Telecommunications (Security) Bill Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Baroness Merron
Main Page: Baroness Merron (Labour - Life peer)Department Debates - View all Baroness Merron's debates with the Department for Digital, Culture, Media & Sport
Telecommunications (Security) Bill
Baroness Merron ExcerptsThursday 15th July 2021
(2 years, 9 months ago)
Grand CommitteeRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 15-III Provisional third marshalled list for Grand Committee - (14 Jul 2021)
Baroness Merron
“OFCOM’s Annual Report
After section 105Z29 of the Communications Act 2003 insert—“105Z30 OFCOM’s Annual Report(1) Every report under paragraph 12 of the Schedule to the Office of Communications Act 2002 (OFCOM’s annual report) must include a statement on—(a) the adequacy of OFCOM’s resourcing in fulfilling its functions under the amendments made to this Act by the Telecommunications (Security) Act 2021;(b) OFCOM’s determination of the adequacy of measures taken by network providers in the previous 12 months to comply with sections 105A and 105B of the Communications Act 2003 and regulations made thereunder; and(c) OFCOM’s assessment of emerging or future areas of security risk based on its interrogation of network providers’ asset registries.(2) The statement required by subsection (1)(a) must include an assessment of—(a) the adequacy of OFCOM’s budget and funding;(b) the adequacy of staffing levels in OFCOM;(c) any skills shortages faced by OFCOM.””Member’s explanatory statement
This new Clause introduces an obligation on Ofcom to report on the adequacy of their resources and assess the adequacy of the annual measures taken by telecommunications providers to comply with their duty to take necessary security measures. It also requires Ofcom to assess future areas of security risk based on its interrogation of network providers’ asset registries.
Baroness Merron (Lab)
My Lords, I will also speak to Amendment 26, which stands in my name. As I recall raising at Second Reading, the whole point about this legislation is not just its intent but whether it can be delivered in practice. Can it do the job that it intends to do? These amendments are intended to ensure that we know we have the resources, whether in people, funding, infrastructure or whatever, to deliver the protections that the Bill is intended to offer. There are considerable questions about that.
I will focus first on the new responsibilities, remit and powers that are being given to Ofcom. As we know, there has been a vast expansion of Ofcom’s remit over the past 10 years, so it is most important that it is appropriately resourced to carry out its duties and to be very forward-looking. As my noble friend Lord Coaker said earlier, for us, the whole issue of looking forward is a particular concern in the Bill. That has been echoed by many noble Lords this afternoon. I note that reassurance is often given by the noble Baroness, Lady Barran, as the Minister and I am sure that the noble Lord, Lord Parkinson, will also seek to reassure me. But I am sure he will have picked up the feeling in the Room today that we need to go rather further than words of reassurance.
What we know about Ofcom is that experience in national security measures is not its natural and current territory, so the expansion of these duties will absolutely require people with the required level of security clearance and experience. I recall the comments of Emily Taylor of Oxford Information Labs during the debate in the Public Bill Committee in the other place. She has considerable expertise in cyber intelligence and she said at that time that Ofcom
“will have to acquire a very specific set of skills and capabilities, and that will require substantial investment and learning as an organisation”.—[Official Report, Commons, Telecommunications (Security) Bill Committee, 19/1/21; col. 72.]
I also note that a memorandum was published recently by Ofcom and the National Cyber Security Centre about how they will work together as part of the new regulatory regime. On the face of it, I thought that might provide some of the reassurance that I am sure the Minister will wish to give to noble Lords. However, I observe that while the National Cyber Security Centre will indeed be able to provide advice on national security matters, the question is whether Ofcom has the resource and the greater expertise to understand that advice. It is one thing to receive advice but another to be able to work with it. I am sure noble Lords know their own limitations. I certainly know mine when it comes to advice and expertise. For me, that memorandum did not show understanding of the limitations that there are.
Amendment 23 would require Ofcom to report annually on the adequacy of measures taken by network providers to comply with changes introduced in the Bill, empowering the Government to track the effectiveness of the legislation. That seems to be good legislation: to put it in place, to make sure it does the job it ought to do, to resource it and then to track its effectiveness.
Amendment 23 would also ensure that Ofcom will have the human and informational resources to provide an assessment of security risks based on its interrogation of network providers’ asset registers. This needs to include things such as a reference to the adequacy of Ofcom’s budget, funding and staffing levels and any potential skill shortages that might mean that it cannot do the job it is intended to do.
It is interesting to look at the Government’s own impact assessment, which states that the costs of monitoring compliance with the telecoms security requirements could be up to £49.4 million by 2029. Allied to that, Ofcom’s current budget for telecoms security for this financial year has been increased by £4.6 million; that is intended to reflect its enhanced security role under the Bill. The first obvious question to the Minister is whether this funding will be sufficient to meet the demands and to engage those with the right security skills. As a supplementary question to that, what targets does Ofcom have to seek the numbers of new staff it needs?
On staff shortages and funding shortfalls, how does the Minister consider that the Government will be aware of these problems without some kind of annual report? Furthermore, where do the public fit into this? How will they know that everything is in hand without such a reporting requirement being met? In my view, if Ofcom is to do more on security, the Government absolutely have to make sure that it is secure and able in its new role.
We spoke earlier about the absolutely crucial aspects of future proofing and horizon scanning. It seems that Ofcom also needs to be able to assess future risks to the security of UK telecoms. We know that new types of threat have emerged over recent years; for example, attacks on healthcare systems. We are also sensitive to potential future risks; for example, the dependence of cloud computing infrastructure on Amazon Web Services, the dominant vendor in this market. Clearly, dangers could arise if AWS was bought by a hostile foreign state or hacked by a hostile operator. In all these ways, we need to ensure that Ofcom is equipped not just for the present but for the future.
Amendment 26 looks at the very important matter of skills in the wider sector. We know from the Institute of Engineering and Technology that the UK economy is suffering a loss of £1.5 billion per year due to STEM skills shortages, and the Chartered Institute of Personnel and Development has found that two-thirds of employers who have vacancies report that some are proving hard to fill, with engineering being one of the most prevalent.
Amendment 26 seeks to require the Government to publish a review of the implications of skills shortages and training support for the security of the tele- communications network and its supply chain. Again, this amendment looks forward to ensure that we can protect our security capability.
I have a few specific questions for the Minister. I would be interested to know whether he is concerned that the 2027 target for Huawei removal might be delayed due to skills shortages. Can he comment on what skills shortages have been identified as a security risk? What action are the Government taking to fill them? I look forward to hearing from him regarding these amendments. I beg to move.
Lord Stirrup (CB)
My Lords, Amendments 23 and 26 touch on the critical issue of skills, in Ofcom and then more widely in the supply chain. They are right to do so, but in my view they are too constrained and do not go nearly far enough. This is not the fault of the drafters—they have to propose amendments that fall within the scope of this particular legislation, and they have done so admirably—but the problem they expose goes much wider than the field of telecommunication.
We find ourselves in this discussion at least in part because of our current reliance on Huawei technology and on the associated vulnerabilities that this introduces. But why have we become so dependent on Huawei? I said earlier that in the first half of the last decade we made unbalanced decisions about our trade and security relationship with China, and that is true. But it is also a fact that Huawei was—and still is—one of the very few companies to have brought the necessary technology to market. Frankly, there were not many options open to us, so our supply chain is anything but resilient in this area.
There are two elements to this problem. One is the level of industrial commitment to and investment in critical technologies; the other is the skills base to support such industries. Both of these interlinked issues must be addressed if we are to resolve the weakness in our supply chain.
The answer does not, of course, have to be wholly national. Industrial capacity and skills that are sufficiently widespread internationally, particularly among responsible countries that abide by international law, norms and standards, would provide us with an acceptable degree of resilience. This will undoubtedly have to be part of the solution, at least in the short term, but we have to ask ourselves why, in technologies that are so important to our security and that promise such future advantage to the companies involved, we are lagging so far behind. I acknowledge that we cannot lead everywhere and provide everything ourselves, but surely an important part of our national strategy should be to put ourselves in the van of those capabilities that will shape and guard our future.
This is certainly not about direct government involvement in business decisions; that approach already has a quite sufficiently inglorious history. It is, though, about government incentives—not least through a clear strategy and consequent procurement decisions—for the appropriate industries and a national effort to provide the necessary skills base to support those industries.
Amendment 26 makes some modest proposals in this regard and I welcome them, as far as they go, but we need to go much further. Telecommunication is not the only area to be hampered by such problems, and I believe we should take a more holistic approach. I have no doubt the Minister will reject the amendment, although I stand ready to be surprised. If, however, he lives up to my expectations, I invite him to say whether the Government agree with my analysis and, if so, how they propose formally to tackle a problem that is so central to our future security and prosperity.
Baroness Merron (Lab)
I am grateful to noble Lords and to the Minister for his reply, which referred to various items in some detail. What I take from this debate is that, although I am sure that noble Lords are interested to hear of the various initiatives and actions that are in place and which the Minister has rightly emphasised, the question still remains of whether this is enough. Is this exactly what we need? I feel again that this is something of a theme in our debates throughout Committee. Nobody is suggesting to the Ministers that nothing is being done, but is it being done coherently, is it sufficient and is it what is needed? That is again left hanging in the air.
I am grateful to the noble and gallant Lord, Lord Stirrup, who referred to—these are my words—the need for a national strategy which would, in his words, shape and guard our future. That is exactly the point of these amendments. Indeed, the Government do not do everything, but it is only the Government who have a role in bringing all the parties together and have the ultimate responsibility for security in this country, of course.
I note the helpful remarks from the noble Lord, Lord Fox, who referred to the need to work with other government departments. I would feed that into my point about the need for a strategic approach. My sense from this debate is that this is the part that is not quite clear. As the noble Lord, Lord Fox, asked, what is the plan? We have insight into actions, but whether that is a strategy or a plan is hard to make a judgment on. The Minister indicated that 50% of companies in the relevant sector—that seems a lot—are reporting that they have a lack of cybersecurity skills. Something else that I thought was important was when the Minister spoke of a lack of confidence. We all know that a lack of confidence in any sector, particularly this sector, is problematic and must be addressed.
It is disappointing that the Minister’s response is, again, that this is not necessary and we do not need to publish or to report to Parliament, because I feel it is a missed opportunity to satisfy the country and, within that, noble Lords. It is a missed opportunity to satisfy those who have the security of this country at heart, as the Minister does, about whether the measures are enough and whether they will go fast enough, fully meet the needs of the necessary part of the industry and provide the security needed. Although I am disappointed, I beg leave to withdraw the amendment.
Baroness Merron (Lab)
“Network diversification
(1) The Secretary of State must publish an annual report on the impact of progress of the diversification of the telecommunications supply chain on the security of public electronic communication networks and services.(2) The report required by subsection (1) must include an assessment of the effect on the security of those networks and services of—(a) progress in network diversification set against the most recent telecommunications diversification strategy presented to Parliament by the Secretary of State;(b) likely changes in ownership or trading position of existing market players;(c) changes to the diversity of the supply chain for network equipment;(d) new areas of market consolidation and diversification risk including the cloud computing sector;(e) progress made in any aspects of the implementation of the diversification strategy not covered by paragraph (a);(f) the public funding which is available for diversification.(3) The Secretary of State must lay the report before Parliament.(4) A Minister of the Crown must, not later than two months after the report has been laid before Parliament, move a motion in the House of Commons in relation to the report.”Member’s explanatory statement
This new Clause requires the Secretary of State to report on the impact of the Government’s diversification strategy on the security of telecommunication networks and services, and allows for a debate in the House of Commons on the report.
Baroness Merron (Lab)
My Lords, I move the amendment in my name and thank the noble Lords, Lord Fox and Lord Alton—he could not join us today —for their support.
The amendment is about ensuring that the intent of the Bill can be delivered, and the measures that we are all in favour of will actually happen. There is therefore a link to the earlier debates. Throughout these debates it has become clear that diversity of suppliers is needed at different points of the chain, with sufficient support for the UK’s own start-ups. That will be the only way in which we can secure proper telecoms security.
Even the Government’s 5G diversification strategy demonstrates how diversification and security are inherently linked. It states that if the status quo remains with market consolidation, it will lead to
“an intolerable security and resilience risk”.
However, as was said clearly in earlier debates, the Bill does not even mention supply-chain diversification or the diversification strategy, even though we would all agree that we cannot have a robust and secure network with only two service providers—Ericsson and Nokia—which is the number that will be left once Huawei is removed from our networks. I hope that the noble Baroness the Minister will have the opportunity to address that concern.
It is of course right to remove high-risk vendors from the UK’s networks and enable the Government to designate vendors and require telecoms operators to comply with security requirements. However, as seems obvious, our networks will not be secure if the supply chain is not diversified. All that will happen is that there will be a shift of dependency to another point of failure.
Therefore, the amendment requires that network diversification is reported on annually. That can include an assessment of likely changes of ownership of existing market players, new areas of market consolidation and available public funding. The report could also provide proper accountability for the strategy’s progress, which will lead to real action. That is what we need. We know that that was called for by the Science and Technology Committee, which criticised the current diversification strategy for not having an action plan with clear targets and timeframes for how that funding will be spent.
The Minister will expect a question on how the announced £250 million funding will be spent. We all know that there are small start-up suppliers in this sphere which are desperate for this kind of support. I should also refer to the new advisory council, which, as she knows, I will come to in a later group. There are many unanswered questions about the adequacy and independence of its advice.
We cannot have a secure network with only two service providers, which is what we will effectively be left with after the removal of Huawei. So we need a diversified supply chain, which means diversity of supply at different points in the supply chain and networks not sharing the same vulnerability of a particular supplier. That is incredibly important for network resilience. That is why the amendment has been tabled. We are concerned to ensure that national security is not put at risk due to a lack of diversification. I beg to move.
The Earl of Erroll (CB)
My Lords, this point is very important and has been put across very well by the noble Baroness, Lady Merron. Network diversification will increase resilience and security for various very obvious reasons. The main thing is not just the supply chain. How the internet works is that messages are split over a whole lot of different routers going all over the place. Two things happen. First, because it is split up, if they are all going across different vendors, it is impossible to intercept the entirety of the messages. If it is all over one vendor and there is a clever way of monitoring that, it might be possible to put it together. Funnily enough, if you have lots of vendors, it does not matter whether Huawei is in there or not, and you will end up with flaws.
Also, the resilience of the internet is such that if you knock out a good chunk of the routers, it will still work and automatically route around the ones that have not been knocked out. If they are all from one vendor and all have the same flaw in them at some point, whether they are friendly vendors or not, you can take the whole lot out at once. The very fact that you have a good mixture gives you greater resilience and security. Everyone seems to think that it still runs over a copper wire from one end to the other, but it does not. The IP world is very different from that. That is the main thing.
Amendment 20 is also about long-term strategy. My noble and gallant friend Lord Stirrup is right about all these things. Although the amendments are not in this group, I might as well say now, rather than waste the Committee’s time later, that this lies with the principle of Amendments 18 and 25, that we need the right advisers, who can then advise on the issues that we are now discussing in Amendment 24. It all hangs together. We should not be chopping this up and structuring the Bill in a way that makes us vulnerable.
We may think that we have got the right people in, but we have clearly failed to do all this so far. This is the place to rectify our blindness. From the Minister’s comment, I think that the major change is the diversification and proliferation of civil service departments that are involved in security. That really does reduce our security. The lack of coherence will cause confusion like nobody’s business and will be very expensive.
Baroness Merron (Lab)
My Lords, this has been a short debate but it has been valuable in shining a light on the requirement for diversification and the need to be sure that we are in the right place. I thank the Minister for her reply and the details she gave in response to various questions, including my own. Of course, as ever—I am beginning to feel like a stuck record—the requests to ensure that there is a reporting facility, so that we know all the things in place actually work, have not been accepted.
I was interested in the confidence of the noble Lord, Lord Fox, when he suggested to the Minister that there could be great creativity employed by all noble Lords. I am sure that is indeed the case, but I say to him that I fear our creativity is perhaps not required on this occasion, although I am sure we will stand ready should it be so.
I welcomed the comments of the noble Earl, Lord Erroll, who spoke about the shifting sands of alliances and allies. That is an important point when we consider diversification. I did of course hear the Minister say, rightly, “Of course, this is not just a UK solution to our security”, for a range of excellent reasons. However, we have to be able to take our place and it is that which is of concern. It is not just that the chain is in reference to the UK but that it should take account of those shifts which the noble Earl referred to.
The noble Baroness, Lady Stroud, again asked: “Why on earth would the Government not want to have more parliamentary oversight?”. I will leave that to others to answer, but it seems that it is not flavour of the month in the debate that we are having.
The Minister referred to my question about how the £250 million would be spent, and I am sure it was of great interest to all noble Lords to hear that. Yet it still leaves the question as to why it cannot be matter of report, of why Parliament cannot be not just reassured but informed, and have the opportunity to interrogate and to add. I have a sense that parliamentary oversight—and not just in this area—is not regarded as something which assists process, when in fact the whole experience is that it does. With that, I beg leave to withdraw the amendment.
Baroness Merron
“Telecoms Supply Chain Diversification Advisory Council: security function
(1) The Telecoms Supply Chain Diversification Advisory Council must discuss the impact of diversification on the security and resilience of public electronic communication networks and services at their quarterly meeting.(2) The Telecoms Supply Chain Diversification Advisory Council may advise the Secretary of State based on those discussions, and this advice must be published. (3) The membership of the Council must include members with expertise in security.(4) The appointments process for the Council must be transparent and consider the previous security experience of applicants.”Member’s explanatory statement
This amendment aims to probe the function of the Advisory Council in relation to the Bill.
Baroness Merron (Lab)
My Lords, I am pleased to speak to Amendment 28, which stands in my name. It is the result of a number of recent developments, which I shall refer to. Noble Lords will be aware that on 2 July the Government published their response to the Telecoms Diversification Taskforce’s report and in it announced that the taskforce was now to transition into the Telecoms Supply Chain diversification advisory council, which came up earlier today. The Minister will recall that in response to a Written Question from me she said:
“The Advisory Council will play a key role in overseeing and offering scrutiny to the delivery of the 5G Supply Chain Diversification Strategy. We will also draw on the expertise of the Advisory Council for wider telecoms supply chain diversification issues beyond the RAN (Radio Access Network).”
That is all well and good. However—and this is the point that the amendment seeks to unravel—the Government have also announced that Mr Simon Blagden will be the new chair of this permanent council. Noble Lords will be aware that Mr Blagden was the non-executive director of Fujitsu UK during the Post Office scandal and has donated more than £215,000 to the Conservative Party.
As we have all discussed, diversification is inherently linked to security, so the new advisory council has to provide sound, expert advice that will secure our telecoms network, and we need confidence in that. The point I want to explore with the Minister, as she is already aware from Written Questions that I have submitted, is that the appointment of Mr Blagden raises a number of serious questions about the council’s independence and how the appointment will be able to benefit national security.
In addition to tabling Amendment 28, I have a number of questions to tease out all these points. It is also worth noting that in the past 24 hours there have been reports of a telecoms company, IX Wireless, having given—it has come to light through correct declarations of course—more than £20,000 to Conservative MPs, while the Secretary of State has given this same company glowing endorsement at a launch event, with a promotional film, which I have seen, showing him in his ministerial office with the executives of that company.
I should say to the Minister that it is a question not just of how things are but of how things look. Of course there will be facts on which I am sure the Minister can enlighten us. I have a number of questions in that regard for her relating to an inquiry about the appointment process that was in place for Mr Blagden. Who was involved and which Minister made the final decision? Will there be payment for Mr Blagden in his role as chair? How will the council give independent advice and what happens if Ministers reject that advice? Will there be security experts as members of the advisory council? What knowledge did Mr Blagden have of the faults with the Horizon system during his time at Fujitsu? Can the Minister confirm that Mr Blagden has no remaining financial interests in Fujitsu?
I know that the noble Baroness may not be in a position to answer those questions now. In which case, I hope that she will write to me before we go into the Summer Recess. I beg to move.
Lord Fox (LD)
Before I comment on that excellent speech from the noble Baroness, Lady Merron, I want to return to the answer that the Minister gave on the Newport Wafer Fab issue, which proves the point that we were making on the need for the ISC to be involved. Regarding the ISC issue, the Government furnished themselves with the National Security and Investment Act, which was supposed to deal with issues such as this. However, the Prime Minister has chosen to refer it back not to the people running that unit but to the National Security Adviser, which proves the point that someone with access to national security information is needed to make decisions of this nature, rather than an organisation that does not have access to the information. It absolutely proves the point that our amendment on the ISC is completely appropriate, just as it was appropriate for the BEIS analogue of what is happening here.
The noble Baroness, Lady Merron, made an excellent speech and I am not going to attempt to adorn it either with my normal flippancy or with detail. There is just one issue that I wish to raise regarding Simon Blagden. Are there any outstanding legal liabilities from his time at Fujitsu? In other words, has his activity been fully exonerated or is there potential legal recourse? Other than that, I echo the point that perception of these issues is as important as reality. If the Government continue to operate in a black-box way, everybody will assume that things are going on that they cannot see and that should not be happening. It is therefore in the Government’s interests to be transparent about how that person in particular was appointed and how the advisory council will operate.
Baroness Merron (Lab)
My Lords, I thank the Minister for her response. I will of course read it carefully so that I can again appreciate her answers to my various questions. There are some questions that I think are still outstanding, which also chime in with the question from the noble Lord, Lord Fox, regarding Mr Blagden’s links with Fujitsu and continuing potential issues in relation to that. I feel there are still some unanswered questions and would be grateful for a reply to those. I am absolutely sure that the Minister will write to me about those points.
I am grateful to the noble Lord, Lord Fox, for making the point, as I did, that there is reality and perception, and they both matter. There are clearly concerns about this appointment and about the need for assurance regarding security advice being impartial and appropriate. It is undoubtedly the case that sunlight is always the best disinfectant so, if there are any chinks of sunlight not yet coming through, I am sure that they will be forthcoming. With that, I beg leave to withdraw this amendment.
Lord Fox (LD)
I am moving this amendment on behalf of my noble friend Lord Clement-Jones, in whose name it is, who unfortunately could not come today. He figured that this would be taken on day three of the process, but we have got ahead of ourselves. I also thank the noble Earl, Lord Erroll, for his support for this amendment when he spoke to the second group. It is appreciated. I know that he has had to leave.
As Comms Council UK has pointed out, new Clause 105E is not the only new clause to give the Secretary of State extensive powers; there are others. New Clause 105Z1, for example, gives powers to the Secretary of State to outlaw the use of individual vendors, potentially with no parliamentary oversight, if the Secretary of State considers that it would be contrary to national security.
Clause 15 creates a scheme for dealing with particularly high-risk vendors by inserting new clauses into the Communications Act 2003. These empower the Secretary of State to give designated vendor directions where they consider it
“necessary in the interests of national security”
and the requirements imposed are
“proportionate to what is sought … by the direction.”
The designated vendor direction can impose wide-ranging requirements on providers on their use of
“goods, services or facilities … made available by a designated vendor specified in the direction.”
While vendors are entitled to notice of their designation if “reasonably practicable” to do so, they are not entitled to be consulted or informed of the reasons for the designation if the Secretary of State considers it contrary to national security. Vendors are also entitled to notice when directions are imposed on providers or when a designated vendor direction is revoked, but this right does not apply if the Secretary of State considers it contrary to national security.
The effect of all this is that, while a vendor may know of its designation, the providers with which it does business can have various restrictions imposed because of their relation to the designated vendor without the vendor knowing the reasons or possibly the existence of such directions. This is complicated but serious, and in several scenarios the vendors would have no real prospect of mounting any legal challenge, even under the closed material procedures provided for in the Justice and Security Act 2013.
Cutting to the chase, this amendment would give the Investigatory Powers Commissioner oversight of the power given to the Secretary of State in the Bill to outlaw the use of individual vendors. Without this, we are telling suppliers that they essentially have to operate without full legal protection. I cannot help thinking that this will discourage the future investment we need. I am interested to hear how the Government think they can mitigate an essentially Orwellian situation in which people find themselves in an adverse legal position but they do not know why, and sometimes they do not even know that they are there. I beg to move.
Baroness Merron (Lab)
My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Fox, for tabling this amendment. I do not have too much to add to this brief and interesting debate, but I take the opportunity to thank the Constitution Committee for its report on the Bill.
At Second Reading the Minister said:
“Oversight of the Investigatory Powers Act regime by the Investigatory Powers Commissioner is considered appropriate because of the potential intrusion into the private lives of individuals as a result of the use of covert powers. The national security powers in this Bill are very different from those in the Investigatory Powers Act”.—[Official Report, 29/6/21; col. 747.]
However, she did not say why it would be wrong for the commissioner’s remit to change. This is the one point I put to the Minister, and it would be helpful to have a response.
Lord Parkinson of Whitley Bay (Con)
My Lords, I thank the noble Lords, Lord Fox and Lord Clement-Jones, for tabling this amendment. As the noble Lord, Lord Fox, says, the noble Lord, Lord Clement-Jones, is a victim of the speedy progress we have made in this Committee.
Like them, I recognise the importance of proper oversight and scrutiny in the use of the Bill’s powers. The amendment they tabled aims to give the Investigatory Powers Commissioner oversight of the Secretary of State’s power to issue designated vendor directions. The Bill already contains effective mechanisms for oversight of the Secretary of State’s use of those powers to give a designated vendor direction or designation notice. It requires the Secretary of State to lay copies of designation notices and designated vendor directions before Parliament. That will provide Parliament with the opportunity to scrutinise their use.
As the Committee has heard, on very rare occasions the Secretary of State may choose not to lay a designation notice or direction before Parliament because to do so would be contrary to the interests of national security. Where this is the case, the Digital, Culture, Media and Sport Select Committee will be able to view such directions and notices, so there will be oversight there.
On the legal point that the noble Lord, Lord Fox, raised, designated vendor directions and designation notices are subject to ordinary judicial review principles. The Secretary of State will issue designation notices and designated vendor directions only where they are necessary in the interests of national security and the requirements in the directions are proportionate.
The Investigatory Powers Act 2016 provides a frame- work for use by the security and intelligence agencies, law enforcement agencies and other public authorities to obtain communications and communications data. The role of the Investigatory Powers Commissioner is independently to oversee the use of these powers, ensuring that they are used in accordance with the law and in the public interest. The regime set out in the Investigatory Powers Act is not directly comparable with the new powers and framework set out by this Bill, as the noble Baroness, Lady Merron, noted. The reason for that is that oversight of activity by the Investigatory Powers Commissioner, as authorised by the Investigatory Powers Act, is considered appropriate because these powers often involve balancing important questions regarding the right to privacy.
The national security powers in this Bill are very different from those in the Investigatory Powers Act. They focus on protecting public telecommunications networks and services from the threats posed by high-risk vendors. That is different from questions about individual citizens, their communications and their communications data. That is why we respectfully disagree with the suggestion by the Constitution Committee of your Lordships’ House and feel that it would not be appropriate for the Investigatory Powers Commissioner to have an oversight role in respect of this Bill.
Briefly, that is why the Government disagree with this amendment and hope that the noble Lords, Lord Fox, will be content to withdraw it.
Lord Fox (LD)
We are down to the irreducible minimum. During my Second Reading speech, I asked the Minister about the range of technologies covered by the Bill. I do not recall getting a meaningful answer, so I thought I would try again using this as a probing amendment.
The noble Baroness, Lady Merron, talked about the creativity of your Lordships. I am now going to test your memory functions, which I know can sometimes be stretched in this House. I would like your Lordships to cast your minds back to 2003, the year when the Nokia 1100 mobile phone was introduced. Few noble Lords will remember the number, but most of you will remember the phone. It was an iconic phone that took over mobile telephony. For those who would like to see one, I have two and, for as long as 3G is available, they will continue to work. More than 250 million of these basic GSM phones were sold. It was the best-selling consumer electronics device in the world at that time—the state-of-the-art communications device—and was discontinued in 2009.
Meanwhile, at the same time, the Communications Act 2003 was introduced to regulate machines such as the Nokia 1100. This has not been discontinued but has enjoyed several patches along the way. As I have said, this is a probing amendment seeking to clarify the definition of “public electronic communications network” within the 2003 Act. I think you see what I have done; I have tried to illustrate that the world has changed a bit since 2003.
The amendment seeks to amend Section 151 of the Communications Act by adding a contemporary definition of the range of communication networks that increasingly have emerged since the Act was conceived, when Nokia ruled the roost. It would introduce a new clause to the Bill that would define the “public electronic communications network” as
“landline communications systems … mobile data, audio and video networks … digital surveillance networks … satellite delivered networks”.
My first question to the Minister is: in her opinion and that of the department, which of these categories is covered by the Bill and which is not? I also have some specific scenarios that I would like the Minister to consider. The noble Baroness, Lady Merron, will be pleased to note that they are focused on the consumer—an issue she addressed earlier in the week.
First, when broadband or 5G are delivered by satellite, whether by the BEIS-owned OneWeb or the Musk-owned SpaceX, to what extent is the satellite element covered by this legislation?
Secondly, when a facial recognition camera captures an image, sends that image to a database using a closed network and, in turn, contacts either a public sector or private sector operative via a smartphone, which part of this—if any—is covered by the legislation?
Thirdly, data is being relayed back and forth over smart speakers—Alexa and its, or her, colleagues—so do these transactions fall within the purview of the Communications Act or the Bill? For example, with smart speakers, does the Bill cover only the transmission and not the speaker itself? If that is true, what, if anything, covers the security integrity of the speaker and its software?
My fourth question concerns data travelling between smart meters, home thermostats, camera doorbells and the ever-increasing internet of things. How is their security and integrity protected by the Bill? If the answer is that they are not protected, where do these modern manifestations of communications fit in? How is the security of these things being protected for the consumers of today?
This is not just a piece of legislative housekeeping. The noble Lord, Lord Alton, raised other potentially risky companies in his speech on Amendment 1; at Second Reading I raised a range of other companies. I will not repeat them but they are in Hansard. These are just a few of the businesses involved in the sorts of activities that I have just outlined, so by understanding which activities are included in the Bill we may start to understand which companies and technologies it includes. It is about how satellites, cameras, smart speakers and the internet of things fit in the purview of what is now called communications. Times have changed since 2003. Can the Minister please update us? I beg to move.
Baroness Merron (Lab)
My Lords, I thank the noble Lords, Lord Fox, Lord Clement-Jones and Lord Alton, for tabling this amendment. The noble Lord, Lord Fox, has set out why they believe this definition of a public electronic communications network is needed. I also appreciated his reference to the importance of consumers, who, after all, are core in all our discussions.
It is important to hear from the Minister whether she believes that this definition is limiting for security purposes and what impact it would have. Perhaps she can advise on whether she feels that anything is missing which should be in there. Would this definition inhibit the future-proofing ability of the Bill? I look forward to hearing from the Minister.
Baroness Barran (Con)
This amendment seeks to clarify the definition of a public electronic communications network contained within Section 151 of the Communications Act 2003. I thank the noble Lord, Lord Fox, for moving it. It aims to do this by including specific examples of networks and systems covered by that definition.
In response to the noble Lord’s first question, three of the suggested examples in the amendment are already covered by the current definition of public electronic communications network, to the extent that they are electronic communications networks
“provided wholly or mainly for the purpose of making electronic communications services available to members of the public”.
These three examples are: landline communication systems; mobile data, audio and video networks; and satellite-delivered networks.
However, as the noble Lord explained, the amendment also refers to “digital surveillance networks”. I understand that the noble Lord is referring principally to CCTV and other similar technologies of the kind used by law enforcement and local authorities for specific surveillance purposes. These types of technologies have been raised by a number of noble Lords in previous debates, including the noble Lords, Lord Alton and Lord Fox. Such closed networks do not fall within the definition of a public electronic communications network as set out in Section 151 of the Communications Act. That definition refers to an electronic communications network that is provided
“wholly or mainly for the purpose of making electronic communications services available to members of the public”.
I emphasise “wholly or mainly”, because the noble Lord gave examples of where services might be provided which could reach a member of the public, but not “wholly or mainly”.
The powers in the Bill are intended to create a stronger regulatory and legislative framework to protect against the security threats to our public electronic communications networks and services, such as those provided by companies such as BT and Vodafone. Public networks are those most widely used by businesses and the public and it is right that the Bill should focus on the protection of those networks. Furthermore, any change to the definition of public electronic communications networks to include CCTV and other similar networks to which the noble Lord referred would affect other sections of the Communications Act beyond those relating to security. That is because the current definition of a public electronic communications network is used across Chapter 1 of Part 2 of the Act, and not only in Sections 105A to 105D, which this Bill replaces.
The consequences of such a change would be wide-ranging. For example, Section 127 creates a criminal offence of improper use of public electronic communications networks, as defined by Section 151. If the definition changed, the scope of those caught by that offence would also change. It would also affect other legislation that makes reference to the Act’s definition, such as the Privacy and Electronic Communications (EC Directive) Regulations 2003 or the Insolvency Act 1986. Any such change to the definition would therefore have substantial unintended impacts for providers of digital surveillance networks and for many other entities, including Ofcom, of course.
The noble Lord also asked how the security of digital surveillance networks could be assured. There is of course already legislation and extensive guidance in place to assure security and prevent the abuse of information gathered by CCTV and surveillance camera networks. As noble Lords will be aware, the Information Commissioner’s Office is the UK’s independent regulator for data protection and is responsible for providing advice and guidance on compliance with the UK’s data protection laws. All organisations in the UK that process personal information must comply with the requirements of the UK General Data Protection Regulation and the Data Protection Act 2018. The Information Commissioner’s Office has issued a specific data protection code that provides recommendations on the use of CCTV systems to help organisations comply with the Data Protection Act.
The Information Commissioner’s Office’s code and the Data Protection Act ensure that any personal data gathered via CCTV and similar networks is kept confidential and subject to the highest protections, including secure encryption of data. Where closed networks, such as CCTV and other similar surveillance technology, are used by public bodies or within critical national infrastructure, there are specific arrangements in place. Lead government departments, advisory partners —including the National Cyber Security Centre—and regulators work with infrastructure owners and operators to manage and mitigate the risk of security issues. There are, therefore, already adequate measures in place regarding safe deployment of CCTV and other similar surveillance technologies within the UK. Indeed, we are strengthening the actions we can take in this area.