address the remarks of both that committee and the Intelligence and Security Committee.
The noble Lord, Lord Clement-Jones, raised the recommendation from the Constitution Committee to increase oversight of the Bill’s powers by making them fall within the remit of the Investigatory Powers Commissioner. I can reassure noble Lords that the Secretary of State will use the power to issue designation notices and designated vendor directions only when it is necessary to do so in the interests of national security and where the requirements to be imposed are proportionate. The Bill already contains effective mechanisms for oversight of the Secretary of State’s use of the powers to give a designated vendor direction or designation notice.
The Bill requires the Secretary of State to lay copies of designation notices and designated vendor directions before Parliament. This will provide Parliament with the opportunity to scrutinise the use of these powers. On very rare occasions, the Secretary of State may choose not to lay a designation notice or direction before Parliament, because to do so would be contrary to the interests of national security. Where this is the case, the DCMS Select Committee will be able to view such directions and notices.
The Investigatory Powers Commissioner has responsibility for reviewing the use by public authorities, such as intelligence agencies, police and local authorities, of the powers in the Investigatory Powers Act. However, the Investigatory Powers Act regime is not directly comparable with the new powers and framework set out by the Bill. Oversight of the Investigatory Powers Act regime by the Investigatory Powers Commissioner is considered appropriate because of the potential intrusion into the private lives of individuals as a result of the use of covert powers. The national security powers in this Bill are very different from those in the Investigatory Powers Act: they are focused on protecting public telecoms networks and services from the threats posed by high-risk vendors.
The noble Lord, Lord West, the noble Baronesses, Lady Merron and Lady Northover, the noble Earl, Lord Erroll, and others raised the issue of scrutiny by the Intelligence and Security Committee. I pay tribute to the noble Lord, Lord West, and all other members of the Intelligence and Security Committee for the important work they do. We recognise the importance of effective scrutiny of the use of the Bill’s powers, and I am happy to correct the impression that the noble Lord, Lord West, suggested—that the Government want to avoid scrutiny in the Bill. That is why, as I said, the Bill requires the Secretary of State to lay copies of designation notices and designated vendor directions before Parliament, unless doing so would be contrary to the interests of national security. I referred to circumstances where this might be possible in my remarks on the advice of the Constitution Committee.
As noble Lords are aware, the activities of DCMS are not within the remit of the Intelligence and Security Committee. That committee’s remit extends to the intelligence agencies and other government activities related to intelligence or security matters, as set out in its memorandum of understanding. But the advice of the intelligence agencies will not be the only factor that the Secretary of State will take into account when deciding what is proportionate to include in a designated vendor direction. As well as the advice of the National Cyber Security Centre, the Secretary of State will consider, among others, the economic impact, cost to industry and impact on connectivity of the requirements in any designated vendor direction.
The ISC does not have a remit to consider non-security issues, such as the economic and connectivity implications of the requirements in designated vendor directions, but the DCMS Select Committee can consider those wider impacts. That is why, despite my noble friend Lord Balfe’s caution in this regard, we believe the DCMS Select Committee is the correct and appropriate body to see copies of designation notices and designated vendor directions that are not laid before Parliament.
My noble friend Lord Young of Cookham asked whether a designation notice or designated vendor direction is justiciable. Designated vendor directions and designation notices are subject to ordinary judicial review principles. However, the Secretary of State will issue designation notices and designated vendor directions only where they are necessary in the interests of national security and where the requirements in the direction are proportionate. As I mentioned, there are exceptions, which we expect to be rare, where it could be harmful to national security to lay a direction before Parliament, for example where doing so would expose particular security vulnerabilities.
The noble Lord, Lord Clement-Jones, asked about the delegated powers in the Bill and the recommendations of the Delegated Powers and Regulatory Reform Committee, as did my noble friend Lord Young of Cookham. The committee has made one recommendation relating to the power to issue codes of practice about security measures. I am sure that the House will appreciate that we need some time to consider the recommendation. We will respond once we have done that.
A number of noble Lords, including the noble Earl, Lord Erroll, the noble Lord, Lord Fox, and my noble friends Lady Morgan and Lord Vaizey, raised issues about the Government’s work on diversification. Although this is not a matter that the Bill speaks to directly, as your Lordships pointed out, I am delighted to address it. The Government recognise the importance of a diverse supply chain for creating a resilient national telecoms network, which is why we published the 5G diversification strategy alongside this Bill. That takes forward the Government’s commitment in the telecoms supply chain review to respond to the lack of diversity in the supply chain. We are leading the way in solving this through our ambitious diversification strategy.
The diversification task force, led by my noble friend Lord Livingston of Parkhead, has now concluded its initial work. Its findings and recommendations were published on 20 April. As my noble friend Lord Young pointed out, they raise the opportunity for our businesses in this area to win new markets through the creation of shared standards. The Government will respond to the task force’s findings and set out our next steps in this ambitious programme this summer. My noble friend Lord Holmes asked for an update on our UK telecoms lab. We will be able to say more on that later this year, but we plan to respond to all of the priorities raised in the very helpful report from the diversification task force.
The noble Lord, Lord Fox, asked for a definition of “incumbent suppliers”. The diversification strategy defines them as those present in the network that are not high-risk vendors, which therefore would include non-UK businesses such as Nokia and Ericsson.
The noble Baroness, Lady Northover, and the noble Lord, Lord Clement-Jones, asked about our engagement with business. We continue to engage regularly and closely with public telecom providers, including the largest companies, such as BT, and the trade bodies representing small businesses. Their feedback has been invaluable in our policy development. We will consult with them further on the draft code of practice after Royal Assent to ensure that all those affected can make their voices heard.
The noble Lord, Lord Maxton, asked about our international engagement. We have engaged with partner countries throughout the drafting of this Bill and will continue to do so once it has passed. As he rightly pointed out, our networks face similar challenges to those of networks in other countries. It therefore makes absolute sense to find international solutions to them.
The noble Lord, Lord Vaux of Harrowden, obviously has a similar social life to mine. I definitely get more fraudulent calls than I do any other type of communication. As I wrote to him, this Bill is not intended to address the extremely important issues that he raised. The Government are exploring a range of different measures aimed at tackling criminal abuse of the telecommunications network, including fraud. This work is led by the Home Office. I am happy to meet with him to discuss it further if that is helpful or co-ordinates him being in touch with the right colleagues at the Home Office.
Turning to the issues of human rights, the noble Lord, Lord Alton, asked about the compliance of the ministerial statement on the face of the Bill with the Human Rights Act. As printed, I made a statement under Section 19 of that Act that:
“In my view the provisions of the Telecommunications (Security) Bill are compatible with the Convention rights”
as defined by Section 1 of the Act. I stand by my statement. I do not think there are any provisions in this Bill that are incompatible with the convention rights. The statement is about the content of the Bill. The noble Lord has implied that actions of another country might bring the Bill’s compatibility into question, but I think that is a misunderstanding of the purpose of the statement.
Many of your Lordships rightly raised issues of human rights in China, including the noble Baronesses, Lady Northover and Lady Merron, the noble Lord, Lord Fox, and my noble friends Lady Stroud and Lord Balfe. I start by paying tribute to the noble Lord, Lord Alton, for his ongoing commitment to standing up for human rights around the world, including in Xinjiang. The Government stand in complete solidarity with him and the eight others who were sanctioned by China. This House has debated these issues at length and rightly so, as they are important. The Government share the noble Lord’s serious concern about the human rights situation in Xinjiang. Indeed, he recently secured a Question for Short Debate on this topic, to which my noble friend the Minister of State for South Asia and the Commonwealth responded.
It is because this issue is so important that we have, as a Government, taken a wide range of actions this year and I cannot accept his suggestion of complacency on the part of the Government. The UK Government have led international efforts to hold China to account for its human rights violations in Xinjiang. We led the first two statements on Xinjiang at the UN and have utilised our diplomatic network to raise the issue up the international agenda. Most recently, on 22 June, the UK joined 43 other countries at the UN Human Rights Council to condemn China’s human rights violations in Xinjiang and Tibet, as well as the deterioration of fundamental freedoms in Hong Kong referred to by the noble Baroness, Lady Bennett, and others. On 13 June, the G7 leaders’ communiqué called on China to
“respect human rights and fundamental freedoms, especially in relation to Xinjiang”.
Noble Lords will be aware that in January the Foreign Secretary announced a package of measures to help ensure UK businesses and the public sector are not complicit in human rights violations or abuses in Xinjiang. Those measures include robust and detailed new guidance to businesses, a review of export controls as they apply to China, a commitment to introduce financial penalties under the Modern Slavery Act and increasing support for UK government bodies to exclude suppliers complicit in violations.
I know the noble Lord is particularly interested in hearing more about the review of export controls. He will be aware that export controls are already applied to a range of goods which may be used for internal repression or to breach human rights, as set out in the Export Control Act 2002 and accompanying secondary legislation. The review announced by the Foreign Secretary in January will ensure that we have captured the full range of goods as applicable to the current situation in Xinjiang and will determine which additional specific products will in future be subject to export controls. The Government will report back to Parliament on the outcome of the review in due course.
I also note the Private Member’s Bill introduced by the noble Lord, Lord Alton, regarding the duty on businesses to produce modern slavery statements. The Government have already committed to strengthening Section 54 of the Modern Slavery Act 2015 and I know that the noble Lord engages regularly with the Home Office on this matter. I can reassure all your Lordships that tackling modern slavery continues to be a priority for this Government. This is why the Government announced a review of our modern slavery strategy earlier this year.
A new strategy will cover our cross-government response, including how business and government can effect change through their supply chains. In September 2020, the Government committed to take forward an ambitious package of measures to strengthen the Act. As I have mentioned, this was followed in January 2021 by a commitment to introduce financial penalties for organisations that fail to meet their statutory obligations to publish modern slavery statements under the Act. Legislation to take these reforms forward will be introduced when parliamentary time allows.
The amendment tabled and adopted during the passage of the Trade Act further highlights that the Government take these issues seriously. The amendment ensures that a debate and vote in Parliament can happen in response to credible reports, expressed by a responsible Committee, about genocide in a country with which we are proposing a new free trade agreement. I can now confirm that the Foreign Affairs Select Committee in the other place has agreed to be charged with this role, subject to agreement by the House. Discussions are still ongoing in the other place and will begin in this House when there is a willing Committee.
This Bill, however, is focused on the security of the UK public telecoms network and services. It is not the right legislative vehicle to address concerns about human rights and modern slavery. Clause 16 makes it clear that designation notices can be issued to vendors only where the Secretary of State considers that it is necessary to do so in the interests of national security. The Government consider that the Secretary of State should be required to assess national security as strictly about the security of our nations.
I apologise to noble Lords: I know that I have overrun but it was a rich debate. I hope noble Lords will accept that it was worth addressing some of the important points raised. I look forward very much to working with your Lordships across the House to pass this important legislation. As I have said, the Bill will create one of the toughest regimes for telecoms security in the world. It will enable us to protect our critical national infrastructure and shield our networks for years to come. The noble and gallant Lord, Lord Stirrup, gave the Government a helpful and powerful challenge: to be forward-looking as we think through this legislation; to recognise the need for a balance between cost, resilience and risk; and to adopt an approach that combines agility and adaptability. Again, I invite noble Lords who wish to talk about any particular issues related to the Bill to contact me or my officials, and I look forward to debating this further in Committee.
Telecommunications (Security) Bill
Tuesday 13th July 2021
(2 years, 9 months ago)
Grand CommitteeRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 15-II(Rev) Second marshalled list for Grand Committee - (13 Jul 2021)
Lord Alton of Liverpool
“(1A) The duty under subsection (1) includes a duty to review—(a) vendors of goods or services to public telecommunications providers which are prohibited in other jurisdictions on security grounds, and(b) the reasons for such a prohibition.”
Lord Alton of Liverpool (CB)
In moving Amendment 1 and speaking to Amendments 20 and 27, I first thank the noble Lords, Lord Blencathra and Lord Coaker, and the noble Baroness, Lady Northover, who have signed one or all of the amendments. This is a clear signal from across the Committee that the Bill must be strengthened to deal, first, with companies that have been banned in other jurisdictions, secondly, the need to dig deeper into the ownership and investment of companies and, thirdly, the desirability of acting in concert with our allies in Five Eyes.
These amendments sit comfortably alongside the call that we heard at Second Reading for additional parliamentary scrutiny, which the Intelligence and Security Committee has called for. At Second Reading, the noble Baroness, Lady Morgan of Cotes, said that we should focus on what other nations are doing:
“we have allies around the world and will want to be able to work with other companies and countries around the world to make sure we have that diversity of the supply chain.”—[Official Report, 29/06/21; col. 716.]
On 30 November 2020, the Secretary of State told the House of Commons:
“We must never find ourselves in this position again. Over the last few decades, countless countries across the world have become over-reliant on too few vendors”.—[Official Report, Commons, 30/11/20; col. 75.]
During our debate, the noble Lord, Lord Young of Cookham, told us:
“Other countries in the free world face the same challenges as the UK”.—[Official Report, 29/06/21; col. 718.]
The noble Baroness, Lady Stroud, urged us to work
“in close partnership with our Five Eyes allies”,
reminding us that
“We have known that Huawei is a security risk since 2013.”—[Official Report, 29/06/21; cols. 726-7.]
That should enable us to avoid what the noble Baroness, Lady Merron, described as “another costly security debacle”. My noble and gallant friend Lord Stirrup told us that we
“need to develop an approach ... that constantly monitors and rebalances this equation in the context of our complex and dynamic world.”—[Official Report, 29/06/21; col. 715.]
These amendments seek to address many of those points.
At Second Reading, noble Lords referred to companies that have caused security concerns in other jurisdictions, including Huawei, TikTok, ZTE Corporation, which the Government have named a high-risk vendor, Hytera Communications Corporation Ltd, Zhejiang Dahua Technology Company Ltd and Hangzhou Hikvision Digital Technology Company Ltd. I will return to Hikvision later. The noble Lord, Lord Fox, said that the Bill’s headline is
“a ban on the purchase of new Huawei equipment”.—[Official Report, 29/06/21; col. 711.]
Like the noble Baronesses, Lady Northover and Lady Bennett, he referred to the genocide against Uighurs in Xinjiang. I serve as vice-chair of the All-Party Parliamentary Group on Uyghurs and am a patron of the Coalition for Genocide Response. Following the House of Commons’ decision to name a genocide in Xinjiang, only last week the Foreign Affairs Committee published a damning report calling for a much stronger response from the Government. These amendments, like those to the Trade Act, which the House passed with three-figure majorities, are a modest attempt to force that stronger and effective response.
The noble Lord, Lord Blencathra, has frequently pointed to the way Chinese companies can fundamentally compromise our infrastructure and, through subsidies, asphyxiate UK industry. The one billion lateral flow tests that we have bought from the CCP are a glaring example. These amendments specifically address the telecommunications sector, but they provide a road map that could be emulated in other strategic sectors.
Finding ways to protect our strategic industries has never been more important. Last week, we learned that, in a deal estimated to be worth £63 million, the Newport Wafer Fab, the UK’s largest producer of semiconductors, has been acquired by the Chinese-owned manufacturer Nexperia. Nexperia is a Dutch firm but is owned by China’s Wingtech. Newport Wafer Fab is the UK’s largest producer of silicon chips, which are vital in products from TVs and mobile phones to cars and games consoles.
This acquisition is happening during an increasingly severe global shortage of computer chips. Kwasi Kwarteng, the Business Secretary, said that the Government are monitoring the situation closely, but do
“not consider it appropriate to intervene at the current time”.
When she comes to reply, perhaps the Minister could tell us why it is not appropriate, when the right time would be to protect a key national asset, and whether, following the Prime Minister’s subsequent expression of concern, the acquisition is being reviewed under the National Security and Investment Act, which at Second Reading we were all told would protect key national assets from dangerous foreign takeovers.
There is a lamentable lack of strategic coherence or consistency in our approach. On one hand, we have the noble Lord, Lord Grimstone, saying that he wants to deepen trade deals with China, while the Foreign Secretary tells us that slave labour in Xinjiang is “on an industrial scale”. We have the integrated review telling us that China is a threat to the United Kingdom, but the Business Secretary telling us that it is not appropriate to do anything at the present time.
This predatory absorption of our semiconductor industry is inimical to the material interests of our technology companies and to national security. Our Committee should consider carefully what is at stake here and why these amendments are so very relevant. Have the Government examined what is happening within the same sector in other jurisdictions, for instance? What assessment has been made of the dependency of United Kingdom manufacturers on China for imports of critical technologies such as semiconductors and semiconductor devices? The applicability of these amendments, by generating a review of other practices in other regions, is of course self-evident. We are starting with telecoms, but the same lessons apply across the board.
I also want to pursue an issue which the noble Lord, Lord Fox, and I raised at Second Reading. The Minister was asked about companies that operate and own CCTV security networks. UK local authorities are reviewing contracts for CCTV equipment made by Hikvision. This is being used to enforce China’s surveillance state in Xinjiang, but it is also operating CCTV equipment the length and breadth of Britain. Is that wise? Hikvision is banned in the United States but not here. I put a simple question to the noble Baroness at Second Reading, and I put it again: why not?
Last week in its report Never Again: The UK’s Responsibility to Act on Atrocities in Xinjiang and Beyond, the Foreign Affairs Committee said:
“Cameras made by the Chinese firm Hikvision have been deployed throughout Xinjiang, and provide the primary camera technology used in the internment camps.”
The committee heard concerns that facial recognition cameras made by companies such as Hikvision operating in the UK—I repeat: operating in the UK—are collecting facial recognition data, which can then be used by the Chinese Government. Dr Hoffman, who was one of the witnesses giving evidence to the Select Committee, said that Hikvision cameras are operating “all over London”. The committee said:
“Independent reports suggest that Hikvision cameras are operating throughout the UK in areas such as Kensington and Chelsea, Guildford, and Coventry, placed in leisure centres and even schools.”
The committee concluded:
“Equipment manufactured by companies such as Hikvision and Dahua should not be permitted to operate within the UK. We recommend that the Government prohibits organisations and individuals in the UK from doing business with any companies known to be associated with the Xinjiang atrocities through the sanctions regime. The Government should prohibit UK firms and public sector bodies from conducting business with, investing in, or entering into partnerships with such Chinese firms”.
So will we? It would be good to hear from the Minister.
In parenthesis, the committee also registered concerns about
“substantial research connections between the Chinese organisations responsible for these crimes and UK universities”,
and said that,
“the role of advanced technologies in the use of oppression in Xinjiang cannot be ignored.”
At Second Reading, the Minister referred to the report into export licences. The Select Committee complains that
“the Government has not made clear when the urgent export review will be concluded. The crisis in Xinjiang is far too urgent for delay.”
Again, it would be good to hear from the noble Baroness on that specific point about export licences. Can we at least be told what plans the Government have to impose import and export controls on firms linked to China’s military-civil fusion programmes? Are we acting in concert with our allies, as these amendments require, over Hikvision? As in the US, will this Bill be used or amended to enable us to ban it?
The Select Committee also referred to our duties under the Modern Slavery Act 2015. I refer to my interests as a trustee of the Arise Foundation. The committee report says:
“the issue of forced labour in Xinjiang is pervasive, widespread,”
and that
“In the Government’s own words, ‘no business can consider themselves immune from the risks of modern slavery’.”
This, too, is information that has been assessed in other jurisdictions and deemed to raise ethical and security issues of which we should make ourselves aware, as these amendments would require us to do. I can think of no compelling reason, other than vested interests, as to why we would not want to know what other jurisdictions are doing about these issues.
I turn again to telecoms. The argument for more concerted action was put well, in the context of Huawei, by Senator Marco Rubio, who said:
“Rejecting Huawei would not mean the UK going it alone, but joining a coalition of like-minded countries determined to ensure effective, market-based alternatives to Huawei are available.”
He is right. Have we examined this? Are we doing the same?
As long ago as 2018, the US put in place a block on ZTE, China’s second-largest maker of telecommunications equipment, because of violations of sanctions against Iran and North Korea. It has designated ZTE as a “national security threat” with government telecommunications funds banned from buying equipment from ZTE. Are we doing the same? In April, the Department of Commerce added seven Chinese supercomputing entities to the list, with Gina Raimondo, the US Secretary of Commerce, insisting that
“The Department of Commerce will use the full extent of its authorities to prevent China from leveraging U.S. technologies to support these destabilizing military modernization efforts.”
The US has gone further in examining investments, as these amendments do. Proposed new Clause 15 would require us to examine what others are doing in this respect. President Biden has issued an executive order banning US investors from trading shares in China Mobile, China Unicom and China Telecom. The list of firms in which US firms cannot invest comes to more than 60. I will not read out the full list today, but I have sent it to the Minister, who has kindly acknowledged receipt, for which I am grateful. Among those firms listed are a number specifically connected to surveillance technology including China Telecommunications Corporation, China United Network Communications Group, Hangzhou Hikvision Digital Technology, Huawei Technologies, Semiconductor Manufacturing International Corporation, China Mobile Ltd and China Telecom Corporation Ltd.
However, it is not just the US. Australia is another of our closest allies and a core member of Five Eyes, which is specifically mentioned in these amendments. In blocking a A$300 million takeover offer by China State Construction Engineering Corporation, Australia cited national security grounds. As long ago as 2016, Australia forbade a deal on the basis that China’s subsidies rendered it difficult for Australian bidders to make a competitive bid, with the Treasurer saying that it may be
“contrary to the national interest”.
In 2020, the Guardian Australia reported links between companies operating in sensitive sectors including the national science research agency and technology companies and operatives from the Chinese intelligence agencies, with one reported as having ties to the CCP’s United Front Work Department, a foreign-influence body described by President Xi Jinping as an “important magic weapon”.
Baroness Northover (LD) [V]
My Lords, we move into the scrutiny of the Bill, which seeks to balance the need for the United Kingdom to be at the forefront in technological development and connectivity—requiring the fastest and most efficient broadband, for example—with the need to ensure that we do not inadvertently open ourselves to malicious actors or states as we do so. It is therefore appropriate that the first group of amendments seek to strengthen the security side, recognising the complexity of modern threats. The noble Lord, Lord Alton, has as ever laid out the case extremely clearly and in detail, and I look forward to the noble Baroness, Lady Barran, replying as comprehensively. He has long made sure that in the Lords we delve deeply into these issues as we challenge the Government and hold Ministers to account.
These are sensible amendments intended to set the Bill in the context of what our allies are doing, drawing from their knowledge and experience and, as the noble Lord said, most importantly, working together. They propose actions that should be happening anyway but which we know can be easily set aside or overlooked as Governments address many pressing issues. Amendment 1 includes a duty to review telecoms vendors
“which are prohibited in other jurisdictions on security grounds”.
It is important that we both learn from other jurisdictions and act together. We have seen how China, for example, seeks to pick off states, as in its recent threat to ban Australian beef on the basis of what it had judged to be interference in its internal affairs. We also saw the Foreign Minister of New Zealand at first indicate that her country should go its own way in relation to China, clearly worried about China’s possible actions, before stepping back from that position in recognition of the fact that we really are stronger together.
There are clear risks. We see Canadian citizens used as pawns in a wider concern about Huawei. As China becomes ever more dominant economically, and under its current leadership, resistance to its positions will become ever more difficult. We have been unable even slightly to hold it back in relation to Hong Kong, and it is therefore vital that like-minded countries work together. Therefore, there are two reasons for seeing what other like-minded countries are doing: first, to see what risks they identify and, secondly, to decide whether we should act together, as we would hope they would act when we saw risks. We are of course in a weaker position globally as we are out of the EU, which has strength in numbers and economic power.
Amendment 20 would expand the powers to include ownership or investment, and this clarifies further where risks might be; for example, through the investment clout of certain players. This is clearly vital.
Amendment 27 would require the Secretary of State to review the UK’s security arrangements with countries banned by a Five Eyes partner and decide whether to issue a designated vendor direction or take similar action with regard to the UK’s arrangements with that company. This updates previous legislation where this risk was not so apparent as it is now, with the hugely increased economic and other associated power, for example, of China. Of course, the Five Eyes of the US, Canada, Australia, New Zealand and the UK are very much aligned on this. Certainly, the risks identified by the Five Eyes should be front and centre in our thinking. I would say that we should add in the EU. Had we still been in it, we would have had that major sphere of influence to strengthen our position further. That makes these amendments even more important.
As the noble Lord, Lord Alton, laid out, we have become very dependent on China in many areas. That is true not only in the area of the Bill but in the new green industries, for example. We need to be much more strategic than we have been in this regard up to now. As he also set out, we cannot build our business on human rights abuses even up to genocide.
I am sure the Minister will say that these amendments are not needed as all these actions will be taken, but they are tabled to make sure that they are. We know that this has not happened adequately up to now; we need to strengthen the Bill, as the noble Lord, Lord Alton, has stated. I therefore look forward to the Minister’s reply.
Lord Naseby (Con)
My Lords, I apologise to my colleagues that I was not able to speak at Second Reading. I am quite clear, as I suspect we all are, that the security of the UK’s telecoms infrastructure is vital. Sadly, we come pretty late to the scene. The expansion of 5G and full-fibre broadband should have happened years ago, so this is not before time.
I read economics at Cambridge and looked at a number of aspects of economic expansion there, particularly in relation to business sectors. It is all very well saying that we will try to prevent the supply chain to the UK network being dependent on a limited number of suppliers. That may be a good idea in theory, but I just reflect that we have a national grid which is every bit as important as 5G; we have one or two aircraft manufacturers, and we have a couple of shipyards, so I just wonder whether there are a whole lot of suppliers out there for the telecoms world—there will be others who are better qualified than me to judge that. However, it is clear that we need to identify areas of risk, and Huawei is clearly one of them.
I would just ask a couple of simple questions. The noble Baroness, Lady Northover, mentioned Five Eyes. Is there a co-ordinating structure for Five Eyes in relation to this particular structure? If so, where is it based, what is our contribution to it and who exactly is doing it?
Some of our colleagues may have read the recent trading standards report that has just come out—I read it only last evening. A massive number of scams is happening at this point in time and we are dealing with the trouble they cause.
Amendment 20 refers to
“a specified country or … sources connected with a specified country, including by ownership or investment”.
I have worked overseas, including in a fair number of countries in south Asia such as Pakistan, India and Sri Lanka, so I ask: who on the ground will actually be doing the work? Quite frankly, I know of nobody in any of our high commissions capable of doing that sort of analysis. Do we have a floating investigatory system? How are we going to judge the evidence properly?
On Amendment 27, we need to take care, clearly, but we must recognise that there may be a valid opportunity in a company that has upset the host Government. You and I would not know the situation, but we should be aware of that fact.
I am a bit sceptical about the security check. I made a freedom of information inquiry—it was nothing to do with telecoms—and, at the end of the day, the reason given for not producing all the evidence following my FoI request was the security of the country. It was never explained in words of one syllable—or indeed in any syllables at all—what aspect of my inquiry would affect the security of the UK. I would like to know this from the Minister: are we relying on Five Eyes or are we relying on Ofcom? Who is it specifically that will be doing this analysis?
The Earl of Erroll (CB)
My Lords, I want to say a few words on this. It is highly relevant that we keep a close eye, but on all vendors, including the ones that may seem okay at any given moment—the world keeps changing. I am not an apologist for, and nor do I wish to promote, China in any way whatever, but it happens to be there and it happens to have ripped off a lot of Cisco stuff a few years back and improved it. The Japanese did this to our cars, many years ago—nothing changes.
The real problem is that we do not manufacture this sort of stuff here; some of it is manufactured in Europe, and of course we are no longer part of that, but does that matter anyway? We are reliant for the supply of all this electronic equipment, and the components—such as chips, which I mention specifically —on China and many other places. The Americans also rely on China to manufacture components which they then put in their equipment. We had a security compromise a few years ago, when compromised components were put into some Cisco equipment. It is more complex than trying to ban one company or one country. But there are not many alternatives for us here, and that is the real problem. We need to get some home-grown stuff going and we need to get it done very quickly if we want to be really secure.
What are we going to do about it? The thing that worries me is that you cannot assume that your allies are always your friends in everything. We have to be particularly careful of being dragged into a trade war under the cover of security or defence—and this does happen. The cost of this whole thing is not so much that Huawei will try to cause us problems in some way unknown if we remove it from our system completely; there is the other side of it. If its technology is working and is better, and we can make sure in various ways that we are secure against what Huawei might do, its technology might get us to where we need to be in an internet world a lot quicker. I notice that we have already delayed quite substantially the rollout of broadband everywhere and 5G—everything seems to be stalling because of these rows, which to me are trade rows.
I fully understand the points of the noble Lord, Lord Alton, about supporting regimes that are doing appalling things around the world. The trouble is that there are an awful lot of them. Take the situation he mentioned, to do with cameras. It is actually the software that does the facial recognition, not the camera; it is purely a bit of hardware that takes a very good, high-quality photograph, and there are many alternatives to it. Who is supplying that facial recognition software? That is where I would really target, and I would bet it is China. If there are bits that are useful to us, we need to use them. We need to stay in the world and we need to get ahead. We are not ahead and we are going to drop behind more and more.
The other difficult thing about picking a fight with China is that, if we are really going to go net zero and start going all electric in the next few years, lithium supplies and processing are from China. There is already a shortage of chips and other things in the automotive industry; I am sorry, but we are reliant on an intertwined global supply chain which stretches all over the place. We must be very careful about singling out one country, but we are—and that is why the amendment is useful. We must have something that says that we are keeping a proper eye on the whole lot of them.
Lord Fox (LD)
This is an interesting debate—one that we started about a year ago. During the summer, on the then Telecommunications Infrastructure (Leasehold Property) Bill, many of these arguments were rehearsed. This Bill was held out, in a sense, as the carrot that would address these issues, and it has been some time coming.
To some extent, the initial issues that came up last year have been discounted, with the Government largely moving on the Huawei issue. However, as we have heard—and will hear over the course of Committee—many questions are unanswered. We should once again thank the noble Lords, Lord Alton and Lord Blencathra, and my noble friend Lady Northover for bringing forward these amendments, as well as the noble Lord, Lord Coaker. I will be interested to hear his perspective as, having been a Minister, he understands some of the trade-offs in decision-making—it is interesting that he chose to sign this amendment none the less.
I thank the noble Lord, Lord Naseby, for his Second Reading speech. He could not give it to us at Second Reading, so we got it anyway. There are some issues around industrial capacity which I will come back to.
The noble Earl, Lord Erroll, picked up a point on which I queried the Minister and did not get a response: at what point are we examining this technology? You have systems, sub-systems, components and software. Frankly, if we are doing this, it must be done at all levels. The capacity to do that and track a chip, a piece of software or something in the software which we do not even know is supposed to be there is a huge task. Do we have the capacity in the intelligence services, and the industrial ability, to do it? It is a very important question, as there is not much point having this if we cannot actually do it.
Before speaking to Amendments 1 and 20, I will say a few words on Amendment 27, the Five Eyes element. As we know, this requires the Secretary of State to review the UK’s security arrangements with companies banned by Five Eyes partners and to decide whether to take similar action on the UK’s arrangements with those companies. As I think my noble friend Lady Northover said, the Minister will no doubt say that we do this anyway. If we do this anyway then, to some extent, we should not be afraid of putting it in the Bill. It is important that we walk in as lock-step a way as we can with our Five Eyes partners, but the point of the noble Earl, Lord Erroll, is apposite; China understands that and will play the Five Eyes against each other. We must be aware of that; we must not be slavish in how we respond but canny, and work with our partners so that they understand why we are moving in the right direction.
Again, this comes down to capacity. The noble Lord, Lord Naseby, asked who does it. The NCSC is supposed to provide the ammunition for the Secretary of State and Ofcom to operate on. There are big questions around the interface between the NCSC and Ofcom and how they relate to each other. How, for example, does the highly secret information the NCSC is dealing with get to DCMS and Ofcom without either breaching security or eroding transparency, or both? We have big concerns about that, and obviously it will come up later.
The noble Lord, Lord Alton, raised Newport Wafer Fab, which until recently I thought was an ice cream firm somewhere in Aberystwyth. However, now I find that, as he set out, it is our only supplier of this equipment. That is an object lesson in itself but it is also completely appropriate to this point. In its response, BEIS confuses manufacturing capacity with technical novelty and has the idea that, because this is not technically novel, that somehow stops it from being valuable to this country. However, manufacturing capacity is central to the delivery of future technical novelty, and if you want somewhere to look, look at the communications industry. We were pre-eminent global leading companies in analogue communications technology; no country could match us. We lost that manufacturing capacity and the ability to innovate in the digital space, and that is why we have the supply chain issues we have today. If the Government have not learned this lesson, and it seems that BEIS has not, we have a long way to travel yet before we get to a sensible place.
In a sense we have heard from the noble Lord, Lord Alton, and others about specific issues but I would like to rise up a bit and look at the bigger picture slightly. In his Mansion House speech on 1 July 2021, Rishi Sunak crystallises the challenge and perhaps the dichotomy, and points us in a number of different directions at the same time. Your Lordships must excuse me, but I will read out a fairly lengthy passage which is appropriate to this debate. He says:
“And our principles will also guide our relationship with China. Too often, the debate on China lacks nuance. Some people on both sides argue either that we should sever all ties or focus solely on commercial opportunities at the expense of our values. Neither position adequately reflects the reality of our relationship with a vast, complex country, with a long history. The truth is, China is both one of the most important economies in the world and a state with fundamentally different values to ours. We need a mature and balanced relationship. That means being eyes wide open about their increasing international influence and continuing to take a principled stand on issues we judge to contravene our values. After all, principles only matter if they extend beyond our convenience. But it also means recognising the links between our people and businesses; cooperating on global issues like health, aging, climate and biodiversity; and”—
here we come to the rub—
“realising the potential of a fast-growing financial services market with total assets worth £40 trillion”.
What does a mature, balanced relationship look like in context? How nuanced are the examples that we have just heard about the Chinese? First, we can see that because of advanced concerns around the security of at least one Chinese vendor, the UK Government are mandating equipment to be torn out of our existing infrastructure and thrown away at the cost of several billion pounds. That is not a nuance. Secondly, we have heard from the noble Lord, Lord Alton, this time and previously, and we have seen the evidence of malevolence within China to its own people on a scale that is, let us say, unusual even for the age in which we live. Thirdly, we can see transparently what is going on in Hong Kong. That in itself is not a nuance either. Fourthly, we have the Chancellor’s stated desire to realise the potential of a fast-growing financial services market.
All this is the context in which Amendments 1 and 20 have been tabled. This gives the chance for the Minister to explain where she and the Bill sit on that nuanced scale, as the Chancellor puts it. He clearly sets out that the Government’s principles will guide our relationship with China, so what are those principles?
Lord Coaker (Lab)
My Lords, this is my first Grand Committee appearance, and I hope that I do not disappoint the noble Lord, Lord Fox. I have been in a number of committees, but not at this end of the building. I am still getting used to some of the processes and procedures, but I am very pleased to be speaking on this Bill.
From our perspective, the Bill is very welcome. The Government are clearly addressing a very real security concern that our nation has, and, in trying to deal with it, have not just my support but that of every single Member of the House of Lords. It is our country, and we want it looked after and defended properly. Many of the amendments and the comments that have been made so far today, and which will be made throughout the Committee and no doubt at Report and beyond, are about challenging the Government, not from an oppositional point of view but from one of trying to improve the legislation. We want to ask the Government testing questions to see where their thinking is. That is what all the various speakers have done so far today.
There are a number of particular issues. As others have said, the amendments in this group, from the noble Lord, Lord Alton, deal with the international context for the security of the telecommunications sector, however you define that. This is really important, because it affects—not infects—every single part of our lives. The noble Lord, Lord Alton, gave the example of Hikvision and CCTV. Whether it is the hardware or the software, this demonstrates that there are examples of new technology and telecommunications which impact on all our lives but which many of us probably do not view as causing a potential security threat to our country and nation. We have only to look at where that is going—whether you look at this sphere or the defence sphere—to know that we are going to see an increase in telecommunications, and in the use of space, drones, artificial intelligence and all those sorts of aspects.
One thing that I will talk about in other debates on other amendments is how you future-proof this—and that is part of some of the later amendments. Hikvision, which the noble Lord, Lord Alton, raised, is an interesting instance. At the nub of it is that, if our allies, who we depend on for our collective security, are banning companies such as Hikvision, as in the United States, how is it in our interests to defend our own security to not do the same? It is unfair to say that it has not been thought about, but there is something of a disjointed approach when one of our closest allies—if not our closest—has banned a tech company that we use. I am sure that there are very good reasons for it, and the Civil Service and others will no doubt tell the Minister X, Y and Z, but it defies common sense. Whatever the reality of it, it just does not appear to be a sensible option, so I very much support the example that the noble Lord, Lord Alton, gave. That is one of the reasons why I added my name to Amendment 27.
With regard to NATO and Five Eyes on a domestic and international level—I shall return to this point on Amendments 18 and 25—who actually holds the ring? Who is the person or what is the department that co-ordinates all this activity across government? Who holds the ring across government? You could say that it is the Prime Minister, but the Minister will know what I mean. Out of all the various aspects of government, who actually in the end decides? And if there is a conflict of interest between them, who then is the judge of that and how does that work on an international level? But as I say, that is more to do with Amendments 18 and 25.
Amendment 27 in particular, as I said, ensures a review of telecoms companies when a Five Eyes partner bans the operation of a vendor of goods or services to public telecommunications providers in its country on security grounds. That is eminently sensible. It a review. The amendment is, essentially, testing the Government by asking, “Why wouldn’t you have a review?” Why would you not—to use a security term—keep that under surveillance?
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Baroness Barran) (Con)
I thank all noble Lords for these amendments, which seek to strengthen the resilience of our telecoms networks by putting a new monitoring requirement on providers in relation to vendors in other jurisdictions, adding to the list of matters to which a requirement in a designated vendor direction may refer, and requiring the Secretary of State to review decisions taken by Five Eyes partners to ban vendors on security grounds.
We recognise the aim of having a comprehensive approach to telecoms security that includes the provider and government. The Bill follows this approach. A number of your Lordships said that I could be advised that the amendments are not unnecessary, but one issue the amendments raise is that of clarity of responsibility in the Bill. We believe genuinely that these amendments would blur some of that clarity.
The Bill as drafted is clear that it is the responsibility of government, not public communications providers, to set security duties and to designate vendors who pose a national security risk. In doing so, the Government, via the National Cyber Security Centre and other agencies, will monitor companies globally, including, of course, in the Five Eyes countries. It is then up to the providers to implement the security duties placed upon them and to comply with any designated vendor directions issued to them.
Amendment 1 in particular risks blurring these lines of responsibility and requiring telecoms providers to spend disproportionate resources on monitoring vendors internationally. This amendment seeks to place a new duty on public telecoms providers to review vendors of goods or services to those providers which are prohibited from other jurisdictions on security grounds, and to review the reasons for the prohibition. This would require public telecoms providers to monitor the policies and regulations of all other jurisdictions to understand whether those jurisdictions had banned certain companies from operating. This would be an onerous, disproportionate duty to place on industry.
Furthermore, in some cases, it may be impossible for telecoms providers to comply with the duty. The amendment states that telecoms providers must review the reasons for a vendor’s prohibition from a jurisdiction. As noble Lords will be aware, many jurisdictions have opaque decision-making processes, where it may be difficult, if not impossible, for telecoms providers to review the reasons for the prohibition of certain companies. Moreover, new Section 105A, which is inserted by Clause 1, places a strengthened overarching security duty on public telecoms providers. This duty is centred on an appropriately future-proofed definition of security compromises. Clause 1 therefore already ensures that telecoms providers undertake appropriate risk management to guard against any relevant threats to network security. In the light of this, I do not consider that this amendment is either proportionate or necessary, given the burden that it would place on telecoms providers and the duties already contained in the Bill.
Amendment 20 seeks to clarify that a requirement in a designated vendor direction may make provision by reference to the sourcing of goods, services and equipment from a specified country, or from sources connected with a specified country. While it is important that we protect our networks from the threats posed by hostile state actors, I do not consider this amendment to be necessary. As currently drafted, the Bill already allows for requirements to be included with provisions relating to the “source” of goods, services and facilities supplied by a designated vendor. I would consider that countries, and sources connected to countries, would already be captured by this wording.
Further, the list of matters that the noble Lord seeks to amend is explicitly non-exhaustive. The Bill is clear that the provisions of a requirement may refer to matters other than those listed in the Bill. It is therefore already possible for a requirement in a direction to refer to the country from which goods, services and facilities are sourced, if the Secretary of State considers that such a requirement is necessary in the interests of national security and proportionate to the aim that is sought to be achieved. As such, this amendment would not achieve anything that is not already possible under the provisions of the Bill as drafted.
Amendment 27 seeks to add a new section to the Communications Act 2003. This amendment would require the Secretary of State to review decisions taken by Five Eyes partners to ban telecoms vendors on security grounds and consider whether similar action is required in the UK.
A number of Members of the Committee, including the noble Lords, Lord Alton and Lord Coaker, and the noble Baroness, Lady Northover, stressed the importance of co-operation. She asked whether this was happening anyway. The short answer is that it is. The UK is already committed to a close partnership, and engages regularly with the Five Eyes. The UK’s telecom networks face similar challenges to networks in other countries.
The Government have engaged with partner countries on the approaches to high-risk vendors throughout the drafting of the Bill and will continue to do so once it is passed. I reassure the Committee that we are in regular contact not only with the Five Eyes nations but with other key partner nations—for example, Japan, France and Germany, to name but a few. Therefore, a requirement to review their decisions to ban a high-risk vendor and consider whether to issue a designated vendor direction in the UK would be unnecessary.
The noble Baroness, Lady Northover, asked more broadly how we worked with other countries in relation to national security. We have always maintained that each country needs to implement the mitigations that are right for their national circumstances. Of course in practice, Governments are adopting similar measures to address the risks, and adapting them to meet their own national circumstances. For example, the Netherlands, Germany and Australia have all either adopted or are planning to adopt security measures comparable to those set out in the UK’s draft secondary legislation, which the Bill would allow us to implement.
In July 2020, following advice from the National Cyber Security Centre, the National Security Council considered the impact of US sanctions in relation to Huawei. It considered that further action was needed, as the new US restrictions made oversight of Huawei products significantly more challenging and potentially impossible. That is another example of how the UK already regularly reviews security advice and requirements in response to international considerations.
Some of the issues raised were closely linked to the Bill, while others were slightly less so. The noble Lord, Lord Fox, asked how Ofcom and the NCSC would work together in practice. To formalise the relationship between the two organisations, they are in the process of developing a memorandum of understanding and have published a statement, available on the Ofcom website, that sets out the three key principles that they will follow. They are: first, that the National Cyber Security Centre will provide expert technical cybersecurity advice to Ofcom to support the implementation of the new telecoms security framework; secondly, that they will exchange information where necessary and permitted by law; and, thirdly, that the National Cyber Security Centre will continue to provide incident management support during serious cybersecurity incidents, both to telecoms operators and to Ofcom as needed.
The noble Earl, Lord Erroll, suggested that our broadband rollout programme had stalled—forgive me if I misheard—but I do not accept that. We as a Government remain committed to delivering nationwide gigabit and mobile connectivity as soon as possible. We have put in place £5 billion of funding to roll out next-generation gigabit broadband and have already connected more than 1 million hard-to-reach homes and businesses. Despite the pandemic, the expansion has been extraordinary, with 40% of premises now having access to gigabit-capable broadband, which will rise to 60% by the end of this year.
The Deputy Chairman of Committees (Baroness Healy of Primrose Hill) (Lab)
I have received a request to speak after the Minister, so I call the noble Lord, Lord Fox.
Lord Fox (LD)
I congratulate the Minister on introducing the Barran scale of nuance, which will no doubt become a classic in future. She did not address the issue of componentry, if you follow my drift. It seems to me, in analysis, that what tipped the balance in the sense of Huawei was the absence of American-made chips. Were that not to have happened, the NCSC would not have recommended the widescale removal that we have seen. That appears to be the implication. There seems to be an element of component monitoring going on, although in this case the monitoring appears to have been done more by the Americans than by the United Kingdom. It comes back to that fundamental point: at what level is the Bill going to be applied? Will it be applied on the overall capability of the system? In other words, is it a systems capability issue? Is it a subsystem operational outcome view, the individual pieces that go to make those subsystems, or the software that drives the overall system? How will the Bill actually be put into process?
Baroness Barran (Con)
I may need to write to the noble Lord about the technical details he has set out. I think for the approach to be effective it needs to incorporate all elements of that. An overall system cannot be a capable system if the subsystem is not. There needs to be coherence across the equipment that is supplied and our understanding of how it operates in practice and the component parts to inform the judgment about its security or not. I am happy to follow up in writing if he is agreeable.
Lord Alton of Liverpool (CB)
I thank all noble Lords who have participated in the debate and the Minister for her replies. I thought that the intervention just now by the noble Lord, Lord Fox, was important. It drives at one of the issues that we have debated today in the context of Nexperia and what is happening to a British company that has been acquired by a Chinese company through its Dutch affiliate. It is about computer chips. It is about semiconductors. It is about our ability to be able to control what goes into the technology that the Bill is very much about. That is not an on-the-side question; it is a very important central question and I look forward to seeing the response that the Minister gives to the noble Lord, Lord Fox, when she looks at it further.
I turn now to some of the contributions made today. The noble Baroness, Lady Northover, in a typically powerful and thoughtful intervention, invited us to delve more deeply. That is what we have been doing during this afternoon’s proceedings. She emphasised the importance of countries working together. She regretted, with sadness, that we have been forced to make some of these decisions about our own individual ability to acquire intelligence as a result of our decision to leave the European Union.
I thought it was interesting that, earlier today, the European Commission issued new guidance to combat forced labour in supply chains. It rather puts our laggardly and perfunctory efforts to shame. The guidance provides concrete, practical advice on how to identify, mitigate and address the risks. This issue has been referred to and the noble Baroness has said that she is going to write to us further on modern-day slavery and supply chains. High Representative/Vice-President Josep Borell says that the guidance
“will help EU companies to ensure their activities do not contribute to forced labour practices in any sector, region or country.”
It paves the way for future legislation which will have enforcement mechanisms and should introduce a mandatory due diligence duty, requiring European Union companies to identify, prevent, mitigate and account for sustainability impacts in their operations and supply chains.
Our amendments today would gather that kind of information. I simply do not accept that it is impossible for companies, in partnership with government—a point made by the noble Baroness in opposition to these amendments was that this would place too much responsibility on companies—or countries such as our own to collect this information. Like other noble Lords around the table, I have no staff. The information I gave to the Committee today is publicly available and, with a little bit of research, it can be obtained without too much difficulty. It is absurd to suggest that it is beyond the ability of companies or countries to collect information and share knowledge. The example from the European Union underlines what the noble Baroness said to us today.
The noble Lord, Lord Naseby, was, as always, asking all the right questions. From our many years together in another place, as well as here, I am always happy to stand with the noble Lord, not least because of his experience in many parts of the world. It is important to ensure that our people who are in post in many of our embassies are given the ability to ask these searching questions and to ensure that the information comes back to us, to prevent many of the expensive mistakes that have been made around Huawei, and which have been referred to during the debate, happening all over again.
My noble friend Lord Erroll was right to say that there are human rights abuses in many countries. Like him, I become indignant about some of those abuses; I do not argue, though, that we should no longer trade with those countries. I always prefer that we trade with countries that are on a trajectory to reform, that are law-abiding and that believe in human rights and democracy, but I accept that it would be impossible to take out of supply chains any country that carries out any kind of human rights violation.
However, there are certain markers that we can look to. One of them is our legal duty under the 1948 convention on the crime of genocide. This is not a word to be used lightly. The word “genocide” came into our vocabulary thanks to a Polish Jewish lawyer, Raphael Lemkin, who had seen over 40 of his own family murdered in the Holocaust. During the proceedings on the telecoms infrastructure Bill last year, I gave examples from that period of how companies such as Philips had their own forced labour in the camps where people were dying. I gave the example of Corrie ten Boom, a Dutch woman who had given refuge to escaping Jewish people trying to flee the Holocaust. She and her sister were arrested and sent to work in that factory; her sister died there. Corrie ten Boom wrote a deeply moving book called The Hiding Place. That is the comparison I seek to draw.
It is not just me. In April this year, the House of Commons said that what is taking place in Xinjiang is genocide—it is only the second time that it has ever made such a declaration, so this is of a different order. Where there is genocide, we, as signatories to an international treaty—the 1948 convention on the crime of genocide—have a legal obligation to predict the signs of genocide, prevent it from happening, protect those affected and prosecute those responsible. I accept my noble friend’s argument—we are not going to stop trading tomorrow with Gulf states or whomever it may be who is doing fairly odious things—but the crime of genocide is surely in a different league.
Lord Clement-Jones
Member’s explanatory statement
This amendment, along with similar amendments to Clause 1 in the name of Lord Fox, seeks to narrow the scope of the definition of “security compromise”.
Lord Clement-Jones (LD)
My Lords, I hope the Committee will forgive me if I move on to drier but—I hope the Committee will agree—important ground. In moving Amendment 2, I will also speak to Amendments 3, 4, 5 and 6.
Amendment 2, along with similar amendments to Clause 1 in the name of my noble friend Lord Fox and myself, seeks to narrow the scope of the definitions of “security compromise” and “connected security compromise”. As well as having concerns about oversight of the new powers of the Secretary of State, which we will debate later, there is also concern, reflected by the Constitution Committee, about the width of these crucial definitions and the consequences that flow, particularly as regards planned outages and the need to make a clear distinction between reporting on security compromises and on resilience.
I say this in the context of the impact assessment of 9 June, which stresses the large degree of uncertainty surrounding the costs to be incurred by business, amplified by the report of the Regulatory Policy Committee under its new chair. The Constitution Committee says:
“Clauses 1 and 2 impose duties on providers of a public electronic communications network or service … These include taking such measures as are appropriate and proportionate for the purposes of identifying and reducing the risk of security compromises occurring. The Bill defines security compromises, but the Explanatory Notes acknowledge this definition is broad and do not explain their intended scope. The consequences of a security compromise for providers are potentially significant, including substantial and costly duties of due diligence”—
this echoes the impact assessment. It goes on:
“The House may wish to consider whether narrowing the definition of security compromises would be appropriate.”
BT gave evidence to the Public Bill Committee in the Commons. Of course, BT is a provider which will need to comply with the provisions of the Bill, so I take the liberty of reading out much of its evidence:
“As currently defined, a ‘security compromise’ … would cover any planned network outage that may be required for maintenance or upgrading of the network, or any unplanned outages due to faults or wear and tear. These types of outages are relatively regular occurrences given the scale of our network and we always seek to minimise customer impact and restore service as quickly as possible. The duties on operators in the Bill that flow from this definition are significant—including network issues that cannot reasonably be considered as security compromises (rather resilience or availability issues) would create undue burdens on operators and potentially on OFCOM.
These outages are not the result of any unauthorised access or malicious intent, nor do they have consequences for the confidentiality of data or signals carried over the network. We do not believe it is the intention of the Bill to apply the same requirements (e.g. with respect to reporting or notification to stakeholders), or to make the same powers available to OFCOM, in relation to these types of incidents, as are intended to apply to ‘security compromises’.”
It goes on:
“The definition also seeks, we understand, to capture any compromise to the integrity of signals conveyed over a network. However, the way that this is expressed—by reference solely to compromises of the ‘confidentiality of signals’—is unclear and confusing. It could be significantly improved by making a simple amendment to refer to ‘confidentiality and integrity’.
The definition of ‘connected security compromise’ … is a simple definition referring to something that ‘occurs in relation to another public electronic communications network or a public electronic communications service’. Given the potential breadth of this definition, building some specifics on how the ‘connected’ element will be assessed in the overall Government/OFCOM guidance on ‘security compromise’ will be important.”
So a provider that will be considerably impacted by the Bill and the Constitution Committee have raised important issues about the width of these definitions. These amendments perhaps do not go as far as some providers would like, but they attempt to give greater certainty by specifying that compromises which involve security issues are covered, but not wider outages which do not have security implications. I very much hope the Government will heed both the providers and the Constitution Committee by narrowing the width of these definitions. I beg to move.
Lord Naseby (Con)
My Lords, I had the privilege of being an RAF pilot. The instructions we received as pilots in methods of security included the word “anything”. In other words, if you are flying a jet on a mission and you suspect something, “anything” is reported back, or you take remedial action. You do not try to refine that security by, in this case, reducing it or leaving any element of doubt. Thinking about it a little further, the “anything” could be technical. In this context, it could be competitive; it could be a company being taken over; it could be lack of finance; it could be fraud. Above all, it could provide a loophole. Therefore, Her Majesty’s Government are absolutely right in putting in the word “anything” and not trying to restrict it further.
The Earl of Erroll (CB)
My Lords, I rather agree with the noble Lord, Lord Clement-Jones, on this matter. The Bill is meant to be about security, not about “anything”. I have seen this happen with other legislation—that it suddenly becomes convenient to take something never intended for another purpose and, because it is very broadly worded, use it to beat some company or someone over the head over something completely unrelated. I am afraid that I agree that the Bill needs to be tightened up and brought down to security issues, not just “anything”.
For starters, a powerful, predominant supplier of routing equipment in the IP network would be a security risk. If anyone relies too much on one supplier—and they may unfortunately be pushed in that direction—it becomes a security risk, and we may have to close down some providers: “Oh dear, that’s our network finished”. That would be stupid. We are going to be anti certain companies. Companies get based or controlled elsewhere as takeovers happen internationally, so I see a certain amount of difficulty with this if it is very wide.
I come to what the noble Lord, Lord Fox, said. The reason we lost our manufacturing, of course, was that BT selected Huawei as the preferred supplier of the 21st-century network rewrite in 2005. That is the point at which we closed down our capability, effectively being blackmailed by America to get rid of Huawei while potentially blackmailed by Huawei, which could get too much control. We need to look at these strategic decisions where private companies that used to be government suddenly make companies that affect UK security. I have never been happy about that.
Lord Fox (LD)
My Lords, in response to the noble Earl, Lord Erroll, I say that it is also a huge issue when you have, essentially, a near-monopolistic private sector supplier, which makes any decision completely catastrophic for the under-bidder. I am speaking not to that but to Amendments 2, 3, 4, 5 and 6, which, as my noble friend Lord Clement-Jones pointed out, bear my name. He set out a very clear rationale for these amendments, which back up the concerns of the Constitution Committee and, indeed, some suppliers. Rather than reiterate those, I beg noble Lords’ indulgence to illustrate the point, inviting them to join me in a thought experiment. They need not worry—it is not going to hurt and I will not be pushing them into a Petri dish or anything like that. I simply ask your Lordships to imagine things the other way around: imagine that the Telecommunications (Security) Bill did indeed include the words currently proposed by my noble friend Lord Clement-Jones and myself, words that clearly identify that the focus of the Bill should be on the security of telecoms.
I ask noble Lords to continue to use their imagination that it was my noble friend and I who were proposing changes to include the words that are currently there; in other words, imagine that we were proposing to take the word “security” from this imaginary Bill and turn it into “anything”. Broadening the cover, as we have heard, would broaden the problem around any interruption very widely. I do not know but I dare say that, if we tried to do that, the Public Bill Office would have something to say, pointing to the Long Title of the Bill, which is:
“To make provision about the security of public electronic communications networks and public electronic communications services”
—in other words, security. Were we to try to take that word out and put in “anything”, I dare say the PBO would not allow us to do so.
If we did however slip it past the PBO, I guarantee that the Minister of the day would tell us that this would subvert the Bill’s intention and would take away the Bill’s focus from security to some of the imaginary things that the noble Lord opposite suggested—or, indeed, a digger backing into a green box somewhere in Kent. This is not the “Telecoms (Mishaps) Bill” but the Telecommunications (Security) Bill. These simple and modest amendments focus the Bill on its stated objective.
Lord Coaker (Lab)
This is a really important discussion. I do not want to speak for too long but the noble Earl, Lord Erroll, was right to say that the Bill is about security and not just “anything”. None of us on the Committee wants to compromise the nation’s security or compromise the ability of our military personnel to conduct necessary operations. However, sometimes in legislation words really matter—they are the law of the land. That is why scrutiny of legislation in Committee like this is so important, word by word and line by line, otherwise—and I will have a series of questions for the Minister on this—down the line in one, two, three or five years, something will happen and everybody will go, “How was the word ‘anything’ included?” The unintended consequence of legislation is something that we need to consider, or people will ask how something happened—how that word was allowed.
With that in mind, it is important that the Minister explains to the Committee how this definition is arrived at. The starting point would be to ask her to explain the differences between having the word “anything” and having the phrase “security issue”. Can she give examples of how the Bill would be weakened by having that term rather than “anything”, and what “anything” means—apart from saying that it means “anything”? What does it actually mean, given that the Bill is supposed to be about security issues, as the noble Earl said?
The Government argue that the duty on providers is appropriate and proportionate to ensure that the effects of compromise are limited and to act to remedy the impacts. I understand why Ministers are keen to keep the definition wide, but on its own it is not good enough. For example, can the Minister explain whether there are any thresholds to what amounts to a security compromise, or is it “anything”, and what does that mean to an individual who might stray into territory that they are not sure about? How was the Bill’s definition arrived at? Who came up with it and what advice did they receive? Were alternatives suggested to it, what did security experts say to the Minister was necessary, and were there dissenting voices?
In seeking clarification, I wonder whether the Minister can explain why the definition does not include, as I understand it, the presence of supply chain components, as the noble Lord, Lord Fox, mentioned on the earlier group of amendments, if they represent a security threat. Maybe it does—but could the Minister clarify that? We need to know that to understand the diversification of the supply chain and how effectively or not it is proceeding. It is important to consider the components of the supply chain, particularly when identifying where they are a threat to our national security. As I see it, that is not included in Clause 1, but perhaps the Minister can tell me that it is and that I have not read the clause correctly. If so, where is it?
I go back to where I started. These amendments are important in testing how the Government have arrived at this use of “anything”. I know it sounds like semantics —what does “anything” mean?—but the point made by the noble Earl, Lord Erroll, is crucial. The Bill is a security Bill. That being so, why does “anything” appear and why is “security issue” not the appropriate way to describe this? Why is it not included in the Bill? It is necessary for the Committee to understand the Government’s thinking on this for us to consider whether we need to bring back this matter on Report.
Baroness Barran (Con)
My Lords, the Committee will recall that the UK Telecoms Supply Chain Review Report in July 2019 found that telecoms providers lack incentives to apply security best practice. This Bill is our response to its recommendations and takes forward the Government’s commitment in the report to introduce a new security framework, including new legal duties and requirements, to ensure that telecoms providers operate secure and resilient networks and services.
I thank the noble Lords, Lord Fox and Lord Clement-Jones, for tabling these amendments to Clause 1. Before I address them directly, I hope that it will be helpful if I set out some brief context for the clause as it appears in the Bill and try to address the challenges posed by the noble Lord, Lord Coaker.
Clause 1 inserts a new Section 105A into the Communications Act 2003. New Section 105A places a duty on public telecoms providers, first, to identify the risks of security compromises; secondly, to reduce the risks of compromises occurring; and, thirdly, to prepare for the occurrence of security compromises. To support the duty, new Section 105A creates a new definition of “security compromise”. The definition is purposefully broad and includes anything that compromises the availability, performance or functionality of a network or service, or that compromises the confidentiality of the signals conveyed by it. I thank my noble friend Lord Naseby for his support for this approach.
I am genuinely slightly puzzled by the remarks of the noble Lord, Lord Coaker, about what is included and excluded, because Clause 1 goes into great detail—which I shall not read out now, but I know the noble Lord has looked at it. Not only do we define what is included in “compromise” but we are explicit about what is excluded. This comprehensive approach will help ensure that telecoms providers protect their networks and services properly in the future. It creates a new duty on providers to take steps to reduce the risk of incidents and attacks seen globally in recent years.
As we have heard, the amendments tabled by the noble Lords, Lord Fox and Lord Clement-Jones, would narrow the definition of a security compromise. As both noble Lords noted, this was also a matter that the Constitution Committee recommended the House consider in its recent report. As I have said, the definition is designed to support a long-term approach to security. It aims to be focused enough to address risks that are specific to telecoms networks. At the same time, it is broad enough to ensure the Bill is future-proof and has flexibility to enable us to address new and evolving threats.
I appreciate that the noble Lords are seeking to ensure that legal obligations on telecoms providers are targeted and appropriate to specific risks, but it is important to remember that the framework within the Bill is designed to do exactly that. Certainly, we are not aiming, in the words of the noble Earl, to bash suppliers over the head. Rather, the broad definition in the Bill helps future-proof the legislation, whereas the specific security measures which narrow that focus will be set out in secondary legislation. I tried to get my head around the thought experiment from the noble Lord, Lord Fox, but I got stuck at the idea of trying to fit inside a petri dish, which would definitely be impossible.
The Deputy Chairman of Committees (Lord McNicol of West Kilbride) (Lab)
I have received one request to speak after the Minister, from the noble Lord, Lord Fox.
Lord Fox (LD)
The Minister brought up the review, which was very clear that there are huge potential market failures within the security and resilience telecoms market, the reason being that security is not valued by the networks. It is other things, such as network connectivity and price, which are of maximum importance to those networks—things that might come under the word “anything”, for example.
Let us be clear about the four reasons given by the review that security is undervalued by networks: insufficient clarity on cyber standards and practices; insufficient incentives to internalise the costs and benefits of security; lack of commercial drivers, because consumers of telecoms services do not tend to place a high value on security; and the complexity of delivering, monitoring and enforcing contractual arrangements in relation to security. All four of those issues, which I think are driving the purpose of this Bill, involve the word “security”. Far from these amendments watering down the intent of the Bill, the Minister is watering it down herself by including the word “anything” and ignoring the word “security”. I do not expect her to accept these amendments now, but I would like the department to go away and think about this very carefully, because a catch-all Bill catches nothing.
Baroness Barran (Con)
I hear the noble Lord’s concerns. We will of course take back his comments and reflect on them again. However, I know that officials working on this Bill have considered these points in enormous detail and would be happy to meet the noble Lord and discuss them, if that would be helpful. We believe that our framework does not water down but balances future-proofing with the precision and specificity that the noble Lord seeks. I hope we can follow up on that in a separate meeting.
Lord Clement-Jones (LD)
My Lords, I see a slight chink of light, perhaps, that may be opened by opened by a meeting with the Minister on this subject—because she will appreciate that none of the amendments tabled to the Bill, which we think is important, has been put down lightly, and definition is crucial.
I was somewhat baffled by the noble Lord, Lord Naseby, flying in his jet—I was thinking of perhaps pressing the ejector button, but I thought better of it. The idea that there is an analogy between flying a jet and what we are talking about here was a bit baffling. The only way that I could think of the analogy for a planned outage, which is exactly what the providers are worried about being subject to under this definition of “security compromise”, is where a jet does a planned manoeuvre and everyone scrambles and treats it as an incident—so I cannot see that his analogy holds at all.
I much prefer and give thanks for the contributions of the noble Earl, Lord Erroll, the noble Lord, Lord Coaker, and my noble friend Lord Fox, who, in doubling down on the points raised about the purposes of the Bill, illustrated exactly why we seek to have a much more precise definition. The big problem is that the flexibility demanded by the Government is effectively at businesses’ cost and causes uncertainty. That is the worry about the way that the Bill is currently drafted.
The Minister talked about future-proofing and doing it more precisely, in a sense, by setting out the duties by secondary legislation—but, of course, there are great concerns about the way that the secondary legislation is to be agreed and the codes of practice. So I suppose that, if I were going to ask for a quid pro quo, if there is to be a loose definition of “security compromise”, there must be a very tight way of agreeing the codes of practice and the secondary legislation—but I wonder whether the Minister will actually agree to that trade-off, as we go through the afternoon. I would like to have all of the amendments that we have tabled for today.
I really think that, when the Minister said that this would “undermine the whole approach”, it is good to have it in her script, but that is absolutely not the case. The last thing that we are doing by trying to tighten this definition is to undermine the whole approach; we are trying to create certainty for the providers so that, when they plan outages and there are other planned events, they are not caught by a sidewind when trying to comply with the terms of the Bill. This is a practical issue.
I understand what the Minister says about resilience and, to some degree, that is the case, but there is clearly a great deal of uncertainty surrounding the providers’ interpretation of the Bill, as it currently stands—and they are the ones that will be subject to this. As I said—without wishing to repeat myself too much—the Government’s impact assessment itself makes it very clear that the costs of this exercise, of having to comply with the Bill, are extremely uncertain at this point, and there is quite a lot of concern about that.
I am sure that, if we have a meeting with the Minister in due course, we will be able to persuade her to accept these amendments, and I look forward to it. In the meantime, I beg leave to withdraw Amendment 2.
The Deputy Chairman of Committees (Lord McNicol of West Kilbride) (Lab)
We now come to the group beginning with Amendment 7. Before I call the mover, the noble Lord, Lord Clement-Jones, I will run through the speakers’ list, so that everyone is clear: the noble Lord, Lord Clement-Jones, will be followed by the noble Lord, Lord Naseby, the noble Earl, Lord Erroll, the noble Lord, Lord Fox, the noble Baronesses, Lady Merron and Lady Barran, and finally the noble Lord, Lord Clement-Jones.
Amendment 7
Lord Clement-Jones
“(1A) Regulations under subsection (1) may not be made unless a draft has been laid before, and approved by a resolution of, each House of Parliament.”Member’s explanatory statement
This amendment would require Parliamentary approval before regulations regarding the duty to take specified security measures are made.
Lord Clement-Jones (LD)
My Lords, I beg to move Amendment 7 and will speak also to Amendment 12. New Section 105B introduced by Clause 1 affords the Secretary of State the ability to make regulations that have highly onerous provisions, laying down that a provider must take specified security measures. This is under the negative procedure, which is of course a near 100% guarantee of their coming into force. There is no provision for any independent or specialist oversight of these regulations, as we will discuss later. They cover a huge range of issues in great detail, including
“Network architecture … Protection of data and network functions … Monitoring and audit … Supply chain”.
These are all in the draft regulations, along with
“Prevention of security compromise and management of security permissions … Remediation and recovery … Governance and accountability … Competency … Testing … Assistance”.
Very helpfully—in a way—to my case in the last group, the Minister said that the whole purpose of the regulations was to specify in greater detail what the duties of providers would be. But, already, particular issues have been identified in the draft regulations by providers relating to patches, audit and monitoring, supply chains, foreign network operating centres—and the list goes on. So, there is already a feeling not only that these regulations are very detailed but that they should not be subject to the negative procedure. It seems extraordinary that regulations of such importance are not to be subject to greater parliamentary scrutiny.
Noting, obviously, that the noble Baroness, Lady Merron, will be speaking to her Amendment 11, I move on to my Amendment 12. The fourth report of the Delegated Powers Committee drew the attention of the House to proposed new Section 105E of the Communications Act 2003, which gives the Secretary of State power to issue, revise or withdraw codes of practice about security measures that should be taken by providers in the performance of their duties to prevent security compromises under Sections 105A to 105D. There is a duty to consult with Ofcom and providers but no oversight or approval role for Parliament.
In her letter to us after Second Reading, the Minister of course assured us that:
“Government will consult with affected public telecoms providers and Ofcom on any codes of practice that are issued. This will ensure that we have a full understanding of the code’s impact before it is finalised. A consultation on the first code of practice will take place after the Bill receives Royal Assent.”
I am glad to say that the Delegated Powers Committee, in the light of the importance of the codes to assessing compliance and in enforcement by Ofcom, were unconvinced by the department’s claim that this was too detailed and technical and “not legislative”. As the committee said:
“The Bill provides for codes of practice to play a significant role—both in relation to the exercise of OFCOM’s regulatory functions and in legal proceedings—in supplementing the important duties to take security measures that the Bill imposes on providers.”
It concluded:
“In our view, it is unacceptable for codes of practice that will have the significant statutory effects provided for in this Bill to be subject to no Parliamentary scrutiny procedure.”
As the UK communications council said, the combined effect of the two proposed provisions that I have talked about in these two amendments amount to a near-unfettered ability for the Secretary of State to interfere in the normal operations of what is an otherwise innovative and successful industry. Amendment 7, in particular, seeks to ensure that these regulations need to be approved by Parliament by the affirmative procedure. Amendment 12 would require approval from Parliament for codes of practice under the Bill. Where I differ from the committee and, it seems, the noble Baroness, Lady Merron, is on the procedure to be adopted. In my view, at minimum, it should be by the affirmative procedure. I beg to move.
Lord Naseby (Con)
My Lords, I am sorry that the noble Lord, Lord Clement-Jones, does not like my analogy of flying. I just remind him of a recent series of Boeing airliners that crashed with a huge loss of life when the security of flying was overridden by a piece of machinery. I stick by my analogy but I will not progress that any further in relation to these amendments.
The Bill says clearly:
“publish the code; and … lay a copy of the code before Parliament.”
However, it does not allow Parliament by right to debate that code and any amendments that come. This is a fast-moving market, as we all know. New opportunities have come up that will have a security dimension to them. There will be new developments, I hope, from our own technical universities so there must be some provision for the expertise that both the House of Commons and the House of Lords have within them to debate. Those of us who have been in Parliament for a few decades know that quite often there are unusual people who have a particular niche that they know something about. That is the benefit of the experience of Parliament.
I agree with the noble Lord that it ought to be done on the affirmative procedure. I sat in the chair for five years during the passage of all the Maastricht and other Bills and there are certain areas where it is absolutely crucial that it should be done by affirmative resolution. Therefore I certainly support that dimension.
The Earl of Erroll (CB)
My Lords, I can see that it might be useful to avoid scrutiny sometimes when we have to finesse difficult issues—say, balancing effectiveness and public perception of certain other issues, or whatever. We can also end up with an awful lot of SIs in front of both Houses and everyone feeling rather swamped and bored by them and no one really doing anything about them. The trouble is that we get more and more wide-ranging powers in Bills, and this is a particular example of it. The more we do that, the more careful we have to be about the secondary legislation, because that is where the devil resides and that is where the real control is. We have just passed something that enables a takeover by the Executive. In some cases that may be a good thing; in others it could be very dangerous. To be honest, because of the huge, general issues in these Bills, I now come down in favour of the affirmative procedure. We are going to have to scrutinise it.
Lord Fox (LD)
My Lords, harmony is breaking out across the Room, with the possible exception of the Minister. I will not reiterate my noble friend’s well-put argument but I refer the Minister—I am sure she has already read it—to the impact assessment. I am increasingly of the opinion that the single most useful document that comes with the publishing of a Bill is not the Explanatory Notes but the impact assessment. The department is to be congratulated on the quality of the one produced in this case.
Page 30 of the impact assessment covers the monetised and non-monetised costs of this. At the front of the assessment there is a number. However, point 6.1 says:
“This impact assessment makes an estimation of the costs and benefits of the options”.
It says it brings together “a number of sources” and notes that there are “limitations to the analysis”. The first is the
“lack of robust and specific data”—
that is a fairly serious limitation—
“for example on UK telecoms market size and the size of specific sub-markets”.
Therefore, the number on the front is based simply on—obviously, well-intentioned—estimates of the telecoms market. Furthermore, the costs are quantified based on equipment costs. They are not based on the friction of running a network under the constraints of this Bill, which is itself a glaring error in how one looks at the cost of this Bill in terms of impact.
It is not just about the cost and replacement of equipment—it is about the draft regulations to which my noble friend Lord Clement-Jones referred. They cover all aspects of the operation of the networks in this country. We are looking at a situation in which, if the Minister so chose, the regulations could be made and implemented such that the Minister ran the networks by remote control from the department. That is why these safeguards, parliamentary scrutiny and the affirmative process are an important safeguard to prevent attention—not, I am sure, from this Minister or this Secretary of State, who I am sure can be trusted with these regulations, but we do not know who will follow or what their intentions will be.
As the noble Earl, Lord Erroll, wisely said, to hand over these powers without simultaneously taking significant powers of scrutiny of the statutory instruments that will inevitably follow is the wrong way in which to pass a Bill in your Lordships’ House. For these reasons, along with the huge uncertainty of the cost of what we are doing here, I commend my noble friend’s amendments.
Baroness Merron (Lab)
My Lords, I speak to Amendment 11 in my name and welcome Amendments 7 and 12 in the names of the noble Lords, Lord Fox and Lord Clement-Jones. I was interested that the noble Lord, Lord Fox, referred to a chorus of agreement, which I certainly heard ringing out, expressing concerns about the role that Parliament should have in scrutinising on codes of practice that this Bill currently does not provide for. To me, the codes remind us that the Bill can provide us only with something of a framework, and for many areas there is a wait for the details to be filled in later. As the noble Earl, Lord Erroll, said, the devil, as always, is in the detail.
Clause 3 allows the Secretary of State to issue new telecom security codes of practice that will set out to providers the details of specific security measures that they should take. As we have heard referred to, the impact assessment states that these codes are the way in which the DCMS seeks to demonstrate what good security practices look like. However, I note that Ministers are proposing only to demonstrate but not actually to secure good practice, which I am sure is the real intent—and it would be very helpful if, through this debate, we could get to that place.
I am interested also to note and draw the Minister’s attention to the fact that the Government have said that these codes will be based on National Cyber Security Centre best practice security guidance. The Government have said that they will consult publicly, including with Ofcom and the industry, as we read in the Minister’s letter following Second Reading. That public consultation will be on implementation and revision. However, it strikes me as very strange that the National Cyber Security Centre is not a statutory consultee; can the Minister say why it is not?
I particularly make the point that, as the codes of practice will be admissible in legal proceedings, they have to be drafted accurately and we have to ensure that security input and expertise is fed into them. The National Cyber Security Centre, which is described as a bridge between industry and government and is, indeed, an organisation of the Government, would seem to be a body that should be, in a statutory sense, invited to make the input and offer its expertise, along with other departments and agencies. After all, we can see, when reading about the centre, that its whole reason for being is that it provides widespread support for the most critical organisations in the United Kingdom as well as the general public, and they are absolutely key when incidents, regrettably, occur. We are trying to address those incidents in respect of this Bill.
As we have heard from all noble Lords who spoke in this section of the debate today, the input needs to come from Parliament, which is why I tabled Amendment 11. As the Bill is drafted, the current reading is that a code of practice must be published and laid before Parliament, but there is no scrutiny procedure. I put it to the Minister that if codes have legal weight, why is Parliament being denied the chance to scrutinise them? We seem to have a complete mismatch there. I was taken by the words in the Delegated Powers Committee report, mentioned by the noble Lord, Lord Clement-Jones, in his introduction, which stated that this way of being was “unacceptable” and called for the negative procedure for codes. That is what Amendment 11 does. Can the Minister address specifically the words of that committee report? I refer her to paragraph 27, which says:
“In our view, the Department’s reasons are unconvincing … the fact that codes of practice would be produced after consultation with interested parties cannot be a reason for denying Parliament any scrutiny role; and … the Department appears not to have recognised the significance of the statutory effects of the codes of practice”,
as has been highlighted today. I therefore hope that the Minister will both comment on the report and seek to make what is a very important and significant change in this regard.
I will pick up on one additional point. The impact assessment also says that the codes of practice will have a tiering system for different-sized operators. The initial code will apply to tier 1, which serves the majority of businesses of critical importance to the United Kingdom. This will also apply to tier 2 medium-sized operators but with lighter oversight by Ofcom and longer timetables. Can the Minister offer a draft list of the operators in tiers 1 and 2, and can it be shared with noble Lords? I would also be interested to know whether the Minister has any concerns that tier 2 operators will somehow be worse at compliance. If she has those concerns, what support will be provided to small and medium-sized enterprises? I look forward to her reply.
Baroness Barran (Con)
My Lords, I have heard with interest the contributions of your Lordships regarding the parliamentary oversight of the secondary legislation and codes of practice associated with the Bill. I will try not to disrupt the harmony that broke out so agreeably.
Amendment 7 tabled by the noble Lord, Lord Fox, would apply the affirmative procedure to regulations made under new Section 105B in Clause 1. It would require secondary legislation to be laid in Parliament in draft and to be subject to a debate and a vote in both Houses. Both Amendment 11 tabled by the noble Baroness, Lady Merron, and Amendment 12 tabled by the noble Lord, Lord Fox, would require a statutory instrument to be laid in Parliament for the Secretary of State to issue or revise the codes of practice, under the negative or affirmative procedure respectively.
I will first address Amendment 7 and the procedure for the regulations. The Bill currently provides for the statutory instrument containing the regulations to be laid using the negative procedure. This is the standard procedure for instruments under Section 402 of the Communications Act. The only delegated powers in the Bill currently subject to the affirmative procedure are Henry VIII powers to retrospectively amend penalty amounts set out in the primary legislation.
Lord Clement-Jones (LD)
My Lords, I thank the Minister for that rather depressing reply. I also thank the noble Lord, Lord Naseby, for his support—I think we will have a fly-by in celebration. I thank too the noble Earl, Lord Erroll, my noble friend Lord Fox and the noble Baroness, Lady Merron, who raised some very interesting points, all supportive of greater scrutiny in both respects, which was very helpful. As my noble friend illustrated—the impact assessment is a mine of information—the lack of robust and specific data is one of the areas of great uncertainty, and there is the risk of running the industry by remote control without adequate scrutiny. There is great uncertainty about cost, and therefore there needs to be that level of scrutiny, and there is great concern about the role that Parliament should have.
I was fascinated by the Minister’s argumentation. It does not really matter whether a committee recommends something or not; the Government are not going to accept it. Apparently, it is not good enough to have the affirmative procedure because the committee did not recommend it; on the other hand, it is not good enough to have scrutiny of the codes of practice even though the committee did recommend it. Basically, the Government are saying, “Well, what the hell? We’re not going to agree with the committee on any basis.”
The Deputy Chairman of Committees (Lord McNicol of West Kilbride) (Lab)
My Lords, the Grand Committee will now resume. I think we were just about concluding the remarks of the noble Lord, Lord Clement-Jones.
Lord Clement-Jones (LD)
I might take that hint, but there is still a little bit of water to flow under the bridge.
The Minister knows that there is already a great deal of concern about both the regulations, which I have specified and gone through to some degree, and the forthcoming codes which we are assured will come out, so there is no doubt that the Government are fully aware of the providers’ concerns.
I thought the point made by the noble Baroness, Lady Merron, on the NCSC’s lack of involvement was very strong. That absolutely must be bolted into the Bill; it is fundamental in so many ways, and I do not think any of us really understands why that should not be bolted in.
I come on to the substance of what the Minister said: that using the negative procedure for the regulations was fine because we are not amending primary legislation. Do we now make a virtue of a non-Henry VIII power? Are the only powers that we think should now be subject to the affirmative procedure Henry VIII powers? We have moved some way. I am clearly getting far too long in the tooth to see those sorts of arguments being made by Ministers, especially when it is a matter of scrabbling around to keep the Bill as it is. I understand the “not invented here” principle, but it is a bit depressing to see it when the merits of a case are so strong.
The other time-old argument is “Don’t worry your pretty little heads; these are technical regulations. Parliamentarians can’t have too much oversight of a technical regulation—they might not understand it. They might get confused and lose sleep.” I do not know what the arguments are, but they are clearly bogus. We should go for the affirmative, and someone with the experience of the noble Lord, Lord Naseby—I am sorry to see he is not here—as a Deputy Speaker in the Commons knows full well that that is the appropriate form.
The words “legislative effect”, which the noble Baroness, Lady Merron, emphasised, as I do, are important in this context, and were raised by the Delegated Powers Committee. On this point about having no delay, regulations needing to be updated, and a code of practice needing to be flexible and updated, we have seen that this Government can pass Covid-19 regulations in a blink; they can do virtually anything they feel like at the drop of a hat and nobody says boo to a goose, so I do not think that is a very useful argument.
The other point the Minister made was that the code needs to be understood by its audience. Again, that is a “Don’t worry your pretty little head” argument—“Parliamentarians will not understand the code—it is not relevant to them; only the providers need to worry about it.” But providers are worried about the code, and they would be much reassured if they saw that there was proper scrutiny.
I am really sorry to say that I did not even see a chink of daylight in that group, sadly. I hope that we can move a bit further as the Bill progresses but, in the meantime, with great disappointment, I beg leave to withdraw the amendment.
Baroness Merron
“(7) In making regulations under this section, the Secretary of State must take the utmost account of the advice of the Technical Advisory Board and a Judicial Commissioner concerning the proportionality and appropriateness of any measure or description of measure specified in the regulations.”
Baroness Merron (Lab)
My Lords, I move Amendment 8 in my name and welcome the similar Amendments 9 and 19 in the names of the noble Lords, Lord Clement-Jones and Lord Fox. The Minister will recognise some similar themes in this group to those in the previous debate. The amendments are to Clause 2, which gives the Secretary of State the powers to make regulations which require providers to take specified measures in response to a specified security compromise and where a security compromise has a specified adverse effect on the network or service. The Minister will not be surprised that the amendments seek to understand what advice the Secretary of State will receive and where that advice will come from when making these regulations.
I am sure that we have all heard concerns about how these regulations are widely shared. For example, Comms Council UK has said that this represents an
“unprecedented shift of power from Parliament to the Minister in relation to how telecoms networks operate”,
and argues that
“the Minister will be able to unilaterally make decisions that impact the technical operation and direction of technology companies, with little or no oversight or accountability.”
Unsurprisingly, there has been a call for technical and judicial oversight, as reflected in these amendments, just as the Investigatory Powers Act 2016 established a Technical Advisory Board to advise the Home Secretary on the reasonableness of obligations imposed on communications providers. There is precedent here to which we can usefully refer.
Other concerns were expressed in Committee in the other place. The Digital Policy Alliance is familiar to a number of parliamentarians, especially the noble Earl, Lord Erroll, who is chair of that august organisation. I am sure that he is aware of the comments of its Dr Louise Bennett, who said:
“There is no mention in the Bill of a technical advisory board focused on the provisions of the Bill, and that would be a very helpful addition.”—[Official Report, Commons, Telecommunications (Security) Bill Committee, 14/1/21; col. 49.]
I agree. Such a board would, for example, be able to point out that new types of components were coming down the track. Does the Minister feel that such a board would be a helpful addition? If not, why not?
Have the Government considered expanding the remit of the current Technical Advisory Board to cover the powers in the Bill? Amendment 19 in the name of the noble Lord, Lord Clement-Jones, gives us a useful steer on how any such new board could be constituted. Without such a board, what technical advice will the Secretary of State receive? Who will it come from, and will it be published? I look forward to the Minister’s reply.
Lord Clement-Jones (LD)
My Lords, I am delighted to be on the same page as the noble Baroness on the insertion of a technical advisory board and judicial commissioner into the process. I note that she quoted Dr Bennett of the DPA; I am proud to be a DPA member and sitting opposite my chair. Others from the industry have made the same points. Comms Council UK has pointed out that there are no clear mechanisms for technical feedback or expertise to be fed into the drafting of the regulations and the codes of practice, which we discussed on the last group. It makes the point that many of the technical requirements that will be placed on its members are not in the text of the Bill but are in the accompanying regulations and the code, which we have heard has yet to be published. It is clear that, in these draft regulations made under Section 105B and 105D—
The Deputy Chairman of Committees (Lord McNicol of West Kilbride) (Lab)
My Lords, the Grand Committee is resumed—third time lucky. I call the noble Lord, Lord Clement-Jones.
Lord Clement-Jones (LD)
My Lords, I hope I am demonstrating the agility of which the Minister is so fond. As I said earlier in respect of the judicial commissioner, these amendments provide a ready-made mechanism for oversight concerning the proportionality and appropriateness of any measures in the regulations and codes. Taken together, Amendments 9 and 19, would require the Secretary of State to take into account the advice of the technical advisory board—and insert a new clause after Clause 14—and that of a judicial commissioner appointed under the 2016 Act. We have gone a little further in specifying the make-up of the technical advisory board, but we are clearly on the same page as the noble Baroness, Lady Merron, with her Amendment 8.
The Earl of Erroll (CB)
My Lords, I want to speak on this issue as I remember mentioning it at Second Reading. There is a person for whom I have huge respect, Dr Louise Bennett, whose extensive knowledge and sagacity I first ran into when we were talking about ID cards years ago and the whole problem of digital identity and privacy over the internet. If you really want to know about such things, read her work: she has produced a lot of work on this. I think a technical advisory board is essential: these are complex issues. The Minister said that the matters subject to regulation will be technical. I do not see how we can do this without a good technical advisory board, and it is good if we have some view of who goes on it, because it is too easy for these things to disappear off and no one thinks about them. We will keep needing cutting-edge advice and not have groupthink, and these matters are very tricky.
Between Amendments 8 and 9, I could not decide between taking “the utmost” and “full” account; there is a neat little difference in the wording. Otherwise, the point about laying it out properly is important. The other thing, which slightly goes back to our previous debate, is that we get into the whole problem of what are regulations, what is guidance, what are guidelines and what is a code of practice and the different legal stance of those different things. We have to be careful about using them as if they were interchangeable. Regulations will often give rise to a code of practice, breach of which is not necessarily an offence, but they can be linked back to a primary Act offence. We should not bandy those words around interchangeably; they are different. We need a technical advisory board and, between these amendments, we should do something about it.
Lord Fox (LD)
In quick response to, or doubling up on, the noble Earl, Lord Erroll, my understanding is that the code is enforceable by law. If it is not, perhaps the Minister can explain how the operators are expected to deliver.
This is relatively simple. The Minister has asserted that this is a technical issue. She has asserted that it is too technical for Parliament to be able to manage, but at the same time, as it is currently structured, there will be a self-referential group of people. If the Covid crisis has told us anything, it is that a self-referential group of people is not good at horizon-scanning. Security is a great big horizon scan. You normally know you have not got security only when you lose it and it is essential to take advantage of the diversity of technical opinion that exists in this country and elsewhere. It is extremely arrogant to believe that the sum of human knowledge is contained in one department, and probably one subsection of one department.
For those reasons alone, a technical advisory board is vital to secure the future of this country. That seems to me self-evident, but clearly it is not, so perhaps the Minister can explain. Was this discussed, when was it discussed and why was it dismissed as an option?
Both these amendments have very cunningly taken advantage of existing structures; they have looked at the Investigatory Powers Act 2016 and read across, with ready-made structures that can deliver both the technical advisory board and the benefits that I have just set out and a judicial commissioner to make sure that there is sufficient proportionality and appropriateness in those measures. It seems to me that it is for the Minister to explain, if this was good enough for the 2016 Act, why it is not appropriate to put it in this Bill for these issues.
Lord Parkinson of Whitley Bay (Con)
My Lords, I am grateful to noble Lords who have taken part in the debate on these amendments, which seek to require regulations and codes to reflect advice provided by technical advisory boards and a judicial commissioner. The amendment to Clause 2, tabled by the noble Baroness, Lady Merron, requires any regulations made under new Section 105D to reflect advice provided by the existing Technical Advisory Board to the Home Office and a judicial commissioner. Similarly, the two amendments tabled by the noble Lord, Lord Clement-Jones, would require regulations to reflect advice provided by a new technical advisory board and a judicial commissioner.
Each of these amendments concern regulations made under new Section 105D and codes of practice issued under new Section 105E. I appreciate that noble Lords are seeking to ensure that any regulations and codes of practice are appropriate and proportionate before they are made or issued. However, there are several difficulties with what they propose. First, Clause 2 already requires the Secretary of State to make these measures only when he actively considers that they are appropriate and proportionate, under the wording of subsections (2) and (4) of new Section 105D. To ensure that is the case, the Secretary of State would have to consider relevant advice, which could include technical security assessments provided by the National Cyber Security Centre. The noble Baroness, Lady Merron, asked whether the advice would be published. As is usual practice, we would not publish advice given to the Secretary of State on the new framework, but we will consult on the code, and we feel that is the best and appropriate way in which to draw together the views of all relevant parties and their expert advice.
Advice to the Secretary of State could also include relevant representations by public telecoms providers. To reassure the Committee on this point, we have received helpful feedback from telecoms providers on the illustrative draft measures that were published in January. DCMS continues routinely to engage with telecoms providers about this Bill and telecoms security more widely.
Similarly, Clause 3 requires that any codes of practice are finalised only after consultation with affected providers. The process of consultation, when taken together with the fact that codes can only give guidance on legal obligations and not expand their scope, as noble Lords noted, means that any final codes in effect will be appropriate and proportionate. The noble Lord, Lord Fox, asked whether it was enforceable by law. It is guidance, not law, but the code has certain legal effects, as set out in Clause 3. In that context, further advice from a technical or judicial panel would therefore be unnecessary.
We understood the amendment proposed by the noble Baroness, Lady Merron, to refer to the Technical Advisory Board to the Home Office. That board provides advice regarding the reasonableness of obligations imposed on telecoms providers under the Regulation of Investigatory Powers Act 2000 and the Investigatory Powers Act 2016. Each of these amendments risks confusing two separate sets of security arrangements.
Section 227 of the Investigatory Powers Act provides for the Prime Minister to appoint the Investigatory Powers Commissioner and judicial commissioners. The role of the Investigatory Powers Commissioner is to authorise and oversee the use of the investigatory powers, in the public. The Investigatory Powers Act regime is not comparable with the new framework set out by this Bill. Oversight of the Investigatory Powers Act regime by the Investigatory Powers Commissioner is considered appropriate because of the potential intrusion into the private lives of individuals as a result of the use of covert powers.
The powers to make regulations under this Bill are very different to those in the Investigatory Powers Act. They are focused on protecting public telecoms networks and services by improving the security practices of telecoms providers—so those two sets of arrangements should not be confused. Indeed, there are specific provisions in the Bill designed to ensure that it does not adversely affect lawful activity carried out by law enforcement authorities and the intelligence services under the Investigatory Powers Act. The judicial commissioner would therefore be the wrong body to advise the Government on the Bill’s regulation-making and code-issuing powers. For those reasons, the Government are not able to accept these amendments, but I hope that that explains why and reassures the noble Lords sufficiently for them to be content not to press their amendments today.
The Deputy Chairman of Committees (Lord Rogan) (UUP)
I call the noble Lord, Lord Clement-Jones—sorry.
Lord Clement-Jones (LD)
I must admit that I am somewhat baffled by the Minister’s response. The argument on the technical advisory board seems to be, “Oh, we’ve got enough technical advice, so we don’t need one”—but, clearly, it seems that there is a need for this. I quoted providers—I can go into the papers that we have received from them—as saying that real issues arise out of the regulations. These are technical and relate to things such as patches and audit and monitoring issues. There is a feeling that the department is just not listening on those issues, and what is needed is someone who is rather more dispassionate and can advise on the technical issues that are arising—perhaps, if it is seen as a conflict, someone like the noble Earl, Lord Erroll, who can genuinely advise on this kind of thing. It seems to me to be extraordinarily dismissive to say, “We’ve got enough advice. We don’t need a board of this kind”.
In the Investigatory Powers Act 2016, there is a very useful technical advisory board—it is not usable for this purpose because its function is rather different under that Act. When the Minister comes to the point about the judicial commissioners, saying, “Oh, no, they are for an entirely different purpose”, I say that, actually, if you read their function, it is four square with the kind of thing that would be useful under this Bill. They are talking about not technical issues but proportionality, appropriateness and so on—very much the kind of thing that they are dealing with under the 2016 Act.
So I am afraid that I do not buy what the Minister has to say, sadly; I just think that it is pushback based on the thinking that, “Well, the Bill’s the Bill and it’s all drafted, so we don’t really want to do very much with it by way of amendment”. That is the time-honoured government response to this kind of suggested amendment, but I believe that, constructively, both these aspects—a judicial commissioner and a technical advisory board—would make a great difference to the functioning of the Bill and would lead to much better regulations and codes of guidance at the end of the day.
Lord Fox (LD)
I thank the Deputy Chairman and apologise for speaking across him. I am a bit intrigued by the comment of the noble Lord, Lord Parkinson, on the subject of legal enforceability. He is correct to say that, as new Section 105H states, the
“provision of a code of practice does not of itself make the provider liable to legal proceedings”
—but it would not be liable only when the provision was not in force in time or when it was not legal. However, you would not bring a legal case anyway when it was not relevant or in force, so, to all intents and purposes, where the code is in force and relevant, it is legally enforceable. Therefore, it is legally enforceable.
Lord Parkinson of Whitley Bay (Con)
First, if I may, I will take back the point made by the noble Lord, Lord Fox, about new Section 105H under Clause 3; I will write to him to, I hope, alleviate any concerns and confusion. There are certain legal effects set out; I will write to him to clarify the point about legal enforceability.
I am grateful to the noble Lord, Lord Clement-Jones, for his appreciation. Part of the confusion here may be that two technical advisory boards are mentioned in these groups of amendments. As I think he noted, the one set up under RIPA has a different function, but we are certainly not being dismissive of the points that have been raised. Indeed, as I said, we have spoken to the industry and received helpful feedback from telecoms providers on the illustrative draft measures that were published in January. We will also be glad to look at the information that he mentioned—the views that have come his way—to make sure that these are reconciled; if he is happy to share them, we will look at them and come back him.
Baroness Merron (Lab)
I thank all noble Lords for their contributions. In view of the pandemic restrictions on the numbers that might sing in a choir inside, it is dangerous now to say that we are singing from the same hymn sheet—as the noble Baroness, Lady Barran, will recall from her time at the Dispatch Box. I do not know whether we would count as amateur or professional, so perhaps I could venture in that direction, but there is a sense among noble Lords of wanting to strengthen the Bill by ensuring that the Secretary of State has the best technical advice.
I thank the Minister, the noble Lord, Lord Parkinson, for his response. However, I take from it that a technical advisory board is not required. I share the confusion that was referred to earlier by the noble Lord, Lord Clement-Jones. On the one hand, in the previous set of amendments, we were advised that this is so technical that it is not appropriate for a particular aspect of parliamentary scrutiny, yet suddenly, it seems, it is not quite as technical but we need further advice. I am reminded of the words of the then Lord Chancellor, Michael Gove, who we will recall commenting in a debate over Brexit that we have “had enough of experts”; I suspect the Minister will have picked up from the amendments today that we feel we have not had enough of experts. I hope he will reflect on the fact that these amendments seek to assist the Secretary of State, and to assist this Bill to do the job it is here to do to very best effect. With that, I beg leave to withdraw the amendment.
Lord Clement-Jones
“(d) must ensure that the code of practice is necessary and proportionate to what it intends to achieve and does not place an undue burden on any electronic communications networks or electronic communications services.”Member’s explanatory statement
This amendment seeks to ensure codes of practice are necessary and proportionate.
Lord Clement-Jones (LD)
My Lords, in its evidence to the Bill in the Commons, BT said:
“we believe greater clarity is needed on OFCOM’s planned approach, with safeguards introduced in the Bill to ensure operator burdens are proportionate.”
Amendment 10 seeks to ensure that codes of practice are necessary and proportionate.
As regards Ofcom’s new powers to ensure compliance with security duties as set out in new Section 105M, how will these relate to Ofcom’s existing powers and duties under Sections 3 and 6 of the Communications Act 2003? Will this duty and the new powers Ofcom is being given still be subject to good regulatory practice so that, for example, it still must have regard to the principles of transparency, accountability, proportionality and consistency and not impose unnecessary burdens? How will this fit in with the statement to be made by Ofcom under new Section 105Y?
Amendments 16, 17 and 21 to Clauses 5, 6 and 19, in my name and that of my nobble friend Lord Fox, seek to ensure that the new powers for Ofcom introduced in the Bill are subject to requirements in the 2003 Act regarding carrying out and reviewing its functions. I was pleased that in her letter to noble Lords after Second Reading, the Minister explicitly said:
“When carrying out its security functions, Ofcom will remain bound by its general duties under Section 3 of the Communications Act 2003 as it is now. Section 3(3) provides a duty on Ofcom to have regard to the need for transparency, accountability and proportionality when carrying out its functions. Ofcom will also be bound by its duty under Section 6 of the Communications Act 2003 to review the burden of its regulation on public telecoms providers. If Ofcom fails to carry out its security functions in line with these duties, then it is likely to be subject to legal challenge.”
I very much appreciate those words, which are a very clear interpretation of the existing Act and the duties of Ofcom and the responsibilities it has in the way that it carries them out. Will the Minister repeat that assurance today?
The Earl of Erroll (CB)
My Lords, I want to say a few words on this because the key words “undue burden” stand out. It is very important that we do not put too many burdens, particularly unnecessary ones, on companies. In particular—and this is something that I have often looked at because I have done a lot of work with innovative and growing companies—you must not let large corporations stifle innovation. There is an attitude among them that regulations are for your enemies; they are a very good way of stopping up-and-coming competition. I have also noticed that departments tend to consult the companies which have significant market presence already and see them as being the people who know all about it. However, that does not take account of what is up and coming. The other thing is that they often have people on secondment from them or people who have retired from the companies and gone into the departments, so there can be some interesting biases within. With those few warnings, I think the whole undue burden issue is more important than people might think.
Lord Fox (LD)
The undue burden point touched on by the noble Earl, Lord Erroll, is really important. On a previous group I spoke about regulatory friction and the fact that this has not been costed into the impact assessment. Clearly, regulatory friction is harder for smaller companies to deal with than larger companies. I think that is the point that the noble Earl was making. It is one that I would also join up.
We should also not confuse lots of regulations with security. The whole point about people who wish to subvert security is that they understand the regulations and go round them. Indeed, sometimes regulations are a guidebook for security, in a sense, because they show the map around which you seek to find the chinks.
The point in the impact assessment about making the networks value security is right. On that, I completely agree with the Government. I am not sure that some of the measures in the Bill actually do that; what they do is create a regulatory load without necessarily adding value. Some of the measures that we spoke of in the last group of amendments, as well as in this, are about stripping this down to where value is added rather than simply more regulation being loaded up.
One of the great pleasures of speaking after my noble friend Lord Clement-Jones is that he normally says everything better than I would. He simply asked the Minister to repeat what was in the letter and to endorse the 2003 Act. I hope that he is able to grant his wish.
Baroness Merron (Lab)
I thank the noble Lords, Lord Fox and Lord Clement-Jones, for these amendments. As before, it is a pleasure to follow their contributions and that of the noble Earl, Lord Erroll.
On the codes of practice and Amendment 10, I understand the importance of not wanting to put undue burdens on businesses. We should make particular reference to the exceptionally difficult and testing times that businesses and the economy have had to suffer over the past year due to the pandemic. Obviously, a balance needs to be considered. We have to ensure that if the codes are going to be used, they are the most effective way of implementing security measures. How will the Government consider the impact of codes on businesses? For example, will there be specific consultation about undue costs in respect of businesses?
The concerns that we have heard in this debate give a further nod to concerns about lack of parliamentary oversight, which is missing from the codes. I again say gently to the Minister that by giving parliamentarians the opportunity to provide scrutiny there might also be the ability to review the impact on businesses.
Amendments 16, 17 and 21 would ensure that Ofcom’s new powers in the Bill were subject to requirements in Sections 3 and 6 of the Communications Act 2003. Section 3 focuses on the general duties of Ofcom, while Section 6 focuses on reviewing regulatory burdens. It would be helpful to hear from the Minister whether the Bill has been deliberately drafted for the new powers to fall out of scope of those sections in the Communications Act and, if so, why.
What review process will be faced in respect of Ofcom’s new powers? It is very important that, when new powers are given, there is an opportunity to review, reflect and amend, and to keep a close eye on whether those new powers are doing the job intended.
Lord Parkinson of Whitley Bay (Con)
I thank the noble Lords, Lord Fox and Lord Clement-Jones, for these amendments, and all noble Lords who have spoken in the debate. The amendments focus on the need for the regulations and code of practice to be proportionate, and to ensure that the duties of Ofcom are carried out in a transparent and similarly proportionate way.
I turn first to Amendment 10, tabled by the noble Lord, Lord Fox. This amendment to Clause 3 seeks to ensure that codes of practice are necessary and proportionate to what they are intended to achieve, and do not place an undue burden on telecoms providers. The Bill already includes provisions in Clauses 1 and 2 to ensure that security duties placed on public telecoms providers in the primary legislation and specific security measures set out in regulations must be considered to be appropriate and proportionate by the Secretary of State. The code of practice will provide the technical guidance on the steps that public telecoms providers should take to meet their security duties. I certainly agree with the noble Baroness, Lady Merron, about the extra—and indeed extraordinary—work that providers have done over recent months to keep us all in contact during the pandemic.
To help ensure that technical guidance in the code of practice is appropriate and proportionate, Clause 3 requires the Secretary of State to publish a draft version of the code of practice before it is issued, and to consult on its contents. This public consultation will take place after the Bill has attained Royal Assent; it will enable the voices of telecoms providers of all sizes—as noble Lords rightly pointed out—the wider sector, Ofcom, and any other affected groups to be heard and taken into account before the code of practice is finalised. Subsequent versions of the code of practice, which will be revised as technology evolves and new threats emerge, will also be subject to the same process of consultation before being issued.
An impact assessment is also being conducted for proposed secondary legislation to be laid as part of the new framework, which will take into account the initial cost assessments from providers to ensure that the framework is balanced and proportionate. The precise make-up and design of each provider’s network remains a commercial decision. The Bill makes it clear that providers are responsible for the security of their own networks and services; providers also remain responsible for deciding how they recover their costs. As such, we expect the costs of ensuring adequate security to be met by individual providers.
I turn to Amendments 16, 17 and 21, tabled by the noble Lord, Lord Clement-Jones. These seek to apply Sections 3 and 6 of the Communications Act 2003 to Ofcom’s duties and powers under Clauses 5, 6 and 19 of this Bill. Section 3 of the Communications Act sets out Ofcom’s general duties; these include a duty on Ofcom to have regard to the need for transparency, accountability and proportionality when carrying out its functions. Section 6 of the Communications Act requires Ofcom to review the burden of its regulation on telecoms providers. These are all principles that we think are essential to the functioning of the new security regime created by this Bill. I am glad to repeat the reassurance given by my noble friend in her letter, which the noble Lord, Lord Clement-Jones, mentioned, that Ofcom is already bound by its general duties in Sections 3 and 6 of the Communications Act when carrying out its security function under new Section 105M, and when using any of its powers in this Bill. This will include Ofcom’s power to carry out an assessment of public telecoms providers’ compliance with their security duties under Clause 6 of this Bill, and powers for Ofcom to give inspection notices under Clause 19. As my noble friend said in her letter, if Ofcom fails to carry out its security functions in line with these duties, it could be subject to legal challenge.
The provisions in the Bill already ensure that the regulations, code of practice and duties of Ofcom are proportionate. Therefore, we do not think that these amendments are necessary, and we hope that noble Lords will be happy not to press them.
Lord Clement-Jones (LD)
My Lords, I thank the Minister for that—he pierced through the gloom of the afternoon, giving an assurance that existing duties of Ofcom will cover the new powers.
I think we have a Pepper v Hart situation that works for the other aspects on the code of practice. It is not just the regulations and the duties and powers of Ofcom that are subject to it; the way in which the code of practice will be drawn up is covered also by the duties under Sections 3 and 6 of the existing Act. I very much hope so, and I need to take away and read what the Minister had to say.
Baroness Merron
Baroness Merron (Lab)
My Lords, Amendment 13 seeks to speak up for consumers and to probe possibilities as to how we may act in their interests. After all, they are the ones who are, on an individual basis, and often in very large numbers, at the receiving end of security threats.
Amendment 13 would amend Clause 4, which places a duty on providers to take steps to inform users about security compromises or where there is a significant risk of a security compromise occurring which may adversely affect the user as a result. As we see in the clause, the provider must inform the user about the existence of the risk, the nature of the security compromise, what steps could be reasonably taken by users in response, and of course the name and contact details of a person who may provide further information. All those are welcome, and such a duty being placed on providers to report security incidents is right and proper. After all, for many years, we have heard calls from all sides to place a clearer and more comprehensive duty on providers to share information with users, who should not be kept in the dark. When they are affected by a breach, there are not just practical considerations; as we all know, such security breaches are extremely distressing and worrying, as well as compromising for those affected. It is right for them to have some sort of redress.
Let us reflect on the high-profile incidents where users have not been told of security incidents. For example, TalkTalk failed to inform 4,500 customers that their personal information, including bank account details, was stolen as part of the 2015 data breach. That was revealed only in 2019, when details were found online. I am sure that, like me, the Minister will completely understand how distressing this must have been for those people, who were not only affected but were given no opportunity by the company to do anything about it.
Clearly, we know that such behaviour by telecoms companies is unacceptable. However—and this is what the amendment seeks to assist with—Clause 4 does not give a timeframe for providers to inform consumers. This probing amendment suggests a 30-day window to do so. I understand that we have to be aware that this cannot lead to further security compromises that could result from informing the public, so that point has to be taken into account.
How quickly does the Minister think providers should inform the public of a security breach? I ask that because under Clause 4, which is very open, it could be months before users find out that their personal data has been stolen. How much worse for people to find out in that way and in that sort of timeframe?
The amendments we are debating today and the Bill we are considering are all about the protection of national security. In all that, let us remember consumers too, whose interests are key to these debates. The public have to know that their data is safe and when to take necessary steps if their privacy has been threatened in some way.
On Amendments 14 and 15, I should be interested to hear from the Minister whether an Ofcom backstop to halt providers speaking to users on security grounds already exists. Does Ofcom have the expertise already to make such a judgment, or would new experts—I use that word carefully but definitely—and new expertise be needed? I look forward not only to the Minister’s reply but to the comments of noble Lords participating in this debate.
Lord Clement-Jones (LD)
My Lords, I shall speak to Amendments 14 and 15. I wanted to say on the last group of amendments that I entirely agree with the noble Earl, Lord Erroll, about regulation. It is entirely possible for regulation to provide certainty, to stimulate innovation and, in the context of this Bill, to ensure that we have the right framework for our providers to ensure that our security is not compromised. So there is certainly no negativity in that respect towards regulation; the question is whether it is appropriate in the circumstances and not unduly burdensome for those subject to it. That is why the question of parliamentary oversight, which has been mentioned throughout this afternoon, continues to be important, and I think that it will come up again in the next group.
This amendment is on rather a different area. I have quite a lot of sympathy with Amendment 13 in the name of the noble Baroness, Lady Merron, but this is more nuanced than the Bill provides for. I want to quote again from the evidence of BT to the Bill Committee in the Commons. It said:
“We agree with the requirements on operators to support the users of their networks in preventing or mitigating the impact of a potential security compromise … In certain cases”—
and this is a sort of “however”—
“the security of the network may be put at greater risk if potential risks are communicated to stakeholders, providing malicious actors with additional information on potential vulnerabilities in the network that they may seek to exploit. We therefore believe that the Bill should explicitly consider such scenarios and not place obligations on communications providers to inform users of risks whereby doing so it will increase the likelihood of that risk crystallising.”
That is where our first amendment is going. BT further stated that
“the Bill also confers powers on OFCOM to inform others of a security compromise or risk of a compromise, such as the Secretary of State or network users. We understand the intention of the Bill in this regard and support the principle. We believe that this would be most effective when done in conjunction with the operator in question to ensure there is clarity and agreement, where possible, on the timing, audience and messaging of such information provision. This would also ensure that this does not cut across any other obligations that an operator may have, such as market disclosures. The Bill currently does not require OFCOM to consult with the operator prior to informing third parties of a security compromise (or risk of one).”
I think these are fair points. The Government must have an answer before Ofcom is faced with that set of issues. In this light, Amendments 13 and 15 make further provision about the duty to inform users of a risk of security compromise and specify that duties to inform others of “significant risks” of security compromises must be proportionate and not in themselves increase security risks.
The Earl of Erroll (CB)
My Lords, I put my name down to speak to this because the problem with putting a fixed time period on having to report security breaches is that it very much depends on what the breach is. We mentioned patches earlier. If it is a vulnerability in the software—or it may be the hardware—which requires a patch to be released, you must have the time to produce it and test it as fully as possible. You do not want the hackers out there to know what the vulnerability is until you can roll out the answer to it. That is what zero-day attacks are based on. Equally—the noble Baroness is absolutely correct here—you do not want this stuff swept under a carpet to sit there unused for years. Could our technical advisory board give advice at an incident level, or something like that?
Lord Fox (LD)
My Lords, this is an interesting and nuanced—to coin a word we used earlier—debate. I am probably the only person here who has had to deal with a national security issue that impacted a consumer brand in real time on television. I must say that 30 days was not an option—30 minutes was not an option. Picking up on the point of the noble Earl, Lord Erroll, the time is entirely dependent on the nature of the crisis or security breach. My fear is that 30 days becomes a target rather than an injunction.
I think the point here is “no burial”. I assure colleagues and others in this Room that our amendments do not intend to bury the issue either, but to introduce some equivocation in the event that not announcing something makes things more secure than announcing them. The point of this is not to protect the reputation or otherwise of the network, but to protect consumers and the integrity and security of the network. That is the decision Ofcom would need to make. That would be its call. Its default position would be that it needs to be communicated to consumers as quickly as is sensible, unless there is a reason not to communicate it, and it would be up to the network providers to put their position forward. However, there are definitely times when it should not be communicated. At the moment the Bill seems rather unequivocal in its approach.
The Deputy Chairman of Committees (Lord Rogan) (UUP)
I call the noble Baroness, Lady Barran.
Lord Fox (LD)
Sorry, I have not quite finished.
I would call Amendment 15 a “good manners” amendment. If Ofcom possesses information that the network provider does not, it simply calls for that network to be brought into the loop before the rest of us are. That seems good manners to me—you do not necessarily have to legislate for that, but these days it always helps. I have now finished.
Baroness Barran (Con)
My Lords, I thank the noble Baroness, Lady Merron, and the noble Lords, Lord Clement-Jones and Lord Fox, for tabling these amendments to Clause 4 and for their considered remarks. As we have heard, these amendments speak to reporting requirements placed on industry in the event of a significant risk of a security compromise and the powers bestowed on Ofcom in the event of a compromise or the risk thereof.
Amendments 13 and 14 amend new Section 105J. As the noble Baroness, Lady Merron, summarised, new Section 105J is designed to give users of telecoms networks and services relevant information when there is a significant risk of a security compromise, including the steps that they should take to prevent such a compromise adversely affecting them. Giving users this information will help ensure that, where possible, they can take swift action to protect themselves. It will also contribute to greater awareness of security issues, supporting users to make more informed choices about their telecoms provider.
The Deputy Chairman of Committees (Lord Rogan) (UUP)
I have received a request to speak after the Minister from the noble Lord, Lord Clement-Jones.
Lord Clement-Jones (LD)
My Lord, until the Minster replied, “nuance” was the word being used in the context of information being provided and required and so on. I am afraid that nuance was completely lost in that response. The response to Amendment 14 was that the NCSC, the Government, the Secretary of State and Ofcom know best and that is it. They have to release the information. They do not believe there are any circumstances where it should not be released. It is all there in the NCSC guidance and well, too bad—tough. That seemed to be just about the Government’s position. That is pretty extraordinary considering that the relationship with the providers is extremely important, particularly in these circumstances where there have been breaches. We have heard from noble Lords during the debate that the timing of giving the information is important but the very fact of giving the information may also be important. I am afraid that is part 1 of a rather depressing response.
Part 2 was almost worse because the amendment being put forward is the mildest possible one. Ofcom must consult the provider in question
“where reasonably practicable to do so.”
As for the idea that this is going to lead to horrendous delay, the Minister really had to scrape away to find a suitably negative response to that amendment. I am afraid that her response in both respects does not engage with the real issues and I think it is grossly unsatisfactory in the circumstances.
Baroness Barran (Con)
My Lords, I am sorry, as ever, to disappoint the noble Lord, Lord Clement-Jones. With regard to his first point, of course the relationship with providers is important, which is why we have worked so closely with industry throughout the preparation of the Bill. However, as the noble Baroness, Lady Merron, said so eloquently, the relationship with users is also very important; it is that balance that we are seeking to strike. I am sorry if the noble Lord found my remarks grudging or negative; there was a lot of thought behind them.
Baroness Merron (Lab)
My Lords, this has been a healthy debate. I thank all noble Lords who have contributed on the various amendments. I certainly noted from her response to Amendment 13 in my name that the Minister shares my understanding of the issues for consumers. The debate has shone a light on the fact that it is not possible to simply put one set of interests above another. I felt in the course of the debate that it has been understood that, while fixed time periods may create an unintended consequence, as the noble Earl, Lord Erroll, said, they do ensure that things are not swept under the carpet. That is really where the amendment was seeking to probe.
I appreciate the point made that, while timescale is at the discretion of telecoms providers, there are certain requirements on them. I still have a sense of nervousness; I hope that, as we proceed with this legislation, the telecoms providers will understand the importance of acknowledging and responding to the very real concerns, interests and threats to consumers when they consider what the words “reasonable and proportionate”, as well as the words “timely manner”, mean. With that, I beg leave to withdraw my amendment.
The Deputy Chairman of Committees (Lord Rogan) (UUP)
We now come to the Question that Clause 13 stand part of the Bill. As many as are of that opinion will say, “Content”—
The Deputy Chairman of Committees (Lord Rogan) (UUP)
I apologise to the noble Lord, Lord Clement-Jones.
Clause 13: Appeals against security decisions of OFCOM
Lord Clement-Jones (LD)
My Lords, we know how it is when you are on a roll. This reminds me that it is very unusual for somebody to have the opportunity to get in before the noble Lord, Lord Fox, draws breath, as the Chair did. “Very impressive footwork,” I thought to myself.
There has been a common theme this afternoon of a lack of oversight over aspects of this Bill in many respects—in particular, the regulations and codes. This lack of oversight is compounded by the fact that, under Clause 13, any appeal to the Competition Appeal Tribunal cannot take account of the merits of a case against the Secretary of State. The rationale for this, as the Constitution Committee says,
“is unclear and is not justified in the Explanatory Notes.”
I will quote the Explanatory Notes in full. Clause 13 provides that, in appeals against relevant “security-related” Ofcom decisions, the Competition Appeal Tribunal is to apply ordinary “judicial review principles”, notwithstanding any retained case law or retained general principle of “EU law”—by that they of course mean retained EU law. This means that the tribunal should not “adopt a modified approach” to proceedings, as required under retained EU law, which provides that the “merits of the case” must be “duly taken in account”.
Therefore, this provision disapplies aspects of the ongoing effect and supremacy of retained EU law, as permitted by Section 7 of the European Union (Withdrawal) Act 2018. The rationale for reducing the powers of the tribunal in respect of security matters is unclear and not justified in the Explanatory Notes. The House may wish to ask the Government to justify reducing the powers of the Competition Appeal Tribunal in respect of appeals under Clause 13. That is the motive behind this clause stand part debate.
The most authoritative judgment to date about the current standard of review is the Competition Appeal Tribunal’s TalkTalk Telecom Group plc and Vodafone Ltd v Office of Communications case. This addresses, inter alia, the standard of review on an appeal to the Competition Appeal Tribunal under Section 192 of the Communications Act. The judgment of Peter Freeman QC provides a good analysis of the context and history of the changes to the standard of review. I make no apology for quoting it at some length:
“Of particular relevance to how the Tribunal should approach this appeal are Article 4(1) of the Framework Directive and section 194A of the 2003 Act, as amended by the DEA17 … Article 4(1) provides: ‘Member States shall ensure that effective mechanisms exist at national level under which any user or undertaking providing electronic communications networks and/or services who is affected by a decision of a national regulatory authority has the right of appeal against the decision to an appeal body that is independent of the parties involved. This body, which may be a court, shall have the appropriate expertise available to it to enable it to carry out its functions. Member States”—
this is the key bit—
“shall ensure that the merits of the case are duly taken into account and that there is an effective appeal mechanism…’ … Section 194A provides: ‘The Tribunal must decide the appeal, by reference to the grounds of appeal set out in the notice of appeal, by applying the same principles as would be applied by a court on an application for judicial review.’ … The combined effect of these provisions is to require the Tribunal to apply the same principles as would apply in a judicial review case but also to ensure that the merits of the case are duly taken into account so that there is an effective appeal.”
At paragraph 139, the judgment concludes:
“Given that Article 4(1) continues to apply, it would appear that, in accordance with the Court of Appeal’s view in BT v Ofcom and the High Court’s view in Hutchison 3G, as set out helpfully by the Tribunal in the recent Virgin Media judgment, we should continue, as before, to scrutinise the Decision for procedural unfairness, illegality and unreasonableness but, in addition, we should form our own assessment of whether the Decision was ‘wrong’ after considering the merits of the case.”
“Article 4(1)” refers to the now-repealed framework directive. It should now be read as referring to Article 31(1) of the European Electronic Communications Code—the EECC. The transposition deadline of the EECC was just before the end of the transition period and iseb;normal;j therefore currently binding as part of retained EU law. The wording of the EECC is almost exactly the same as the framework directive in respect of appeals.
That is what will continue to apply across the remainder of the Communications Act for other appeals under Section 192 but is being changed by Clause 13 of the Bill, which amends Section 194A of the Communications Act in respect of security provisions. This is a very significant change to the appeals procedure in security cases. There is a single bald paragraph in the Explanatory Notes, no justification is given—as the Constitution Committee says—and neither is there any evidence of why it is necessary. What evidence does the Minister in fact have of the need to make this major change in respect of security decisions made by Ofcom? I beg to move.
The Earl of Erroll (CB)
My Lords, I saw this and thought that I really did not understand why the Government were doing it. I saw what the Constitution Committee had said and realised that it did not understand why it was needed. I cannot believe that you can have a proper appeal if you ignore the merits of the case. I probably have an overdeveloped sense of justice and I think that to have an appeal where you are not allowed to present half the case or whatever is not a proper appeal. In fact, what you find is that the system can use procedural things to run rings around people who have a very justifiable complaint about something. I did not like the look of it and I entirely agree with everything that the noble Lord, Lord Clement-Jones, said.
Lord Fox (LD)
My Lords, I am not going to attempt to outlawyer my noble friend Lord Clement-Jones. I may not be a lawyer, but I am suspicious or, indeed, perhaps ultra-suspicious. What is the department seeking to avoid by removing what would seem to be natural justice from this process? What are the Government seeking to protect themselves from in advance? Who are they frightened of?
I do not think I know the answers to these questions, but I know that there is someone or something there that the department is seeking to avoid in advance. For those reasons, we should be extraordinarily suspicious, just as suspicious as I am. I ask the Minister: what is the justification? What are the Government scared of?
Baroness Merron (Lab)
My Lords, I have been very interested to hear the arguments put forward by the noble Lords, Lord Clement-Jones and Lord Fox, and the noble Earl, Lord Erroll. As we heard from the noble Lord, Lord Clement-Jones, in his opening remarks, concern about oversight is driving this section of the debate. As we know, Clause 13 ensures that when deciding an appeal against certain security-related decisions made by Ofcom, the tribunal is to apply judicial review principles without taking any special account of the merits of the case.
I understand that this does not apply to appeals against Ofcom’s enforcement decisions and that the Government have said that this ensures that it is clear that the tribunal is able to adapt its approach as necessary to ensure compatibility with Article 6, the right to a fair trial. My questions to the Minister are about the legal advice that the Government have received on this clause. What legal advice has been received? Is this external legal advice as well as internal legal advice?
The clause states that
“the Tribunal is to apply those principles without taking any special account of the merits of the case.”
Can the Minister explain what “special account” is expected to mean?
Baroness Barran (Con)
I thank the noble Lords, Lord Clement-Jones and Lord Fox, for tabling this amendment to Clause 13. I am aware that the noble Lord, Lord Clement-Jones, has spoken extensively on the standards of appeal in this House. As the noble Lord remarked, this matter was also raised in the Constitution Committee’s recent report, where it asked for further clarification about the reasoning for the changes made by this clause. I will attempt to address this point today and answer the questions from the noble Lord, Lord Fox, about what we are worried about.
Lord Clement-Jones (LD)
My Lords, I have heard some ministerial pushbacks but, I must say, that circularity more or less takes the biscuit: “The Government believe that we need to change the standard and therefore we have changed it.” There is very little that one can get one’s teeth into in terms of the argument. It is simply that the Government believe that JR in its unlawfully rational or unfair incarnation should apply in this set of circumstances—and that is it, whereas, for the rest of the 2003 Act, the merits version of JR continues unabated.
The Minister made a few points. I thought “merely” was rather extraordinary; it is a very important change to the way the tribunal will operate in those circumstances. Providers will not appeal against these decisions unless they are of major importance. The process of going to the Competition Appeal Tribunal is not lightly undertaken. She used the words “a smooth regulatory process”. Of course Governments always love smooth regulatory processes, but how big is the steamroller employed in these circumstances? There was also the use of “appropriate”—a splendid weasel word.
This is the end of a very entertaining afternoon so I cannot really comment heavily on the Minister’s reply. However, she really could have done better. The noble Earl, Lord Erroll, and I asked for evidence of why in these circumstances—we have all just asked why—but nothing was forthcoming: no evidence, precedent or, “We did it that way and it didn’t work”. We have just decided within the bowels of Whitehall to do this—splendid, but the Government need to do better than that, even with their current majority. However, this is the end of a splendid set of debates this afternoon and I hope for better on another occasion.
The Deputy Chairman of Committees (Lord Rogan) (UUP)
My Lords, that concludes the work of the Committee this afternoon. I remind Members to sanitise their desks and chairs before leaving the Room.
Telecommunications (Security) Bill
Thursday 15th July 2021
(2 years, 9 months ago)
Grand CommitteeRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 15-III Provisional third marshalled list for Grand Committee - (14 Jul 2021)
Lord Coaker
“Horizon-scanning body
(1) Within three months of this Act being passed, the Secretary of State must establish a body corporate with a remit to consider emerging and future developments for the telecommunications sector for the purposes of identifying current and emerging security threats.(2) The body must include representatives from, but is not limited to— (a) the National Cyber Security Centre;(b) the intelligence services;(c) the National Cyber Force;(d) the Ministry of Defence(e) the Home Office;(f) the Department for Digital, Culture, Media and Sport;(g) the National Security Council;(h) the Investment Security Unit;(i) the Armed Forces;(j) OFCOM;(k) relevant industry bodies and companies;(l) relevant telecommunications and security experts.(3) The body must publish a report annually which is laid before both Houses of Parliament.”
Lord Coaker (Lab)
Good afternoon, everyone. I am looking forward to the Committee session this afternoon. Two days ago was my first Grand Committee sitting as a Member of the House of Lords, and I was impressed by the quality of the contributions. I have been moved by the intellectual power of the people here and I look forward to that. I was grateful to the Minister for her contributions and the way she tried to answer the questions, even if one or two of them were not as well put as her Civil Service brief. I appreciated that, and it helps the Committee enormously when we have that positive, constructive engagement, even if there is a measure of disagreement at times. As I said at the beginning, a Bill like this unites us all in wanting to contribute in a way that defends and secures our country and democracies across the world. It is in that spirit that I move Amendment 18 and table Amendment 25 in my name, and I know the Minister will take it in that spirit.
I also thank the noble and gallant Lord, Lord Stirrup, very much for supporting both the amendments. I know the Committee is looking forward to his informed and experienced contribution to our discussions. Although the noble Lord, Lord Alton, is not present—he will no doubt read Hansard—I also thank him for his support for Amendment 25.
These are probing amendments that challenge the Government to explain to the Committee and the wider public their thinking and why these amendments are not necessary. Their various measures are contained elsewhere in the Bill, but it is an important debate for us to have because, as all of us have said, national security is the first duty of any Government and that includes Her Majesty’s Opposition and other parties. That is what “Government” means in total—the responsibility of us all to our citizens.
These amendments are also saying that, to secure democracies across the world in the face of the autocratic challenges and threats we see, it is necessary for us to work well not only in our own country but with our allies. That is clearly something the Government wish, as well.
Our telecoms infrastructure, as I saw yesterday when I went to Airbus—a brilliant company in Portsmouth—is clearly critical to our defence and security as well as our economic prosperity. The Bill’s impact assessment rightly highlights the threats we face, stating that the
“most significant cyber threat to the UK telecoms sector”
comes from other states. It is not a terrorist threat in the normal sense of a threat from individuals; but when powerful states can take action against us, that is significant for our country and for democracies across the world. The impact assessment continues:
“The UK Government has publicly attributed malicious cyber activity against the UK to Russia and China as well as North Korea and Iranian actors”.
That is worrying and significant for all of us.
Both amendments say that our approach to security has to be co-ordinated domestically and with our allies. That is, frankly, a challenge for any Government. As to the list of bodies I have included in the amendment, I am sure the Minister could say that I have not mentioned this or that body. However, those that I have listed are based on my own research. I am sure that other significant bodies should be on it. However, the point is that the challenge is significant. How will cross-departmental co-ordination on the current security infrastructure work at a domestic and international level? I know that the response is often that we have the National Security Council and that is why it was set up, and the Prime Minister chairs it. It is obviously incredibly important and it would be ridiculous to say that it is anything other than an effective co-ordinating body. However, that does not alter the fact that coming to the table are significant actors in their own right within the sphere. It is right to ask, how do the Government expect the new duties placed on the telecoms sector to work and be policed by all the various bodies?
The amendments also highlight the question of how we future-proof this legislation against current and emerging threats. To be blunt, it is hard enough to deal with the current threats as we understand them. At security levels far higher than those we have in this Committee, there will be those who will not only be trying to deal with the current threats but looking at what might happen, five, 10 or 15 years down the road. That is a real challenge for anyone. How do we stop those threats?
We have come to a view about Huawei. Some may argue that perhaps we should have done so two, three or four years ago but we are where we are and we have now concluded that all Huawei equipment should be out of our country’s networks by 2027. Would it not have been better to have predicted that several years ago, so that we would not have to try to stop that company’s involvement now? How does the Minister believe that the current structures and those envisaged in the Bill will deal with not only current but future threats?
The concern is shared by our allies. The recent NATO summit communiqué stated:
“NATO and Allies…will maintain and enhance the security of our critical infrastructure”,
including “communication information networks” such as 5G. I should say to the Minister—the noble and gallant Lord, Lord Stirrup, will have much greater understanding and awareness of this issue—that one of the most significant moves that the alliance made in that communiqué was to confirm that a cyberattack, including on our own telecoms networks, could trigger an Article 5 response.
With the Committee’s permission, I will read from paragraph 32, as it is so important:
“We reaffirm that a decision as to when a cyberattack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis. Allies recognise that the impact of significant malicious cumulative cyber activities might … be considered as amounting to an armed attack.”
I emphasise “armed attack”. We and our allies are saying, quite rightly, that the theory of deterrence is now being applied to the world of cyber. The Minister will understand the principle that an attack on one is an attack on all, so theoretically it could be one of our allies that is subject to that attack and that we come to the defence of. Again, I think that is quite right. Does the Minister have any comment highlighting how the Government see that being taken forward?
Amendment 18 seeks to establish a horizon-scanning body for our telecommunications sector, to identify current and emergent threats and produce an annual report for Parliament. The body would include representatives from the Armed Forces, relevant departments, the intelligence services and the National Cyber Security Centre, as well as industry and security experts. Can the Minister explain how the Government will watch out for future threats without such a body? How will cross-departmental work be managed? Will the new telecoms advisory council include security experts or ex-military personnel?
The Spectator is not a magazine whose political opinions I agree with, but this is so serious. The front page this week features the relationship between China and Cambridge. Whatever the rights and wrongs of it, I am just reporting to the Committee what is said in a well-regarded magazine that I and many other noble Lords read. To have that on its front page, and then inside, significant articles about the relationships and the potential difficulties that they may cause for us on a security level, shows to the Committee and the wider public how difficult this is becoming. You have one of the most brilliant universities in the world being questioned in terms of its relationship with China, in a well-regarded publication. That is a challenge for us as we take this Bill through and what it means for us in maintaining our security to defend our democracy.
Amendment 25 seeks to ensure that the Government publish a long-term strategy for our telecommunications security and resilience. Can the Minister outline how she expects that to happen? We should consider how to collaborate more effectively with our allies—NATO and the Five Eyes—and consider proper resourcing of UK security infrastructure. I believe DCMS is now developing a long-term strategy to consider how international standards can be developed. Can the Minister explain how the UK will work with our allies on R&D or adoption and deployment? This is critical for the security of our nation, so it would be helpful for the Committee to understand.
I hope that the Minister takes my contribution in the spirit in which it is meant, which is to challenge in a way that I hope is helpful to the security of the nation and of our telecoms infrastructure and businesses. The last year or two have been a bit of a wake-up call for all of us, including me, as to the potential threats that there are. Given the security level that we are all at, what some people working at STRAP levels know and understand about the threats to our nation one can only begin to imagine. I look forward to the Minister’s response and to the contributions of the noble and gallant Lord, Lord Stirrup, and other Members of the Committee. This is meant to be a probing, challenging amendment. I hope that the Minister will be able to respond in that spirit, and that we can all look forward to seeing how the security of our nation can be effectively maintained against the threats as we understand them now and as they may emerge in the future. I beg to move.
The Earl of Erroll (CB)
My Lords, I do not want to bang on for a long time because, in a way, this falls in with things such as the technical advisory committee. It is all part and parcel of the same thing, and we have to keep our eyes open and start forward scanning and see what else is out there.
Ofcom is not in fact a department; I seem to remember that it was set up by Europe through regulations and that originally, it reported via Parliament to the European regulators. I am not entirely sure what Ofcom’s chain of command is; I must do some research into it. Having this buried inside such a body without proper parliamentary scrutiny is unwise, so it is only sensible to embed the principle of having proper advisory committees. This is an obvious no-brainer: we need people with these abilities and skills to be advising on this stuff, and I cannot understand why there would be any objection to it.
Amendment 25 covers the very good point about long-term strategy. As was pointed out on Tuesday, our relationship with the Five Eyes could easily change. There have been efforts from time to time to drive a wedge between us, and we need to start looking at that. One cannot assume that the status quo regarding who is an ally or friend will continue for ever. The fact that we are in different parts of the globe and therefore perhaps in different trading blocs could cause undue pressure, so we must have this horizon-scanning, long-term attitude.
The speech of the noble Lord, Lord Coaker, reminded me of the Tallinn Manual and the question of when cyberwarfare escalates to actual warfare because your entire infrastructure and systems have been taken down. It is a very interesting document. I skimmed through it a long time ago, but it was very eye-opening and before we just leap in, people should take a look at it.
That is really all I have to say. This is so obvious, and I just hope that the Government are going to do something about it.
Lord Stirrup (CB)
My Lords, in speaking to Amendments 18 and 25, to which I have added my name, I have in mind the very purpose of the Bill itself, which is, I take it, to ensure the security and resilience of our telecommunications capability here in the UK. The Bill as drafted places certain duties on the providers of those capabilities and gives powers to the Secretary of State to make regulations and issue codes of practice. This is all well and good, but these somewhat mechanistic, albeit welcome, measures will not by themselves result in the necessary degree of security and resilience.
As I said at Second Reading, things move quickly in the world of technology, and they will move even faster during a determined attack on our telecommunications infrastructure. If we are to respond successfully, we will need to be both agile and adaptable. The measures in the Bill will, by themselves, not ensure this.
One of the reasons why we are even considering this Bill is concerns over the position of Huawei in our telecommunications architecture, the clear channel that runs through that company to the Chinese Communist Party, and the ensuing vulnerability of our system. None of this comes as a great surprise, but we have allowed ourselves to get into a position where we are now having to play catch-up. This is largely because we spent the first half of the last decade thinking almost exclusively of the economic opportunities offered by China and very little about the associated security risks; in other words, our decision-making process was unbalanced and distorted. Without proper safeguards, we could easily find ourselves in a similar situation with regard to some future threat.
What sorts of safeguards might help prevent such an occurrence? There is no single answer to this question but at the very least we need a process that provides an appropriate degree of horizon scanning and that, importantly, draws in expertise from across technology, business and security organisations and, indeed, from across different government departments, to give us the best chance of coming to a balanced view.
That is what Amendment 18 seeks to do. It will not cure all ills but it will provide us with a mechanism to drive adaptability, not just in our architecture but in our thinking, something that is traditionally hard to achieve. Of course, the Minister may say that the Bill is not the place for setting out this kind of thing. My response to that would be: if not here, then where? The responsibilities outlined in the amendment must be met if we are to achieve the Bill’s laudable purpose.
Amendment 25 is in many ways a follow-on from Amendment 18. It calls for the deliberations of a horizon-scanning body and the ensuing policies and actions to be presented to Parliament in the form of a comprehensive strategy. Most importantly, it seeks to ensure that such a strategy is coherent with other elements of government policy, as set out in various documents, such as the integrated review, and in other legislation, such as the National Security and Investment Act. It also seeks to encourage international co-operation in this regard. I believe this is essential, since we rely so heavily on collective security for our national safety. The noble Lord, Lord Coaker, has already highlighted the importance that NATO now attaches to the whole area of communications and cyberspace.
Taken together, these two amendments put in place measures that would improve our agility and adaptability and thus strengthen the Bill in terms of its ultimate purpose. If the Government are going to set their face against such measures in this legislation, I ask the Minister to explain how the essential functions they prescribe are to be carried out and how Parliament can be confident of their success.
Baroness Stroud (Con)
My Lords, it is a privilege to speak after the noble and gallant Lord, Lord Stirrup. I support Amendment 18, in the names of the noble Lord, Lord Coaker, and the noble and gallant Lord, Lord Stirrup, and Amendment 25, which is also in the name of the noble Lord, Lord Alton.
These amendments propose a pathway forward that would ensure we are well equipped to handle the challenges that will inevitably come our way in the next decade. Amendment 18 places a requirement on the Secretary of State to create a body designed to analyse and consider existing and emergent threats in the telecommunications sector, incorporating representatives from the major bodies of our national security matrix. This body would then be required to lay an annual report before all Members of Parliament, ensuring adequate parliamentary scrutiny and oversight. Indeed, if not for Back-Bench agitation, we might still be aimlessly integrating Huawei into our critical infrastructure, lagging behind our Five Eyes allies in recognising the security threat that such high-risk vendors pose.
Amendment 25, building on the horizon scanning outlined in Amendment 18, requires the Secretary of State to publish a long-term telecommunications strategy in partnership with the aims and outcomes of our closest Five Eyes and NATO allies. In alignment with the integrated review of security, defence, development and foreign policy, this strategy would ensure that long-termism is built into our thinking across both our economic and strategic aims in the coming decade.
We have one of the most sophisticated and advanced intelligence-gathering apparatuses in the world. We are a significant asset to our Five Eyes and NATO allies and a crucial linchpin in ensuring the international order. Yet we have been slow to respond to the rapidly changing digital landscape that we find ourselves in.
An obvious example of this is the much-discussed high-risk vendor, Huawei. It is extraordinary to think that all the way back in 2013 a report from the Intelligence and Security Committee concluded that Huawei posed a risk to national security and that private providers were responsible for ensuring the security of the UK telecoms network. Yet now, according to Ofcom, Huawei accounts for about 44% of the equipment used in providing superfast full-fibre connections directly to homes, offices and other businesses in the UK.
In a Statement to Parliament last year, the Foreign Secretary made the welcome announcement that
“high-risk vendors should be excluded from all safety- related and safety-critical networks in critical national infrastructure”—[Official Report, Commons, 28/1/20; cols. 710-11.]
and yet, due to how embedded this vendor has become in our critical infrastructure and the lack of competition, Huawei, as we have heard, is not set to be removed as a provider until 2027. It should never have reached this point. A horizon-scanning body and deeper parliamentary oversight would ensure that we are not left sleeping at the wheel again. How was it that our Five Eyes allies were significantly more alert to this risk than we were?
Furthermore, without cross-body co-ordination, the rapid advances in technology we are set to witness over the coming years will make it even more difficult to adapt to threats as they manifest themselves. GCHQ Director Jeremy Fleming suggests that the UK needs to prioritise the advances in quantum computing, as well as working with allies to build better cyber defences and shape international standards and laws in cyberspace. With quantum computing becoming more mainstream, there is a risk that a sudden increase in processing power could render existing encryption methods useless.
These are just some of the challenges we face. The future of our security and sovereignty will depend on the steps we take in this Bill. According to MI5, at least 20 foreign intelligence services are actively operating against UK interests. We have a remarkable security and intelligence community but, as we enter this new era, we must accept that our ability to adapt to emerging challenges will be the defining feature that drives us forward and keeps us ahead of other nations that would challenge our national interests.
We have seen how easy it is for a digital attack to break down our critical systems. Just last month, a ransomware attack in the US took down the entire Colonial Pipeline infrastructure, which transmits nearly half the east coast’s fuel supplies. Analysts have suggested that hackers could have been inside Colonial’s IT network for weeks or even months before launching their ransomware attack.
This issue extends into the digital space. A 2018 report commissioned by the US Senate intelligence committee, The Tactics & Tropes of the Internet Research Agency—a Russian propaganda unit—revealed that there was:
“A sweeping and sustained social influence operation consisting of various coordinated disinformation tactics aimed directly at US citizens, designed to exert political influence and exacerbate social divisions in US culture”.
I posit that we may not even be aware of the scope of the disinformation and destabilisation occurring online that is challenging our sovereignty and internal security.
I support these amendments in light of the fact that it has taken considerable Back-Bench activity to alert us to the security issues posed by high-risk vendors; that we are still not thinking clearly on China; and that we need systems and structures to ensure that long-termism is built into our thinking across both our economic and strategic aims in the coming decade.
Baroness Northover (LD) [V]
My Lords, Amendment 18 would require the Secretary of State to
“establish a body … to consider emerging and future developments for the telecommunications sector for the purposes of identifying current and emerging security threats.”
Amendment 25 would require the Secretary of State to
“publish a long-term strategy on telecommunications security and resilience.”
These are very sensible proposals, and the speakers have made a cogent case. I thank the noble Lord, Lord Coaker, for his wide-ranging and positive introduction to these amendments.
This is an extremely complex area, as we have heard, not only within our discussions of the Bill but beyond. We know from bitter experience that something can be flagged as a risk and then, without proper focus on it—given all that Governments have to focus on —follow-through is less than systematic. Think of pandemics, flagged, not least in the 2015 strategic review, yet followed through with little or no preparation. This picks up a theme that the noble Baroness, Lady Stroud, emphasised in relation to Huawei: awareness but lack of action. Therefore, the case for a body that looks at this area in the widest sense is compelling.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Baroness Barran) (Con)
My Lords, I thank the noble Lord, Lord Coaker, for tabling these amendments and for his very generous opening remarks. He reminds us that we must remain vigilant about current and emerging threats to our telecoms networks. Rightly, he also urged the Government to communicate how we will do that in a way that makes sense to the public. Today, we are focusing on this Bill and how it is designed to protect our networks now and into the future.
As we heard, Amendment 18 calls for a body to be set up for the purposes of monitoring current and emerging threats to our telecoms sector. The amendment lists a number of committees, departments, organisations and agencies that should be represented on this body.
The noble and gallant Lord, Lord Stirrup, asked: if not here, where? I will try to answer that question in my remarks.
I assure noble Lords that we already have established procedures to monitor current and emerging threats to the telecoms sector. The National Cyber Security Centre undertakes regular risk assessments of such threats, and those assessments are used to inform government policy. For example, the code of practice the Bill will allow us to issue will be informed by the National Cyber Security Centre’s assessments.
In addition, the Government already have forums in which emerging threats and new technological developments are discussed with industry. The noble Lord, Lord Coaker, asked me to give examples of a particular domestic focus. This is one of them. For example, the National Cyber Security Centre’s network security information exchange is a trusted community of security professionals from across the telecoms sector who come together on a quarterly basis to discuss openly and share information on security issues and concerns. There are also established channels for the kind of cross-government and interagency working that the noble Lord’s amendment seeks to formalise. The Government do not see that it would be necessary to establish a new body corporate, which would simply risk duplicating the work of existing forums.
The noble Lord’s amendment would also make provision for Parliament to receive annual reports on current and emerging threats from this new body. The National Cyber Security Centre already publishes guidance as and when threats develop. Furthermore, as noble Lords are aware, the Intelligence and Security Committee is able to see and scrutinise the National Cyber Security Centre’s assessments of current and emerging threats. Given that there is already this provision for parliamentary oversight, I do not consider that laying a report before Parliament annually would be necessary.
Amendment 25 would require the Government to publish a long-term telecoms security and resilience strategy, covering various topics set out in the amendment, within six months of the Bill’s Royal Assent, and would require this strategy to be laid before Parliament. The Government share the noble Lord’s desire to ensure that this country is fully prepared to overcome future challenges to the security of our telecoms networks. However, the publication of such a strategy is, we feel, unnecessary because recent government reports and announcements, publicly available, already address these topics. The noble Lord will be aware that the Bill is the result of the recommendations put forward in the UK Telecoms Supply Chain Review Report, published in July 2019. That report, along with the Government’s announcements last year, has already set out our strategy for addressing telecoms security risks, particularly relating to supply chains.
In addition, we published our 5G Supply Chain Diversification Strategy last November. This includes our strategy for collaborating with allies on future network research and development, and influencing global telecoms standards. As I will touch on when we debate Amendments 24 and 28, this work is progressing well and the Government’s response to the recent diversification taskforce report, published earlier this month, sets out the steps we are taking to deliver on our goals.
More broadly, the Government’s approach to telecoms security and resilience is informed by cross-government priorities. These include the integrated review, published in March, which committed to launching a new comprehensive cyber strategy this year. The strategy will set out how we will build up the UK’s cyber resilience, deter our adversaries and influence tomorrow’s technologies so that they are safe, secure and open.
Alongside this, a national resilience strategy will ensure that our suite of systems, infrastructure and capabilities for managing the full range of resilience risks becomes more proactive, adaptable and responsive to future threats and challenges. Work is well under way to develop these cross-cutting strategies, and we will ensure that our approach to telecoms security and resilience continues to take them into account.
I think the noble Lord, Lord Coaker, and the noble and gallant Lord, Lord Stirrup, know very well that there is a tension between having a greater degree of focus in a strategy and a wider scope. We believe that we have struck the right balance in this area.
The noble Lord, Lord Coaker, asked about cyber deterrence. He may be aware that the Government will shortly bring forward legislation to counter state threats of the type he described. It will create new offences, tools and powers to detect, deter and disrupt hostile state activity by states targeted at the UK. He also referred, in the context of future-proofing, to the National Security Council. Among its responsibilities is examining forward-looking strategies.
The noble Baroness, Lady Northover, mentioned the role of the FCDO. Of course, she will know that the First Secretary of State provides leadership across departments to ensure that the Government’s response to cyberthreats and our ambition as a cyberpower are fulfilled.
My noble friend Lady Stroud talked about the Government being asleep at the wheel in relation to Huawei. I think that is a little harsh. The Government have always considered Huawei to pose a relatively high risk to the UK’s telecoms networks compared with other vendors. A risk mitigation strategy has been in place since Huawei began to supply equipment to UK public telecoms providers. Obviously, the Government have announced extensive advice to manage those security risks based on the work of the experts at the National Cyber Security Centre. Most recently, the Secretary of State announced advice that providers should remove all equipment made by Huawei from 5G networks by the end of 2027.
The noble Lord, Lord Coaker, asked about the presence of security experts on the recently announced diversification council. I can confirm that a senior official from the National Cyber Security Centre will attend to provide that expertise.
The noble Earl, Lord Erroll, asked what parliamentary scrutiny there was of Ofcom. The chief executive and other senior officials from Ofcom give regular evidence to parliamentary Select Committees, including an annual scrutiny session with the DCMS Select Committee, and it also lay its annual report and accounts before Parliament.
I hope I have managed to address most of the points raised and to reassure your Lordships that, while we recognise the very valid questions that have been asked, we believe that we have the balance right in terms of co-ordination and strategy. With that, I ask the noble Lord to withdraw his amendment.
The Deputy Chairman of Committees (Baroness Healy of Primrose Hill) (Lab)
I have received a request to speak after the Minister, from the noble Lord, Lord Fox.
Lord Fox (LD)
I thank the Minister and other speakers for this debate, which is really important. The Minister was basically saying in her response, “Don’t worry, we’ve got this covered.” If the Government did indeed have it covered, I suggest that ripping out 40% of the 5G network at the cost of several billion pounds to the industry is a pretty poor cover. The point made by the noble Baroness, Lady Stroud, that it took Back- Benchers to highlight this rather than the Government was particularly apposite.
The Minister portrayed the decision to remove Huawei almost as if it was a success of the process. Will she acknowledge that these billions of pounds are growth that we will not get, that they are investment in this country that has been wasted, and that it has put the country in danger in the process? Will she further acknowledge that there might be others who are able to help in the process of avoiding a repeat of what is a huge debacle?
Baroness Barran (Con)
I tried to present the breadth and depth of approaches that the Government are taking to address this incredibly serious and complex problem. If I may borrow the word used by the noble and gallant Lord, Lord Stirrup, we have tried to show some agility in responding to changing circumstances. The noble Lord will be aware that there were changes to the US foreign-produced direct product rules in May 2020 which changed the risk profile of our engagement with Huawei, and we acted on that, so I do not feel that I have to apologise at this point.
Lord Coaker (Lab)
I thank the Minister for her reply and for again seeking to answer the questions. We may well have to come back to some of this, but I take the point that the Government are seeking to address current and emerging threats; I just think that this needs to be more clearly stated in the Bill. The Minister gave examples of cross-government working. We all know that there are examples of cross-government working, but the Committee is saying—I think that there was agreement across the Committee—that sometimes there is a need for a mechanism to ensure that it happens. It may be that another body will do that more effectively in the face of the threats that we face now or may face in the future—it may be that we seek to replace rather than add a body. The Government may want to consider that.
Lord Coaker
“Provision of information to the Intelligence and Security Committee
The Secretary of State must provide the Intelligence and Security Committee of Parliament as soon as is reasonably practicable with a copy of—(a) any direction or notice (or part thereof) that is withheld from publication by the Secretary of State in the interests of national security in accordance with section 105Z11(2) or (3) of the Communications Act 2003;(b) any notification of contravention given by the Secretary of State in accordance with section 105Z18(1) of the Communications Act 2003;(c) any confirmation decision given by the Secretary of State in accordance with section 105Z20(2)(a) of the Communications Act 2003;(d) any reasons for making an urgent enforcement direction that are withheld by the Secretary of State in the interests of national security in accordance with section 105Z22(5) of the Communications Act 2003; and(e) any reasons for confirming or modifying an urgent enforcement direction that are withheld by the Secretary of State in the interests of national security in accordance with section 105Z23(6) of the Communications Act 2003.”Member’s explanatory statement
This new Clause would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to a designated vendor direction, notification of contravention, urgent enforcement action or modifications to an enforcement direction made on grounds of national security.
Lord Coaker (Lab)
I apologise to the Committee for having to hear so much of me in the first 48 minutes. This is a really important amendment and I will make a couple of general remarks before making some more specific comments.
Concern has been expressed throughout consideration of this Bill about the extent to which the Bill provides for parliamentary scrutiny. Parliamentary scrutiny is the important area that Amendment 22 seeks to address, and I am grateful for the support of my noble friend Lady Merron and the noble Baroness, Lady Northover.
Amendment 22 seeks to improve and prioritise national security. We have all said that we support the intention behind this Bill and the need for national security, but the sweeping powers that the Bill gives the Secretary of State must be used in the interests of securing our critical national infrastructure. Removing Huawei does not in itself do that, so there is a question of accountability here. Amendment 22 is designed to ensure greater scrutiny, focus and transparency and address the deepening hole in accountability presented by the Government. At its heart, it would
“ensure that the Intelligence and Security Committee … is provided with any information relating to a designated vendor direction, notification of contravention, urgent enforcement action or modifications to an enforcement direction made on grounds of national security”
by the Secretary of State, as soon as reasonably possible.
The Minister knows that, during the passage of the National Security and Investment Bill, noble Peers from all sides of this House repeatedly tried to ensure that the Intelligence and Security Committee had oversight of national security issues. To be frank with the Minister, it was difficult to understand why the Government were so determined not to give the committee a role. This amendment says to the Government that the ISC is the appropriate place to discuss matters of national security and that it has a unique role in assessing security implications, as even Ministers accept.
The key point is to ask the Minister how this would work. This is the nub of the amendment and goes to the heart of what many noble Lords have said. The DCMS Select Committee and many of the people who will be looking at these documents do not have the required clearance to scrutinise highly classified evidence, so should the ISC, which does have the necessary security clearance, not have a role? It is the only committee of Parliament that has regular access to documents marked “information sensitive for national security reasons”.
I am sure that many of us simply do not understand that when you look at the state security threats to the telecommunications infrastructure that have been identified by the Government, the level of clearance will not be official-sensitive, STRAP 1 or STRAP 2, it will be STRAP 3. No one in this Committee will see that. Some Members of the Committee may have seen it in the past. So how can Parliament be reassured without knowing that the Intelligence and Security Committee has looked at it? Who has oversight of it? Even the Minister will not have the level of clearance to see all of it, yet she will tell the Committee that Parliament has oversight of these matters, when none of us—or very few of us—have the security clearance to actually look at and scrutinise those threats. So how will Parliament scrutinise it if we do not have the security clearance to do that? It is logically inconsistent. Yet time and again, the Government refuse to allow the committee set up with that express purpose—namely, the Intelligence and Security Committee—the function that it was set up to do on behalf of Parliament. With respect, I simply do not understand why the Government are so resistant to that. On many of the other things that we mention, there is a debate and opinions are exchanged. But this is completely and utterly illogical.
I ask the Committee to consider this. Given that the level of security clearance needed to protect our country, its telecommunications structure and that of our allies from the threats posed by other states is above that of the vast majority of Ministers of the Crown, Members of the House of Lords and civil servants, who is to scrutinise these matters if not the Intelligence and Security Committee? I fail to understand what the answer to that is. Parliament deserves to scrutinise these matters and it should be done by the committee set up to do that because it is the only committee of Parliament that has the necessary security clearance. I beg to move.
The Earl of Erroll (CB)
My Lords, the noble Lord, Lord Coaker, has summed up an important recurring theme that was raised at Second Reading. The Government should take this very seriously indeed.
Oversight by a body with top-level security clearance is essential. I certainly would sleep safer if I knew this was happening. Part of this comes from the Minister’s reply when I started to query the status of Ofcom and its relationship to the Civil Service department. I gather that the relationship of Ofcom is similar to that of an agency—if it is not actually set up as an agency; it is set up as a regulatory body, I think. I remember the huge problem—debacle would be a better word—when Defra failed to bring in the new mapping system back when we were changing the way of paying farmers. Everyone knew that it was about to be disastrous. Everyone could see the train crash coming. The Minister could not do anything about it except stand at the Dispatch Box and say, “I’m not allowed to interfere. It is a separate company. We can only call it to account at the end of the year.” As a result, when it all went pear-shaped and farmers suffered disastrous and severe financial problems, the Minister was retired—and it was not any fault of his. He knew perfectly well what was going on but had no power under the structure.
This is my problem with the agency structure that was set up, I think under Mrs Thatcher, when she was trying to cut back the Civil Service so she took things off the Civil Service books to make the figures look better. We have to be very careful when we are handing huge powers or these momentous decisions to an agency. Therefore, it is important that we get into the Bill mechanisms by which we can know what is going on at the time and make sure that it is not going wrong. This oversight, certainly by the Intelligence and Security Committee, is essential—a no-brainer.
I will just mention that the same principle applies in Amendment 29 in the names of the noble Lords, Lord Clement-Jones and Lord Fox, which I did not put my name to because I thought that was unnecessary. Exactly the same thing applies to the Investigatory Powers Commissioner. Rather than me wasting time speaking again, I will say it now: please will the Government start looking at this more seriously?
Baroness Northover (LD) [V]
My Lords, I have added my name in support of Amendment 22, which the noble Lord, Lord Coaker, explained so comprehensively and so well. He has picked up an ongoing theme that has been so agitating noble Lords—especially, I note, the noble and learned Lord, Lord Judge—about the Executive increasingly and simply bypassing Parliament. I think that the noble and learned Lord will be very interested in this matter when we come to Report in the Chamber.
In this regard, I can do no better than refer the Minister to the speech by the noble Lord, Lord West, at Second Reading. He is the Lords representative on the Intelligence and Security Committee. He pointed out that this is exactly what that committee is for. It is clearly vital that Parliament has a role in what is covered under the Bill, but we also understand the potential security sensitivities here. This is where that committee can play a vital role on behalf of Parliament, but under the strict security rules under which it operates. If there are matters that the Secretary of State is withholding from publication in the interests of national security and in related areas, these must be reported to the ISC. I therefore urge the Minister to accept this amendment.
Lord Fox (LD)
My Lords, I commend the noble Lord, Lord Coaker, and my noble friend Lady Northover for this amendment, which I would have signed had she not done so already. We heard at Second Reading an excellent speech from the noble Lord, Lord West, explaining not only why this amendment is important but why certain figures who would normally speak in this debate are not doing so. He explained that the ISC is seeking to change its MoU. As such, he and others would not speak in this particular debate.
However, we have an analogous debate to refer to, which has already been mentioned. Those of us who are veterans of the National Security and Investment Bill have been through this already. I think the noble and gallant Lord, Lord Stirrup, is the only other person in this Room who was involved in it. I certainly spent some of my life on that Bill.
We sent back to the Commons an amended version of that Bill. Your Lordships adopted an amendment not dissimilar from the one in front of the Committee today. That decision was made, as we heard from the noble Lord, Lord Coaker, because the BEIS Select Committee is not enabled to deal with the level of security information it needs to properly scrutinise the operation of BEIS for the National Security and Investment Act. There is exactly the same situation here. I gather, anecdotally, that the BEIS Committee is already hitting issues with getting the information it needs under that Act.
We also heard anecdotally on Tuesday of the debacle over the Newport Wafer Fab, where the BEIS Secretary of State has failed to use the power given to him by the National Security and Investment Act to do something around national security. The noble Baroness, Lady Stroud, is no longer in her place, but once again the ministry was forced by Back-Bench action to reconsider what it was doing. This should not be how things work. It is beginning to look like these are rhetorical points, rather than actually being usable. I hope the same fate does not befall this legislation and that it actually gets used rather than shelved. But in the same way as BEIS, DCMS will have a Select Committee that cannot access the information it needs to scrutinise the activities covered in this Bill.
The noble Lord, Lord Coaker, notwithstanding the stifling atmosphere of this Committee Room, managed to do a very close approximation of complete incredulity over why the Government should not listen to this fantastic advice. I can say that, having gone through the last Bill and seen how resistant the Government are to advice of this sort, this is neither an accident nor a sin of omission. This is a sin of commission. The Government are very clear that they do not want proper scrutiny of what they are doing, and if this Bill remains as it is, there will not be the scrutiny that is needed. Neutering of that scrutiny is not an accident but a deliberate act of the Government.
Baroness Barran (Con)
My Lords, I thank the noble Baroness, Lady Merron, for tabling this amendment, and the noble Lord, Lord Coaker, for moving it. The role and remit of the Intelligence and Security Committee, as noble Lords have remarked, have been raised a number of times in the other place and at Second Reading of this Bill, so I welcome the opportunity to clarify how appropriate oversight of the Bill’s national security powers will be provided for in the Bill and through existing mechanisms.
Amendment 22 would require the Secretary of State to provide the Intelligence and Security Committee with copies of designation notices and designated vendor directions when such notices, or parts of them, are withheld under Section 105Z11(2) or (3) in the interests of national security. It would also require the Secretary of State to provide copies of notifications of contraventions, confirmation decisions, the reasons for giving urgent enforcement directions when withheld under Section 105Z22(5), and the reasons for confirming or modifying such directions when withheld under Section 105Z23(6).
I will try to correct the suggestion made by the noble Baroness, Lady Northover, and the noble Lord, Lord Fox, that the Government are trying to avoid parliamentary scrutiny on this particular point. That simply is not borne out by the way that the Bill is drafted. We are very clear about where parliamentary scrutiny should take place. I recognise the desire of your Lordships for the Intelligence and Security Committee to play a greater role in the oversight of national security decision-making across government, including in relation to this Bill. As I mentioned earlier, through the oversight of the National Cyber Security Centre, the Intelligence and Security Committee can request information around NCSC advice on, and activities relating to, high-risk vendors.
However, this amendment would extend the role of the Intelligence and Security Committee in an unprecedented way. As noble Lords are aware, the activities of the Department for Digital, Culture, Media and Sport are not within the ISC’s remit. That committee’s remit extends to the intelligence agencies and other activities of the Government in relation to intelligence or security matters, as they are set out in its memorandum of understanding.
The noble Lord, Lord Coaker, asked what he called the “central question” of how this will work in practice in terms of security access. My understanding is that according to the Osmotherly rules detailing how the Government may share information with Select Committees, members of the Digital, Culture, Media and Sport Committee are able to view and handle classified and other sensitive material, subject to agreement between the department and the chair of the committee on appropriate handling. Documents may also be shared with the chair of the DCMS Committee on Privy Council terms, subject to agreement between the committee chair and the department.
The advice of the intelligence agencies will not be the only factor that the Secretary of State will take into account when deciding what is proportionate to include in a designated vendor direction. As well as the advice of the National Cyber Security Centre, the Secretary of State will consider, among other things, the economic impact, the cost to industry and the impact on connectivity caused by the requirements in any designated vendor direction. The ISC does not have the remit to consider non-security issues such as the economic and connectivity implications of the requirements in designated vendor directions. The Digital, Culture Media and Sport Select Committee can consider those wider aspects and that is why it is the correct and appropriate body to see copies of designation notices and designated vendor directions that are not laid before Parliament. Any future changes to the ISC’s remit would be best managed through consideration of the Justice and Security Act 2013 and the associated memorandum of understanding.
For the reasons that I have set out, I am unable to accept the amendment and I hope that the noble Lord, Lord Coaker, will therefore withdraw it.
Lord Coaker (Lab)
I thank the Minister for her reply. The Government are going to have to reconsider this matter. The explanation of what can or cannot be looked at is very unclear. The purpose of the amendment is to make it clear through the legislation that the Intelligence and Security Committee would have an automatic right to look at some of the threats, rather than it being the judgment of someone, who has to consult someone else to make a decision. That is the whole point. It should not be a question of someone deciding after discussion whether the matter should go forward; there should be a requirement in the Bill that that be done.
The point that I keep making is that at security clearance level 3, hardly anyone in the country could look at this matter, but there may well be aspects of a threat to telecommunications from a state that are at that level. All that any of us is saying is that of course Parliament should not be openly told about it, but that does not mean that there should be no scrutiny by the committee set up with that express purpose, so that we have oversight and scrutiny of even the most highly classified information. It would be a great credit to our democracy if the even highest level of security threat were subject to a check, set up by Parliament.
I and the Committee are saying to the Minister that this matter needs to be reconsidered. Even the Government, in response to the debate in the other place, have said that they are going to look at the next annual report of the Intelligence and Security Committee to see whether its remit should be extended to include the DCMS Committee. The Government are therefore aware that there is a problem here and say that they will look at this issue. We are trying to horizon-scan here and are saying that this will be a problem if this proposal is not included in the Bill.
I honestly believe that the Government really are going to have to look at this. I am going to repeat that because it is so important. The Minister herself, even the Secretary of State, will not know of some of this. The noble and gallant Lord, Lord Stirrup, knows how many people know, but it is very few. Yet the Intelligence and Security Committee was set up to consider this issue and we are saying that there should be measures in the Bill to deal with it.
The reason why the noble Lord, Lord Fox, and I are incredulous is that this just does not logically hold together. This is not an opinion but a fact: if the Bill goes through unamended, we in Parliament will not be able to look at the security threats that people are making decisions about. It is accepted that not everybody should be told about such things—of course not—but I doubt whether Parliament thinks that this situation is acceptable. I ask the Minister to reconsider that.
Baroness Merron
“OFCOM’s Annual Report
After section 105Z29 of the Communications Act 2003 insert—“105Z30 OFCOM’s Annual Report(1) Every report under paragraph 12 of the Schedule to the Office of Communications Act 2002 (OFCOM’s annual report) must include a statement on—(a) the adequacy of OFCOM’s resourcing in fulfilling its functions under the amendments made to this Act by the Telecommunications (Security) Act 2021;(b) OFCOM’s determination of the adequacy of measures taken by network providers in the previous 12 months to comply with sections 105A and 105B of the Communications Act 2003 and regulations made thereunder; and(c) OFCOM’s assessment of emerging or future areas of security risk based on its interrogation of network providers’ asset registries.(2) The statement required by subsection (1)(a) must include an assessment of—(a) the adequacy of OFCOM’s budget and funding;(b) the adequacy of staffing levels in OFCOM;(c) any skills shortages faced by OFCOM.””Member’s explanatory statement
This new Clause introduces an obligation on Ofcom to report on the adequacy of their resources and assess the adequacy of the annual measures taken by telecommunications providers to comply with their duty to take necessary security measures. It also requires Ofcom to assess future areas of security risk based on its interrogation of network providers’ asset registries.
Baroness Merron (Lab)
My Lords, I will also speak to Amendment 26, which stands in my name. As I recall raising at Second Reading, the whole point about this legislation is not just its intent but whether it can be delivered in practice. Can it do the job that it intends to do? These amendments are intended to ensure that we know we have the resources, whether in people, funding, infrastructure or whatever, to deliver the protections that the Bill is intended to offer. There are considerable questions about that.
I will focus first on the new responsibilities, remit and powers that are being given to Ofcom. As we know, there has been a vast expansion of Ofcom’s remit over the past 10 years, so it is most important that it is appropriately resourced to carry out its duties and to be very forward-looking. As my noble friend Lord Coaker said earlier, for us, the whole issue of looking forward is a particular concern in the Bill. That has been echoed by many noble Lords this afternoon. I note that reassurance is often given by the noble Baroness, Lady Barran, as the Minister and I am sure that the noble Lord, Lord Parkinson, will also seek to reassure me. But I am sure he will have picked up the feeling in the Room today that we need to go rather further than words of reassurance.
What we know about Ofcom is that experience in national security measures is not its natural and current territory, so the expansion of these duties will absolutely require people with the required level of security clearance and experience. I recall the comments of Emily Taylor of Oxford Information Labs during the debate in the Public Bill Committee in the other place. She has considerable expertise in cyber intelligence and she said at that time that Ofcom
“will have to acquire a very specific set of skills and capabilities, and that will require substantial investment and learning as an organisation”.—[Official Report, Commons, Telecommunications (Security) Bill Committee, 19/1/21; col. 72.]
I also note that a memorandum was published recently by Ofcom and the National Cyber Security Centre about how they will work together as part of the new regulatory regime. On the face of it, I thought that might provide some of the reassurance that I am sure the Minister will wish to give to noble Lords. However, I observe that while the National Cyber Security Centre will indeed be able to provide advice on national security matters, the question is whether Ofcom has the resource and the greater expertise to understand that advice. It is one thing to receive advice but another to be able to work with it. I am sure noble Lords know their own limitations. I certainly know mine when it comes to advice and expertise. For me, that memorandum did not show understanding of the limitations that there are.
Amendment 23 would require Ofcom to report annually on the adequacy of measures taken by network providers to comply with changes introduced in the Bill, empowering the Government to track the effectiveness of the legislation. That seems to be good legislation: to put it in place, to make sure it does the job it ought to do, to resource it and then to track its effectiveness.
Amendment 23 would also ensure that Ofcom will have the human and informational resources to provide an assessment of security risks based on its interrogation of network providers’ asset registers. This needs to include things such as a reference to the adequacy of Ofcom’s budget, funding and staffing levels and any potential skill shortages that might mean that it cannot do the job it is intended to do.
It is interesting to look at the Government’s own impact assessment, which states that the costs of monitoring compliance with the telecoms security requirements could be up to £49.4 million by 2029. Allied to that, Ofcom’s current budget for telecoms security for this financial year has been increased by £4.6 million; that is intended to reflect its enhanced security role under the Bill. The first obvious question to the Minister is whether this funding will be sufficient to meet the demands and to engage those with the right security skills. As a supplementary question to that, what targets does Ofcom have to seek the numbers of new staff it needs?
On staff shortages and funding shortfalls, how does the Minister consider that the Government will be aware of these problems without some kind of annual report? Furthermore, where do the public fit into this? How will they know that everything is in hand without such a reporting requirement being met? In my view, if Ofcom is to do more on security, the Government absolutely have to make sure that it is secure and able in its new role.
We spoke earlier about the absolutely crucial aspects of future proofing and horizon scanning. It seems that Ofcom also needs to be able to assess future risks to the security of UK telecoms. We know that new types of threat have emerged over recent years; for example, attacks on healthcare systems. We are also sensitive to potential future risks; for example, the dependence of cloud computing infrastructure on Amazon Web Services, the dominant vendor in this market. Clearly, dangers could arise if AWS was bought by a hostile foreign state or hacked by a hostile operator. In all these ways, we need to ensure that Ofcom is equipped not just for the present but for the future.
Amendment 26 looks at the very important matter of skills in the wider sector. We know from the Institute of Engineering and Technology that the UK economy is suffering a loss of £1.5 billion per year due to STEM skills shortages, and the Chartered Institute of Personnel and Development has found that two-thirds of employers who have vacancies report that some are proving hard to fill, with engineering being one of the most prevalent.
Amendment 26 seeks to require the Government to publish a review of the implications of skills shortages and training support for the security of the tele- communications network and its supply chain. Again, this amendment looks forward to ensure that we can protect our security capability.
I have a few specific questions for the Minister. I would be interested to know whether he is concerned that the 2027 target for Huawei removal might be delayed due to skills shortages. Can he comment on what skills shortages have been identified as a security risk? What action are the Government taking to fill them? I look forward to hearing from him regarding these amendments. I beg to move.
Lord Stirrup (CB)
My Lords, Amendments 23 and 26 touch on the critical issue of skills, in Ofcom and then more widely in the supply chain. They are right to do so, but in my view they are too constrained and do not go nearly far enough. This is not the fault of the drafters—they have to propose amendments that fall within the scope of this particular legislation, and they have done so admirably—but the problem they expose goes much wider than the field of telecommunication.
We find ourselves in this discussion at least in part because of our current reliance on Huawei technology and on the associated vulnerabilities that this introduces. But why have we become so dependent on Huawei? I said earlier that in the first half of the last decade we made unbalanced decisions about our trade and security relationship with China, and that is true. But it is also a fact that Huawei was—and still is—one of the very few companies to have brought the necessary technology to market. Frankly, there were not many options open to us, so our supply chain is anything but resilient in this area.
There are two elements to this problem. One is the level of industrial commitment to and investment in critical technologies; the other is the skills base to support such industries. Both of these interlinked issues must be addressed if we are to resolve the weakness in our supply chain.
The answer does not, of course, have to be wholly national. Industrial capacity and skills that are sufficiently widespread internationally, particularly among responsible countries that abide by international law, norms and standards, would provide us with an acceptable degree of resilience. This will undoubtedly have to be part of the solution, at least in the short term, but we have to ask ourselves why, in technologies that are so important to our security and that promise such future advantage to the companies involved, we are lagging so far behind. I acknowledge that we cannot lead everywhere and provide everything ourselves, but surely an important part of our national strategy should be to put ourselves in the van of those capabilities that will shape and guard our future.
This is certainly not about direct government involvement in business decisions; that approach already has a quite sufficiently inglorious history. It is, though, about government incentives—not least through a clear strategy and consequent procurement decisions—for the appropriate industries and a national effort to provide the necessary skills base to support those industries.
Amendment 26 makes some modest proposals in this regard and I welcome them, as far as they go, but we need to go much further. Telecommunication is not the only area to be hampered by such problems, and I believe we should take a more holistic approach. I have no doubt the Minister will reject the amendment, although I stand ready to be surprised. If, however, he lives up to my expectations, I invite him to say whether the Government agree with my analysis and, if so, how they propose formally to tackle a problem that is so central to our future security and prosperity.
Lord Fox (LD)
Once again, this is a short but important debate, and one of a continuing series. In response to the noble and gallant Lord, Lord Stirrup, we had a short discussion that, to some extent, was crying over spilt milk about why industrial capacity in telecommunications in the United Kingdom is where it is. I think the noble Earl, Lord Erroll, largely agrees with me that it is to do with the purchasing decisions made by near-monopolistic private sector companies based on price. If that is not a lesson for the Government to take forward, we are all doomed anyway.
To turn to the detail of these two amendments, as both the noble Baroness, Lady Merron, and the noble and gallant Lord, Lord Stirrup, have set out, they are about people. Without overrepeating it, I come to the point I was talking about earlier, which is that BEIS is going through a similar process. It is setting up a unit that is supposed to scan the entire industrial landscape for supposed security problems and alert the Minister to decisions that should be made about the future of those companies. These people will have many of the same skills and face many of the same issues, going forward.
First, does the Minister think there is a sufficient pool of people available to cover both these units? Is it sensible to have two units operating in parallel to, and probably in isolation from, each other, with the BEIS unit setting up a telecoms capability, which DCMS will also have? Perhaps the Minister can tell us what conversations are going on between DCMS, Ofcom and BEIS to avoid that duplication. We have already heard that there are too few people so, frankly, it does not make much sense to have two departments competing for the same people.
More broadly, the noble Baroness, Lady Merron, is completely correct that there is a huge issue with the availability of people. Unless the Government pick up major programmes to train and retrain people and look at skills that are completely necessary to move forward, we will be left high and dry without the skills we need to create the sorts of industries that the noble and gallant Lord, Lord Stirrup, suggested we need. That will take time, so perhaps the Minister can say what the plan is. What is the process and what discussions are going on with trainers, universities and employers to deliver the skill set we need?
Of course, we would want to review all this annually, which is why these amendments are here, so the Government necessarily come to Parliament to explain how they are getting on and what they are doing. I am sure the Government do not want us to be suspicious of what they are doing, and the best way to avoid that suspicion is to be open and transparent, rather than try to operate in a black box.
Lord Parkinson of Whitley Bay (Con)
My Lords, these amendments, both tabled by the noble Baroness, Lady Merron, highlight the two important issues that our short debate covered—the role of Ofcom in relation to the Bill; and skills and training, and their effect on telecoms security. I am pleased to have the opportunity to outline some of the work that has already been done in these areas, which I hope explains why we consider these amendments not to be needed.
Amendment 26 would require the Government to complete a review of, and publish a report on, the impact of levels of skills and training on the security of the telecoms network and supply chain. It would require the Government to publish the report within six months of Royal Assent.
The Government certainly agree that it is crucial that public telecoms providers and organisations such as Ofcom have access to people with the skills that they need to keep our networks safe. DCMS published research this year as part of its annual survey, Cyber Security Skills in the UK Labour Market, which found that 50% of UK businesses have a basic technical skills gap. It also found that they do not have confidence in their ability to carry out basic cybersecurity functions and do not outsource these skills.
That is why the Government have a range of programmes already in place to support the growth of cybersecurity skills. Over the past five years, work funded by DCMS has supported over 160,000 young people to forge a career in the cyber sphere. The department has also funded a range of schemes to help adults or career changers to acquire new skills, most recently through the Cyber Launchpad initiative and projects sponsored through the fast track digital workforce fund.
Clearly, there is still much more work to be done to close the cyber skills gap. However, we are making progress. When compared with the 2018 survey, Cyber Security Skills in the UK Labour Market 2021 found that organisations were less likely to report a basic cyber skills gap in areas such as firewall configuration, restricting administrator rights and patching.
Specifically on skills in the telecoms sector, we know that telecoms providers need to have access to people with the right skills to ensure that their networks and services are secure, as the noble and gallant Lord, Lord Stirrup, rightly said. That is why we are creating a pipeline of these skills for the future, with telecoms apprenticeships currently available across the sector, and over 4,500 people starting this year alone.
The creation of the UK telecoms lab, as announced by my right honourable friend the Secretary of State in the other place last November, will facilitate knowledge sharing and promote skills development in telecoms security. The lab will collaborate with DCMS, the National Cyber Security Centre, the newly established UK Cyber Security Council and industry. It will develop and deliver training packages and support the establishment of professional bodies and communities. I hope that these initiatives demonstrate how seriously the Government take the task of supporting telecoms skills, and cyber skills in particular, and why we feel that the review proposed in the amendment is not needed.
I will speak more broadly about our skills agenda. The Department for Education has targeted specific investment in key areas of learning, such as science, technology, engineering and mathematics—STEM—and technical and digital subjects, which could support careers in telecoms. That includes: £2.5 billion of investment in the national skills fund to support adults to retrain and gain the skills they need for the future; nearly £2.5 billion made available for high-quality industry-designed apprenticeships; £500 million a year towards T-levels; up to £290 million to establish institutes of technology across the country, which will be the pinnacle of technical training; and a new £18 million growth fund to support further and higher education providers to expand high-quality higher technical education.
The noble Baroness, Lady Merron, asked about the impact of skills on the removal of Huawei equipment. We have no plans or intention to delay the 2027 target for the removal of Huawei equipment from 5G networks. Indeed, BT, for example, has already shared in the media that it is making good progress on removing Huawei from 5G networks, starting in Hull. We believe that we are on track.
Amendment 23 would require Ofcom to publish an additional statement as part of its annual report, under paragraph 12 of the Schedule to the Office of Communications Act 2002. This statement would contain information about the adequacy of Ofcom’s resourcing, and telecoms providers’ compliance with their security duties. It would also contain Ofcom’s assessment of any future or emerging risks to telecommunications networks, identified by interrogating telecoms providers’ asset registries.
I reassure the Committee that this amendment is also not needed. The Bill already contains a range of reporting mechanisms that will ensure that Ofcom’s role can be properly scrutinised. I will address three of these mechanisms in particular.
First, Ofcom will need regularly to report to the Secretary of State under new Section 105Z, providing information to assist him with the formulation of policy on telecommunications security. New subsection (4)(a) makes it clear that this report must include information on providers’ compliance with the duties imposed on them by the Bill.
Secondly, Ofcom will need to report on telecoms security in its annual infrastructure report. Clause 11 specifies that this should include information on the extent to which providers are complying with their security duties under new Sections 105A to 105D. Thirdly, by virtue of Clause 14, the Secretary of State will need regularly to report to Parliament on the effectiveness and impact of the new telecoms security framework.
The amendment would address three issues. I will take each in turn. The first concerns Ofcom’s resources, on which the noble Baroness, Lady Merron, began. As my noble friend the Minister mentioned at Second Reading, Ofcom’s security budget for this financial year has been increased by £4.6 million. This funding will allow Ofcom more than to double its headcount of people working on telecoms security, ensuring it has the necessary capacity to deliver its new responsibilities under the Bill. The noble Baroness asked specifically about staffing. Ofcom will work with a recruitment partner to secure the specific cyber skills needed to implement this work. This will include seconding in technical expertise to develop its capability further.
As we discussed earlier in the Committee, Ofcom will also work closely with the NCSC, which will share its expertise to support Ofcom’s implementation of the new regime. The noble Baroness mentioned the relationship between Ofcom and the National Cyber Security Centre. As she noted, the two organisations are in the process of developing a memorandum of understanding and have published a statement summarising how they intend to work together. The three key principles set out in that statement are, first, that the NCSC will provide expert technical cybersecurity advice to Ofcom to support implementation of the new telecoms security framework; secondly, that Ofcom and the NCSC will exchange information where necessary and permitted by law; and, thirdly, that the NCSC will continue to provide incident management support during serious cybersecurity incidents to telecoms operators and to Ofcom as necessary. That statement can be found on Ofcom’s website.
The second area of the amendment is a requirement for Ofcom’s annual report to include information on providers’ compliance with their duties under new Sections 105A to 105D. This reporting would duplicate provisions elsewhere in the Bill. Ofcom is already required to report publicly on providers’ compliance with those duties in Clause 11.
The final point in the amendment is about publishing information on emerging and future security risks. This has also been accounted for in the Bill. New Section 105Z(4)(f) already requires that Ofcom report to the Secretary of State any emerging risks it becomes aware of in its annual report on security. The noble Baroness asked about informing the public. It would be at the discretion of the Secretary of State whether to publish this information.
I can assure the Committee that Ofcom takes a forward-looking approach to regulation to ensure that it is robust in the face of market and technological developments. For example, its recent Technology Futures report looked at innovative technologies that will shape the communications industry, with input from the world’s leading technologists.
I hope that I have provided assurance that adequate and detailed reporting requirements for Ofcom are already outlined in the Bill. As I have set out, it already includes provision for reporting on Ofcom’s work, so additional requirements about skills and training are not necessary. I hope that the noble Baroness will therefore be content not to press her amendments.
Baroness Merron (Lab)
I am grateful to noble Lords and to the Minister for his reply, which referred to various items in some detail. What I take from this debate is that, although I am sure that noble Lords are interested to hear of the various initiatives and actions that are in place and which the Minister has rightly emphasised, the question still remains of whether this is enough. Is this exactly what we need? I feel again that this is something of a theme in our debates throughout Committee. Nobody is suggesting to the Ministers that nothing is being done, but is it being done coherently, is it sufficient and is it what is needed? That is again left hanging in the air.
I am grateful to the noble and gallant Lord, Lord Stirrup, who referred to—these are my words—the need for a national strategy which would, in his words, shape and guard our future. That is exactly the point of these amendments. Indeed, the Government do not do everything, but it is only the Government who have a role in bringing all the parties together and have the ultimate responsibility for security in this country, of course.
I note the helpful remarks from the noble Lord, Lord Fox, who referred to the need to work with other government departments. I would feed that into my point about the need for a strategic approach. My sense from this debate is that this is the part that is not quite clear. As the noble Lord, Lord Fox, asked, what is the plan? We have insight into actions, but whether that is a strategy or a plan is hard to make a judgment on. The Minister indicated that 50% of companies in the relevant sector—that seems a lot—are reporting that they have a lack of cybersecurity skills. Something else that I thought was important was when the Minister spoke of a lack of confidence. We all know that a lack of confidence in any sector, particularly this sector, is problematic and must be addressed.
It is disappointing that the Minister’s response is, again, that this is not necessary and we do not need to publish or to report to Parliament, because I feel it is a missed opportunity to satisfy the country and, within that, noble Lords. It is a missed opportunity to satisfy those who have the security of this country at heart, as the Minister does, about whether the measures are enough and whether they will go fast enough, fully meet the needs of the necessary part of the industry and provide the security needed. Although I am disappointed, I beg leave to withdraw the amendment.
Baroness Merron (Lab)
“Network diversification
(1) The Secretary of State must publish an annual report on the impact of progress of the diversification of the telecommunications supply chain on the security of public electronic communication networks and services.(2) The report required by subsection (1) must include an assessment of the effect on the security of those networks and services of—(a) progress in network diversification set against the most recent telecommunications diversification strategy presented to Parliament by the Secretary of State;(b) likely changes in ownership or trading position of existing market players;(c) changes to the diversity of the supply chain for network equipment;(d) new areas of market consolidation and diversification risk including the cloud computing sector;(e) progress made in any aspects of the implementation of the diversification strategy not covered by paragraph (a);(f) the public funding which is available for diversification.(3) The Secretary of State must lay the report before Parliament.(4) A Minister of the Crown must, not later than two months after the report has been laid before Parliament, move a motion in the House of Commons in relation to the report.”Member’s explanatory statement
This new Clause requires the Secretary of State to report on the impact of the Government’s diversification strategy on the security of telecommunication networks and services, and allows for a debate in the House of Commons on the report.
Baroness Merron (Lab)
My Lords, I move the amendment in my name and thank the noble Lords, Lord Fox and Lord Alton—he could not join us today —for their support.
The amendment is about ensuring that the intent of the Bill can be delivered, and the measures that we are all in favour of will actually happen. There is therefore a link to the earlier debates. Throughout these debates it has become clear that diversity of suppliers is needed at different points of the chain, with sufficient support for the UK’s own start-ups. That will be the only way in which we can secure proper telecoms security.
Even the Government’s 5G diversification strategy demonstrates how diversification and security are inherently linked. It states that if the status quo remains with market consolidation, it will lead to
“an intolerable security and resilience risk”.
However, as was said clearly in earlier debates, the Bill does not even mention supply-chain diversification or the diversification strategy, even though we would all agree that we cannot have a robust and secure network with only two service providers—Ericsson and Nokia—which is the number that will be left once Huawei is removed from our networks. I hope that the noble Baroness the Minister will have the opportunity to address that concern.
It is of course right to remove high-risk vendors from the UK’s networks and enable the Government to designate vendors and require telecoms operators to comply with security requirements. However, as seems obvious, our networks will not be secure if the supply chain is not diversified. All that will happen is that there will be a shift of dependency to another point of failure.
Therefore, the amendment requires that network diversification is reported on annually. That can include an assessment of likely changes of ownership of existing market players, new areas of market consolidation and available public funding. The report could also provide proper accountability for the strategy’s progress, which will lead to real action. That is what we need. We know that that was called for by the Science and Technology Committee, which criticised the current diversification strategy for not having an action plan with clear targets and timeframes for how that funding will be spent.
The Minister will expect a question on how the announced £250 million funding will be spent. We all know that there are small start-up suppliers in this sphere which are desperate for this kind of support. I should also refer to the new advisory council, which, as she knows, I will come to in a later group. There are many unanswered questions about the adequacy and independence of its advice.
We cannot have a secure network with only two service providers, which is what we will effectively be left with after the removal of Huawei. So we need a diversified supply chain, which means diversity of supply at different points in the supply chain and networks not sharing the same vulnerability of a particular supplier. That is incredibly important for network resilience. That is why the amendment has been tabled. We are concerned to ensure that national security is not put at risk due to a lack of diversification. I beg to move.
The Earl of Erroll (CB)
My Lords, this point is very important and has been put across very well by the noble Baroness, Lady Merron. Network diversification will increase resilience and security for various very obvious reasons. The main thing is not just the supply chain. How the internet works is that messages are split over a whole lot of different routers going all over the place. Two things happen. First, because it is split up, if they are all going across different vendors, it is impossible to intercept the entirety of the messages. If it is all over one vendor and there is a clever way of monitoring that, it might be possible to put it together. Funnily enough, if you have lots of vendors, it does not matter whether Huawei is in there or not, and you will end up with flaws.
Also, the resilience of the internet is such that if you knock out a good chunk of the routers, it will still work and automatically route around the ones that have not been knocked out. If they are all from one vendor and all have the same flaw in them at some point, whether they are friendly vendors or not, you can take the whole lot out at once. The very fact that you have a good mixture gives you greater resilience and security. Everyone seems to think that it still runs over a copper wire from one end to the other, but it does not. The IP world is very different from that. That is the main thing.
Amendment 20 is also about long-term strategy. My noble and gallant friend Lord Stirrup is right about all these things. Although the amendments are not in this group, I might as well say now, rather than waste the Committee’s time later, that this lies with the principle of Amendments 18 and 25, that we need the right advisers, who can then advise on the issues that we are now discussing in Amendment 24. It all hangs together. We should not be chopping this up and structuring the Bill in a way that makes us vulnerable.
We may think that we have got the right people in, but we have clearly failed to do all this so far. This is the place to rectify our blindness. From the Minister’s comment, I think that the major change is the diversification and proliferation of civil service departments that are involved in security. That really does reduce our security. The lack of coherence will cause confusion like nobody’s business and will be very expensive.
Baroness Stroud (Con)
My Lords, I support Amendment 24, tabled by the noble Baroness, Lady Merron, which adds a new clause to the Bill that would tackle the pressing issue of network diversification.
As we have heard, the amendment places a duty on the Secretary of State to produce an annual report to Parliament on the progress that has been made in diversifying suppliers for our critical infrastructure in our telecommunications networks and services. The report would then be debated in the other place, ensuring that there is sufficient parliamentary oversight of the successes, challenges and opportunities of our diversification strategy. As I think about it, I am not sure why the Government would not want to commit to such an undertaking. As we have already heard this afternoon, the diversification of our telecoms networks needs to be a priority for this Government and an integral part of Ofcom’s reporting on the progress of these networks.
However, it is important to note that we have a Government who understand the seriousness of this issue. Indeed, the Secretary of State told the other place on 30 November 2020:
“We must never find ourselves in this position again. Over the last few decades, countless countries across the world have become over-reliant on too few vendors”.—[Official Report, Commons, 30/11/20; col. 75.]
This should never have been allowed to happen, and as I have mentioned, I fear that without the adequate parliamentary oversight that this amendment could give us, it is at risk of happening again.
Despite the reassuring statements from the Foreign Secretary, as highlighted in Tuesday’s Committee by the noble Lord, Lord Alton, we have seen new vendors come to market that are also high risk. The noble Lord said:
“Last week, we learned that, in a deal estimated to be worth £63 million … the UK’s largest producer of semiconductors … has been acquired by the Chinese-owned manufacturer Nexperia. Nexperia is a Dutch firm but is owned by China’s Wingtech.”—[Official Report, Lords, 13/7/21; col. GC 461.]
On Wednesday, this led to the Prime Minister expressing concern after the Business Secretary had said that the Government were monitoring the situation closely but did not consider it appropriate to intervene at the current time.
This new challenge is set against the backdrop of the noble Lord, Lord Grimstone, who is at the Department for International Trade, telling the House that he wants to deepen trading relations and trade deals with China, and of China having just overtaken Germany to become the UK’s biggest single import market for the first time since records began. Goods imported from China rose 66% from the start of 2018 to nearly £17 billion in the first quarter of this year.
Lord Fox (LD)
I thank the various noble Lords for their contributions. I will speak to Amendment 24, which bears my name, but I recommend that the noble Baroness, Lady Stroud, reads the Chancellor’s Mansion House speech, in which he calls for a nuanced relationship with China. Failing that, she could read my speech on the first group of amendments, in which I challenged how nuanced a relationship can be with a country threatening both our security and that of its own people. At the heart of the Government’s challenge is to be all things to everyone in this argument. They are doomed to fail if they try to do that.
I turn to the amendment I am supposed to be speaking to. As we discussed at Second Reading, there are essentially three strands to the diversity strategy. The first leg is supporting incumbent suppliers. I was corrected by the Minister: this refers not to domestic suppliers but suppliers we already have, presumably— although it is not explicit—with the ones we do not want having been weeded out. The second is attracting new suppliers into the UK market, and the third is accelerating open interface solutions, which I assume helps the second of those strands in particular.
There is not a strand about growing a domestic industry; some of us—I am one of them—were confused about this. It mostly seems to be about taking advantage of other countries’ businesses that we can trust—or think we can at the moment; I refer the Committee to earlier comments by the noble Earl, Lord Erroll, about today’s allies not always being tomorrow’s allies—rather than massively growing our own national capability. Bearing in mind those three legs, it would be helpful to hear from the Minister how the improvement in the domestic share of this market is planned.
In her letter to many of us on the subject of diversification, the Minister made the point that Vodafone has already attracted six new suppliers, two of which were Samsung and NEC, into the market through the open RAN deployment. I think I asked her at Second Reading when open RAN would become a significant player in telecoms delivery in this country. If she gave an answer then I am afraid I mislaid it, so can she tell us when open RAN will become a significant player or whether it is something of a sideshow? I do not mean that in a bad way; it is a recognition of where it really is in the market at the moment.
The biggest challenge I have with this is that the Government have launched a lot of strategies. They usually come with a glossy document and a picture of a smiling Secretary of State. I can confirm that this strategy is no exception. We have a very nice picture of the Secretary of State, Oliver Dowden, on page 3, but it does not come with a timeline and a delivery plan. The Government would not issue a strategy if they did not have a delivery plan, so I am sure there must be one. I think it would help us all if we understood what the delivery plan is. Perhaps the Minister could share with the Committee the timeline for the delivery of this strategy, otherwise many of us might suspect that it is something that gets only launched, not delivered. I understand that money has been put into it but, again, that does not guarantee that outcomes will be forthcoming.
This amendment has been tabled to reveal how that timeline is going and how the outcomes are being delivered. That is what it is for. It would enable the Government’s spending of taxpayers’ money on delivering this strategy to be tracked by Parliament. That seems a perfectly reasonable function for Parliament to have.
The Minister might come back and say that DCMS is being asked to lay all sorts of things before Parliament. If that is the case, I think that all of us, including me, the noble Baroness, Lady Merron, who spoke very capably on this, the noble Earl, Lord Erroll, the noble Baroness, Lady Stroud, and others are quite capable of coming up with a composite annual report that covers not just the items in Amendment 24, but those in Amendment 25 on strategy, Amendment 23 on Ofcom’s performance, and Amendment 26 on skills. Taken together, I am sure we could put together a composite annual report in the next round of discussions that would save DCMS having to make several different annual reports. I suspect that that might be a way forward and look forward to the Minister embracing this idea, because of course DCMS wants to demonstrate how it is delivering its diversification strategy.
Baroness Barran (Con)
I am grateful to all noble Lords for their contributions to this short debate and consideration of the Government’s ambitious diversification strategy. The amendment tabled by the noble Baroness, Lady Merron, raises the important issue of diversification, which I know is of great interest to your Lordships, as it was to Members in the other place. Diversification is a key part of the Government’s broader approach to ensuring that our critical networks are healthy and resilient. That is why the Government set out their 5G diversification strategy last autumn, and we are fully committed to ensuring that this strategy comes to fruition.
Our long-term vision for the telecoms supply market is one where, first, network supply chains are disaggregated, providing network operators more choice and flexibility; secondly, open interfaces that promote interoperability are the default; thirdly, the global supply chain for components is distributed across regions, creating resilience and flexibility; fourthly, standards are set transparently and independently, promoting quality, innovation, security and interoperability; and finally, security and resilience is a priority and a key consideration in network design and operation. However, the Bill focuses on setting clear security standards for our public networks and services. As the noble Baroness, Lady Merron, pointed out, although diversification is designed to enhance security and resilience, not all diversification activity is relevant to the security and resilience of our networks. That is why we believe the amendment would not be appropriate.
The Government have already made progress since the publication of our strategy, including the creation of the Telecoms Diversification Taskforce, which set out its recommendations in the spring. Work is already under way to implement several of those recommendations. Research and development was highlighted by the task force as a key area of focus in order to promote open-interface technologies that will establish flexibility and interchangeability in the market. As raised by the noble Baroness, Lady Merron, and the noble Lord, Lord Fox, it will also allow a range of new smaller suppliers to compete in a more diverse marketplace.
That is why the Department for Digital, Culture, Media and Sport was delighted to announce the launch of the future radio access network competition on Friday 2 July. Through this, we will invest up to £30 million in open radio access network research and development projects across the UK to address barriers to high-performance open deployments. This competition is part of a wider programme of government initiatives, which includes the SmartRAN Open Network Inter- operability Centre—more friendlily known as SONIC Labs—a facility for testing interoperability and integration of open networking solutions, which opened on 24 June. A number of leading telecoms suppliers are already working together through this facility.
We welcome recent announcements from operators including Airspan, Mavenir, NEC and Vodafone to introduce open radio access networks into their infrastructure. This demonstrates that industry is working alongside us, here in the UK, to drive forward the change needed in the sector. We continue to work with mobile operators, suppliers and users on a number of other important enablers for diversification; for example, we are developing a road map for the long-term use and provision of legacy network services, including 2G and 3G. Alongside this, the Government have led efforts to engage with some of our closest international partners, including the Five Eyes, to build international consensus on this important issue.
We are also working to deliver on UK issues in standard- setting bodies, and working with industry, academia and international partners to ensure that standards are set in a way that aligns with our overall objectives. Ensuring that standards are truly open and interoperable will drive market growth and diversification. Through the UK’s G7 presidency, we took the first step in discussing the importance of secure and diverse supply chains among like-minded partners and the foundational role that telecommunications infrastructure, such as 5G, plays.
The noble Baroness, Lady Merron, asked how we were planning to spend the initial £250 million, which we announced to kick off work to deliver our key priorities. These priorities have been informed by the recommendations of the Telecoms Diversification Taskforce and include: establishing a state-of-the-art UK telecoms lab; exploring commercial incentives for new suppliers; launching test beds and trials for new technologies such as open RAN; investing in an R&D ecosystem; and seeking to lead a global coalition of like-minded partners on an international approach to diversification. In response to questions from the noble Baroness and the noble Lord, Lord Fox, about the growth of UK businesses, we have been clear that we are focused on investing in the UK and in UK businesses, but do not think that a UK-only solution is a wise or realistic option.
We are working closely with operators and suppliers to develop targeted measures that address the needs of industry to deliver our long-term vision for the market. We responded to the task force’s findings in July and outlined our next steps and the use of that initial investment. If the noble Earl, Lord Erroll, has not seen the government response, I am sure he would find it interesting. It also sets out our plans to create a diversification advisory council, which will meet quarterly. I hope that responds to his question.
Baroness Merron (Lab)
My Lords, this has been a short debate but it has been valuable in shining a light on the requirement for diversification and the need to be sure that we are in the right place. I thank the Minister for her reply and the details she gave in response to various questions, including my own. Of course, as ever—I am beginning to feel like a stuck record—the requests to ensure that there is a reporting facility, so that we know all the things in place actually work, have not been accepted.
I was interested in the confidence of the noble Lord, Lord Fox, when he suggested to the Minister that there could be great creativity employed by all noble Lords. I am sure that is indeed the case, but I say to him that I fear our creativity is perhaps not required on this occasion, although I am sure we will stand ready should it be so.
I welcomed the comments of the noble Earl, Lord Erroll, who spoke about the shifting sands of alliances and allies. That is an important point when we consider diversification. I did of course hear the Minister say, rightly, “Of course, this is not just a UK solution to our security”, for a range of excellent reasons. However, we have to be able to take our place and it is that which is of concern. It is not just that the chain is in reference to the UK but that it should take account of those shifts which the noble Earl referred to.
The noble Baroness, Lady Stroud, again asked: “Why on earth would the Government not want to have more parliamentary oversight?”. I will leave that to others to answer, but it seems that it is not flavour of the month in the debate that we are having.
The Minister referred to my question about how the £250 million would be spent, and I am sure it was of great interest to all noble Lords to hear that. Yet it still leaves the question as to why it cannot be matter of report, of why Parliament cannot be not just reassured but informed, and have the opportunity to interrogate and to add. I have a sense that parliamentary oversight—and not just in this area—is not regarded as something which assists process, when in fact the whole experience is that it does. With that, I beg leave to withdraw the amendment.
Baroness Merron
“Telecoms Supply Chain Diversification Advisory Council: security function
(1) The Telecoms Supply Chain Diversification Advisory Council must discuss the impact of diversification on the security and resilience of public electronic communication networks and services at their quarterly meeting.(2) The Telecoms Supply Chain Diversification Advisory Council may advise the Secretary of State based on those discussions, and this advice must be published. (3) The membership of the Council must include members with expertise in security.(4) The appointments process for the Council must be transparent and consider the previous security experience of applicants.”Member’s explanatory statement
This amendment aims to probe the function of the Advisory Council in relation to the Bill.
Baroness Merron (Lab)
My Lords, I am pleased to speak to Amendment 28, which stands in my name. It is the result of a number of recent developments, which I shall refer to. Noble Lords will be aware that on 2 July the Government published their response to the Telecoms Diversification Taskforce’s report and in it announced that the taskforce was now to transition into the Telecoms Supply Chain diversification advisory council, which came up earlier today. The Minister will recall that in response to a Written Question from me she said:
“The Advisory Council will play a key role in overseeing and offering scrutiny to the delivery of the 5G Supply Chain Diversification Strategy. We will also draw on the expertise of the Advisory Council for wider telecoms supply chain diversification issues beyond the RAN (Radio Access Network).”
That is all well and good. However—and this is the point that the amendment seeks to unravel—the Government have also announced that Mr Simon Blagden will be the new chair of this permanent council. Noble Lords will be aware that Mr Blagden was the non-executive director of Fujitsu UK during the Post Office scandal and has donated more than £215,000 to the Conservative Party.
As we have all discussed, diversification is inherently linked to security, so the new advisory council has to provide sound, expert advice that will secure our telecoms network, and we need confidence in that. The point I want to explore with the Minister, as she is already aware from Written Questions that I have submitted, is that the appointment of Mr Blagden raises a number of serious questions about the council’s independence and how the appointment will be able to benefit national security.
In addition to tabling Amendment 28, I have a number of questions to tease out all these points. It is also worth noting that in the past 24 hours there have been reports of a telecoms company, IX Wireless, having given—it has come to light through correct declarations of course—more than £20,000 to Conservative MPs, while the Secretary of State has given this same company glowing endorsement at a launch event, with a promotional film, which I have seen, showing him in his ministerial office with the executives of that company.
I should say to the Minister that it is a question not just of how things are but of how things look. Of course there will be facts on which I am sure the Minister can enlighten us. I have a number of questions in that regard for her relating to an inquiry about the appointment process that was in place for Mr Blagden. Who was involved and which Minister made the final decision? Will there be payment for Mr Blagden in his role as chair? How will the council give independent advice and what happens if Ministers reject that advice? Will there be security experts as members of the advisory council? What knowledge did Mr Blagden have of the faults with the Horizon system during his time at Fujitsu? Can the Minister confirm that Mr Blagden has no remaining financial interests in Fujitsu?
I know that the noble Baroness may not be in a position to answer those questions now. In which case, I hope that she will write to me before we go into the Summer Recess. I beg to move.
Lord Fox (LD)
Before I comment on that excellent speech from the noble Baroness, Lady Merron, I want to return to the answer that the Minister gave on the Newport Wafer Fab issue, which proves the point that we were making on the need for the ISC to be involved. Regarding the ISC issue, the Government furnished themselves with the National Security and Investment Act, which was supposed to deal with issues such as this. However, the Prime Minister has chosen to refer it back not to the people running that unit but to the National Security Adviser, which proves the point that someone with access to national security information is needed to make decisions of this nature, rather than an organisation that does not have access to the information. It absolutely proves the point that our amendment on the ISC is completely appropriate, just as it was appropriate for the BEIS analogue of what is happening here.
The noble Baroness, Lady Merron, made an excellent speech and I am not going to attempt to adorn it either with my normal flippancy or with detail. There is just one issue that I wish to raise regarding Simon Blagden. Are there any outstanding legal liabilities from his time at Fujitsu? In other words, has his activity been fully exonerated or is there potential legal recourse? Other than that, I echo the point that perception of these issues is as important as reality. If the Government continue to operate in a black-box way, everybody will assume that things are going on that they cannot see and that should not be happening. It is therefore in the Government’s interests to be transparent about how that person in particular was appointed and how the advisory council will operate.
Baroness Barran (Con)
My Lords, I thank the noble Baroness, Lady Merron, for tabling the amendment and for giving me an opportunity to provide an update on the work of the Diversification Taskforce and the new diversification advisory council.
The Government recently announced the council, building on the work of the Diversification Taskforce, chaired by my noble friend Lord Livingston of Parkhead. I should like to take this opportunity to offer my thanks to him and the taskforce members for volunteering their valuable time and knowledge to their excellent review. Their recommendations and expertise will remain crucial to helping us bring greater resilience and competition to our future networks as the taskforce now transitions to the new diversification advisory council.
The Government recognise that diversification is a broad and complex issue relating to matters of security and resilience, technology and geopolitics. It is for this reason that we sought the advice of the experts appointed to the diversification task force. Many of the task force members will continue to provide advice as part of the new advisory council. In appointing the membership of the advisory council, the Government have followed all standard processes. The Government have ensured that the council comprises experts from both industry and academia across a wide range of subject matters, including security, of course.
Baroness Merron (Lab)
My Lords, I thank the Minister for her response. I will of course read it carefully so that I can again appreciate her answers to my various questions. There are some questions that I think are still outstanding, which also chime in with the question from the noble Lord, Lord Fox, regarding Mr Blagden’s links with Fujitsu and continuing potential issues in relation to that. I feel there are still some unanswered questions and would be grateful for a reply to those. I am absolutely sure that the Minister will write to me about those points.
I am grateful to the noble Lord, Lord Fox, for making the point, as I did, that there is reality and perception, and they both matter. There are clearly concerns about this appointment and about the need for assurance regarding security advice being impartial and appropriate. It is undoubtedly the case that sunlight is always the best disinfectant so, if there are any chinks of sunlight not yet coming through, I am sure that they will be forthcoming. With that, I beg leave to withdraw this amendment.
“Oversight by the Investigatory Powers Commissioner
(1) The Investigatory Powers Act 2016 is amended as follows.(2) After section 229(3)(j) insert—“(k) the exercise by the Secretary of State of functions under section 105Z1 of the Communications Act 2003”.”Member’s explanatory statement
This amendment would give the Investigatory Powers Commissioner oversight of the power given to the Secretary of State in this Bill to outlaw the use of individual vendors.
Lord Fox (LD)
I am moving this amendment on behalf of my noble friend Lord Clement-Jones, in whose name it is, who unfortunately could not come today. He figured that this would be taken on day three of the process, but we have got ahead of ourselves. I also thank the noble Earl, Lord Erroll, for his support for this amendment when he spoke to the second group. It is appreciated. I know that he has had to leave.
As Comms Council UK has pointed out, new Clause 105E is not the only new clause to give the Secretary of State extensive powers; there are others. New Clause 105Z1, for example, gives powers to the Secretary of State to outlaw the use of individual vendors, potentially with no parliamentary oversight, if the Secretary of State considers that it would be contrary to national security.
Clause 15 creates a scheme for dealing with particularly high-risk vendors by inserting new clauses into the Communications Act 2003. These empower the Secretary of State to give designated vendor directions where they consider it
“necessary in the interests of national security”
and the requirements imposed are
“proportionate to what is sought … by the direction.”
The designated vendor direction can impose wide-ranging requirements on providers on their use of
“goods, services or facilities … made available by a designated vendor specified in the direction.”
While vendors are entitled to notice of their designation if “reasonably practicable” to do so, they are not entitled to be consulted or informed of the reasons for the designation if the Secretary of State considers it contrary to national security. Vendors are also entitled to notice when directions are imposed on providers or when a designated vendor direction is revoked, but this right does not apply if the Secretary of State considers it contrary to national security.
The effect of all this is that, while a vendor may know of its designation, the providers with which it does business can have various restrictions imposed because of their relation to the designated vendor without the vendor knowing the reasons or possibly the existence of such directions. This is complicated but serious, and in several scenarios the vendors would have no real prospect of mounting any legal challenge, even under the closed material procedures provided for in the Justice and Security Act 2013.
Cutting to the chase, this amendment would give the Investigatory Powers Commissioner oversight of the power given to the Secretary of State in the Bill to outlaw the use of individual vendors. Without this, we are telling suppliers that they essentially have to operate without full legal protection. I cannot help thinking that this will discourage the future investment we need. I am interested to hear how the Government think they can mitigate an essentially Orwellian situation in which people find themselves in an adverse legal position but they do not know why, and sometimes they do not even know that they are there. I beg to move.
Baroness Merron (Lab)
My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Fox, for tabling this amendment. I do not have too much to add to this brief and interesting debate, but I take the opportunity to thank the Constitution Committee for its report on the Bill.
At Second Reading the Minister said:
“Oversight of the Investigatory Powers Act regime by the Investigatory Powers Commissioner is considered appropriate because of the potential intrusion into the private lives of individuals as a result of the use of covert powers. The national security powers in this Bill are very different from those in the Investigatory Powers Act”.—[Official Report, 29/6/21; col. 747.]
However, she did not say why it would be wrong for the commissioner’s remit to change. This is the one point I put to the Minister, and it would be helpful to have a response.
Lord Parkinson of Whitley Bay (Con)
My Lords, I thank the noble Lords, Lord Fox and Lord Clement-Jones, for tabling this amendment. As the noble Lord, Lord Fox, says, the noble Lord, Lord Clement-Jones, is a victim of the speedy progress we have made in this Committee.
Like them, I recognise the importance of proper oversight and scrutiny in the use of the Bill’s powers. The amendment they tabled aims to give the Investigatory Powers Commissioner oversight of the Secretary of State’s power to issue designated vendor directions. The Bill already contains effective mechanisms for oversight of the Secretary of State’s use of those powers to give a designated vendor direction or designation notice. It requires the Secretary of State to lay copies of designation notices and designated vendor directions before Parliament. That will provide Parliament with the opportunity to scrutinise their use.
As the Committee has heard, on very rare occasions the Secretary of State may choose not to lay a designation notice or direction before Parliament because to do so would be contrary to the interests of national security. Where this is the case, the Digital, Culture, Media and Sport Select Committee will be able to view such directions and notices, so there will be oversight there.
On the legal point that the noble Lord, Lord Fox, raised, designated vendor directions and designation notices are subject to ordinary judicial review principles. The Secretary of State will issue designation notices and designated vendor directions only where they are necessary in the interests of national security and the requirements in the directions are proportionate.
The Investigatory Powers Act 2016 provides a frame- work for use by the security and intelligence agencies, law enforcement agencies and other public authorities to obtain communications and communications data. The role of the Investigatory Powers Commissioner is independently to oversee the use of these powers, ensuring that they are used in accordance with the law and in the public interest. The regime set out in the Investigatory Powers Act is not directly comparable with the new powers and framework set out by this Bill, as the noble Baroness, Lady Merron, noted. The reason for that is that oversight of activity by the Investigatory Powers Commissioner, as authorised by the Investigatory Powers Act, is considered appropriate because these powers often involve balancing important questions regarding the right to privacy.
The national security powers in this Bill are very different from those in the Investigatory Powers Act. They focus on protecting public telecommunications networks and services from the threats posed by high-risk vendors. That is different from questions about individual citizens, their communications and their communications data. That is why we respectfully disagree with the suggestion by the Constitution Committee of your Lordships’ House and feel that it would not be appropriate for the Investigatory Powers Commissioner to have an oversight role in respect of this Bill.
Briefly, that is why the Government disagree with this amendment and hope that the noble Lords, Lord Fox, will be content to withdraw it.
Lord Fox (LD)
I thank the Minister for his response—but not much. There is a tendency, which has come through in this and lots of other Bills, for representatives of Her Majesty’s Government to stand up and completely ignore important committees of this House. The Constitution Committee and the Delegated Powers and Regulatory Reform Committee are not any old committees; they are very serious. The way in which their advice—or rather more than advice—has been dismissed across the board by both Ministers in this debate is a serious development. I implore representatives of Her Majesty’s Government to take those committees more seriously, because their not being observed is somewhat an abuse of process.
That said, I will read the Minister’s response in detail, with a suitably socially distanced lawyer to advise me. I do not think we have heard anything that makes this amendment less needed but, at this stage, I beg leave to withdraw the amendment.
“Definition of public electronic communications network
In section 151 of the Communications Act 2003, in the definition of “public electronic communications network”, at the end insert “, including—(a) landline communications systems;(b) mobile data, audio and video networks;(c) digital surveillance networks;(d) satellite delivered networks;”.”Member’s explanatory statement
This amendment clarifies the definition of “public electronic communications network”.
Lord Fox (LD)
We are down to the irreducible minimum. During my Second Reading speech, I asked the Minister about the range of technologies covered by the Bill. I do not recall getting a meaningful answer, so I thought I would try again using this as a probing amendment.
The noble Baroness, Lady Merron, talked about the creativity of your Lordships. I am now going to test your memory functions, which I know can sometimes be stretched in this House. I would like your Lordships to cast your minds back to 2003, the year when the Nokia 1100 mobile phone was introduced. Few noble Lords will remember the number, but most of you will remember the phone. It was an iconic phone that took over mobile telephony. For those who would like to see one, I have two and, for as long as 3G is available, they will continue to work. More than 250 million of these basic GSM phones were sold. It was the best-selling consumer electronics device in the world at that time—the state-of-the-art communications device—and was discontinued in 2009.
Meanwhile, at the same time, the Communications Act 2003 was introduced to regulate machines such as the Nokia 1100. This has not been discontinued but has enjoyed several patches along the way. As I have said, this is a probing amendment seeking to clarify the definition of “public electronic communications network” within the 2003 Act. I think you see what I have done; I have tried to illustrate that the world has changed a bit since 2003.
The amendment seeks to amend Section 151 of the Communications Act by adding a contemporary definition of the range of communication networks that increasingly have emerged since the Act was conceived, when Nokia ruled the roost. It would introduce a new clause to the Bill that would define the “public electronic communications network” as
“landline communications systems … mobile data, audio and video networks … digital surveillance networks … satellite delivered networks”.
My first question to the Minister is: in her opinion and that of the department, which of these categories is covered by the Bill and which is not? I also have some specific scenarios that I would like the Minister to consider. The noble Baroness, Lady Merron, will be pleased to note that they are focused on the consumer—an issue she addressed earlier in the week.
First, when broadband or 5G are delivered by satellite, whether by the BEIS-owned OneWeb or the Musk-owned SpaceX, to what extent is the satellite element covered by this legislation?
Secondly, when a facial recognition camera captures an image, sends that image to a database using a closed network and, in turn, contacts either a public sector or private sector operative via a smartphone, which part of this—if any—is covered by the legislation?
Thirdly, data is being relayed back and forth over smart speakers—Alexa and its, or her, colleagues—so do these transactions fall within the purview of the Communications Act or the Bill? For example, with smart speakers, does the Bill cover only the transmission and not the speaker itself? If that is true, what, if anything, covers the security integrity of the speaker and its software?
My fourth question concerns data travelling between smart meters, home thermostats, camera doorbells and the ever-increasing internet of things. How is their security and integrity protected by the Bill? If the answer is that they are not protected, where do these modern manifestations of communications fit in? How is the security of these things being protected for the consumers of today?
This is not just a piece of legislative housekeeping. The noble Lord, Lord Alton, raised other potentially risky companies in his speech on Amendment 1; at Second Reading I raised a range of other companies. I will not repeat them but they are in Hansard. These are just a few of the businesses involved in the sorts of activities that I have just outlined, so by understanding which activities are included in the Bill we may start to understand which companies and technologies it includes. It is about how satellites, cameras, smart speakers and the internet of things fit in the purview of what is now called communications. Times have changed since 2003. Can the Minister please update us? I beg to move.
Baroness Merron (Lab)
My Lords, I thank the noble Lords, Lord Fox, Lord Clement-Jones and Lord Alton, for tabling this amendment. The noble Lord, Lord Fox, has set out why they believe this definition of a public electronic communications network is needed. I also appreciated his reference to the importance of consumers, who, after all, are core in all our discussions.
It is important to hear from the Minister whether she believes that this definition is limiting for security purposes and what impact it would have. Perhaps she can advise on whether she feels that anything is missing which should be in there. Would this definition inhibit the future-proofing ability of the Bill? I look forward to hearing from the Minister.
Baroness Barran (Con)
This amendment seeks to clarify the definition of a public electronic communications network contained within Section 151 of the Communications Act 2003. I thank the noble Lord, Lord Fox, for moving it. It aims to do this by including specific examples of networks and systems covered by that definition.
In response to the noble Lord’s first question, three of the suggested examples in the amendment are already covered by the current definition of public electronic communications network, to the extent that they are electronic communications networks
“provided wholly or mainly for the purpose of making electronic communications services available to members of the public”.
These three examples are: landline communication systems; mobile data, audio and video networks; and satellite-delivered networks.
However, as the noble Lord explained, the amendment also refers to “digital surveillance networks”. I understand that the noble Lord is referring principally to CCTV and other similar technologies of the kind used by law enforcement and local authorities for specific surveillance purposes. These types of technologies have been raised by a number of noble Lords in previous debates, including the noble Lords, Lord Alton and Lord Fox. Such closed networks do not fall within the definition of a public electronic communications network as set out in Section 151 of the Communications Act. That definition refers to an electronic communications network that is provided
“wholly or mainly for the purpose of making electronic communications services available to members of the public”.
I emphasise “wholly or mainly”, because the noble Lord gave examples of where services might be provided which could reach a member of the public, but not “wholly or mainly”.
The powers in the Bill are intended to create a stronger regulatory and legislative framework to protect against the security threats to our public electronic communications networks and services, such as those provided by companies such as BT and Vodafone. Public networks are those most widely used by businesses and the public and it is right that the Bill should focus on the protection of those networks. Furthermore, any change to the definition of public electronic communications networks to include CCTV and other similar networks to which the noble Lord referred would affect other sections of the Communications Act beyond those relating to security. That is because the current definition of a public electronic communications network is used across Chapter 1 of Part 2 of the Act, and not only in Sections 105A to 105D, which this Bill replaces.
The consequences of such a change would be wide-ranging. For example, Section 127 creates a criminal offence of improper use of public electronic communications networks, as defined by Section 151. If the definition changed, the scope of those caught by that offence would also change. It would also affect other legislation that makes reference to the Act’s definition, such as the Privacy and Electronic Communications (EC Directive) Regulations 2003 or the Insolvency Act 1986. Any such change to the definition would therefore have substantial unintended impacts for providers of digital surveillance networks and for many other entities, including Ofcom, of course.
The noble Lord also asked how the security of digital surveillance networks could be assured. There is of course already legislation and extensive guidance in place to assure security and prevent the abuse of information gathered by CCTV and surveillance camera networks. As noble Lords will be aware, the Information Commissioner’s Office is the UK’s independent regulator for data protection and is responsible for providing advice and guidance on compliance with the UK’s data protection laws. All organisations in the UK that process personal information must comply with the requirements of the UK General Data Protection Regulation and the Data Protection Act 2018. The Information Commissioner’s Office has issued a specific data protection code that provides recommendations on the use of CCTV systems to help organisations comply with the Data Protection Act.
The Information Commissioner’s Office’s code and the Data Protection Act ensure that any personal data gathered via CCTV and similar networks is kept confidential and subject to the highest protections, including secure encryption of data. Where closed networks, such as CCTV and other similar surveillance technology, are used by public bodies or within critical national infrastructure, there are specific arrangements in place. Lead government departments, advisory partners —including the National Cyber Security Centre—and regulators work with infrastructure owners and operators to manage and mitigate the risk of security issues. There are, therefore, already adequate measures in place regarding safe deployment of CCTV and other similar surveillance technologies within the UK. Indeed, we are strengthening the actions we can take in this area.
Lord Fox (LD)
My Lords, there are more Bills to follow; I fear that I am being drafted into the purchasing Bill and the other Bill that the Minister just mentioned.
The Minister is wrong to conflate data protection with security—we are talking not about data protection but about security. There is a big difference between the role of the ICO and that of security. I do not think that that helps answer the questions that I was asking.
Perhaps this is for the Bills to come rather than today’s Bill, but there is something about the collective threat. If everybody’s smart meter is shut down that is a national emergency, not a personal emergency. There is a national security issue around personal data devices and somewhere, whether in this Bill or those to come, there needs to be the recognition that collective security happens when everybody’s systems are secure from threat. If I were a terrorist, it would be much easier to do those kinds of things than doing some big, national thing that is protected by the National Cyber Security Centre.
That is the point of what I am putting forward. The internet of things increases the security risk to every home all the time. Similarly, every time someone turns on their GPS locator, they are putting themselves into a system that is followed. The Minister carefully used the phrase wholly or majority use data. Increasingly with cars and satellite navigation systems, and when we move to electric and autonomous locations, all that data is becoming publicly available. In other words, my car is fed into your car, which is fed into her car to make sure that we do not run into each other. The idea that somehow you can draw these lines and say that only 10% of the data is used in a public way and 90% is not starts to become irrelevant, if it is not already. That is what I am trying to highlight.
I did not expect for a minute the Minister to say that the Government would amend Section 105 of the Act. The point was to really highlight this issue, because if the Government do not address it in this way or another then personal security on a mass level is compromised, which then becomes a national security issue. That was the point of the amendment. Having raised it, I beg leave to withdraw the amendment.
The Deputy Chairman of Committees (Baroness Henig) (Lab)
My Lords, that concludes the Committee’s proceedings on the Bill. May I remind Members to sanitise their desks and chairs before leaving the Room?
Telecommunications (Security) Bill
Tuesday 19th October 2021
(2 years, 6 months ago)
Lords ChamberRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 15-R-I Marshalled list for Report - (15 Oct 2021)
16:58 - Division on Amendment 1 - Ayes: 185 / Noes: 187 - Amendment 1 disagreed.
17:55 - Division on Amendment 8 - Ayes: 180 / Noes: 176 - Amendment 8 agreed.
19:01 - Division on Amendment 11 - Ayes: 172 / Noes: 156 - Amendment 11 agreed.
“(1A) Regulations under subsection (1) may not be made unless a draft has been laid before, and approved by a resolution of, each House of Parliament.”Member’s explanatory statement
This amendment would require Parliamentary approval before regulations regarding the duty to take specified security measures are made.
Lord Fox (LD)
My Lords, Amendment 1 applies the affirmative procedure to the regulations made under new Section 105B in Clause 1. It requires secondary legislation to be laid in Parliament in draft and to be subject to a debate and a vote in both Houses. Clause 1 allows the Secretary of State to introduce regulations that have wide-ranging consequences for providers, and there is no provision for any independent or specialist formal oversight of these regulations. This continues a worrying trend whereby the Government make key regulations with no meaningful parliamentary scrutiny. New Section 105A introduced by Clause 1 is wide-ranging. In fact, it covers
“anything that compromises the availability, performance or functionality of the network or service”
—I repeat: “anything”.
This means that the Secretary of State has the means to make regulations that have highly onerous provisions, laying down that any provider must take “specified measures” of any kind. This is currently under the negative procedure, which, as we have noted from these Benches on many occasions, gives a near-certain guarantee of their coming into force with a minimum of scrutiny—none, it is safe to say. In Committee, the Minister’s predecessor was adamant that additional scrutiny was not desirable. She said that this was meant for technical people and had to be explained in technical language, which it was not appropriate for Parliament to discuss. However, there is the rub: the Bill covers a huge range of potential issues and, as I said, there is no formal independent or specialist oversight of these regulations, yet the Government said that they were too technical for Parliament to have its say on them. My noble friend Lord Clement-Jones spoke about the Secretary of State having unfettered power and, as usual, he was right.
Since then, the Government have slightly changed their mind, and this is seen in Amendment 3. We welcome Amendment 3 as far as it goes, which, given that it is effectively a negative process, is not very far. It does demonstrate that the Government now believe that your Lordships’ House can review technical issues and that we are capable of this onerous task, which the Minister’s predecessor deemed us incapable of doing. Clause 1 covers virtually anything the Minister decides, and we are in danger of signing a blank cheque. Amendment 1 addresses this issue and gives Parliament particular scrutiny of how these regulations affect the communications networks that are so vital to the UK’s economy and our public life. I beg to move.
Lord Alton of Liverpool (CB)
My Lords, the amendment just moved by the noble Lord, Lord Fox, is about transparency, accountability and parliamentary scrutiny. It puts Parliament into the driving seat. It deserves the support of the whole House, and I hope we will give it.
Baroness Merron (Lab)
My Lords, as we start Report, I welcome the noble Lord, Lord Parkinson, to his new ministerial role. I am sure we all look forward to working with him.
I remind the House that national security must be the first duty of any Government, which is why we welcome the intention behind the Bill. As we have said repeatedly throughout the passage of the Bill, we believe that there are a number of issues with the Bill that need to be addressed, including parliamentary oversight of the new powers, which this group focuses on. As Comms Council UK said, the Bill represents an
“unprecedented shift of power from Parliament to the Minister in relation to how telecoms networks operate”
and that
“the Minister will be able to unilaterally make decisions that impact the technical operation and direction of technology companies, with little or no oversight or accountability.”
With reference to Amendment 1, I shall not repeat the arguments made by the noble Lord, Lord Fox. Suffice it to say that we on these Benches appreciate and wish to stress the importance of parliamentary scrutiny, which we have stressed throughout the passage of the Bill.
I thank the Minister for tabling Amendments 3, 4 and 5. They are very similar to our Front-Bench amendments in Committee and reflect a key recommendation from the Delegated Powers Committee. I thank the former Minister, the noble Baroness, Lady Barran, for her work on these amendments. As noble Lords will remember, the Delegated Powers Committee called the powers in Clause 3 unacceptable and called for the negative procedure for the new telecoms security codes of practice. This important change from the Government ensures adequate parliamentary scrutiny, which is a welcome step forward.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Parkinson of Whitley Bay) (Con)
My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Fox, for the amendment standing in their names, and I thank the noble Baroness for welcoming me to the Dispatch Box in my new role.
The question underlying this group is whether the new telecoms security framework will have proper scrutiny. Noble Lords have proposed ways to strengthen that scrutiny throughout the passage of the Bill and your Lordships’ Constitution Committee and Delegated Powers and Regulatory Reform Committee have made their own recommendations, and I thank those committees for their work.
In Committee, the noble Lord, Lord Clement-Jones, invited the Government to make a trade-off, a choice, in his words, between
“a loose definition of ‘security compromise’”
and
“a very tight way of agreeing the codes of practice.”—[Official Report, 13/7/21; col. GC 487.]
With that in mind, I turn first to Amendments 3, 4 and 5 in my name—although I should stress, as the noble Baroness, Lady Merron, kindly did, that they also represent the work of my predecessor, my noble friend Lady Barran. We both listened to the arguments put forward in Committee and these amendments represent her views as well as mine.
We have carefully considered the concerns raised and, as the noble Lord, Lord Clement-Jones, invited us to do, we have proposed how to make that trade-off. The government amendments we have brought forward today affect Clause 3. It provides the Secretary of State with the power to issue and revise codes of practice. The code of practice is a fundamental building block of the new telecoms security framework as it will contain specific information on how telecoms providers can meet their legal duties under any regulations made by the Secretary of State.
In its report on the Bill, the DPRRC noted the centrality of codes of practice to the new telecoms security framework. The committee drew attention to the statutory effects of codes of practice and their role in Ofcom’s regulatory oversight, and because of those factors, the committee recommended that the negative procedure should be applied to the issuing of codes of practice. The noble Baroness, Lady Merron, tabled amendments in Committee to implement that recommendation. We are happy to do that. Our amendments today require the Government to lay a draft of any code of practice before Parliament for 40 days. Your Lordships’ House and the other place will then have that period of time to scrutinise a code of practice before it is issued.
We think that these changes strike the balance that noble Lords have called for today and in previous stages. I hope these government amendments demonstrate that we have listened and are committed to appropriate parliamentary scrutiny across all aspects of the framework.
Amendment 1, tabled by the noble Lords, Lord Fox and Lord Clement-Jones, would apply the affirmative procedure to regulations made under new Section 105B in Clause 1. It would require the regulations to be laid in Parliament in draft and subject to a debate and vote in both Houses.
I share the noble Lords’ desire, echoed by the noble Lord, Lord Alton of Liverpool, to ensure that Parliament has a full and effective scrutiny role in this Bill, but I fear we disagree on the best way to achieve it. The only powers in the Bill that are subject to the affirmative procedure are delegated, or Henry VIII, powers that enable the amendment of penalty amounts set out in primary legislation. The Bill currently provides for the negative procedure to be used when laying the statutory instrument containing the regulations.
In the context of these new powers, the use of the negative procedure is appropriate for three reasons. First, Parliament will have had to approve the clauses in the Bill that determine the scope of regulations—Clauses 1 and 2—and the regulations will not amend primary legislation. Secondly, evolving technology and threat landscapes mean that the technical detail in regulations will need to be updated in a timely fashion to protect our networks. Thirdly and finally, as I noted in Committee, the negative procedure is the standard procedure for instruments under Section 402 of the Communications Act. The negative procedure delivers the right balance between a nimble parliamentary procedure and putting appropriate and proportionate measures in place effectively and efficiently to secure our networks.
The two noble Lords will also be aware that the changes they propose in their amendment are not ones that the Delegated Powers and Regulatory Reform Committee made. I accept that they are keen to explore avenues for scrutiny of this framework, but that committee made its recommendation for increasing the scrutiny of this regime, and the Government have brought forward our amendments to accept it. For these reasons, we are not able to accept the noble Lords’ Amendment 1. I hope that they will be content with what we have proposed in our amendment, and may be minded to withdraw theirs.
In conclusion, the Government were asked to make a trade-off. Through the passage of this Bill, we have been invited to provide greater opportunities for Parliament to scrutinise this regime. We have listened to those concerns and we have brought forward an answer. We feel that our amendments maintain our flexibility to adapt to an ever-changing technology environment and give your Lordships’ House and the other place a greater say in its operation, so I invite the noble Lord to withdraw the amendment.
Lord Fox (LD)
My Lords, it was remiss of me not to welcome the Minister formally; I have welcomed him personally, but not formally. Also, it was helpful that he was the Whip during the process thus far, and I should also welcome the new Whip to his seat. I thank the noble Lord, Lord Alton, and the noble Baroness, Lady Merron, for their contributions. The fact that this has been a short debate does not mean to say that it is not an important one. The reason it is short is because we have had the same debate so many times on so many different Bills, with not just this department but others. That is why it is an important issue and why, when the Minister says that we should strike a balance, we agree, but we think the balance is in the wrong place. That is why I am unable to withdraw this amendment and I should like to test the will of the House.
Lord Clement-Jones
“(7) In making regulations under this section and any code of practice made under section 105E the Secretary of State must take full account of the advice of the Technical Advisory Board established under section 105ZZ1 and of a Judicial Commissioner appointed under section 227 of the Investigatory Powers Act 2016 concerning the proportionality and appropriateness of any measures therein.”Member’s explanatory statement
This amendment would require the Secretary of State to take into account the advice of the Technical Advisory Board, as established in the amendment in the name of Lord Clement-Jones to insert a new Clause after Clause 14, and a Judicial Commissioner.
Lord Clement-Jones (LD)
My Lords, in moving Amendment 2 I will speak to Amendment 7. I add my welcome to both the Minister and the noble Lord, Lord Sharpe, in their new roles.
The Minister has now accepted in his Amendment 3 that there needs to be greater parliamentary scrutiny of codes of practice. I welcome that; I am just sad that Amendment 1 did not squeak through. However, he has not accepted the need for greater technical scrutiny of these codes. As the Minister’s predecessor, the noble Baroness, Lady Barran, said in Committee,
“the whole purpose of the regulations was to specify in greater detail what the duties of providers would be.”
Likewise, she said:
“The codes of practice will provide technical guidance to assist public telecoms providers in meeting their legal obligations.”—[Official Report, 13/7/21; cols. GC 488-93.]
However, as the industry has pointed out, there are no clear mechanisms for technical feedback or expertise to be fed into the drafting of the regulations and codes of practice.
The Minister dealt with these amendments himself in Committee. On the Clause 2 regulations, he assured us:
“Advice to the Secretary of State could”—
I emphasise “could”—
“also include relevant representations by public telecoms providers … DCMS continues routinely to engage with telecoms providers about this Bill and telecoms security more widely.”
He also said that
“Clause 3 requires that any codes of practice are finalised only after consultation with affected providers.”—[Official Report, 13/7/21; col. GC 499.]
Again, he gave no assurance of exactly with whom and how the consultation will take place, and he did not explain why he thought that a specific technical advisory board set up under this Bill was not appropriate. For that reason I have no hesitation in retabling these amendments for further consideration on Report.
As the noble Baroness, Lady Merron, pointed out in Committee, there is good precedent in the Investigatory Powers Act 2016, which
“established a Technical Advisory Board to advise the Home Secretary on the reasonableness of obligations imposed on communications providers.”—[Official Report, 13/7/21; col. GC 462.]
The judicial commissioners set up under that Act could be deployed under this Bill.
This is an opportunity for the Minister to demonstrate a much firmer and more inclusive approach to technical consultation. I hope that he will accept this amendment. I beg to move.
Baroness Merron (Lab)
My Lords, I thank the noble Lord, Lord Clement-Jones, for tabling Amendments 2 and 7 again on Report. I will not take up much time discussing them, not least because the Labour Front Bench tabled similar amendments in Committee better to understand what advice the Secretary of State will receive and where it will come from when making regulations under Clause 2. As the noble Lord said, we must ensure that the Secretary of State receives advice from the best experts, not just those who support the Government.
As the former Minister, the noble Baroness, Lady Barran, focused only on the incompatibility of a similar board set up by the Investigatory Powers Act, can the Minister today simply answer this question: without such a board, where will the Secretary of State receive advice, and from whom?
Lord Parkinson of Whitley Bay (Con)
I thank the noble Lord, Lord Clement-Jones, for his welcome, and both him and the noble Lord, Lord Fox, for retabling these amendments. We share the noble Lords’ ambition in this area. We also want to ensure that the telecoms security framework is informed by world-leading expertise, and that all those affected by the framework have appropriate mechanisms to shape it. The noble Lords’ amendments seek to establish a technical advisory board to advise the Secretary of State on matters of telecoms security. They also state that the Secretary of State should give due consideration to this new board’s advice, and that of a judicial commissioner, before making regulations or codes of practice.
I agree with the noble Lords on the importance of the Secretary of State having access to expert advice in the exercising of these new powers. I hope I can reassure them that she can already call upon sufficient advice through existing structures, and that I can demonstrate why, as we have explained previously, these amendments are not necessary, while giving the greater detail that the noble Lord asked for.
It is worth emphasising the level of expertise that DCMS itself retains, both on the telecoms sector and on security policy. DCMS is the lead Government department for the telecoms sector and has telecoms experts embedded in it. The department has established security and resilience teams with suitably cleared individuals, including people with substantial experience in national security. More widely, the department has established procedures through which it can draw upon further expertise across government and industry. Inside government, for example, the National Cyber Security Centre undertakes regular risk assessments of current and emerging threats, and those assessments are used to inform government policy. Regulations and the code of practice made through this Bill will be informed by the NCSC’s assessments. The Government also have fora in which they discuss emerging threats and new technological developments with the industry. The NCSC’s information exchange is one example. This is a trusted community of security professionals from across the telecoms sector who come together on a quarterly basis to discuss and share information on security issues and concerns.
The noble Lord’s amendment also calls for the new board and the judicial commissioner to be consulted before the establishment of new regulations and codes of practice. We share the noble Lord’s view on the importance of consultation. That is why the Bill is clear that any code of practice must be consulted on before it is introduced. However, we still differ in our opinions on who should be consulted. The consultation requirement in the Bill will enable those directly affected by the code of practice, as well as those with an interest in it, to comment and raise concerns without the need for a technical advisory board to be established. Of course, if your Lordships’ House supports the government amendments today, the code of practice itself will be subject to scrutiny both in your Lordships’ House and in another place. Furthermore, we published an illustrative draft of the regulations in January for the purpose of early engagement with the industry, and the feedback it has provided has been invaluable in our development of the policy. We continue to engage regularly and closely with public telecoms providers and trade bodies, ensuring that any concerns are effectively communicated to us. I remind noble Lords that the Secretary of State can make these regulations and measures in a code of practice only where she actively considers that the measures are appropriate and proportionate under the wording of new subsections 105D(2) and 105D(4).
To conclude, I thank the noble Lords for bringing their amendment back. As I have said, I share their ambition to create a robust, well-informed and evidence-led framework for telecoms security. We believe that we already undertake extensive engagement with the affected groups and bodies. The Bill sets out consultation requirements but even if it did not, the Government have strong relationships with those in the sector and would continue to seek their input. That is where the advice referred to by the noble Baroness, Lady Merron, would come from, as well as from across government, the NCSC and others I have mentioned. For the reasons I have set out, we are not able to accept this amendment and I hope the noble Lord will therefore withdraw it.
Lord Clement-Jones (LD)
My Lords, I thank the Minister for that very helpful reply. I think he has gone as far as he can, without accepting my amendment, to try to give assurance to the industry about the nature of the consultation. I still believe that something more formal is required but I am not going to quibble about the sharing of ambition. I am sure that is right. The question is whether in practice we are going to get the result we need. The proof of the pudding will be in the eating and we will see how the regulations and the codes of practice turn out in the end. In the meantime, I beg leave to withdraw the amendment.
“(2) Before issuing a code of practice under section 105E the Secretary of State must also lay a draft of the code before Parliament.(2A) If, within the 40-day period, either House of Parliament resolves not to approve the draft of the code, the code may not be issued.(2B) If no such resolution is made within that period, the code may be issued.(2C) If the code is issued, the Secretary of State must publish it.”Member’s explanatory statement
This amendment applies a negative resolution procedure to the power to issue a code of practice under section 105E.
Member’s explanatory statement
This amendment is consequential on the first Government amendment to Clause 3.
“(5) In this section, the “40-day period”, in relation to a draft of a code, means the period of 40 days beginning with the day on which the draft is laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the 2 days on which it is laid).(6) For the purposes of calculating the 40-day period, no account is to be taken of any period during which—(a) Parliament is dissolved or prorogued, or(b) both Houses are adjourned for more than 4 days.”Member’s explanatory statement
This amendment inserts a definition of the “40-day period” into Clause 3.
Lord Clement-Jones
Member’s explanatory statement
This would remove Clause 13 (Appeals against security decisions of OFCOM) from the bill.
Lord Clement-Jones (LD)
My Lords, a lack of oversight has been a persistent theme through the passage of this Bill. Included within that is judicial oversight and the fact that under Clause 13 any appeal to the Competition Appeal Tribunal cannot take account of the merits of a case against the Secretary of State. The rationale for this, as the Constitution Committee said in its report,
“is unclear and is not justified in the Explanatory Notes.”
It further said:
“The House may wish to ask the Government to justify reducing the powers of the Competition Appeal Tribunal in respect of appeals under clause 13.”
The clause reverses the Competition Appeal Tribunal’s TalkTalk Telecom Group plc and Vodafone Limited v Office of Communications decision, which addresses, inter alia, the standard of review on an appeal to the Competition Appeal Tribunal under Section 192 of the Communications Act.
The Minister’s predecessor, the noble Baroness, Lady Barran, said in Committee in response to the Clause 13 stand part debate:
“It merely changes the standard to which they will be reviewed. Having these cases reviewed on ordinary judicial review principles, rather than taking account of the merits of the case, aims to ensure a smooth regulatory process that focuses on fair decision-making … this should reduce any incentives for providers to litigate solely for the purpose of delaying the regulatory process.”
Note the word “merely”. This is very much for the Government’s convenience. She continued:
“It is particularly important, given that these decisions relate to the security of a provider’s network, that decisions can be addressed swiftly, and providers can get back to the important work of ensuring that their networks are secure.”
This nevertheless tries to give the impression that this is for the benefit of the providers. The noble Baroness then said that:
“Clause 13 applies to appeals only against relevant security decisions … The Government consider this approach to be appropriate to ensure that Ofcom’s regulatory decisions can only be successfully challenged when they are, broadly speaking, unlawful, irrational or procedurally unfair. By reducing providers’ incentives to litigate to delay regulatory action, the provisions in the clause contribute to Ofcom’s effectiveness as a regulator.”—[Official Report, 13/7/21; cols. GC 516-17.]
Surely in these circumstances, particularly on security, the merits of security decisions are particularly important and this is the legislative equivalent of the Government marking their own homework—or perhaps I should say making it much more difficult for it to be marked. I beg to move.
Baroness Merron (Lab)
My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Fox, for tabling this amendment and the noble Lord, Lord Clement-Jones, for his remarks. It certainly is key that Ofcom is able to do the job that it has been entrusted to do. On the matter of providers, I would say that their primary duty has to be to ensure that the networks are secure. We should expect no less from them. I will be very interested to hear how the Minister responds to the points that have been made in respect of this amendment.
Lord Parkinson of Whitley Bay (Con)
I thank the noble Lords, Lord Clement-Jones and Lord Fox, for tabling this amendment to Clause 13. I know the noble Lord, Lord Clement-Jones, in particular, has taken a keen interest in this area, not just in this Bill but in previous ones as well. I am grateful for the way that he set out the debate again today.
Clause 13 makes provision to ensure that the Competition Appeal Tribunal applies ordinary judicial review principles to appeals against certain security decisions made by Ofcom. Under such principles, those decisions can be successfully challenged only where they are unlawful, irrational or procedurally unfair. In setting the standard of appeal in this legislation, we must find a balance between giving telecoms providers a way to challenge Ofcom’s decisions should they be unfair and ensuring that the regulatory regime is effective and efficient.
Ofcom, as an experienced telecoms regulator, believes that changing the standard of appeal to judicial review principles for certain security decisions has the potential to make the regulatory process quicker and more efficient. The Government agree. We want to avoid either Ofcom or telecoms providers spending months in court.
It was never the intention of Parliament to set the standard of appeal, as it is now, to
“duly take into account the merits of the case”,
as this was dictated by EU law. In 2017 the Government changed the standard of appeal for reviewing decisions by Ofcom from a full merits approach to ordinary judicial review principles via Section 87 of the Digital Economy Act, as the noble Lord, Lord Clement-Jones, will well remember.
However, as EU law continued to apply, the Competition Appeal Tribunal subsequently decided that it had to apply a modified approach to
“duly take into account the merits of the case”.
In essence, this has prevented the provision in the Digital Economy Act, which had been approved by Parliament, taking effect. That rather unhappy outcome would continue to be the case for certain security decisions under the Bill should this clause not stand.
To be clear, Clause 13 applies the judicial review standard only to decisions such as those relating to the issuing of an assessment notice, which should be routine and quickly handled rather than being continuously delayed. It is not being applied to decisions about penalties such as those under Section 105T. Public telecoms providers will still be able to appeal those decisions as they do now, and the tribunal will
“duly take into account the merits of the case”.
Ultimately, we want public telecoms providers to spend their time addressing the security of the network. We do not want them to attempt indefinitely to delay an Ofcom decision by bringing cases against the regulator that do not stack up. We are not breaking new ground by changing to this standard of appeal. Judicial review principles are the normal standard by which most decisions of government and public bodies are legally reviewed.
Parliament has already decided that the standard of appeal for similar decisions under the Network and Information Systems Regulations 2018 should be ordinary judicial review principles. That is consistent with our policy approach in this Bill. Therefore, the Government feel that Clause 13 should stand part of this Bill as it will contribute to the efficiency of the regime and ensure that regulatory decisions are not unduly delayed. It will also ensure legislative consistency. I hope that reassures the noble Lord and that he will be content to withdraw his objection to this clause.
Lord Clement-Jones (LD)
My Lords, I thank the Minister for his response. I am afraid it does not particularly reassure but there will be many other occasions on which we can raise the nature of judicial review, its continual erosion, the Government’s approach to judicial review and their dislike of being challenged. This is fairly thin territory on which to be debating a very large issue in terms of the future of judicial review. I am sure that my other legal colleagues will be more than able to dispute some of those issues. There are many other fish to fry of even greater importance on this Bill so I will withdraw my amendment.
Baroness Merron
“Network diversification
(1) The Secretary of State must publish an annual report on the impact of progress of the diversification of the telecommunications supply chain on the security of public electronic communication networks and services.(2) The report required by subsection (1) must include an assessment of the effect on the security of those networks and services of—(a) progress in network diversification set against the most recent telecommunications diversification strategy presented to Parliament by the Secretary of State;(b) likely changes in ownership or trading position of existing market players;(c) changes to the diversity of the supply chain for network equipment;(d) new areas of market consolidation and diversification risk including the cloud computing sector;(e) progress made in any aspects of the implementation of the diversification strategy not covered by paragraph (a);(f) the public funding which is available for diversification.(3) The Secretary of State must lay the report before Parliament.(4) A Minister of the Crown must, not later than two months after the report has been laid before Parliament, move a motion in the House of Commons in relation to the report.”Member’s explanatory statement
This new Clause requires the Secretary of State to report on the impact of the Government’s diversification strategy on the security of telecommunication networks and services, and allows for a debate in the House of Commons on the report.
Baroness Merron (Lab)
My Lords, Amendment 8 is in my name. I am grateful to the noble Lords, Lord Fox and Lord Alton, for their support. It is, of course, the same as Amendment 24 that we saw in Committee, which requires that network diversification is reported on annually.
As we heard in Committee, there is wide cross-party support for the principle that our networks will not be secure if the supply chain is not diversified. For me, this is at the very heart of the Bill and what it should seek to address. Unfortunately, we still have a Bill that seeks to secure telecoms security yet seems to think it is possible to be silent on diversification. Even though the former Minister said in Committee that
“diversification is designed to enhance security and resilience”,—[Official Report, 15/7/21; col. GC 551.]
the Government have said that this amendment is not appropriate. The importance of the amendment could not be clearer. I remind noble Lords that, once Huawei is removed, the UK will be left with effectively only two service providers. This is a matter of the highest concern. We need and must have a diversified supply chain. That means diversity of supply at different points in the supply chain and that different networks do not all share the same vulnerabilities of a particular supplier. This is absolutely crucial for network resilience. It will also support British companies and grow British jobs.
If the Government fail to amend the Bill on this point by accepting this amendment, they are putting our national security at risk. Therefore, I will listen closely to the reply from the Minister, but I must stress that I am minded to test the opinion of this House on this matter. I beg to move.
Lord Alton of Liverpool (CB)
My Lords, it is a great pleasure to follow the noble Baroness, Lady Merron. Like other noble Lords, I was remiss in not welcoming the noble Lord, Lord Parkinson of Whitley Bay, to his new role earlier on. I think that is because we have all been so familiar with seeing his face throughout the proceedings on this Bill and many others. It is a great pleasure to see him in his new role.
The Government should be convinced by the arguments that the noble Baroness, Lady Merron, just advanced, simply because of what their own advisers have told them: the lack of diversification constitutes
“an intolerable security and resilience risk.”
There was widespread agreement in Committee and elsewhere about that.
I draw the Minister’s attention to the as-yet undebated report of the International Relations and Defence Committee, on which I have the privilege to serve. The report, titled The UK and China’s Security and Trade Relationship: A Strategic Void, was published on 10 September. It refers specifically to the supply chain vulnerability measures in this Bill, but says that
“such vulnerabilities are widespread in the economy.”
It continues:
“In order to retain its freedom of action towards China, the Government should conduct scenario planning on supply chain vulnerabilities and identify where action is needed to mitigate the risks.”
This amendment would give the opportunity for such discussion to take place in the House of Commons. We have to think about only the case of Newport Wafer Fab to see its importance. This was a deal of £63 million regarding the UK’s largest producer of silicon chips, which are vital in products from TVs and mobile phones to cars and games consoles. As we learned in Committee, a group of UK companies has now stepped up to the plate and hopes to acquire Newport Wafer Fab. When the Minister replies, I would be most appreciative if he would say what progress has been made on that.
Lord Fox (LD)
My Lords, it is a pleasure to follow the noble Baroness, Lady Merron, and the noble Lord, Lord Alton, in supporting Amendment 8. The Government have talked a good game on diversification but are guilty of much compartmentalisation. They have put diversification on one side and security on the other. As the noble Baroness and the noble Lord suggested, you cannot separate the two. Without a diverse supply chain, there is no security.
The issue of having only two key suppliers, which the noble Baroness, Lady Merron, referred to, is down to the fact that there has been a market failure in this area. If the Government do not intervene proactively to right that market failure, we will not get out of the situation we are in now. The Bill is the only game in town to do that. This amendment is therefore really important. During debates on the Bill, a number of Peers highlighted the words of the Government’s integrated review of security, defence, development and foreign policy. It was clear that a
“diverse and competitive supply base for telecoms networks”
is vital to a secure future. We think these are wise words from the integrated review. As such, we are pleased to support this amendment and will be happy to vote on it in the event that the noble Baroness, Lady Merron, chooses to test the will of the House.
Lord Parkinson of Whitley Bay (Con)
I thank the noble Baroness and the noble Lords, Lord Alton of Liverpool and Lord Fox, for tabling and signing this amendment relating to telecoms diversification. I hope that, during my remarks, I can convince them and other noble Lords that the Bill is not the right place for this amendment for two reasons: first, diversification extends well beyond the security focus of the Bill; and, secondly, legislating for a reporting requirement would be limiting and inflexible as our diversification work evolves. I will also outline the progress made against the diversification strategy, in both government policy and industry outcomes, to seek to reassure noble Lords that progress is being made in this important area.
The Bill will create one of the toughest telecoms security regimes in the world. It will protect our networks even as technologies evolve, future-proofing our critical national infrastructure. Throughout the passage of the Bill, there has been a great deal of debate about how diversification can help to support more secure and resilient telecoms infrastructure. While our work on diversification is intended to support our security and resilience ambitions, not all diversification is necessarily relevant to security and resilience.
The telecoms diversification work that the Government are undertaking moves the market forward by broadening the supplier base in many ways which fall beyond pure security measures; these include boosting quality, innovation, competition and choice within our critical networks. It is for this reason that we have consistently argued that it would be limiting for our 5G diversification strategy to appear on the face of this Bill. Legislating for a reporting element within the Bill, by the same token, would also be restrictive.
Furthermore, as the market and technology evolve, our desired outcomes and areas of focus will evolve too. For example, in the short term, a successful outcome could be a third major vendor in the mobile market. However, once open radio access networks are ready for deployment at scale in urban areas, our measure of success might be the level of interoperability within our networks.
At the moment, we are focusing efforts on diversifying the radio access network, which is where the most critical security and resilience risks are found. In future, a focus on other elements of telecoms infrastructure, including fixed networks, will be necessary to ensure all risks to the ways in which we communicate are tackled. Committing to reporting on specific criteria would limit us to reporting against the risks as we find them today; it would not afford us the flexibility that diversification requires.
While the Government cannot accept this amendment, I hope to reassure noble Lords that our work on diversification progresses—and at pace. The Government’s plans to diversify the market were set out in the 5G Supply Chain Diversification Strategy, which was published in November last year. We also established a diversification taskforce, chaired by my noble friend Lord Livingston of Parkhead, who of course has a wealth of experience in this field having served as the chief executive for BT Group. The taskforce’s role is to provide expert advice to the Government on this important agenda.
The taskforce set out its recommendations in the spring and many of its members have agreed to continue providing expertise as part of the Telecoms Supply Chain Diversification Advisory Council, which had its first meeting last month. Work is already underway to implement many of the taskforce’s recommendations and good progress has been made on the priorities set out in the strategy. For example, research and development was highlighted as a key area of focus, in order to promote open interface technologies that will establish flexibility in the market and allow a range of new, smaller suppliers to compete in a diverse marketplace.
That is why DCMS was delighted to announce the launch of the future radio access network competition on 2 July. Through this competition, up to £30 million will be invested in open RAN R&D projects across the UK to address barriers to high-performance open deployments. This competition is part of a wider programme of government initiatives to foster an open, disaggregated network ecosystem in the UK. This includes the Smart Radio Access Network Open Network Interoperability Centre—or SONIC Labs—a facility for testing interoperability and integration of open networking solutions, which opened in June. A number of leading telecoms suppliers are already working together through this facility.
The Government also continue to work with mobile operators, suppliers and users on a number of other important enablers for diversification, for example by developing a road map for the long-term use and provision of legacy network services, expected to be announced later this year. Alongside this, the Government have led efforts to engage with some of our closest international partners, through both multilateral and bilateral mechanisms, to build international consensus on this important issue. Through the UK’s G7 presidency, the Government made the first step in discussing the importance of secure and diverse supply chains among like-minded partners, and the foundational role that telecommunications infrastructure such as 5G plays in underpinning wider digital and technology infrastructure.
We have also seen movement in the market towards diversification objectives. The industry has taken steps to adopt open radio access networks, such as the European memorandum of understanding, co-signed by Telefónica and Vodafone. Furthermore, organisations such as Airspan, Mavenir, NEC and Vodafone have now announced UK-based open radio access network facilities. This demonstrates that the industry is working alongside the Government here in the UK to drive forward the change needed in the sector. That was further evidenced in Vodafone’s commitment to deploy 2,500 open radio access network sites using equipment provided by leading suppliers, including Samsung and NEC. This is the largest deployment of its kind anywhere in Europe and an important first step in delivering the goal of more open networks.
These commitments show a genuine and significant change in the diversification of our mobile networks. I hope they also demonstrate why placing strict legislative reporting requirements on this area of work would be premature. We are at a point of rapid exploration and experimentation in this work, and I hope that noble Lords would not want to inhibit that work before it has had time to mature.
The noble Lord, Lord Alton of Liverpool, asked about the committee report. It will not fall to me to respond to that report, as I perhaps would have done in my previous role as a Whip covering the Foreign Office, among other departments. We will, of course, reply to it in full in due course. He also asked about Newport Wafer Fab. As I am sure noble Lords will appreciate, I am not able to comment on the detail of commercial transactions or of any national security assessments on a particular case. We will continue to monitor the situation closely and, as part of this, the Prime Minister has asked the National Security Adviser to review this case. Separately, work is under way to review the wider semiconductor landscape in the United Kingdom. The National Security Adviser’s review is ongoing, drawing on expertise from across government as necessary. We will continue to monitor the situation closely and will not hesitate to take further action if needed. The Government are, of course, committed to the semiconductor sector and the vital role it plays in the UK’s economy.
For the reasons that I have set out, therefore, I am not able to accept this amendment. I hope noble Lords have been reassured by what I said, and that the noble Baroness will withdraw her amendment.
Baroness Merron (Lab)
My Lords, I thank the Minister for his reply. I am, of course, disappointed that the Minister cannot see that this amendment seeks to strengthen the Bill. It gives the Government an opportunity to showcase all the things of which the Minister has apprised the House. It is important to look at this proposed new clause. It would require the Secretary of State to report on the impact of the diversification strategy, something of which the Government are proud, and it allows for a parliamentary debate, something I would have hoped the Government would welcome, but this is clearly not the case.
As the noble Lords, Lord Fox and Lord Alton, have indicated, the absence so far of an effective plan to diversify the supply chain is what makes us concerned about security in this country. The Bill is the opportunity to put that right. Therefore, I feel it is only right and proper, in the interests of the security of the country, that we press this matter to a vote and test the opinion of the House.
Lord Coaker
“Provision of information to the Intelligence and Security Committee
The Secretary of State must provide the Intelligence and Security Committee of Parliament as soon as is reasonably practicable with a copy of—(a) any direction or notice (or part thereof) that is withheld from publication by the Secretary of State in the interests of national security in accordance with section 105Z11(2) or (3) of the Communications Act 2003;(b) any notification of contravention given by the Secretary of State in accordance with section 105Z18(1) of the Communications Act 2003; (c) any confirmation decision given by the Secretary of State in accordance with section 105Z20(2)(a) of the Communications Act 2003;(d) any reasons for making an urgent enforcement direction that are withheld by the Secretary of State in the interests of national security in accordance with section 105Z22(5) of the Communications Act 2003; and(e) any reasons for confirming or modifying an urgent enforcement direction that are withheld by the Secretary of State in the interests of national security in accordance with section 105Z23(6) of the Communications Act 2003.”Member’s explanatory statement
This new Clause would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to a designated vendor direction, notification of contravention, urgent enforcement action or modifications to an enforcement direction made on grounds of national security.
Lord Coaker (Lab)
My Lords, I welcome the noble Lord, Lord Parkinson, to his position. I am sure we will end up speaking to each other across the Dispatch Box. I wish him all the best and good luck with the important work he will be doing as a Minister of the Crown. We all wish you well in that role.
Turning to my amendment, we appreciate that, obviously, it is sometimes difficult to strike a balance between the public availability of information, even for debate by Parliament, and national security. This amendment seeks to probe the Government’s thinking. So far, their reassurances have been somewhat lacking.
I often use, and want to use, evidence—not just what I think and others may wish to say—regarding how the Government should use the Intelligence and Security Committee. It was set up by a unanimous decision of both Houses of this Parliament because they recognised that some information is so sensitive that it cannot be put in the public domain, as that would undermine national security. No Member of this Chamber or the other place would argue with that or say that that is wrong in principle. But so far, in respect of the security aspect of telecommunications, the Government have said that the existing processes and way of doing things works. Many of us would disagree with that and feel that more reassurance needs to be offered and that the Government need to rethink this.
In moving this amendment, I will use evidence from the chair of the Intelligence and Security Committee himself. I do not need to go on about this, because he summed it up in one sentence. Speaking about the Telecommunications (Security) Bill in the other place, he said:
“It is both puzzling and exasperating that the Government are yet again refusing to use the Intelligence and Security Committee for the purpose for which it was created.”—[Official Report, Commons, 25/5/21; col 286.]
That is quite a stunning sentence. I could quote the whole speech, but for me that encapsulates it. It is for the Minister say why he is wrong. Why is the chair of the Intelligence and Security Committee wrong to say that about the powers in this Bill and the security issues that will arise in respect of telecommunications now and in future? Why is it wrong for the Intelligence and Security Committee to be the body that looks at that information for us?
Lord Fox (LD)
My Lords, veterans of the National Security and Investment Bill—I am not sure there are any—will recognise this amendment: it is exactly the same argument that was put forward then. The response from BEIS was to set up a unit, within BEIS, that the relevant Minister said would have the necessary clearance to review potential national security information. It was quite clear to those in your Lordships’ Chamber at that time that that group of people would not get to see the sort of information that the ISC is cleared to see. We are in the same situation now. The Minister will say that there are people in his department who, if necessary, will be able to see the relevant information. That will not be the case and to some extent, those in the Minister’s department making decisions that refer to national security issues will be flying a little bit blind. If this is not recognised, that is regrettable. This is a really important area of security, and decisions should be made on the best available information, with the best available people reviewing that information. The clue is in the name: this is the Telecommunications (Security) Bill, and it is the Intelligence and Security Committee that is best able to review that information. That is why I support the noble Lord’s Amendment 9.
Lord Parkinson of Whitley Bay (Con)
My Lords, I thank the noble Lord, Lord Coaker, for his kind words of welcome and for tabling this amendment. The important matter of parliamentary oversight has been raised a number of times in both your Lordships’ House and another place. I welcome the opportunity to clarify further how appropriate oversight of the Bill’s national security powers will be provided for both in this Bill and through existing mechanisms. The noble Lord’s amendment would require the Secretary of State to provide the Intelligence and Security Committee with copies of a directional notice when such documents, or parts of them, are withheld under Section 105Z11(2) or (3) in the interests of national security.
As regards enforcement, this amendment would also require the Secretary of State to provide the committee with copies of notifications of contraventions and confirmation decisions. Further, it would require the provision of reasons for giving urgent enforcement directions when withheld under Section 105Z22(5), as well as the reasons for confirming or modifying such directions when withheld under Section 105Z23(6).
We thoroughly agree with the need for effective scrutiny of the use of the Bill’s national security powers—that is why we have included measures to facilitate parliamentary oversight of the use of those powers. The Bill requires the Secretary of State to lay before Parliament copies of designation notices, designated vendor directions, and variations or revocations of either, unless doing so would be contrary to the interests of national security. We would expect in the vast majority of cases to lay copies of the directions and notices before Parliament. However, on very rare occasions there may be instances where the Secretary of State chooses not to do so because laying the documents would be contrary to the interests of national security. This would only be done in extremis.
We have already demonstrated our commitment to transparency with the publication of the illustrative draft designated vendor direction and designation notice last November. Indeed, it is in the Government’s interest to publish such documents as it sends a clear message to industry of our intent to use the powers in the Bill where necessary. However, while the presumption is to publish the directions and notices, it is right that we have the option to protect the UK if our national security could be put at risk through their publication.
It is worth noting that, under Section 390 of the Communications Act 2003, the Secretary of State is required to prepare and lay before Parliament annual reports on their functions under that Act. Those reports will show when the Bill’s national security powers have been exercised, whether or not copies of directions or notices are laid before Parliament. This will ensure that Parliament will always be made aware of the Secretary of State’s use of the national security powers to issue designated vendor directions and designation notices.
Having thus been made aware, the Intelligence and Security Committee will be able to request relevant information from the vital organisations it already oversees, such as the National Cyber Security Centre. Moreover, the ISC will be able to request such information at any time from the NCSC in relation to its assessment of high-risk vendors. The noble Lord is right to point to the importance of the committee. Given the cross-party support he enjoys, he knows better than most, as a former Security Minister, the important work it undertakes. The ISC will be able to do the work I have just outlined in line with its remit, as set out in the provisions of the Justice and Security Act 2013 and accompanying memorandum of understanding.
At Second Reading, the Noble Lord, Lord West, noted that the ISC had made a request for its memorandum to be formally reviewed. I understand that the chairman of the ISC has written to the Cabinet Office on these matters and that they are under consideration. Discussions and decisions regarding any changes to the ISC’s remit are of course for the Cabinet Office and the ISC to agree. That is the appropriate route for the ISC’s remit to be considered, not this Bill.
As I am sure noble Lords will appreciate, however, the advice of the security services will not be the only factor that the Secretary of State will take into account when deciding what is proportionate to include in a designated vendor direction. As well as the NCSC’s advice, the Secretary of State will consider, among other things, the economic impact, the cost to industry and the impact on connectivity of the requirements in any designated vendor direction. Those go beyond security matters and indeed fall under the work of DCMS; therefore, the Digital, Culture, Media and Sport Committee is best placed to consider those wider impacts. Hence, that is the appropriate body to oversee the Government’s use of the powers to issue designation notices and designated vendor directions, including where those directions and notices are not laid before Parliament. The Government will work with the committee to ensure that it has access to all the information it needs to carry out that oversight.
Those are the reasons why the Government cannot accept the amendment. I hope that the noble Lord will be content to withdraw it on that basis.
Lord Coaker (Lab)
I thank the Minister for a generally helpful reply and for his engagement with the amendment itself, my remarks and those of the noble Lord, Lord Fox. It is helpful when a Minister engages with a debate, rather than just reading the words in front of him. The Minister did that, and that is to be welcomed.
The Minister offered reassurance on many of the issues that I raised—and they are issues. The debate has in some ways gone beyond the Bill itself and will help the debate within government about how to resolve the issue of national security and parliamentary scrutiny. Of particular importance was the Minister saying that the memorandum of understanding between the Government and the ISC is being reviewed. That MoU is crucial, and the debate we have had on this Bill and, indeed, this amendment, should inform the Government of the view of many in this House and beyond that the memorandum of understanding needs to be clarified and perhaps reviewed and changed. I ask the Minister to ensure that that review happens in the discussions that take place within government.
With those remarks, I beg leave to withdraw the amendment.
Lord Coaker
“Long-term strategy
(1) Within six months of this Act being passed, the Secretary of State must publish a long-term strategy on telecommunications security and resilience.(2) The strategy must include but is not limited to—(a) the objectives of the United Kingdom in working with NATO, Five Eyes partners, and other allies, on research and development, adoption and deployment, standards, and overall strategy;(b) how the strategy will provide security and resilience in the long term;(c) how this Act supports strategic objectives in the Integrated Review of Security, Defence, Development and Foreign Policy;(d) how this Act will complement the powers in the National Security and Investment Act 2021 in the long term and whether a review is needed;(e) whether, for the purposes of telecommunications security, an international advisory body should be set up to help coordinate, influence and develop guidance and standards;(f) how the United Kingdom, in collaboration with its allies, will monitor, horizon-scan for, and respond to, current and emerging threats;(g) whether the United Kingdom security infrastructure is adequately resourced to respond to threats against its telecommunications network;(h) how to secure the adequacy of OFCOM’s resourcing in fulfilling its functions provided in this Act.(3) The strategy must be laid before Parliament.”
Lord Coaker (Lab)
In moving Amendment 10 I will also speak to Amendment 11 in the names of the noble Lords, Lord Alton, Lord Blencathra and Lord Fox, to which I have also put my name.
Amendment 10 seeks to future-proof the Bill. It strengthens the bonds with our international partners, ensures horizon-scanning and provides security and resilience in the long term. It again pushes the Government on a long-term strategy for the security and resilience of our telecoms network. What plans do the Government have for that?
I think all of us in this House understand that this is a fast-changing world, and many of us would not have predicted just a few years ago some of the challenges and threats we face now. Flexibility and adaptability are crucial, and a strategy needs to be put together alongside that. Indeed, the Government themselves have accepted that in their response to the House of Commons Science and Technology Committee document, 5G Market Diversification and Wider Lessons for Critical and Emerging Technologies. Indeed, the Government’s response says that there is a need for strategies and for the Government to look to future threats. Amendment 10 is an attempt to understand how all the Government’s various strategies—I did not count them, but they are putting forward many—will be put together to ensure that we have one overarching strategy dealing with the threats this country faces with respect to security and telecommunications, and in a way that is understandable and meets the challenges we may face in the future. As I say, the purpose of this amendment is to push the Government again on what their strategy is.
Amendment 11 is an incredibly important amendment. Leaving aside the various intellectual arguments, the policy documents that can be quoted, the evidence that can be cited and so on, the ordinary member of the public, who often gets left out of debates such as this, would say something like the following. The Five Eyes, which includes Australia and New Zealand, is one of our most important intelligence communities. Indeed, we have just signed the AUKUS deal, which does not involve all of the Five Eyes but is nevertheless important. Therefore, it is really important that within the Five Eyes there is a commonality of purpose, of understanding and of action.
Lord Alton of Liverpool (CB)
My Lords, it is a great pleasure to follow the noble Lord, Lord Coaker, and to endorse everything he has just said about Amendments 10 and 11.
In speaking to Amendment 11, about which I hope to seek the opinion of the House if there is not a satisfactory reply to the debate, although I hope there will be, I should say that I moved a similar amendment in Committee on 13 July. As in Committee, the amendment enjoys all-party support from across the House; I am particularly grateful to the noble Lord, Lord Blencathra, but also to the noble Lords, Lord Coaker and Lord Fox, for their support. The noble Lord, Lord Coaker, has spelled out that it would insert a new clause requiring the Government to review any telecommunications company based in foreign countries which have been banned in a Five Eyes country. It is quite straightforward. This amendment would strengthen international action and bolster UK resilience and security.
If such a provision had previously existed in statute, it might have saved this country a great deal of money over the expensive 5G Huawei debacle, which we have known was a security risk since 2013. If the House approves this amendment today, it will send a clear signal that the Bill must be further strengthened to deal with companies that have been banned in other jurisdictions, the need to dig deeper into ownership and investment of companies and the desirability of acting in concert with our Five Eyes allies. Significantly—I suppose this is another development, as the noble Lord just referred to, since Committee—there has been the, in my view, very welcome decision to create AUKUS, the security pact in the Asia-Pacific which, in addition to giving Australia greater defence capacity, also covers AI and other technologies.
At Second Reading, the noble Baroness, Lady Stroud, urged us to work
“in close partnership with our Five Eyes allies”.—[Official Report, 29/6/21; col. 727.]
She was right. The noble Baroness, Lady Merron, asked us to guard against “another costly security debacle”. She was right. My noble and gallant friend Lord Stirrup told us that we
“need to develop an approach … that constantly monitors and rebalances this equation in the context of our complex and dynamic world.”—[Official Report, 29/6/21; col. 715.]
He was right, and the amendments seek to do just that.
In Committee, I detailed many of the companies that have now been proscribed and banned in the United States of America. I would be grateful to hear from the noble Lord, Lord Parkinson—I asked this question in Committee, he will recall—if we have looked at those companies, and what action we are now taking against those that are on the list that President Biden has published. Specifically, I refer to one example, Hikvision. This is what the Foreign Affairs Select Committee of the House of Commons said in its unanimous report. The committee recommended
“that the Government prohibits organisations and individuals in the UK from doing business with any companies known to be associated with the Xinjiang atrocities through the sanctions regime. The Government should prohibit UK firms and public sector bodies from conducting business with, investing in, or entering into partnerships with such Chinese firms”.
I raised that in Committee. Have we acted in concert with principal Five Eyes allies in prohibiting Hikvision or not?
The failure to co-ordinate with allies leads to costs and uncertainty for business and endangers our national interest. The Government’s own estimate, based on the Huawei decision, is that it cost the Exchequer some £2 billion, excluding the broader economic cost of a delayed rollout of the 5G network caused by having to change horses. Earlier collective action could have prevented the later expensive U-turns.
Amendment 11 seeks to better protect our national interest in concert with our allies in the free world. I commend the amendment to the House.
Lord Blencathra (Con)
My Lords, I am used to hearing powerful speeches from my noble friend Lord Alton of Liverpool, but what a delight it was to hear also the speech of the noble Lord, Lord Coaker. He spelled it out exactly: it beggars belief. I cannot believe that my noble friend, a wise and intelligent Minister, will reject this amendment.
I support Amendment 11, which does not detract from the Bill in any way; it does not sabotage the Bill or pull the guts out of it, it merely adds to our arsenal. All it asks the Government to do, as the noble Lord, Lord Coaker, pointed out, is to review the security arrangements with a telecoms provider if one of our vital, strategic Five Eyes partners bans its equipment. We are not calling for a similar immediate ban, or an eventual ban, we are just saying let us review it and come to a conclusion.
Why do I want this added? My motivation is quite simple: I believe this will be another small warning shot to China that we will start to stand up to its aggression. I share the view of the new head of MI5, Mr Ken McCallum, that Russia is an irritation but China is a threat to world peace and our whole western way of life. Yes, Russia—or Putin, more accurately—is nasty and will happily kill opponents, as we saw in Salisbury, and attempt to interfere in elections, but Russia is not capable and is afraid of the consequences of waging a world war.
China, I believe, does not share that view. It is building that massive economic and military capacity to dominate the whole world. It will overtake the USA in military capability in the next few years and has already overtaken all western powers in its attitude to using force. It is not that China wants war: it believes that war will not be necessary, since it will win when we surrender without firing a shot. If it attacks Taiwan, will the USA and the UK rush to support it? I hope so, but I do not hold my breath. China believes we do not have the moral guts to do as we did with plucky little Belgium before the First World War or Poland before the second, and guarantee their security.
To return to this amendment, it is a small symbol of our intention to begin our moral fightback—to say that we will not be bullied by China, either in our universities and supply chains or in the freedom of the seas. China has been achieving world domination by small incremental steps: making the WHO its puppet; infiltrating universities; subtly taking over international organisations; robbing African countries of all their minerals as payback for loans; and stealing every bit of technology that it can. It is, therefore, by incremental steps, such as this little amendment, that we will show that we will not be cowed—that we will resist and not become China’s slaves.
Lord Fox (LD)
My Lords, there are many merits to the plans, set out by the noble Lord, Lord Coaker, in Amendment 10, for the Secretary of State to publish a long-term strategy on telecommunications security and resilience. However, in the interests of time, I will quickly shift my focus to Amendment 11 and disappoint the House by saying that my words will be brief. The House has heard very strong speeches, not just from the noble Lord, Lord Coaker, but from the noble Lords, Lord Alton and Lord Blencathra, and it is a pleasure to see my name alongside theirs on this amendment.
The point has been made three times: this is a very small ask of the Government. Referring back to the point made by the noble Lord, Lord Coaker, working closely with our Five Eyes partners was identified as the whole point—certainly a key objective—in the integrated review. It is one of the central pillars of our security planning. So we are not asking for something outrageous. There is a strong theme of working with our Five Eyes allies across the field of security. The UK has to work with other countries to be effective—and if not with these countries then which?
The UK’s telecoms networks face the same challenges as those of our key allies, and this amendment simply ensures that when it comes to this most crucial component of security—increasingly, communications are at the heart of all our security decisions, whether we are finding things out, transmitting information or looking at what others are doing—we take into consideration what those allies are doing. If we were not doing this, there would be a strong danger of putting a wedge between us and them. Indeed, we began to see that happening with the United States, before this Government decided to change their mind over the Huawei decision—for which some noble Lords present should take a lot of credit.
The question we have to ask ourselves, therefore—it is very difficult to understand the answers, so I look forward to the Minister’s reply—is why the Government are not adopting this amendment. The Minister may take the stance that it is not necessary. If so, it is not a problem and could be included. More worryingly, does the Minister know that this is perhaps the thin end of a wedge, and that there is a lot more technology already installed in our infrastructure across the country that the Government would have to start to remove? If there is, it would be expensive but important to do. Or perhaps the reason is the worst of all excuses: that the Government did not think of it and so are resisting suggestions from others, which is the worst sort of institutional resistance, of a kind that we see all the time.
We on these Benches, therefore, support this amendment from the noble Lord, Lord Alton, and if he sees fit to lead us through that virtual Lobby, we will be virtually beside him.
Baroness Altmann (Con)
My Lords, I add a brief word of support for all the sentiments expressed so far in this debate, and for the excellent way in which they have been presented. I very much look forward to hearing my noble friend’s reply as to the problem that the Government have in accepting what seems to be their own wording into this Bill, thereby reinforcing this country’s stance against some of the most egregious regimes in the world and staying as close as we can to our Five Eyes allies.
Lord Parkinson of Whitley Bay (Con)
My Lords, I thank the noble Lords, Lord Coaker, Lord Alton of Liverpool and Lord Fox, and my noble friend Lord Blencathra, for tabling these amendments, which relate to our national security strategy and engagement with our Five Eyes partners.
The Government’s first and overriding priority is to protect and promote the interests of the British people through our actions at home and overseas. That is a message central to our integrated review of security, defence, development and foreign policy, and one that Ministers in the other place have repeated during the passage of this Bill. What I have heard very clearly in this short but powerful debate is that, regardless of party or affiliation, noble Lords across the House agree that we must do what we can to protect our national security interests.
That is precisely why we have introduced this Bill. It is why we have published the integrated review and why we have such close working relationships with our allies—not only in the Five Eyes but also among our European neighbours and beyond. So I welcome the spirit in which Amendments 10 and 11 have been put forward. I say that so that noble Lords will know that we share their instincts and ambitions in this crucial area, even though we cannot support these amendments today, as I will explain.
I start by addressing Amendment 10, tabled by the noble Lord, Lord Coaker. This amendment would require the Government to publish a long-term telecoms security and resilience strategy, covering various topics, within six months of the Bill’s Royal Assent. It would require this strategy to be laid before Parliament. This amendment is similar to the one tabled by the noble Lord in Committee, except that here he has made additional reference to reporting on Ofcom resources.
As I have said, the Government take their responsibility to protect the British public very seriously. We welcome and share the noble Lord’s desire to ensure that this country is prepared to overcome future challenges to the security of our telecommunications. However, we have—as the noble Lord noted—already published and are implementing a number of strategies that will ensure that our national security in general, and the security of our telecoms networks and services in particular, are safeguarded.
I mentioned the integrated review. That overarching review sets out our commitment to security and resilience, so that that the British people are protected against threats. This starts at home, by defending our people, territory, critical national infrastructure, democratic institutions and way of life, and by reducing our vulnerability to the threat from other states, terrorism and serious and organised crime.
The noble Lord asked where the hierarchy lies. While the integrated review sets out our overall approach across government, the UK telecoms supply chain review guides our work on security and resilience in the telecoms sector specifically. The Government continue to implement the recommendations of the UK Telecoms Supply Chain Review Report, published in 2019. Alongside that, we continue our crucial work on supply chain resilience via implementation of the 5G Supply Chain Diversification Strategy, published last year, which we have debated during the passage of this Bill.
More broadly, the Government’s approach to telecoms security is informed by other cross-government priorities. In March we announced our intention to develop a comprehensive national cyber strategy as part of the integrated review. The cyber strategy will set out the UK’s approach to deterring our adversaries and ensuring that the technologies of the future are safe and secure. Furthermore, the Government intend to engage more widely with partners on the details of that strategy and publish it later this year, ensuring that our plans are aligned with funding decisions in the forthcoming spending review.
As set out in Committee, the Government are also in the process of developing a national resilience strategy that will provide a single, coherent approach to the way the UK approaches national resilience. That will be published in early 2022 and will provide a foundation on which to build a clear and co-ordinated approach to the whole range of resilience challenges.
Through his proposed Amendment 10 I think the noble Lord is seeking reassurance that the UK is working with our international partners to achieve shared objectives, and I am very happy to set out how we are doing that. The Government engage regularly with partner countries, including those mentioned in the noble Lord’s amendment: NATO and the Five Eyes allies. We are committed to a strong and deep relationship with our allies. We have held detailed and productive talks with partner Governments throughout the development of the Bill and will continue to do so as and when it is passed.
Similarly, the Government recognise that co-operation on international standards is vital to our joint efforts as we look to the future. We are working closely with the industry, the National Cyber Security Centre, Ofcom and a wide range of international partners to increase the UK’s influence and presence at major standards development organisations, such as ETSI and 3GPP.
Through his amendment the noble Lord is also, I think, seeking reassurance about the adequacy of Ofcom’s funding for its security arrangements. As the telecoms regulator, Ofcom will have a vital role to play in the compliance and enforcement arrangements for the new security framework. We are working with Ofcom to ensure that it has the required resources to meet its new responsibilities. Ofcom’s budget for telecoms security this financial year has been increased by £4.6 million to reflect that enhanced security role.
As I have explained, we will continue to ensure that our approach to telecoms security is kept up to date in response to the changes in threats and technology. For those reasons, I do not believe that Amendment 10 is necessary, and I hope that, when we come to it, the noble Lord will be content to withdraw it and to see that we are indeed working with our allies on this important area, as he rightly asked.
Amendment 11, tabled by the noble Lords, Lord Alton, Lord Fox and Lord Coaker, and my noble friend Lord Blencathra, seeks to ensure that we take account of the actions of our Five Eyes partners. It would require the Secretary of State to review decisions taken by Five Eyes partners to ban telecoms vendors on security grounds. In particular, it would require the Secretary of State to review the UK’s security arrangements with that vendor and to consider whether to issue a designated vendor direction or to take similar action in the UK.
We certainly agree that the UK Government should engage with international partners, including our important allies in the Five Eyes alliance. That is what we have been doing throughout the drafting of the Bill and what we will continue to do once it has passed. Our Five Eyes relationship is robust, and the UK is committed to a close and enduring partnership. The Five Eyes intelligence and security agencies maintain very close co-operation, including regular and routine dialogue between the NCSC and its international partners. This dialogue includes the sharing of our respective technical expertise on the security of telecoms networks and the question of managing the risks from high-risk vendors. There are mechanisms already in place for the NCSC to share this and wider information with DCMS.
We also agree with noble Lords that the Government should consider the policies of our Five Eyes partners when developing our own security policies, and we do that. However, although we take the position of our Five Eyes partners into consideration, our international interests are not limited to the Five Eyes. That is why the approach we have taken in the Bill provides the flexibility for the Secretary of State to take into consideration a variety of relevant information, which includes but is not limited to assessments of our international partners’ policies. I reassure noble Lords that the Bill enables the Secretary of State to consider a decision by a Five Eyes partner—or, indeed, by any other international partner—to ban a vendor on security grounds.
Clause 16 of the Bill sets out a non-exhaustive list of factors the Secretary of State might take into account when she is considering issuing a designation notice. This illustrates the kinds of factors that the Government will proactively be considering on an ongoing basis as part of our work. The Government’s approach to national security needs to remain flexible and adaptable to future challenges. Every country’s approach to national security will be different; security measures taken in one particular country might not always be appropriate in another, for example due to differences in the composition of their telecoms networks or services.
The Government’s consideration of specific countries’ policies when developing their own national security policy should not therefore be mandated or set out in such a restrictive way in primary legislation.
Lord Fox (LD)
I thank the Minister, and perhaps I am pre-empting what he is about to say, but it seems that, although he has clearly said the answer that I predicted—“not necessary”—the fact that this amendment was brought shows that it is not clear from this legislation that that is what the Minister will be doing. At the very least, whether this gets voted through or not, there is a conversation to be had when this comes back on Report that takes into consideration whether it just limits itself to Five Eyes or goes broader. Will the Minister undertake to think about those things as well, and perhaps comment on that?
Lord Parkinson of Whitley Bay (Con)
Yes, we are of course on Report; it has been a while since we were in Committee. Yes, the noble Lord is right: we do not feel that this amendment is necessary. I hope that I am setting out how the Bill provides for the Secretary of State to do what I think noble Lords want to do, not least, as I was just explaining, in Clause 16 and the non-exhaustive list of factors referred to there. Our objection is to setting out the Five Eyes partnership specifically and restrictively when there may be other countries and allies we speak to where she will also rightly want to take that into account. It is important that the Government have the freedom to determine their own national security policies so that they remain flexible and can respond rapidly to changing threats and challenges to our telecoms networks. The Government also need to be able to determine exactly how and when they engage with their Five Eyes partners and consider their actions when developing our policies.
Noble Lords are absolutely right to speak of the importance of the Five Eyes alliance; for more than 60 years it has been doing extremely valuable work for the people of this country and, indeed, for the other partner nations in it. But the Five Eyes alliance was not created through legislation and its importance has not relied on it being set out in statute either. In fact, it would be highly unusual to refer to such an alliance in legislation and we feel that this Bill is not the right place to create such an important national security precedent. That is why we are resisting it.
The noble Lord, Lord Alton, suggested that if we had had such a provision it might have saved some time and effort in the past, in particular with reference to Huawei. The Government have always considered Huawei to pose a relatively high risk to the UK’s telecoms networks compared with other vendors. There has been a risk mitigation strategy in place since Huawei first began to supply equipment to the UK’s public telecoms providers. As he knows, in July last year, following advice from the NCSC, the National Security Council considered the impact of US sanctions in relation to Huawei and considered that further action was needed in relation to Huawei as the new US restrictions made oversight of Huawei products significantly more challenging and potentially impossible. That is an illustration of how the UK already regularly reviews security advice and requirements in response to international considerations and what other Governments are doing.
The noble Lord, Lord Alton, also asked about Hikvision. The UK is aware of reporting that has suggested links between Hikvision and human rights violations in Xinjiang. As he knows, the Government have spoken up at international organisations to condemn the ongoing situation in Xinjiang. In January, my right honourable friend the former Foreign Secretary announced a number of measures to help ensure that UK businesses and the public sector are not complicit in human rights violations or abuses there. Decisions on excluding suppliers would be made on a case-by-case basis by central government contracting authorities when undertaking procurements in line with the relevant regulations.
My noble friend Lord Blencathra raised China more broadly, and indeed the UK wants a mature, positive relationship with China based on mutual respect and trust. There is considerable scope for constructive engagement and co-operation but, as we strive for that positive relationship, we will not sacrifice either our values or our security. China is now a leading member of the world community; its size, economic power and global influence make it a vital partner in tackling the biggest global challenges, but it has always been the case that where we have concerns, we raise them, and where we need to intervene, we will.
In conclusion, I want to return to where I started these remarks. The Government view national security as their number one priority, as any responsible Government would. This debate has highlighted that there is broad agreement on the need for robust, strategic consideration of those issues. So, although I am afraid that we cannot accept the amendments in this group, I warmly welcome the intent behind them. I hope that I have reassured noble Lords sufficiently that we understand their concerns, and that they will be content not to press these amendments.
Lord Coaker (Lab)
My Lords, I thank the Minister for his reply. Speaking first to Amendment 10, the Minister gave some reassurance to the House in respect of a strategy. He and I mentioned numerous strategies and I think all of us hope that somewhere along the line they are co-ordinated; otherwise, we will end up with a strategy to deal with a strategy, which is not a good place for anyone to be. I shall leave the noble Lord, Lord Alton, to deal with Amendment 11. I beg leave to withdraw Amendment 10.
Lord Alton of Liverpool
“Review of telecommunications companies based in foreign countries
(1) The Communications Act 2003 is amended as follows.(2) After section 105Z29 insert—“105Z30 Review of telecommunications companies based in foreign countriesWhere a Five Eyes partner bans the operation of a vendor of goods or services to public telecommunications providers in its country on security grounds, the Secretary of State must— (a) review the United Kingdom’s security arrangements with that company, and(b) decide whether to issue a designated vendor direction or take similar action with regard to the United Kingdom’s arrangements with that company.””
Lord Alton of Liverpool (CB)
My Lords, the Minister was characteristically courteous. I am grateful to him, but I wish to test the opinion of the House.
Telecommunications (Security) Bill
Tuesday 26th October 2021
(2 years, 5 months ago)
Lords ChamberRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 15-R-I Marshalled list for Report - (15 Oct 2021)
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Parkinson of Whitley Bay) (Con)
My Lords, I thank noble Lords from all sides of the House who have contributed to our debates during the passage of this Bill so far. Although that journey is not complete, their work has certainly helped us to interrogate the Bill and improve it. In particular, I would like to use this opportunity to thank my noble friend Lady Barran, who so expertly guided the Bill up to Committee; I was pleased to hear the tributes and thanks to her on Report a few days ago.
Throughout the passage of the Bill, the noble Baroness, Lady Merron, and the noble Lord, Lord Coaker, have helpfully challenged the Government’s approach from the Opposition Front Bench. I thank them for the constructive way they have done so and for their diligent approach, along with the noble Lords, Lord Fox and Lord Clement-Jones, from the Liberal Democrat Benches, who have also applied keen-eyed scrutiny throughout the Bill’s passage so far. Although we have not always agreed on the fine detail, it is clear that we all share the same ambition: to keep our telecoms networks secure.
I also thank my noble friends on these Benches, particularly my noble friends Lady Morgan of Coates, Lord Vaizey of Didcot, Lord Holmes of Richmond, Lord Young of Cookham, Lady Stroud, Lord Balfe and Lord Naseby for their contributions. The scrutiny that has been applied has already resulted in legislation that will allow the UK to protect our telecoms networks for years to come. It would be remiss of me not to extend my thanks also to parliamentary counsel for their usual brilliance in drafting the Bill, and to the House authorities for ensuring that the parliamentary stages could take place so seamlessly, including during the challenging circumstances of recent months.
I close by thanking the officials within my department, most of whom have been working on this Bill for well over a year now. Their knowledge, organisation and patience has allowed me, and I hope all noble Lords, to understand and scrutinise with relative ease what is a technical but very important Bill. It is a large Bill team and I make no apology for listing their names; it illustrates the breadth of work that has gone into what is quite a technical Bill. I thank Kathryn Roe, John Peart, Byron Grant, Thea Macdonald, Euan Onslow, Alex Walford, Malcolm Campbell, Dan Tor, Rosemary Buckland, Chris Frampton, Charlotte Carew, Will Jones, Yohance Drayton, and our lawyers, Sean Murray, Martha Hartridge, Simon Gomes, Luke Emmons, Richard Lancaster, May Wong, Harriet Preedy, Julia Clayson, Sean Wilson and Matthew Smith. All of them have supported the passage of this Bill excellently.
As my predecessor said at Second Reading:
“The Bill will … protect our telecoms networks even as technologies grow and evolve, shielding our critical national infrastructure both now and for the future.”—[Official Report, 29/6/21; col. 707.]
I am encouraged that your Lordships’ House agrees that the Bill will achieve this, and I beg to move.
Baroness Merron (Lab)
My Lords, this has been my first Bill since I joined your Lordships’ House a little over six months ago. Some would say that I was thrown in at the deep end but in my view, I was simply given the opportunity to swim in rather warm and pleasant parliamentary waters. It has been fascinating and enjoyable and I am very glad that my first Bill has been such an important one for the security of the nation.
The Minister has of course been a constant throughout consideration of this Bill, and we saw his worth recognised as he was promoted from the important role of Whip to the Minister tasked with bringing the Bill home. I thank him for the courteous and professional manner in which he has conducted himself throughout, and I also express my thanks to the former Minister, the noble Baroness, Lady Barran. From these Benches, we also express our gratitude to the Bill team, the clerks, the staff of the House—indeed, all those who have worked front of house as well as behind the scenes to make this Bill possible.
Throughout, it has been my pleasure to work with my noble friend Lord Coaker, who has brought his valuable experience and knowledge to proceedings. We have been blessed to have the highly professional support of Dan Harris, our excellent adviser who has guided and advised us throughout, to whom we express our thanks. Her Majesty’s Opposition strongly believe that our nation’s security is above party politics, and I thank all noble Peers who have worked cross party on this Bill.
New technologies have long transformed how we work, live and, of course, travel. Our experiences during the pandemic have upped the ante on the degree to which we rely on telecommunications networks. At the same time, it has reinforced how intertwined these networks are with issues of national security, including the top priority of any Government: to protect its citizens from risk. This Bill is a necessary step to protect us.
I am very glad to welcome the Government’s acceptance of our arguments that codes of practice, to be issued by the Secretary of State to telecoms providers, must first come before Parliament. However, the Bill raised key questions and concerns, especially given the absence of an effective plan to diversify the supply chain and in respect of our telecom security depending on strengthening our international bonds, in particular through the Five Eyes, involving the UK, the United States, Australia, Canada and New Zealand. I thank the noble Lord, Lord Alton, for his work on that issue.
I hope that the other place will give sympathetic consideration to the changes we have made on both those matters, and that the Minister will recognise that the amendments passed by your Lordships’ House make serious and important improvements to the Bill and have widespread support across the Chamber. My concluding wish for this Bill is that the Government will reflect and feel able to support these improvements to the Bill and the security they provide.
Lord Fox (LD)
My Lords, as the Minister said, this Bill entered the other place a year ago. It has variously been urgent, in the long grass, urgent again and now quite close to passing. I will not delay its passage many more seconds. I have shelved my inner churl, but I absolutely sign up to the comments of the noble Baroness, Lady Merron. There are outstanding issues that your Lordships commented on and put into the Bill as amendments that I hope can be picked up. I hope that when this Bill is finally put to bed, it really does protect the security of this country, and we will work, on these Benches, to help make that happen. There is a lot of unfinished business in this area. I fear that the Minister himself, or one of his successors, may very well be bringing other Bills before your Lordships quite soon.
I thank the Ministers, first the noble Baroness, Lady Barran, and then the noble Lord, Lord Parkinson, for their work and their willingness to communicate with those of us who were seeking to scrutinise this Bill. I join the noble Lord in congratulating the DCMS Bill team, and I hope he did not leave anybody out. I congratulate the noble Baroness, Lady Merron, and the noble Lord, Lord Coaker, on their legislative debuts. I also thank the noble Lord, Lord Alton, for his spirited, highly principled and really important, contributions on the Bill.
Finally, I thank my noble friends Lord Clement-Jones and Lady Northover, without whom this scrutiny would not have been complete, and Sarah Pughe, our legislative officer, for her invaluable support. With that, we wish this Bill onwards, with speed and effectiveness, because it has a very important job to do.
Lord Alton of Liverpool (CB)
My Lords, before we pass this Bill, may I add to a comment to what the noble Lord, Lord Fox, and the noble Baroness, Lady Merron, said? I express my thanks as well to everyone who was on the long list that the noble Lord, Lord Parkinson, gave us, but also to his predecessor, the noble Baroness, Lady Barran. As Ministers, I do not think they could have been more helpful and more responsive to the points we made both in Committee and on Report.
My noble friend also mentioned the all-party amendment moved last week by myself and the noble Lord, Lord Blencathra, which we also raised in Committee. It raises the need for reviews to take place when another jurisdiction—specifically, in this case, many of us cited the United States of America—had banned a particular company which was not banned in the United Kingdom but working within the telecommunications sector.
One example the noble Lord, Lord Coaker, and I gave in our debates was Hikvision, which is banned in the United States. It makes the surveillance cameras that are used punitively against the Uighur people in Xinjiang but are also used in our own high streets and public buildings. That amendment called for a review: that when any such company is banned in another Five Eyes jurisdiction, it is to be reviewed in the United Kingdom. It is a very reasonable all-party amendment, but it was opposed by the Government. Before the Minister completes his remarks today, could he tell us what has happened to that amendment and how the Government intend to respond to it?
Lord Parkinson of Whitley Bay (Con)
I was remiss in not adding to the long list of names I read out those of the noble Lord, Lord Alton, and my noble friend Lord Blencathra, who signed that cross-party amendment to which the noble Lord just referred. Of course, the amendment goes to the other place, which will look at it, the official record and the debate we had on it. I am sorry I was not able to persuade the noble Lord and my noble friend of it, but I will work with my colleagues in DCMS to make sure that they take into account the views of your Lordships’ House as expressed in the vote. I will not pre-empt the debates that will be had in another place, but I look forward to seeing what it sends us back in continuing that debate.
In the spirit which all noble Lords have mentioned today of wanting to see this important Bill on the statute book swiftly but with the proper scrutiny that both places want to give it, I beg to move.
Telecommunications (Security) Bill
Monday 8th November 2021
(2 years, 5 months ago)
Commons ChamberRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Commons Consideration of Lords Amendments as at 8 November 2021 - (8 Nov 2021)
21:37 - The House divided: - Ayes: 276 / Noes: 161 - Question accordingly agreed to.
21:51 - The House divided: - Ayes: 273 / Noes: 161 - Question accordingly agreed to.
The Minister for Media, Data and Digital Infrastructure (Julia Lopez)
I beg to move, That this House disagrees with Lords amendment 4.
Mr Deputy Speaker (Mr Nigel Evans)
With this it will be convenient to discuss the following:
Lords amendment 5, and Government motion to disagree.
Lords amendments 1 to 3.
Julia Lopez
I am pleased that the Bill has returned to the House from the other place and for the chance to speak to it. I thank my hon. Friend the Member for Boston and Skegness (Matt Warman) for his tremendous work in bringing it through the House earlier in this Session and in the last.
The Bill will create one of the toughest telecoms security regimes in the world. It will protect networks, even as technologies grow and evolve, shielding our telecoms critical national infrastructure both now and for the future. As the House will be aware, the Bill introduces a stronger telecoms security framework, which places new security duties on public telecoms providers and introduces new national security powers to address the risks posed by high-risk vendors.
I will briefly summarise the changes that have been made to the Bill. Lords amendments 1 to 3 were tabled by my colleague in the other place, Lord Parkinson. Lords amendment 4 relates to reporting on supply chain diversification and Lords amendment 5 relates to reviewing actions taken by Five Eyes nations regarding high-risk vendors. I will speak first to Lords amendments 1 to 3.
The important role of parliamentary scrutiny has been raised in debate throughout the passage of the Bill. In the other place, particular attention has been paid to scrutiny of our strengthened telecoms security framework. In its report on the Bill, the Delegated Powers and Regulatory Reform Committee noted that the new codes of practice were central to this framework, as they will contain specific technical information for telecoms providers. The Committee recommended that the negative procedure should be applied to the issuing of codes of practice. We carefully considered the Committee’s recommendation over the summer, and tabled amendments 1 to 3 in the other place to accept them.
The amendments will require the Government to lay a draft of any code of practice before Parliament for 40 days. Both this House and the other place will then have a period of time to scrutinise the code of practice before it is issued. These amendments demonstrate that we have listened and that we are committed to every aspect of the framework receiving appropriate parliamentary scrutiny. I commend these amendments to the House.
I will now speak to Lords amendment 4, regarding diversification. This amendment would place an annual requirement on the Government to report on the impacts of their 5G telecoms diversification strategy on the security of public telecommunications networks and services. It would also require a debate in the House on that report. The Government cannot support the amendment for two reasons. The first objection relates to the flexibility necessary for diversification. A reporting requirement of this nature is restrictive and premature. This is an evolving market that is rapidly changing, and we need the flexibility to focus our attention where it will have the greatest impact. While our focus is currently on diversifying radio access networks, once that part of the mobile network has been diversified we will move on to focus on other areas. Committing to reporting on specific criteria would limit us to reporting against the risks as we find them today and would not afford us the flexibility that diversification requires.
Mr Kevan Jones (North Durham) (Lab)
I am very interested in what the Minister says, because one of the major themes, and one of the big failures of the 5G debacle over Huawei, is the fact that we do not have diversification in the network. How will the Government be able to do a stocktake every year so that we as parliamentarians, and others, will be able to judge that what is being said about a commitment to diversification, which is in a lot of policy papers, is actually happening in practice?
Julia Lopez
I thank the right hon. Gentleman for his comment. Hon. Members will be able to raise in the normal way, through parliamentary questions, scrutiny at oral questions and Committee work, what we are doing in this area. We are reporting regularly on some of our diversification efforts and some of the money that we are spending from the spending review.
Mr Jones
I accept that, although the current Government’s response to parliamentary questions these days is sometimes lacking. What benchmark, then, will the Government use for ensuring diversification? I accept that the Minister is the Minister today, but there will possibly be a future Minister—she will not be there for ever—so how are we to judge that we are actually going to get that diversification? Without that, we will end up as we have done now, with a network that is market-led and diversification is not in the market.
Julia Lopez
I appreciate the right hon. Gentleman’s concerns. We are committed to reporting to the House on a regular basis, but we do not want to limit ourselves on specifically what we will be reporting on in technological terms, because this is a rapidly evolving marketplace and we need to make sure that we have the flexibility to deal with particular infrastructure challenges as and when they come along.
My sense is that this amendment is intended to hold the Government’s feet to the fire on delivering their diversification strategy. If that is the case, a reporting requirement of this nature is unnecessary. This House and the other place already have mechanisms to hold the Government to account through parliamentary questions, as I said, and through the various Select Committees that can ably scrutinise this work. That is the appropriate way for scrutiny to take place.
Our second objection relates to focus. This is, first and foremost, a national security Bill. It is intended to strengthen the security and resilience of all our public telecoms networks, be they fixed line or mobile—2G, 3G, 4G, 5G and beyond. While the Government’s 5G telecoms diversification strategy has been developed to support that objective, it is not the sole objective of the strategy. This is market-making work. It is not a panacea to raise the security of our public networks. Moreover, the current scope of the strategy is not to address the entire telecoms market but to diversify a specific subset of it. The amendment extends the Bill beyond its intended national security focus and creates an inflexible reporting requirement on a strategy that will need to continue to evolve. We have been insistent on this position, and that is why I ask that this House disagrees with Lords amendment 4.
Lords amendment 5 would require the Secretary of State to review decisions taken by Five Eyes partners to ban telecommunications vendors on security grounds. In particular, it would require the Secretary of State to review the UK’s security arrangements with the vendor and consider whether to issue a designated vendor direction, or take a similar action, in the UK. I welcome the intention behind the amendment, which demonstrates that those in all parts of this House and the other place take the security of this country and its people incredibly seriously.
However, while we support the spirit of the amendment, we cannot accept it for four reasons. First, the House will recall that the Bill will provide the Secretary of State with the power to designate specific vendors in the interests of national security for the purpose of issuing a designated vendor direction. In clause 16 there is a non-exhaustive list of factors that the Secretary of State may take into consideration when issuing these designation notices. That list illustrates the kinds of factors we proactively consider on an ongoing basis as part of our national security work. A decision by a Five Eyes partner, or any other international partner, to ban a vendor on security grounds could be considered as part of that process, so this amendment would require us to do something that has been part of the Bill from the outset.
Stephen Flynn (Aberdeen South) (SNP)
The key remark that the Minister made there was that it “could be” considered. We have seen the Government’s failures previously in relation to Huawei, so why should we have confidence moving forward that this will be any different?
Julia Lopez
I appreciate the hon. Member’s comments. When the Secretary of State is looking to designate a vendor, she will put that to the House to be scrutinised, and we will be scrutinised on this issue through the usual procedures that I have outlined in my previous comments.
Sir Iain Duncan Smith (Chingford and Woodford Green) (Con)
I welcome the Minister to her place. If we look back over the past few months, even the past year or so, we see very much that the resistance early on by the UK Government with Huawei, when other Five Eyes countries were banning it, has led to a remarkable back-cost for replacing all this stuff because we failed to take an early decision. While the amendment may not be perfect, it indicates clearly a big weakness in the Government’s position, even in this very good Bill. If Five Eyes countries, which are our main allies in intelligence, spot there is a problem, we should pause, investigate the reasons why, and then come back to the House with the reasons why we disagree or agree. The amendment aims at doing that, so perhaps the Government should think about amending the Bill in such a way.
Julia Lopez
I appreciate my right hon. Friend’s comments, but it is important that we do not put in primary legislation the specific partners that we should have to listen to on these specific issues. It would create a hierarchy of diplomatic networks.
Sir Iain Duncan Smith
With respect, these are not specific partners; these are our closest allies when it comes to intelligence sharing. They do not get any closer than this. Working with them, as we do in sharing intelligence, means that using systems for sharing that intelligence would corrupt our own ability. I wonder whether the Minister could just slightly reset: these are not just partners.
Julia Lopez
I appreciate my right hon. Friend’s comments. The amendment would require us to do something that has been part of the legislation from the outset. We believe that our existing approach is the right way to continually consider the decisions of our international allies and partners, whether or not they are part of Five Eyes. That brings me to the second objection to the amendment, which is that it is unnecessary because we regularly engage with our Five Eyes partners and are committed to a close and enduring partnership with them. We agree with the other place that where possible, the UK Government should consider the actions of other countries when developing our own policies, and that is exactly what we do already. It is what we have been doing before and during the passage of this legislation.
The intelligence and security agencies across Five Eyes retain close co-operation, which includes frequent dialogue between the National Cyber Security Centre and its international partners. This dialogue includes the sharing of technical expertise on the security of telecoms networks and managing the risks posed by high-risk vendors. There are mechanisms in place for the NCSC to share this and wider information with the Department for Digital, Culture, Media and Sport.
Collaboration with our Five Eyes partners forms an intrinsic part of our national security work. The alliance was not created through legislation and it has not required legislation for us to develop and strengthen that relationship, and the amendment would set an unhelpful precedent. We do not need the amendment to compel us to work with our Five Eyes partners.
That takes me to our third reason for resisting the amendment, which is that the UK needs to have the flexibility to develop and encourage international relationships in addition to Five Eyes. Naming individual countries in this way would set an unhelpful precedent for national security legislation in future. As I have acknowledged, it is important that we consider the policies of our Five Eyes partners, namely New Zealand, Canada, Australia and the US, when developing our own policies, but we also need to consider the policies of a wide range of other countries, including those of our European neighbours, such as France and Germany, and those of other nations, such as Japan, South Korea and India. Stipulating in primary legislation the countries whose policies the UK Government should consider when developing our own national security policies, whether Five Eyes or other countries, would be unhelpful, given the wide-ranging nature of our international collaboration. It would be highly unusual to refer to specific countries in legislation in this way, and this Bill is not the right place to create such a precedent.
The fourth reason for resisting the amendment is that it is impractical because of the many different ways in which other countries operate their national security decision making. The amendment would require us to act whenever a ban takes place in another Five Eyes country, but it may not be immediately clear when a country has taken a decision to ban a vendor, particularly if they have relied on sensitive intelligence to make that decision.
It may not always be apparent why a particular country has banned a particular vendor. There could be any number of reasons why a foreign Government would choose to restrict a company’s ability to operate within that country. Those reasons may not be based purely on national security grounds. I welcome the intention behind the amendment, but we cannot accept it because we feel that it is duplicative, impractical, restrictive and, ultimately, unnecessary.
In summary, the House is presented with a strengthened Bill as Lords amendments 1, 2 and 3 will increase the chances of parliamentary scrutiny of the telecoms security framework. As I have set out, however, it would be inappropriate to agree to Lords amendments 4 and 5. I thank the other place for its scrutiny of the Bill. I commend Lords amendments 1, 2 and 3 to the House and ask that the House disagrees with Lords amendments 4 and 5.
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
I thank colleagues in the other place who have worked hard to improve the Bill. National security is the first duty of any Government and Labour will always put our country’s security first.
The pandemic has shown how important telecommunications networks are. I declare an interest as a former telecoms engineer, but I am sure I speak for the whole House in thanking all those who have kept our networks going during the pandemic. We have been dependent on them to work from home or to keep in touch with family and friends. This House could continue its important work thanks to telecommunications networks, as well as the hard work of House staff and the Speaker’s support.
A secure network is of the utmost importance. Labour welcomes the Bill’s intention while recognising its limitations. I am pleased that the Lords amendments that we are discussing reflect issues that Labour has been raising.
Lords amendment 1 seeks to improve transparency in the use of the Secretary of State’s powers to issue codes of practice to communications providers through the negative procedure. It reflects amendments that we tabled in Committee in response to the sweeping powers that the Bill gives to the Secretary of State and Ofcom. As the Comms Council UK said,
“the Minister will be able to unilaterally make decisions that impact the technical operation and direction of technology companies, with little or no oversight or accountability.”
The House has a duty to ensure that those powers are proportionate and accountable, so we are happy that the Government have bowed to pressure from Labour to strengthen parliamentary scrutiny, even if, in our view, it does not go far enough. Two consequential amendments to Lords amendment 1 set out the conditions for the 40-day scrutiny period and ensure that that time cannot be disrupted by recess or Prorogation so that this House and the other place have sufficient time to scrutinise the code.
Lords amendment 5 is cross party and designed to ensure that the Government review a vendor that is banned in a Five Eyes country. We support the amendment and find the Government’s opposition concerning, as we believe it could threaten our national security.
I find the Minister’s arguments against the amendment somewhat confused. She claims that the amendment is unnecessary because we already monitor Five Eyes countries and would always respond to the actions of our closest intelligence partners, but if that is true, why not formalise it? We are stronger together, specifically with our Five Eyes allies. Instead of putting forward further arguments, I turn to the eloquent explanation of Conservative peer Lord Blencathra:
“All it asks the Government to do…is to review the security arrangements with a telecoms provider if one of our vital, strategic Five Eyes partners bans its equipment. We are not calling for a similar immediate ban, or an eventual ban, we are just saying let us review it and come to a conclusion.”—[Official Report, House of Lords, 19 October 2021; Vol. 815, c. 99.]
We will support the amendment.
Lords amendment 4 requires the Secretary of State to report on the diversification strategy’s impact on the security of telecommunications networks. It would also allow for a debate in this House on the report to further strengthen parliamentary scrutiny. Labour supports the removal of high-risk vendors from our telecoms networks, and given the grave situation into which successive Conservative Governments have allowed our networks to fall, it is essential that the Government have the powers to remove Huawei at speed. However, we are left with only two providers, and as we heard repeatedly at every stage of this Bill’s progression, two providers is not diverse, is not resilient and is not secure.
We cannot ensure national security without a diverse supply chain, but I fear that the Government still just do not get it. Let me just take two of the Minister’s arguments. The first argument seems to be, as far as I could comprehend it, that requiring reporting would be “restrictive and premature”, but surely if the Government’s intention is to diversify the supply chain—and we have heard that we cannot have a secure network without a diversified supply chain—the only way a reporting requirement would be limiting is if the Government have no actual intention of doing anything about diversifying it.
The Minister’s second argument seems to be that this is too technologically specific. Lords amendment 4 says:
“The Secretary of State must publish an annual report on the impact of progress of the diversification of the telecommunications supply chain on the security of public electronic communication networks and services.”
Would the Minister tell me what in that is specific as to the technology? Indeed, the only specific aspect of technology is a requirement to include future technologies that may be used as a platform, such as cloud computing. I find the Minister’s reasons for not supporting this amendment concerning. I fear that the Government are just not serious about diversifying our supply chain, and that they do not really have a plan for it.
The Minister mentioned asking parliamentary questions. Just last week, I asked her what funding was available for 5G diversification, and she talked about
“a Future RAN Competition (FRANC) and opening the doors of the SmartRAN Open Network Interoperability Centre (SONIC Labs).”
I want to know how diversification is being achieved and how local sovereign UK capability is being built, not an acronym soup that is ad hoc, hard to digest and dangerously complacent.
Bob Stewart (Beckenham) (Con)
The hon. Lady is an expert in so far as she was, I understand, a communications engineer. As far as I understand it, there are three suppliers, but one of them we do not particularly want to use, and that leaves two. What other diversification can we do if we only have two? Can we try to build up something very fast, and is that what the hon. Lady is suggesting?
Chi Onwurah
I thank the hon. Gentleman for his intervention, and I promise not to take advantage of it to set out at length what we could be doing to diversify. I would just say to the hon. Gentleman and the House that we only have two suppliers for 5G now, but the technology is evolving and there are new technologies for the next generation of networks—6G. As he will well remember, we have gone through generations of technology at quite a pace over the last 20 years.
Right now, we should be investing in great UK technologies from companies and start-ups that are working in the field of open RAN and other technologies. Rather than having just one vendor supplying a whole network, as has been the case with Huawei and others, we would have a diverse mix of vendors at every stage of the network—the core and so on—which would enable much greater resilience. We could be doing that. The technologies are there now, and with the support of a forward-looking Government, we could ensure that leaders in those technologies were UK companies. We would therefore have not only a resilient network, but a network with local capability, because I remind the hon. Gentleman that there is no UK capability or UK vendor in this area right now. That is what I hope to see from the Government. Network diversification should be a fantastic opportunity to support innovative start-ups around the country.
Catherine West (Hornsey and Wood Green) (Lab)
Does my hon. Friend agree it is a pity that the Government got rid of the industrial strategy group that helped to advise on these expert issues?
Chi Onwurah
As always, my hon. Friend makes an excellent point, and as a telecoms engineer, it has been sad to see the lack of an industrial strategy for our telecommunications capability, which strengthens our UK capability. We have excellent engineers and excellent research. We should be leading in future telecommunications capability, and an industrial strategy would ensure that was the case. It would also help collaboration with our allies. For example, the US does not have a vendor that can provide our 5G networks at the moment, and collaboration with our allies and an industrial strategy or plan could make such a difference globally and locally to our security and economic strength.
Sir Iain Duncan Smith
Is the main point in all of this that this was not a market failure? Although an industrial strategy is important, in reality this is a national security failure. Huawei has undercut the market progressively for nearly 15 years through its subsidies, breaking every rule and driving every company out of business. The single biggest problem we face is having a proper functioning market that requires those involved in it to obey the rules. China does not, and everyone has paid lip service to that. Is that the real problem?
Chi Onwurah
I both agree and disagree with the right hon. Gentleman. I agree totally that national security is not a function of the market, and the fact that we have a network that is not secure is not a market failure but a failure of government and foresight. China had an industrial strategy. That is why it has a vendor in all the networks across the world—
Chi Onwurah
Not to break the rules, but to work with other nations whose values we share, and in the long term to develop and support companies in this area.
Mr Kevan Jones
Does my hon. Friend also agree that this did not come as a great shock to the Government? It was all laid out in the 2013 Intelligence and Security Committee report on critical national infrastructure, but nothing has been done since then.
Chi Onwurah
My right hon. Friend, as always, makes a really good point. That is where an industrial strategy would have come in. It was predicted and we had time to build up alternatives. To go from having Huawei as one vendor among others that had small parts of our network, to our network being so dependent on it, took time. We could have used that time better to secure our networks and our own capability. The Government are bodging this. They are leaving it to the market when national security is not a market function. Labour has consistently welcomed the Bill, but it is only a small step towards achieving a truly secure and robust telecommunications network. In 2010 the Tories inherited a secure, competitive and world-leading network. It is now insecure, uncompetitive and bumping along the bottom. The Government have wasted 11 years, with huge delays in the second and third-generation fixed broadband roll-out, pushing us down the bottom of the OECD tables. Telecommunications are essential to our national security and economy, and we hope the Government will take this opportunity to recognise that.
Several hon. Members rose—
Mr Deputy Speaker (Mr Nigel Evans)
Order. I am introducing a four-minute limit. There is hardly any time in this debate, and the votes will come no later than 9.37 pm. If people can be even pithier than four minutes that would be helpful.
Julian Knight (Solihull) (Con)
First, I must declare that I am chair of the all-party parliamentary group on new and advanced technologies.
I have here—switched to silent, I hasten to add—my mobile phone, on which are all my apps. Just going through them gives us an idea of the flood of information about me that is now carried through telecommunication networks. I have my train app, my Uber app, my Bolt app and my Uber Eats app—as you can see from my waistline, Mr Deputy Speaker. I have my bank accounts. I have my Tesco Clubcard. I have my Signal and my WhatsApp. I have my Instagram. I have my tickets for sporting events. I have my apps for parking and for booking restaurants, and apps to read newspapers. I have apps for—heaven forbid—my golf handicap; unfortunately, it is really high. I also have my bet365 app—the less said about that, the better. I have apps for health and I have apps for my mental health.
In short, someone can see from my phone where I eat, what I spend, who I associate with, where I have been, where I am going to be, my financial status, my credit worthiness, whether I am an insurance risk, even whether I like a curry or a pizza—or, frankly, whether I am happy or sad.
Much of this is truly wonderful, and we have seen through the pandemic how technology has advanced 10 years in just 18 months. But you ain’t seen nothing yet, Mr Deputy Speaker. I expect that we will have the use of biometrics, the linking of data, and artificial intelligence. This is more than the railroad of the 21st century; it is redefining the way we interact with one another, and how the state protects and interacts with us. You do not need an aircraft carrier if you can subvert telecommunications. It is imperative that the Government ensure that our national security is not breached in this way. That must be woven into the plan that we have for the future of data and the interaction between the state and the individual. This Bill is the start of that process, although admittedly it is very late in the day, after many false starts.
Moving on to the Lords amendments, I am pleased that the noble Lord Parkinson tabled Lords amendments 1, 2 and 3 in the other place on behalf of the Government. As new technologies emerge and security threats change, it is only right that Ministers have the ability to introduce new codes of practice to bring legislation up to date. However, through the application of the negative resolution procedure, right hon. and hon. Members will be able to provide parliamentary scrutiny to the new codes where necessary.
I have great sympathy with the thrust and intention of Lords amendments 4 and 5, although I wonder whether Lords amendment 5 is slightly gilding the lily. I would hope that any Government worth their salt would take very seriously the approach of our closest security partners, so I wonder whether that really needs to be in law at this stage. However, Lords amendment 4 on network diversification is very strong, and I am minded not to support the Government on it tonight. Frankly, I think it would advance things and set a really good marker in that respect.
This is absolutely necessary law. It is very late in the day, and it has been a very difficult process, but we must now focus on the fact that this is not the end but the very beginning of the way we underpin our society in terms of how we protect our data and our telecommunications.
Stephen Flynn
I am delighted to follow the hon. Member for Solihull (Julian Knight), although now I am really interested to know whether he prefers a curry or a pizza. When I came into the debate, I did not expect that to be the topic of discussion.
I am very conscious of time, and I know that a number of people on the Back Benches would like to make contributions to this incredibly important debate. However, I will take the opportunity to set out the SNP’s views on Lords amendments 4 and 5 and, importantly, briefly to reflect on why we are in the situation that we are in. Actually, that kind of ties in to Lords amendment 5: it is because of the mess that the Government have created in relation to Huawei.
When I first came into the House—pre-pandemic, of course—one of the biggest issues being discussed was the situation with Huawei and the flip-flopping that the Government were doing. I respectfully suggest that, in relation to Lords amendment 5, it is almost akin to the fact that they have learned nothing. There is an opportunity before them to ensure that they work with key intelligence partners, as the right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith) said, to ascertain where the biggest threat sits. But rather than take cognisance of what has been said in the other place, they are simply saying that the plan, as they have it at this moment in time, is good enough. That, from my perspective, simply does not cut it, especially, as we have heard, when some £2 billion has already been wasted on this debacle, notwithstanding the economic impact of being so many years behind in the roll-out of 5G itself. That, in many senses, covers Lords amendment 5.
On Lords amendment 4 and diversification, I will not repeat the exact detail of the amendment because that was done so eloquently by the shadow Minister, but I was a little bit surprised at what the Minister said. If I got the scope of it correctly, she was saying that Lords amendment 4 is far too narrow and would make the Government’s life too difficult. However, the amendment did not seem to suggest that when I cast my eyes on it. In fact, if I read it correctly, in the other place the Government’s position was that the framework was already sufficient, so the Government do not even seem to have clarity between the other place and this place on their actual position. I do not think that that is necessarily a surprise, because they are just looking for a reason not to back an incredibly helpful amendment.
Those are the views of the SNP on the two more contentious amendments. I look forward to the Minister perhaps providing the clarity that the Government have not been able to provide so far. I also look forward to hearing what our esteemed Back Benchers have to say on these matters.
Dr Julian Lewis (New Forest East) (Con)
It is a pleasure to follow all the Back-Bench speeches so far.
I would like to blaze in capital letters what the Minister said:
“This is, first and foremost, a national security Bill.”
Something very similar was said when the National Security and Investment Bill—now the National Security and Investment Act 2021—was going through this House and the other place earlier this year. The Intelligence and Security Committee is, as it always has been, a non-partisan organisation. I will therefore be saying some things to please and, probably, to annoy both sides.
The Committee considered the five amendments at a recent meeting. We agreed that the entirety of Lords amendments 1 to 3 was broadly beneficial. We looked at Lords amendment 5 and we understood the temptation to flag up the importance of the Five Eyes relationship. We agreed—it is interesting how closely our deliberations, without consultation, conformed to the views of the Chairman of the Digital, Culture, Media and Sport Committee, my hon. Friend the Member for Solihull (Julian Knight)—that it was, as he put it, a case of gilding the lily, because whenever a serious objection is raised on security grounds by one of the Five Eyes partners, we take that with the utmost seriousness. That leaves us with Lords amendment 4. For the life of us, we cannot understand why the Government are opposing it. We believe it would strengthen parliamentary scrutiny and provide a valuable annual stocktake on the progress being made on the diversification strategy and how it is helping to improve national security. Therefore, like the Chairman of our parallel Committee, I will not be voting against Lords amendment 4 tonight.
Where does that leave us as a Committee in terms of the two Bills and the amendments thereto? You may recall, Mr Deputy Speaker, that there have been intense arguments both in this place and in the upper House about the failure of the Government to accept amendments that would allow the Intelligence and Security Committee to scrutinise closely the secret aspects that are inevitably involved in those two Bills. I will not digress on this both because I lack time and because you, Mr Deputy Speaker, would instantly call me to order. I will simply say, on ensuring that there is ISC scrutiny of the classified elements that follow from this legislation, that arguments have been advanced by the Government in the other place to say, “Well, the face of the Bill isn’t the place to do it.” We agree with that now; we are taking the Government at their word. Therefore, we have written to the National Security Adviser and asked him to take up the issue with the Prime Minister, so that the memorandum of understanding between the Prime Minister and the ISC can be brought up to date to cater for the provisions of this Bill and the earlier Bill that should be part of our purview. That is what the Government promised in 2013 when the legislation was originally put through, for our Committee’s powers, and it is a promise that we expect them to keep.
Mr Kevan Jones
I begin by thanking the hon. Member for Boston and Skegness (Matt Warman), who took the Bill through Committee very ably. Sadly, he was a victim of the cull of competence in the last reshuffle, but his approach to the Bill was refreshing.
The Bill is important and, as a member of the ISC, I fully support it, but aspects of it need improving. Lords amendment 4 on the diversification strategy is vital. I was not reassured by the Minister telling us that this would be kept on track. When people try to give the impression that the issue of telecoms security suddenly hit us like a bolt out of the blue because of Huawei, I suggest that they read the 2013 ISC report on critical national infrastructure. What was going to happen was all laid out there, and nothing did. I think that without this annual stocktake, as the right hon. Member for New Forest East (Dr Lewis) said, there will be a tendency for future Governments to take their eye off the ball in terms of pushing forward the agenda that ensures that we are never again in a situation where we are beholden to, in this case, Huawei or any other vendor.
I have no problems with Lords amendments 1 to 3, but I think the Minister rather oversold this in saying that it is a demonstration of the Government’s commitment to parliamentary scrutiny. I accept that to a limited degree as it pertains to the codes of practice, but as the right hon. Member for New Forest East outlined, there is an issue that should concern Members on both sides of the House with this Bill and the National Security and Investment Act, in that there are elements of security now in two Departments that will not be able to be scrutinised by any Committee other than the ISC. As he outlined, although we have tabled probing amendments here and in the other place, we have given the benefit of the doubt to the Government, because of reassurances that scrutiny will be forthcoming. However, I say to the Minister that I would like a commitment tonight that she will feed that point back, because without this, no other Committee will be able to deal with the secret aspects involved. I have spoken to members of the Business, Energy and Industrial Strategy Committee, who are still trying to wheedle out of the Government their memorandum of understanding about what they can and cannot see, and that does not bode well. This is one thing that we will come back to, if it is not done now.
The ISC has so far been constructive and responsible in the way in which it has approached this issue. It is now in the hands of the Prime Minister to ensure that the memorandum of understanding is amended and is, as the Chair of the ISC said, in line with the Justice and Security Act 2013, which envisaged that we would have oversight if security went into other areas. Without that, these matters will lack the scrutiny that they rightly need.
Bob Stewart
I, too, speak as a member of the Intelligence and Security Committee. My comments will be short, because my time is limited, but many of the views that I will express have already been stated by other hon. Members.
As the House has heard, the ISC broadly supports the Bill, although it remains concerned about the Bill’s lack of a role for it in providing parliamentary oversight of parts of the legislation that Select Committees are unable to supervise. The ISC has made that point to the Government, but they do not accept it.
As a Committee, we want this legislation and will not push the issue, but we retain reservations about the matter not being part of the Bill. However, as the Chairman of the ISC—my right hon. Friend the Member for New Forest East (Dr Lewis)—and other hon. Members have said, we have written to the National Security Adviser to suggest that the matter be addressed in a revised edition of the Committee’s MOU, which comes from the Prime Minister. Otherwise, we consider that there will be gaps in the supervision available to Parliament—that is our main point.
The Committee fully supports the changes to clause 3 in Lords amendments 1 to 3 about codes of practice and the new wording after clause 23 in Lords amendment 4. With regard to Lords amendment 5 on Five Eyes review, we believe that the intelligence community will naturally consider the views of Five Eyes partners as part of its reporting, so the new clause, although worthy, is not really necessary.
Mr Deputy Speaker (Mr Nigel Evans)
I am extremely grateful for your pithiness.
Jim Shannon (Strangford) (DUP)
The Bill seeks to enhance security provisions that all Members of this House must recognise are much needed. Clear consensus has been achieved—it has been hard-fought—that cyber-attacks on the telecommunications infrastructure pose a significant threat to national security and that legislation is needed to strengthen the security framework. The Government and the Minister are endeavouring to protect the state and its citizens. This is an absolutely necessary law that will make a clear improvement, but more can and must happen.
I believe that the Bill is needed not only to safeguard this great nation from cyber-terrorism, both domestic and external, but to ensure that we can continue to attract jobs and investment from those who seek to utilise the skills and experience of our workforce. As I have said numerous times in this House, Northern Ireland is fast becoming the cyber-security centre of the world, with companies from Europe, America and elsewhere making use of our low business rates and our high skillset. To continue to attract that investment and those jobs, we must really be on top of our game; I believe that the Bill will play an important part in that. Could the Minister give some indication of her discussions with Ministers in the Department for Business, Energy and Industrial Strategy on the Bill’s economic benefits for all regions, particularly Northern Ireland?
We all want to secure jobs, but we cannot allow any and all companies to have access to our networks. I believe that the protections in the Bill are imperative against those who may unscrupulously seek to carry out espionage on either a corporate or a national security level. Along with many others, I had concerns about the Huawei deal and its impact on the essential Five Eyes agreement; I was pleased by the decision that the Government ultimately made for all our security. There is a lesson to be learned and I trust that we have all learned it.
I agree that it is imperative that a clear and precise code of conduct is permitted, so I support the Government’s further amendment to ensure that a code of conduct is encompassing and far-reaching. That is right and proper, and I fully support it.
Andrew Rosindell (Romford) (Con)
I rise to speak in favour of Lords amendment 5, which was tabled by Lord Alton and Lord Blencathra.
The Five Eyes alliance is one of the most important strategic alliances that the UK shares. It is one of the world’s most comprehensive intelligence-sharing alliances, bringing together nations that have a strong bond forged through our shared history and values. The Government have recently taken a great stride towards strengthening our relationship with two of our Five Eyes partners, Australia and the United States, through the AUKUS agreement. I believe that Lords amendment 5 would further strengthen our ties with those great allies and ensure that we look to the future of the security and resilience of our telecommunications network.
Telecommunications networks have become the foundation of our economy, allowing business, Government and communities to connect and share information. This ability to connect and communicate is now a fundamental part of the way in which our society operates. Only last year, however, the Government were still considering using the services of a Chinese company, Huawei, to manage the introduction of 5G technology in our country. That was deeply worrying, owing to the complete subservience of the Chinese tech companies to the Chinese Communist party. The unholy alliance of these so-called private companies and an authoritarian Government who have no respect for basic values such as privacy has allowed the CCP to increase internal surveillance to a level never seen before. We would be foolish to think that the CCP would not have used its access to the information accumulated by Huawei through its involvement in our 5G roll-out, given the immense levels of intelligence that it would have been able to gain from that.
This debacle of Huawei shows that we must be extremely careful in protecting the security of our vital infrastructure. Letting companies that are so intertwined with a malign Government manage the implementation of our telecommunications systems would be no less than an act of national self-harm. If one of our close strategic allies makes the decision to ban a telecommunications company from operating within its borders, it will have a good reason for doing so. Taking the time to consider the rationale for such decisions will cost us little, whereas I worry that not doing so could be catastrophic for our national security. I hope that this House will approve amendment 5, as it will send a clear message that technology companies that work against our national interest will not be allowed to operate in the United Kingdom. I hope that the Minister will reconsider the Government’s position.
Sir Iain Duncan Smith (Chingford and Woodford Green) (Con)
I will be brief, as much has been said already. However, I want to say a bit to my hon. Friend the Minister about Lords amendment 4. I also, by the way, want to recognise my hon. Friend the Member for Boston and Skegness (Matt Warman), who is no longer a Minister but who was in charge of much of the Bill’s passage. I thought that he did an excellent job. It is a very good Bill which is long overdue, and there is much to praise in it.
I think that Lords amendments 4 and 5 are worthy of a little more assessment. Lords amendment 4 does have merits, because it recognises that there is a real problem about diversification. The point that I was trying to make to the hon. Member for Newcastle upon Tyne Central (Chi Onwurah) earlier was not an argument against any kind of strategic review or industrial policies; it was the argument that if a nation is in a sense rogue, in terms of its ability to stay within the market, and subsidises companies deliberately for strategic effect, that is why the number of companies will fall from 15 to three in the free world, which is what happened in this case. I think the amendment is about the need to recognise the fact that diversification, if not pursued deliberately, will lead us into the hands of a country like China, which then forces us eventually to have only one vendor on price, because that country has subsidised it.
As for Lords amendment 5, I heard the argument of my right hon. Friend the Member for New Forest East (Dr Lewis), the Chairman of the Intelligence and Security Committee, but I would not regard this as “gilding the lily”. I do not much like lilies and I think they could do with a bit of gilding, but I think that this is more a case of locked doors, and if the amendment is about putting an extra door into the security panoply, I think it is important. I will be brief, but last year, along with many others, I had very strong arguments with the Government about Huawei, and we were disregarded, disregarded, disregarded. The Government even led out all the great security experts who told them that they could control everything, saying, “Don’t worry, we can manage the risk”—until it finally became apparent to them that they could not. We faced that at the time. Other Five Eyes members had already said that this was not on, but we seemed to disregard their views. So I simply say that this is not about gilding the lily; it is about reminding the Government that they must abide by these provisions.
I should also make the point that there are many other companies to which we should be giving real consideration right now, and which are being looked at and banned by the Five Eyes—such as Hikvision and ByteDance—and I urge the Government to think again about those as well.
Matt Warman (Boston and Skegness) (Con)
I want to thank the various Members who have paid tribute to my small role in this Bill. I say simply to the right hon. Member for North Durham (Mr Jones) that I regard all reshuffles as an upgrade, so I welcome the Minister to her place. I mean that sincerely. I would also like to pay tribute to the officials—some of whom are in the Box today—who do not get enough credit for getting the Bill to the place that it is in. Ultimately, this is the Bill that will remove Huawei from our 5G network, and that is something that we should all welcome. It addresses a number of the issues that I raised and discussed robustly, as my right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith) said, during the process of getting the Bill to this point.
Ms Nusrat Ghani (Wealden) (Con)
I rise to speak in favour of Lords amendment 5, which was championed in the other place by my Friend, Lord Alton and which focuses on the Five Eyes partnership. The Minister said that the amendment was unnecessary, but I would argue that if she were to accept it, it would provide a safety net. Last year, the Government were forced into committing to removing Huawei equipment from the UK’s 5G network, which followed on from a ban by the US and Australian Governments. We had even found ourselves in a situation in which one of our closest allies publicly threatened to stop intelligence sharing with us for the first time in our 75-year partnership. I would argue that this amendment would ensure that we did not find ourselves in a similar place again.
Let me give the House an example. Despite being blacklisted by our closest ally for its ongoing links to the ongoing genocide in the Xinjiang, and a Chinese intelligence law which means that the company can not only harvest data but provide data back to the Chinese state, the surveillance company Hikvision continues to be embedded in councils, hospitals and city infrastructure up and down this country. Earlier this year, I led a Business, Energy and Industrial Strategy Committee report, “Uyghur forced labour in Xinjiang and UK value chains”, which also looked at data harvesting. I was deeply unimpressed with Hikvision’s response, and I want to put on record that I thoroughly support the Foreign Affairs Committee’s recent recommendation that the Government should forbid Hikvision from operating in the UK. My Select Committee continues its work on Xinjiang, and I look forward to meeting TikTok in the near future.
The amendment would provide a fantastic safety net to ensure that we do not find ourselves in a difficult relationship with our Five Eyes partners again. Why would we want to risk that? I urge the Minister to recognise the motivation behind the amendment, which would enable trust and deepen our intelligence sharing alliances with our closest partners as well as ensuring security at home. I also urge the Minister, if she has the time, to read the “Uyghur forced labour in Xinjiang and UK value chains” report, and in particular to focus on article 7 of China’s national intelligence law, which states that any company that is registered in China has to provide data to the Chinese Communist party on demand, and also to deny to any other state that it is doing so.
Julia Lopez
With the leave of the House, I close this debate by thanking hon. Members for their contributions to the debate and for making a number of extremely important points about national security. I am keen to address those not only now, in this legislation, but in the future, through horizon scanning for some of the challenges that are coming up.
I appreciate that some of the trust in the system has been undermined by the Huawei situation, and I am sympathetic to concerns raised about reporting, diversification and resilience. My hon. Friend the Member for Solihull (Julian Knight) is absolutely right that this legislation is just one part of a wider security framework. The development of 5G and full-fibre networks brings new security challenges, which we must be prepared for.
This legislation sets up a strong regime for handling and removing high-risk vendors from our public networks, but it is just the start. Specific security measures will be set out in secondary legislation; there will be a lot of work to do in the next stage as we draw up that legislation, and we will be publishing a code of practice explaining the technical guidance that providers can follow to comply with legal duties.
The final secondary legislation and code will be agreed through public consultation, which I hope will provide another opportunity for hon. Members who have concerns in this area to provide adequate scrutiny. I am alive to some of those concerns, but, as my hon. Friend the Member for Boston and Skegness (Matt Warman) has outlined, MPs and Peers have had multiple chances to scrutinise and feed back on our diversification strategy, and we will continue to report on developments.
Bob Stewart
I remind the Minister that the members of the ISC present tonight have written to the national security adviser on the revision of the memorandum of understanding from the Prime Minister to the ISC. We really do expect some changes to that, so that we can close the gap on supervision of things that other Select Committees cannot look at.
Julia Lopez
I thank my right hon. Friend for that point. This issue has been raised throughout the passage of the Bill; I am alive to those concerns from the ISC, which bring particular expertise and scrutiny on matters on which others cannot, by virtue of their security importance. I understand that the ISC’s Chair has written to the Cabinet Office on the matters raised, but I wish to engage with the Committee on its important work. I believe I may—
Telecommunications (Security) Bill
Monday 15th November 2021
(2 years, 5 months ago)
Lords ChamberRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 64-I Marshalled list for Consideration of Commons Reasons - (12 Nov 2021)
Lord Parkinson of Whitley Bay
That this House do not insist on its Amendment 4, to which the Commons have disagreed for their Reason 4A.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Parkinson of Whitley Bay) (Con)
My Lords, noble Lords will recall that this Bill will create one of the toughest telecoms security regimes in the world and ensure the security and resilience of the UK’s telecommunications networks and infrastructure.
Amendment 4, which was tabled by the noble Baroness, Lady Merron, and the noble Lords, Lord Alton of Liverpool and Lord Fox, would insert a new clause into the Bill. The clause would require the Secretary of State to report on the impact of the Government’s diversification strategy on the security of telecommunication networks and services, and would allow for a debate in another place on the report.
I ask that this House do not insist on its amendment for two reasons. Our first objection to this amendment relates to the flexibility necessary for diversification. The reporting requirement, which is based on the risks as we find them today, is restrictive and premature for a market and technology that is evolving and rapidly changing. Policy work is at an early stage, and the criteria for how we measure its success is evolving in line with our policy. It would not be suitable to set out specific reporting criteria in legislation.
The diversification strategy and any reporting on its progress must be flexible so that we can focus on achieving the greatest impact. As we hope diversification to be a short-term problem, enshrining it in legislation—a long-term solution—would be counterintuitive and unnecessary. We are currently focused on diversifying radio access networks, for instance, but that may change in the future.
The Government take diversification seriously. I reassure noble Lords that mechanisms are already in place, through Parliamentary Questions and Select Committees, to thoroughly scrutinise the strategy and its progress now and in the future. This is the appropriate method of scrutiny for an evolving, time-limited strategy.
Secondly, this is principally a national security Bill intended to strengthen the security and resilience of all our telecoms networks. The Government’s 5G telecoms diversification strategy has been developed to support that objective but it is not the sole objective of the strategy. In addition, the strategy is focused on a specific subset of the telecoms supply market, not the security of public networks as a whole.
From debates in your Lordships’ House so far, it is clear that this amendment intends to hold the Government to account on the impact of the diversification strategy on the security of public networks. We will be happy to provide updates on the strategy’s progress through existing channels, and are encouraged by the developments that we have seen since the strategy’s launch. The amendment would extend the Bill beyond its intended national security focus and creates an inflexible reporting requirement on a strategy that, as I say, will evolve as it fulfils this important work. That is why I ask your Lordships’ House not to insist on Amendment 4.
I shall also speak to Motion B, which asks that this House do not insist on its Amendment 5, to which the Commons have disagreed for their Reason 5A. As noble Lords will recall, Amendment 5 was tabled by the noble Lords, Lord Alton of Liverpool, Lord Coaker and Lord Fox, and my noble friend Lord Blencathra. The amendment would require the Secretary of State to review decisions taken by Five Eyes partners to ban telecommunications vendors on security grounds. In particular, it would require the Secretary of State to review the UK’s security arrangements with that vendor and consider whether to issue a designated vendor direction or take similar action in the UK.
As I said on Report, I welcome the intention of the amendment. It demonstrates that noble Lords across the House take the security of this country and its people incredibly seriously. However, while we support the spirit of the amendment, we cannot accept it for four reasons.
First, this amendment is unnecessary as the Bill already allows the Secretary of State to consider the policies of Five Eyes countries. Clause 16 includes a non-exhaustive list of factors that the Secretary of State may take into consideration when issuing designation notices regarding high-risk vendors. That list illustrates the kinds of factors we will be considering proactively and on an ongoing basis as part of our national security work. A decision by a Five Eyes partner or indeed any other international partner to ban a vendor on security grounds could be considered as part of that process. The amendment asks the Government to do something that has been part of the Bill from the outset. We believe that our existing approach is the right way to continually consider the decisions of all our international allies and partners.
Secondly, the amendment is unnecessary because we are already committed to a close and enduring partnership with the Five Eyes countries. We engage with our partners regularly and, where relevant, consider their actions when developing our own policies. The Five Eyes intelligence and security agencies maintain close co-operation, which includes frequent dialogue between the National Cyber Security Centre and its international partners. This dialogue includes the sharing of technical expertise on the security of telecoms networks and managing the risks posed by high-risk vendors. Engaging with our partners in this way is at the very core of our national security work.
In another place, members of the Intelligence and Security Committee agreed that the amendment was not necessary as the existing intelligence relationship with the Five Eyes, and other international parties, is strong. The chairman of the Intelligence and Security Committee, Dr Julian Lewis, said:
“We looked at Lords amendment 5 and we understood the temptation to flag up the importance of the Five Eyes relationship. We agreed ... whenever a serious objection is raised on security grounds by one of the Five Eyes partners, we take that with the utmost seriousness.”—[Official Report, Commons, 8/11/21; col. 119.]
The chairman of the DCMS Select Committee, Julian Knight MP, agreed and said that
“any Government worth their salt would take very seriously the approach of our closest security partners.”—[Official Report, Commons, 8/11/21; col. 117.]
Our third reason is that naming individual countries in legislation would be restrictive to the development of wider international relations and set an unhelpful precedent on national security legislation. The Five Eyes alliance was not created through legislation and it has not required legislation for us to develop and strengthen that relationship in the past. Moreover, we need to consider the policies of a wide range of countries, including those of our European neighbours such as France and Germany, and those of other nations such as Japan, South Korea and India, to name but a few. It is highly unusual to refer to specific countries in legislation in this way, and the amendment would set an unhelpful precedent for future legislation.
Finally, the amendment is impractical because of the many different ways other countries operate their national security decision-making. It may not be immediately clear when a country has taken a decision to ban a vendor, particularly if it relied on sensitive intelligence. It also may not be clear why a country has taken this decision, and it may not always be based on national security grounds. So, while I welcome the intentions behind the amendment, we cannot accept it and that is why I ask that the House does not insist on Amendment 5 either. I beg to move.
Lord Clement-Jones (LD)
My Lords, I hope my noble friend Lord Fox has given his apologies to the Minister for being unable to be here due to a Select Committee engagement. However, that does not mean that on these Benches we are any less disappointed—or indignant, as I think my noble friend Lord Fox would put it—about the Government having turned down both amendments, which my noble friend signed. The Minister is developing a fine turn of phrase in turning down amendments that appear perfectly sensible. On Report he talked about sharing the ambition and warmly welcoming the intent and then said that they did not quite fit the Bill and the Government could not accept these amendments. It is rather baffling since both are built very firmly on the Government’s expressed intentions —indeed, ambitions—set out in the integrated review. That was very clear in our debates on Report. It seems that the Government’s motives are much more firmly based on resistance to scrutiny and the idea that, somehow, they would be constrained in their work on diversification by having to report, in the case of Lords Amendment 4. However, the words he used were:
“legislating for a reporting requirement would be limiting and inflexible.”—[Official Report, 19/10/21; col. 86.]
Having reread the debate and heard again what the Minister had to say, I still cannot understand the Government’s rationale for this.
The rejection of Lords Amendment 5 is equally baffling because the Minister talks again about the limitation of the amendment to a particular set of countries. Surely, one of the reasons we are where we are, and the Government had to backtrack on their treatment of high-risk vendors, is precisely that they were not in step with their other Five Eyes allies. Therefore, the Government are not even learning from experience. We are where we are, however, and clearly we are not going to take this further, but I believe that the Government will regret not accepting both amendments.
Baroness Merron (Lab)
My Lords, the matters under consideration today are about not party politics but the first duty of any Government: to ensure the security of our citizens and the United Kingdom. Following majorities in this House and considered debate in this and the other place, it is regrettable that the Government have rejected sensible amendments to this important Bill, which I still believe would have improved and enhanced our collective security. The arguments against these amendments have been somewhat wanting, generally conveying the message, throughout the passage of the Bill, that it is all being take care of—a view that this House, on all sides, has not shared.
Our extensive use of new technology throughout the pandemic shone a very bright light on the degree to which we rely on telecoms networks and our experience has reinforced how intertwined these networks are with issues of national security. So, to ensure our security, diversification is crucial and thus far an effective plan to diversify the supply chain has been absent. As I recall, we do, however, have broad agreement that we cannot have a robust and secure network with only two service providers, which is what will remain when Huawei goes. This is why we need to ensure diversity of suppliers at different points of the chain, with sufficient support for the UK’s own start-up businesses. I, too, will quote, from the debate in the other place, the words of Dr Julian Lewis MP, the chair of the Intelligence and Security Committee, who is obviously much quoted today. He said, of Lords Amendment 4:
“For the life of us, we cannot understand why the Government are opposing it. We believe it would strengthen parliamentary scrutiny and provide a valuable annual stocktake on the progress being made on the diversification strategy and how it is helping to improve national security.”—[Official Report, Commons, 8/11/21; col. 119.]
The Government have said that they are serious about protecting our telecoms security and they respect the vital role that diversification plays in achieving that. I would therefore have thought that the Government would welcome the added layer of diversification scrutiny that Lords Amendment 4 provided. It is disheartening, therefore, that the amendment is rejected by Motion A.
On Motion B, our telecoms security also depends on strengthening our international intelligence bonds and the Five Eyes provides the perfect opportunity to do so. It is therefore similarly disappointing that the Government, having promised to work with this alliance in the integrated review, have resisted introducing a requirement that the Government should automatically review vendors—and by that we meant only “review” vendors when others in the Five Eyes ban companies from their networks. This was provided for by Lords Amendment 5. Such a response, as outlined in Motion B, flies in the face of common sense and it is very disappointing to see this rejection.
I accept that on this occasion we have reached the end of the parliamentary road with the Bill. However, as time goes on and the provisions of the Bill take effect, I hope that the Minister will reflect on the debates in the House and the other place concerning the intent and practical considerations that would contribute to security improvements, as provided by Lords Amendments 4 and 5. I hope the Minister will not feel constrained when he further considers making improvements in this area.
Lord Parkinson of Whitley Bay (Con)
My Lords, I certainly hear the disappointment and perhaps, as the noble Lord, Lord Clement-Jones, said, even the indignation of his noble friend Lord Fox, in his absence. I am sure that if the noble Lord, Lord Alton of Liverpool, who is not able to be with us today, were here he would have had something to say as well. However, I hope to be able to reassure all noble Lords that the Government certainly have listened to and taken on board the points which have been made. Where we respectfully disagree, I would point to the fact that another place has disagreed as well, but, as I said in my opening remarks, we are very conscious of the spirit of scrutiny in which these amendments have been put forward. Noble Lords have wanted to ensure that the Bill does what the Government intend: to set up a framework to protect the national security of our country. We simply disagree about the practicalities of some of the amendments which remain at this late stage.
It may be helpful to say a little more about the opportunities for parliamentary oversight of the diversification strategy which noble Lords and Members of another place will have been able to take advantage of. Since its publication, Members of another place and noble Lords have had the opportunity to scrutinise and provide feedback on the strategy. The Science and Technology Select Committee in another place held an inquiry earlier this year on 5G Market Diversification and Wider Lessons for Critical and Emerging Technologies. The Government responded to the committee’s report in April, agreeing with its assessment of the scale of the diversification challenge and that there is a need to work swiftly to make early progress and build momentum as we work towards our long-term ambitions. We have not yet committed to a specific way of reporting progress, as policy work is at an early stage and the criteria for how we measure its success is evolving in line with our policy, as I said in my opening remarks.
However, we have made and announced a lot of progress on our diversification strategy already: for example, on our programme of targeted R&D support, including the future RAN open competition, the winners of which will be announced soon. We will continue to update on progress and are planning to launch further policy commitments at the same time as announcing the winners of that competition later this year. I know that noble Lords, if they agree with us and do not insist on their amendments today, will certainly continue to watch this issue vigilantly and find every opportunity to pursue these important issues in your Lordships’ House and through Parliamentary Questions and Select Committees, and it is right that they do.
I end by thanking again the Bill team and all officials who have been involved in the development of this important Bill. I listed them in full last time, so I will not try the patience of the Hansard editors by repeating their names but I will add one final name: Daniel Wilson, who has been of great support to me and my noble friend Lady Barran in working on this issue in private office.
I commend the Bill to your Lordships’ House. It will create one of the toughest telecoms security regimes in the world and ensure the security and resilience of the UK’s telecommunications networks and infrastructure.
Lord Parkinson of Whitley Bay
That this House do not insist on its Amendment 5, to which the Commons have disagreed for their Reason 5A.
Lord Parkinson of Whitley Bay (Con)
My Lords, I have already spoken to Motion B, and I beg to move it formally.
Royal Assent
Wednesday 17th November 2021
(2 years, 5 months ago)
Lords ChamberRead Full debate Read Hansard Text Amendment Paper: HL Bill 66-I Marshalled list for Consideration of Commons Reasons - (16 Nov 2021)