Telecommunications (Security) Bill (Fourth sitting) Debate

Department: Department for Digital, Culture, Media & Sport
Dean Russell (Watford) (Con)

Q137 As you know, there are very many benefits to a 5G network in terms of the speed, application development and the new era that it can bring, but would you mind focusing for a moment on the new security risks that 5G will also bring, please?

Dr Sellars: You are quite right that 5G opens up a whole load of new benefits, predominantly high-speed access/lower latency. I think some of the security risks are around who is providing the infrastructure to support 5G. The concern that we have at the moment is that we need to have security of supply—both resilience of the supply chain for that infrastructure, and the cyber-security and encryption element of that infrastructure.

I think it is fair to say that 5G is likely to support a much broader selection of services. It is likely to have an impact on commercial, governmental and security transmission, just because of the widespread access and its very high-speed capability. It is also likely to support a very large number of internet of things devices—the sort of devices that UtterBerry develops. Some of those devices are another potential attack vector, if you like; they are another potential vulnerability. It is broadening the access into the network, which is potentially opening up new sorts of vulnerabilities that we need to take into consideration.

Dr Johnson: Let me start by saying that some aspects of security in 5G networks are actually much more secure than in previous generations. Looking over the lifetime of cellular, you will know that you could just listen into first generation analogue networks with a very high frequency radio. GSM—the global system for mobile communications—was secure, partly at least. The network and the phones would authenticate to each other, but only asymmetrically, so the phone could be captured by a surreptitious network. That sort of attack is still used.

3G is much more secure, with symmetric authentication. It is harder for devices to be captured by the wrong network, but it is still possible. It is also possible for the IMSI—that is to say, the international mobile subscriber identity—of an individual or group to be found from that network. The same is true of 4G. In 5G, that is much more difficult. In terms of the security of the user of the network, 5G has tightened up a lot of the loopholes in previous generations in a way that is very hard to unpick. That creates tactical problems for some law enforcement agencies, which rely on some of the insecurities of earlier generations to do their job.

From the network side of things, there are some issues. There is a new network model in terms of the way nodes are connected in the core network. No longer are there physical interfaces as in previous generations of network, where there would be an S1 connection from the base station to the core. There are still connections, but they are much more in a publish-subscribe-type model. I think those, conceivably at least, bring a little more opportunity for attackers to probe nodes within the core network to find weaknesses and vulnerabilities. That is my take on 5G.

Heba Bevan: We have three elements that the telecoms community could work on: the communication aspect, which is provided by companies such as BT; the hardware aspect, which is probably provided by companies such as UtterBerry; and the software element within the system. So there are three types of vulnerability that could be introduced in the path of these three elements. The only problem with these paths is this: who is responsible if there is an attack? Usually, the communication aspect is the most important part to get protected.

Currently with 5G, there is a huge opportunity for opening up a huge economic impact from the sector in terms of healthcare, education and tech industries. These industries will need to move on and having 5G is definitely an important element, but how can we make sure it is secure in providing an effective communications network that provides an end-to-end solution and security? That is where I think we need to concentrate on the telecommunications and how can we make sure that what we are getting from that communication is totally secure, and that the encryption within it passes certain thresholds.

We can follow a certain standard within the hardware and software, but if the network is weak and has not provided us with good reliability, that is where things could be broken.

Christian Matheson (City of Chester) (Lab)

Q Thank you for those answers. I have just a couple of questions. First of all, following on from Mr Russell’s question, the impression I get—I am not an expert—is of a network that is a bit like a bowl of spaghetti. There are bits here, there and everywhere, and there are bits of different generations that are all added on. How easy would it be from your point of view, with your different areas of expertise, to audit and identify within any part of that chain in the network exactly where there is equipment—hardware, software, chips or whatever—that perhaps needs to be removed or checked?

Is there a shelf-life of the older versions? I am surprised that we are still talking about 2G—that it has not been removed. Is there a shelf-life for those elements and will they be removed from what I term “the network”, which is of course the whole global telecommunications infrastructure of the UK? Nick, do you want to start on this question?

Dr Johnson: Yes. Let me start on that shelf-life question. GSM is a little bit like Radio Four longwave, right? I do not think that it is ever really going to die; there are just too many people who depend on it for one reason or another, whether that is for emergency calls, or just for coverage in remote locations or wherever. I think GSM will stay there forever, despite its security issues. They are well known and understood, and managed in due course.

The shelf-life of network components is an interesting aspect. Our experience of deploying into cellular networks is that there is always a security audit involved. When we take a piece of equipment into a new operator, there is always a hurdle to be overcome. They have their own audit procedures and those include a sort of paper audit, where they look at the particular software components that the software is built from, some of which we build ourselves, some of which is open source and some of which is commercial off-the-shelf software libraries and so on. They want to make sure that those are all up to date and properly patched, with all the latest security patches and so on. I think that will just continue on. To some extent, that is just the baseline hurdle.

I am not sure this is exactly what you are asking, but what has changed in my mind as we go forward is this idea that there can be software in the network that is not so much interested in security—as in, somebody hacking into it—but is more of a Trojan horse type of software, completely undetectable until some signal or some date comes by and it springs to life and does bad things. The example I have in mind is the SolarWinds example from December last year, where software had been inserted in the supply chain and had been sitting there quite happily for a while. That, to my mind, is very difficult to detect. Until it goes off, you do not know there is a bomb inside it, and that is an issue.

Coming back to the shelf-life question, keeping the software up to date is a major issue. It sounds easy, but practically speaking, I know it is an operational dialogue all the time within vendor businesses: they are striving for revenue from new customers, for new features to be added, and that is acting against updating the software libraries and so on to bring them up to date. There is a continual dialogue in every vendor company to ask, “Do we need these features to get more revenue, or do we need to update these libraries because we need to maintain secure software?” I guess to some extent, the whole reason for this Bill is to try and force that to the front of the conversation; to say, “Look, you can’t go on. That dialogue has to stop now. The software needs to be secure.” That has to be the baseline; it has to be a basic hygiene factor in selling software that it must be secure to a certain level, and the features need to come as value added. If you have some questions coming up on the code of practice, designated vendors and so on, we might talk about that, but those are my comments on shelf-life.

I think I missed your first question. I apologise.

--- Later in debate ---
James Sunderland (Bracknell) (Con)

Q Thank you for the opportunity to ask the first question. Welcome and thank you for giving us your time. I note from the biographical notes that all three of you have clear commercial backgrounds with what appear to be British-owned firms. I am very pro-British myself, as you would expect as a British MP, so may I ask your opinion on the extent to which the telecoms Bill will offer opportunities to British firms?

Mike Fake: I think the diversification strategy is important. It is great to see the national telecoms centre proposal and the £250 million for research and development. One concern is whether that will be enough. Listening to earlier parts of the hearing last week, BT said that it invests £500 million per annum and Huawei has a revenue of probably $120 billion per year. Sorry, did I say, “million”? I meant billion. What do they invest in research and development? Probably $2 billion a year. The opportunity I see is that we have a short-term focus for network equipment manufacturers to replace high-risk vendor equipment, but it will be difficult in that period for other new entrants to get their share.

The opportunity is to foster new entrants in technologies in the UK telecoms supply chain, and to leverage innovative solutions for manufacturing scale in the UK. Another issue is that there is a lot of focus on the radio access part of 5G, but that is only one small part of the network. There is optical fibre connectivity from the masts, and transport to the network’s core: that is critical to the network’s security and performance.

Helen Duncan: When I started my career, the industry was dominated by big names such as STC, Plessey, GEC and Racal. They all received funding from defence organisations such as the Royal Signals and Radar Establishment at Malvern. They used a lot of the spin-offs from that technology to develop their telecoms capability. That all ceased in the 1990s after the Berlin wall came down and cost-plus was abolished and so on. It is significant that independent industry research shrank in those times. We are now, at last, seeing a bit of stimulation going back into British industry thanks to the catapults, like Andy Sellars’, and this could be an opportunity, if not to return to those days, to put some investment in and to develop the talents we have in this country.

Dr Cleevely: The Bill is a great opportunity, as the other speakers have said. In technical jargon, it is a necessary but not sufficient condition. It does provide some great opportunities. I am an investor and have created a number of British companies of which, like you, I am very proud. We do, however, need to think carefully about how the market actually works. A number of speakers before us talked about the way in which the number of suppliers has come down in this business. We need to be careful in thinking about how we intervene to set the rules of the game and to encourage certain kinds of behaviour. I am very familiar with one example that relates not only to Government but also to large corporates: the notion that you go through a procurement department that is forcing you down on price, and it does not have the notion of innovation as one of its key performance indicators. The notion of innovation, on the other hand, is built into a lot of the systems that are employed in other countries, primarily the United States, as a way of evaluating whether a technology should be procured or not. We need to think rather more carefully about how we foster that development and growth of smaller companies into larger companies, particularly with this view about innovation.

For example, Ofcom is an economic regulator—one of 11 or so economic regulators in the UK. It has always, below the radar, treated innovation as one of the things it ought to be fostering. I would suggest, for example, that alongside the consideration of this Bill, we think about how we push innovation rather more firmly and put some money behind it in terms of procurement.

Dean Russell

Q I would like to understand what the impact would be of bringing forward the 2027 deadline with regard to many of these measures. If I could ask Mike in the first instance, please?

Mike Fake: Obviously, we have got two things to do here. We need to replace the existing vendors’ equipment, but in parallel, if we can invest in the UK supply chain—we have a very healthy supply chain in the sense that there are a lot of companies which provide optical components and subsystems into the equipment manufacturers. We need to do both things at once. We need to swap out the equipment, and also invest in the new companies coming up, so that in the future we can have a much more future-proof, innovative, secure and leading network.

Pushing the timescales forward, we have to recognise that in the short term we are going to be stuck with two alternative vendors that we need to swap out, but if we can invest in the up-and-coming, innovative, small SMEs and really foster those, as the previous speakers have said, I think we have got a real opportunity to change things and to have a world-leading, British, high-UK content network moving forward.

Dean Russell

Thank you. Could I ask Helen the same question?

Helen Duncan: I think there are some real practical difficulties in swapping out the equipment. It sounds simple; you just take one radio out and put another one in, but I think you would find that cell sites would be down and consumers would be complaining.

There has been some research recently by a company—albeit funded by Huawei—called Assembly Research, which estimates that it would put the UK three years behind in its programme of 5G deployment. At a time when communications are key to our surviving the unusual circumstances of the pandemic, it seems counter-intuitive to think about putting even more strain on that by moving the deadline closer. I think perhaps it should be the installation engineers who work for the networks we should be putting this question to: how much disruption is it going to cause?

Dean Russell

Thank you. David too?

Dr Cleevely: I would like to echo what Helen said, but in a rather different way. There is an engineering problem, which is what we have been dealing with, but there is also a human behavioural problem. Anybody who has worked in a large corporation or worked on these large projects will know that the way in which people approach the problem, and the way they think about it, the way they want to programme it and the urgency they feel, is driven as much by the psychological issues as it is by the technical. I would urge you to think through how you would encourage the behaviour that you want to see. Now, obviously Government can do that by simply issuing an edict and forcing a deadline, but there may be other ways that you can get more innovation and a more rapid shift than the 2027 deadline, simply by thinking through with the industry—going back to Helen’s point about the engineers on the ground—about what is required. A little bit more detailed thinking on that could yield some very positive results.

Mr Kevan Jones (North Durham) (Lab)

Q Could I just follow up on Dean’s point about the actual date? The date that has been set is 2027, and the equivalent that is going to go in is basically going to be two vendors, Ericsson and Nokia. I think it was you, Mike, who said earlier that there are opportunities for UK diversification. What will drive that? If you have operators who have put brand-new equipment in in the lead-up to 2027, what will be the incentive for those companies to look at alternatives to that?

Mike Fake: That is a difficult problem to solve, but I think it is important that innovation is a powerful force, and you can turn around things in this new world very quickly. Although you have old legacy systems, and you replace everything from overseas vendors with old legacy systems, you need to keep moving forward. In terms of optics, we probably have one of the world’s leading telecom fibre optics innovation capabilities in the world, through the universities. We have a whole bunch of small and medium-sized enterprises out there, and they are struggling to make that step to some scale and to get that innovation deployed in the network. But I think innovation—

--- Later in debate ---
Mr Jones

Q Regarding the ban on semiconductors, obviously that is worth a lot to the US in terms of exports, mainly to China. Do you see that changing? Also, do you think there is a danger—not in the short term, obviously, but in the longer term—that China will then create a separate semiconductor market, which could be a threat not only to the US but to others, in that they will buy into markets and try to get standards that are different from those of the US?

Doug Brake: I think it is absolutely right that there is a real risk if we cut off supply to China, particularly in semiconductors. We have already seen an aggressive action on their part to stand up an indigenous semiconductor industry. This is getting a little outside of my area of expertise; semiconductors is not some place that I know super well. However, I think that it is absolutely correct that there is a real risk that the extent to which we try to cut off Chinese companies will see them double down efforts to create their own indigenous supply chain. So—absolutely.

I am hopeful that we see either a change to that or a much broader international coalition to double down on those efforts. I think that it is more likely that we will see a Biden Administration ease some of those restrictions, or work through the current legal means to allow for licences for companies to sell semiconductors to Huawei and others.

Dean Russell

Q During my previous career as a physics researcher many years ago, I was fortunate to work at places such as the Advanced Photon Source synchrotron facility in Argonne, Illinois. I worked extensively in the semiconductor space, looking at materials such as gallium nitride and other group III nitrides. What I learned back then, working very extensively with American scientists and scientists from around the world, was the importance of that root-and-branch look at semiconductors, innovation and having a decades-long view. From your perspective, how much does that fit in with a joined-up international approach to create diversity, both at the end stage and at the really early research stage?

Doug Brake: That is absolutely right. This is a long-term effort. I worry about some who tout ORAN as something of a silver bullet that we can make a quick transition to, that it is a flash cut for existing equipment providers to an open RAN sort of system—a more modular and diverse ecosystem. It is something that is going to take a number of years. I honestly worry that it is late for ORAN to be incorporated into 5G, at least on a broad scale. For greenfield networks, it is a different story and it might make sense to go with these open and modular systems from the get-go.

I worry that this is much more a conversation about putting in the tools, resources, testing facilities, the labs, R&D, et cetera, to put us on a path for years down the road so that this becomes the industry standard. I do think, absolutely, that this is the time to be looking at those early stage investments to be driving further and, frankly, looking down the road to 6G, to be able to put in place the policies and efforts to transition the industry to this more diverse future, and put those in place now for years to come.

James Sunderland

Q Thank you for coming in. A quick question: can you put in layman’s terms what the roll-out of 5G anywhere means in broadband terms? Can you also place that in terms of rural areas?

Doug Brake: I worry that sometimes 5G is conceptualised as a singular technology or a singular thing. It is not a monolith; there are a number of different component technologies and a number of different flavours. Depending on whether you are doing a fully 5G network, a stand-alone network or a non-stand-alone network, it is a very different sort of system. There are also a lot of differences between what spectrum is used to deploy the network—if you are using low-band, mid-band or high-band spectrum or a combination of all three. It is hard to answer that question in generalities.

A number of different component technologies and architectures will be rolled out over time. At a high level, the real advantage of 5G compared with 4G is in its flexibility. It is able to tailor its connectivity to a number of different applications’ needs. It can offer extremely high throughput and much faster speeds. It is very reliable, with very low latency. For example, if you want to stream a football match while travelling on a train, it can do that quite well, or quite a bit better than LTE and 4G today. At the same time, you can also change very obscure technical parameters to make for simple communications that require very little battery on the device side to be able to communicate. If you want to have massive deployments of sensors for smart agriculture, or something like that, that have battery life in the order of decades, it can do that. The hallmark is its flexibility.

Given that flexibility, it is anticipated that 5G is going to be much more deeply integrated within the economy and trade sectors, and will be a key tool to boost productivity. There is an important hope that we see a broad deployment, not just in urban areas but in rural areas. Again, I go back to that note on differences depending on the spectrum that is used to deploy—unless it is of interest, I do not want to get too bogged down in the details, but there are real differences in what we would expect to see deployed in urban versus rural areas. But, again, we would also expect to see very different use cases in those areas. Admittedly, there will likely be a performance difference between urban areas and more rural areas. But at the same time, like I said, the use cases look very different—you are not likely to have massive crowds of people all looking to share video from a stadium or something like that in rural areas. There will be a real difference in the roll-out, but I worry that sometimes the challenges with that have been overstated.