All 3 David Johnston contributions to the Telecommunications (Security) Act 2021


Mon 30th Nov 2020
Telecommunications (Security) Bill
Commons Chamber

2nd reading: House of Commons & Carry-over motion: House of Commons & Money resolution: House of Commons & Programme motion: House of Commons & Ways and Means resolution: House of Commons
Thu 14th Jan 2021
Telecommunications (Security) Bill (First sitting)
Public Bill Committees

Committee stage: 1st sitting & Committee Debate: 1st sitting: House of Commons
Thu 14th Jan 2021
Telecommunications (Security) Bill (Second sitting)
Public Bill Committees

Committee stage: 2nd sitting & Committee stage & Committee Debate: 2nd sitting: House of Commons

Telecommunications (Security) Bill

David Johnston Excerpts
2nd reading: House of Commons & Carry-over motion: House of Commons & Money resolution: House of Commons & Programme motion: House of Commons & Ways and Means resolution: House of Commons
Monday 30th November 2020

Commons Chamber
David Johnston (Wantage) (Con)

It is always a pleasure to follow my right hon. Friend the Member for South Holland and The Deepings (Sir John Hayes). I welcome the Bill and congratulate the Government on it. It is a good Bill, and credit should go to the ministerial team for that. Credit should also go to my Back-Bench colleagues who have made important contributions this year. There are plenty of them, but in particular, my hon. Friend the Member for Tonbridge and Malling (Tom Tugendhat), my right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith) and my hon. Friend the Member for Isle of Wight (Bob Seely) have helped us to get to a better Bill.

This comes a couple of weeks after Second Reading of the National Security and Investment Bill, which I also spoke in support of. As with that Bill, it is right that we devise a new regime for the risks that we think we face at this time, and we should not be too prescriptive. Our focus in 2020 is Huawei, but we have to leave this open to new threats that we might encounter, so I am comfortable with Huawei’s name not being on the face of the Bill.

I support Ofcom being given the powers to ensure that providers adhere to the new security measures that we want them to take. I also support the Government bringing forward the deadline for buying new equipment from Huawei to September 2021 and the removal of all its equipment by 2027. Of course, I would like that date to be earlier, and I maintain that there is a distinction between what the providers want to do and what is genuinely impossible for them to do, but I accept the Government’s judgment. I accept that, like any businesses making an investment decision, providers require certainty. They need to know that that is the year it is happening, and we need to stick to that. I also accept—perhaps the Minister could comment on this—that providers have an understandable concern that the decisions made by local authorities about masts and so on may further delay the roll-out, and perhaps we can support them in those decisions.



As this debate went on in 2020, I found some of the contributions—not necessarily from this House but from outside it—frustrating. One in particular was the suggestion that there are no risk-free vendors. I accept that, but when we are dealing with companies such as Nokia and Ericsson, we know that we are dealing with fundamentally different entities from companies such as Huawei. We are not concerned that Nokia and Ericsson will collaborate with intelligence agencies on spurious national security grounds, and we are not concerned that there might be back-door vulnerabilities in the equipment, as Vodafone found a decade ago; even though it was assured that they had been taken out, that was not the case. It is also fair to say that we are not concerned about malicious cyber-attacks being directed at us from the Governments of Finland and Sweden. I accept that no provider can be without any risk at all, on the basis that I accept that no system is completely foolproof, but we are dealing with very different companies in those respects, compared with those where we have concerns about the world view of the country they are headquartered in.

Yet we need more competition and more diversity of providers. We would need that, by the way, even if there were no security considerations whatsoever, because competition improves quality, choice and price. I therefore very much support the Government’s investment of £250 million. I represent a largely rural constituency, so I entirely understand the importance of connectivity generally, and of 5G for the country as a whole and for my constituency. It has been suggested that it will be worth £170 billion to our GDP in the next decade. I know that the decisions being made through the Bill will delay the roll-out and increase the cost, yet they are entirely the right decisions to take because they are about our national security. In July 2019, the Government’s own supply chain review found that successive policy decisions had meant that, although we might have achieved good commercial outcomes, we had poor cyber-security. It is therefore entirely right that the Government should now reverse that order of priority, even if it is going to cost more and take more time, and I wholly support their aspiration to have one of the toughest security regimes in the world.

Telecommunications (Security) Bill (First sitting) Debate

Department: Department for Digital, Culture, Media & Sport

Telecommunications (Security) Bill (First sitting)

David Johnston Excerpts
Committee stage & Committee Debate: 1st sitting: House of Commons
Thursday 14th January 2021

Public Bill Committees
Amendment Paper: Public Bill Committee Amendments as at 14 January 2021
Mr Jones

Q In the near term, it is not going to replace the hardware that we need at the moment, which the two vendors are providing. Are you talking specifically about open RAN, or are you talking about diversification or any strategy to develop a UK hardware supplier?

Andrea Donà: There is an opportunity for British companies to play an active role in the open RAN ecosystem. As we open up the interfaces of the technology, it creates a golden opportunity for British companies, with British support and know-how, to come and contribute to the development of this new technology.

Patrick Binchy: My views are broadly aligned with the previous answers. The reality of the situation that we find ourselves in is that there are only two practical vendors for the next couple of years. As both my colleagues have said, beyond that there is opportunity for ORAN.

I am not sure if it came across in the previous answers, but I would stress strongly that the first thing we need is the R&D. We need to understand how we can move this technology forward. As Derek said, trials are primarily operating in rural capacity, but to be a true competitor to the incumbents we have to be able to use it in deep urban areas, under significant loads, which needs a lot of development.

The Government can support trials and help build the ecosystem around them, but the first thing that we need is to get the research and development that will feed the trials. In terms of the Government’s development of opportunities in ORAN, it is key that they look at working with international partners. This has to be scaleable; otherwise, it is never going to be commercially viable. The UK market will not be big enough to drive that scale and commerciality.

David Johnston (Wantage) (Con)

Q It was widely reported that between 2009 and 2011, Vodafone found back-door vulnerabilities in equipment in Italy, and that you were assured by Huawei that they were being removed. You subsequently found that, in fact, they had not been removed. Do you have any concerns about back-door vulnerabilities in the equipment between now and 2027, and can you give us a sense of your management of that risk and what you do to try to make sure that there are not any?

Andrea Donà: Specifically on the incident you are referring to, which was in April 2019, it was a Telnet protocol, which is used by many vendors in the industry to perform diagnostic functions. It is important to note that it would have not been accessible from the internet. Detailed analysis showed that it was simply a failure to remove a function that is used, as I said, for performing diagnostics after it had been developed.

On the broader question of security and our concerns, we have always maintained the very highest level of security policies, security processes and security procurement mechanisms and frameworks. We use a layered approach to our security needs, whereby we secure by design. All our systems and processes put in place guarantee the highest security standards, end to end. The UK networks and standards are the highest in the world. We constantly work hand in glove with the NCSC, and abide by all the latest NCSC guidance and policies to keep those minimum standards high every time. We have worked very closely with the NCSC to set up HCSEC, an ad hoc centre where any new Huawei equipment or software goes through rigorous checks, audits and assurances, in line and in close collaboration with NCSC.

Patrick Binchy: I do not have much to add to that. We are similarly aligned in terms of our processes, from procurement to deployment. We have security checks throughout, and separate functions to make sure that we are adhering to those. We work very closely with the NCSC and HCSEC in terms of the technologies that are in the network. Going forward, we will continue to do so. We will be reviewing the software and hardware versions that we have in place and ensuring that those are fully checked and validated. As I said earlier, we also have a full, independent view of the traffic traversing our network, so if something untoward were to start happening, we would immediately have a view of it, and would be able to shut it down independently.

Derek McManus: As I said earlier, we do not have sufficient numbers in the UK. We have fewer than 10 Huawei base stations, so although we perform all the necessary checks, we are not exposed on the scale of others in the market.

The Chair

I propose drawing this part of our deliberations to a close at 12.30 pm. We have five Members seeking to ask questions. If our panellists keep each of their answers to one minute, we will get everybody in—and we will get all the answers as well. I call Christian Matheson.

Telecommunications (Security) Bill (Second sitting) Debate

Department: Department for Digital, Culture, Media & Sport

Telecommunications (Security) Bill (Second sitting)

David Johnston Excerpts
Committee stage & Committee Debate: 2nd sitting: House of Commons
Thursday 14th January 2021

Public Bill Committees
Amendment Paper: Public Bill Committee Amendments as at 14 January 2021
Mr Jones

Q I do not disagree on that, but let us be honest. Telecommunications is a competitive market. If we want to move to open RAN or make real generational change, the Government will have to intervene quite heavily in the market to change minds. Operators will not do it unless they see a competitive advantage. That is possibly why we have had the situation with the hardware side of it, with China buying into the market by undercutting other people and providing state subsidies, for example. Without support for R&D and actual market intervention, that radical change will not happen quickly.

Matthew Evans: I think the £250 million is clearly initially focused on the R&D ecosystem. That is a big commercial barrier when you look at the testing environment and the time it often takes for operators, understandably, to feel confident in deploying equipment into their networks, because they are ultimately responsible for the integrity of them. If we can supercharge the testing environment in the UK, we should be able to shorten the time to market, but open RAN in particular is going to require a boost in funding to accelerate the maturity of that technology.

The other part of the diversification strategy is the scale vendors that may be operating in other parts of the world but are not present in the UK today. That is why it is also important to tackle some of the regulatory or commercial barriers that exist and prevent them from entering the market today.

Hamish MacLeod: I do not think I really have anything to add to what Matt just said.

David Johnston (Wantage) (Con)

Q I think we all support diversification in principle, but what does success look like for the two of you? How many companies would it be? We have only two vendors that we can choose from at the moment, so how many do you think is acceptable? Is there an analogous comparison for you, whether in tech or elsewhere, of the much broader choice that we should be aiming for, and how long do you think it will take to get there?

Hamish MacLeod: One of the things about open RAN and more open architecture generally is that you generate competition in the hardware and in the software—it is not one package—so I think it is realistic to expect more competition, particularly in the software side of things.

The Chair

Do you have anything to add, Mr Evans?

Matthew Evans: Not too much. It is hard to put a number on it, but success would be where we clearly have a greater number of vendors than today, and that is a mix of open and proprietary technology. As Hamish says, the reason it is hard to put a number on it is that in that open stack, you could have competition within the stack, rather than between vendors that sell the consolidated package.

David Johnston

Q So you do not want to put a number on it, but is there another sector that you would draw a comparison with that does not have this problem and is, in principle, the sort of thing we should be aiming for here?

Hamish MacLeod: The analogy that has sometimes been used with me is looking back 40 years to the computer market. We all used to buy IBM computers and you got the computer and all the software integrated, and then the two separated out. There was interoperability and you create a lot more competition and innovation. That is a potential analogy—a rough analogy, I would say.

The Chair

Anything to add, Mr Evans?

Matthew Evans: No, that is a good analogy.

--- Later in debate ---
The Chair

Who wants to go first? It looks like it is Mr Johnston. Can I just ask you to say which of the witnesses you are directing your question to?

David Johnston

Yes, although I was going to ask them who they think is best to answer it.

The Chair

There is always one.

--- Later in debate ---
David Johnston

Q We asked the previous witnesses this question. When it comes to stringency on these issues, do any of you feel able to give us a sense of the international comparison between the regime that this Bill creates and regimes around the world?

John Baker: Perhaps I could take that one. This is falling in line with what is going on globally. We see initiatives coming from Spain, the EU and the US. The US is further ahead in terms of passing law on trusted suppliers, and it is now setting timelines and budgets for taking suppliers out of the network. That rip-and-replace programme is now under way. The money for that was approved in December, and operators are looking at open RAN as solutions for that. That is very similar to the activities that you are planning through this Bill in the UK.

Chris Jackson: What we have seen in Japan is strong support for this direction, but I think the UK Government have taken the lead in terms of putting forward an aggressive stance on this to ensure that the security of the country is protected. The UK is doing everything that we would expect it to, and we fully support that.

Stefano Cantarelli: Some of the things said about the diversification of the supply chain are particularly important in terms of the ability to create competition and, as such, innovation. The interoperability of interfaces is fundamental in order to boost data and to be able to create more competition. We strongly believe that competition is based in innovation, and innovation these days can create a very powerful cycle of technology. It is not like how it was in the old days when it took maybe a year, two years or three years to get things into deployment; today, in less than a year a trial can become a commercial deployment.

Pardeep Kohli: I agree with the other gentlemen. In a number of countries, operators have made the decision that, going forward, they will only buy open RAN-based solutions. Governments are supporting that in many parts of the world.

Mr Jones

Q This question is to whoever wants to pick it up. The debate in the UK on Huawei has been around hardware, and clearly open RAN is the future. Can you give an indication of two things? First, what are the timescales for its development and deployment? Secondly, because we have got operators currently taking out Huawei kit and putting in Ericsson or Nokia kit, how do you incentivise those companies to take the open RAN approach in terms of developing a market for that product? Where are we at internationally on open RAN compared with other countries?

Pardeep Kohli: Let me start. You are right that until now it was all about hardware, because people were building proprietary hardware to supply radio products. When you do hardware-based solutions, the scale matters, because you need logistics, manufacturing capability and factories, and obviously Huawei, Ericsson and Nokia had a strong base and the logistics set up.

When you do open RAN, it is more software leaning on general-purpose hardware. Companies like us do not need manufacturing plants any more because we are only providing software, and we have the advantage that our software can run on a private cloud that an operator can build on, for example, standard Dell servers—there are plenty of them, and people can build those—or we can run it on a public cloud on Amazon or Google. If you look at the scale that Google, Amazon and Azure have, Huawei is nowhere close to their scale. In that sense, the whole matter of Huawei’s scale does not matter at all the moment you move a hardware problem to a software problem.

The same thing happens with logistics and people. For us, hardware-based solutions need people to carry the hardware around, bolt it and everything. For software, with the click of a button you can distribute it to 2,000 sites; you do not need people and logistics to drive hardware around. This is how with what we are doing—for example, we are working with Dish to build a nationwide network, and we will have 50,000 sites deployed in less than two years—not that many people are required to do all this, because the problem has moved from hardware to software.

We would like the Government and other people to understand that there is no way any company can beat Huawei with the presence it has in China alone if they take on the problem as a hardware problem. It must be converted into a software problem—that is the only way it can be solved.

On your question about how we convince operators, it is always on the point about proof. We are a 20-year-old company working with operators all over the world. We handle 60% of the world’s operators’ messaging. If you look at SMS, for example, we carry that traffic for all the operators in the UK, and voice calling. We already do more critical services: radio is important, of course, because of the connectivity, but operators are relying on us for the day-to-day services. Now we are working with them to prove that our software is as good or better than what they can get on from the incumbents. Of course, we are expecting them to participate in the journey and work with us so that we can prove to them that we are good. We have done that in all other layers of the software, so we feel that if somebody engages with us, within six to nine months we will prove to them that we are good and it works.

That is working; in terms of the whole idea that the technology does not exist, we have crossed that hurdle. Now it is more about, “Okay, does it work for this use case or that use case?”, or, “In my network, I may have some proprietary stuff I have done with existing vendors, and I want you to do that as well.” So it may take six to nine months, or even 12 months, to get there, but I think we are beyond the point where we need to prove that it works. We know it works.

--- Later in debate ---
The Chair

I think it is possibly better if I get one of the Members to put a question to you first. David.

David Johnston

Q That was a helpful teaser of what you think about this legislation. Could you expand on exactly why you have that view on what you see as the inadequacies?

The Chair

I think that is primarily to Dr Bennett.

Dr Bennett: It is because I care very much about you succeeding with this. I think everyone in the telecoms industry wants your intentions to be met, but we have to remember that when it comes to something as complex as security in the UK telecoms network, even if everyone follows best practice, it is a question of not if there will be a security breach, but when, and how quickly you can mitigate it. The reason is that our communications network has grown like Topsy. It has multiple digital infrastructures sitting on a lot of legacy systems, including analogue systems and copper. It is a very complex system of systems, with multiple, ill-defined interfaces and literally billions of end points, many of which have no security at all; the internet of things is an example.

The question is how you can minimise the likelihood of breaches. To do that in this very complex situation, you need a balance between light-touch regulation, which Ofcom seems to prefer, particularly with tier 3 suppliers, and the absolute need for security. Looking at our absolute need for security and the recent SolarWinds compromise, the inclusion of SolarWinds Orion products in networks was considered by everyone to be perfectly sensible. It was a trusted supplier. However, the latest things that I have seen say that thousands of networks have been compromised by that. As it seems to have been a spying attack, only about 10 networks are known to have been breached, but it will take months for all of those networks to be secured, and there are other potential breaches. The NCSC recently put out a note about that to all end users.

That is typical of the kind of things we will face. If we want an infrastructure that can cope with that, we need to do a lot of things. There needs to be a very honest and open dialogue between all the telecoms suppliers, their supply chains, their subcontractors, the Government, Ofcom and other agencies.

The Chair

Q I will interrupt you there for a second, but I will come back to you. Mr Robson, do you have anything you want to add?

Julius Robson: Security is about resilience, and it is not a question of whether something will go wrong; it is a question of when. When we realise that one of our vendors is high-risk, will it take seven years to fix that problem? That is not a healthy place for our industry to be in. We want a rich diversity of suppliers working together, so that when we identify a suspect component or part in our network, there is something sitting there, warmed up and already integrated, ready to be swapped over. That is where we want to get to.

Dr Louise Bennett pointed out that there are many parts to this network; it has lots of legacy pieces. It is not a bad thing that our network is comprised of many diverse parts—that makes it less vulnerable to a single point of failure. Someone pointed out earlier that there is the idea of the weakest link—something is only as good as its weakest link—but actually, a diverse system with many different types of vendors involved is harder to take down. Maybe you can take down part of that network, but the whole thing will not fail if just one part is compromised. I think diversity is the answer to resilience in this case, and we should be looking to head in that direction.

David Johnston

Q Just to be clear, is your critique of this legislation that you feel that something is missing from it? Or, given that you think breaches are a case of “when” rather than “if”, which I am happy to accept, is your critique that no one piece of legislation could totally protect us from this, and that it is about what the whole sector is doing to keep us secure?

Dr Bennett: It is partly to do with what the whole sector is doing, but I think some things have not had enough emphasis in the Bill. One of them is what I have called the asset database. Those of us who were involved with the millennium bug know that we spent a hell of a lot of time trying to understand what the asset database for all our networks was, in order to find the components that were likely to cause a problem. I assume that the tier 1 suppliers and our main network suppliers have a comprehensive asset database, but you actually need a well-secured asset database that goes down to the component level. Over time, as you maintain it and move some components out and other components in, you need to be clear about what has happened to them.

At a subcontractor level, that can often be extremely difficult to do. You can find someone who thinks, “Oh, it’s okay; I’ve replaced that with something, and the spec looks similar.” The spec may look similar, but when someone says, “Actually, it is version so and so of such and such a component from such and such a supplier that you now need to take out,” you will find that you do not know in your asset database that you have some of those components in it. I could not see anything in the Bill that talks about the asset databases of the companies that supply the networks we are using, and I think that omission needs to be dealt with.

That leads to another point, which is about the processes for maintaining security over time. You may now be taking out all the Huawei kit and putting other things in its place, but that is happening all the time—that maintenance is going on all the time. There is no mention in the Bill of a technical advisory board focused on the provisions of the Bill, and that would be a very helpful addition. The board would perhaps be able to point out that there were new types of components coming in that ought to be looked at or considered and that ought to be recorded in people’s asset databases, and people should make sure that happens.

Leading on from that, I also think that the processes are not as transparent as they ought to be for Parliament. It would be helpful if there was a commissioner, such as the Information Commissioner or the Investigatory Powers Commissioner. That would be helpful in keeping an eye on what is going on here, and in order to be able to help policy makers and the Secretary of State to make the right changes.

The Chair

I am just going to interrupt you there, because I am conscious of time and a couple of Members are indicating that they want to come in. I call Christian Matheson.