Chi Onwurah

Q I see that William wants to come in. I just want to say that we have also been told that there was a major difference between fixed and mobile architecture when it came to security issues. You seem to be saying that there may be differences, but there are security issues within fixed networks as well as within our mobile networks.

Emily Taylor: Generally, our standard of security across the board is not as high as it should be.

Professor Webb: I realise that Chi had also asked me how the UK can strengthen its ability to provide diversified supply chains, and I did not address that.

I want to pick up on something Emily said as well. I think she is absolutely right—the UK has a great number of really excellent engineers, both in universities and in leading consultancy-type organisations. Here in Cambridge there is a plethora of wonderful consultancies and start-up companies. In my experience, the biggest problem is actually finance. To try to raise the finance to get a start-up company off the ground, particularly one that sells to operators who have huge purchasing power and tend to squeeze all their vendors—quite naturally—is very difficult in the UK. It is much easier in the US. Addressing the ability to provide finance for those kinds of entities and, to Emily’s point, allowing them to exist for many years rather than to be bought as part of that financial process would help more than anything else, for the UK to grow its own major players in this space.

The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)

Q Thank you for your comments so far. You will have seen in the diversification strategy that we completely agree with the points you have made around standards and the importance of international co-operation, so I will not go further into that. But it is interesting that a lot of what you have talked about is the diversification strategy rather than the Bill itself. In terms of where we have put increased duties on Ofcom, for instance, where do you feel that there should be more in legislation, rather than in the diversification strategy itself? It seems that tying our hands is not what you are asking us to do, but there is obviously a balance there, isn’t there?

Professor Webb: Yes, I think there is a balance. I do not have strong views on that. The legislation appears to be sufficient and flexible in this space. I think the issue is the way it is implemented, and particularly the downstream actions of the Government and of Ofcom might need a bit more care.

Emily Taylor: The legislation is creating a framework, and a lot of that will be filled out through statutory instrument and the codes of practice that are envisioned. I imagine the codes of practice will reflect the TSRs to a large degree. Thinking particularly about how the legislation might impact on the wish and the essential need to diversify, it imposes very high levels of liability for providers, and almost unlimited duties on everybody for the smallest infractions. That is William Webb’s point about proportionality.

As the measures come to life through secondary legislation, codes of practice and the actions of Ofcom, it is going to be very important that there are checks and balances. I am not sure whether the Committee is hearing from any civil society groups, but I am sure they would be worried about the very wide discretion for the Secretary of State. There is a lot of concentration of power in the Secretary of State and, perhaps, insufficient safeguards, as things are currently drafted.

Also, on the provisions that relate to the identity of the supplier—the nationality—rather than the qualities of security, which I think are the more relevant points, of course identity and nationality can be relevant, but there may need to be more of a look there to ensure that we are on the right side of potential risks of discrimination.

Matt Warman

Q In response to that, it is worth saying that there will never be such a one-dimensional approach as the one you have described, and I do not think you are suggesting that there is. However, I think we agree that there is a balance to be struck, and, inevitably, that comes in a whole series of advice from agencies and other entities. I was interested in something that Professor Webb said about the carrot and the stick. How would you propose that Governments or, I suspect, Ofcom incentivise operators to provide the greater security that you have been talking about?

The Chair

Emily Taylor?

Emily Taylor: I think that was a question to Professor Webb.

Matt Warman

It was to both of you, to be fair, but I did mention Professor Webb.

The Chair

You will both get a chance. We will go to Professor Webb.

Professor Webb: I am certainly all in favour of placing the requirements on those best placed to deliver them. For diversification, that is certainly the operators. I talked a bit about how you could, for example, offer them some financial incentive to have a more diversified supplier base. That would make some kind of sense, given that this would add costs to their management of the network.

In terms of security, I think it is a bit more difficult to see how that one might follow. I can imagine that there might be certain security issues where, for example, the decision might be made that a replacement is needed for a certain component in the network, or that they need to purchase some additional elements, and then you might imagine that it might help to have some sort of financial incentive to do that. But I think that would be on more of a case-by-case basis—I cannot see a clear, catch-all type of approach that would enable that.

Emily Taylor: I very much agree with what Professor Webb has said. Indeed, one of my reflections on the draft Bill is that it is very much at the stick end rather than the carrot end. Maybe we will start to see a bit more of the incentives coming through as the detail is filled out. But I think that thinking about incentives would very much reflect the close working relationship that there has historically been between the industry and Government. That is not the case in every country; it is actually a benefit in this case.

Security is expensive, and it is also long term. The telecoms supply chain review last year put it very accurately: the market does not reward investment in security—quite the opposite—so I would hope that there would be some recognition from Government about what is needed. I do not think that the investment in the diversification strategy is nearly going to match the investment that is required by the mobile providers who—yes, they are very successful large companies—have not had the great decade that, say, the Googles of the world have had in terms of their margins. So you are asking an already squeezed sector to make substantial investments, and I think that is the place where you could be looking at incentives.

--- Later in debate ---
Sara Britcliffe

Q Can I just quickly follow up on that? I think you have answered it. Were the Government right not to quantify the impact of any delay in roll-out of 5G and full-fibre networks in their impact assessment?

Dr Drew: I believe they were. I have seen a lot of attempts to quantify the damage or impact of limiting our vendor net, as it were. With the removal of Huawei, I have seen multiple attempts to put a value to that—of the slowdown and having to go to different vendors. I am uncertain as to the accuracy of any of those, and I think that it would be very difficult to put a number on that in any useful sense.

My impression is that there is nothing that should stop us from being able to enact the goals of this Bill and the incentives to diversify the market, while also being able to develop and invest in the next stage of 5G use, which is its actual application, and to marry those two up together in a manner that provides us with both security and financial and economic benefit from putting these systems in place.

Matt Warman

Q Thank you for what you have said thus far. Some of it has touched on the National Security and Investment Bill, which I think is a complementary part of this. A lot of what you talked about regarding any reservations you might have was around, essentially, the resources for Ofcom—something that I think we will be talking about quite a lot in Committee. I am looking forward to saying that Ofcom will have all of the resources that it needs. I wonder how you think the Government could best demonstrate, beyond that short statement, that Ofcom is getting the resources that it needs.

Dr Drew: I think what needs to be considered in that question is the type of resources that will be the hardest for Ofcom to acquire. I frankly believe it is not necessarily technology; I believe it is actually personnel. The edge that is given to companies that have already been mentioned in your hearings today—Google, Microsoft, Facebook et al—is not necessarily in the technology, but in those who design the technology. Those people are hard to come by at the level that we require them at. They are also very hard to keep, because once they reach that level of acumen and they have Google, Facebook or Amazon on their CV, they can pretty much choose where they go and, often, how much they ask for in the process.

I think the biggest issue that Government face—not only in Ofcom, but in regards to future technology policy—is attracting and keeping those individuals who can provide the services and understanding, as well as develop the tools, that a future Government will need. If you can demonstrate a way to capture that talent and retain it, I think that would go a long way to soothing any potential questions about whether Ofcom will be capable of meeting the requirements of this and other Bills. This goes across all Departments, I feel.

Matt Warman

Q Although is it fair to say that the best way that we demonstrate that capability currently is in the capabilities that we see clearly demonstrated at NCSC and GCHQ?

Dr Drew: Yes. I believe that this is potentially one thing where, as much as possible, greater co-operation between these Departments should be encouraged, to the extent that it is possible to do, given how the security dynamics of the different Departments work. Quite frankly, Government do not have enough of this kind of personnel and expertise. What you do have, you must ensure is used as effectively as possible. That means that you cannot let them languish in one silo or Department, when their expertise would be highly useful in another where suddenly they find themselves dealing with types of issues that are far beyond their normal remit.

Matt Warman

I am, of course, talking about co-operation between NCSC and Ofcom.

Kevan Jones

Q Can I just come back on that? I agree with you that GCHQ has difficulty in retaining staff, as you quite rightly say, Dr Drew, when they get to a certain senior level. I think it is about more than that; it is about culture, as well. Ofcom has a wide number of responsibilities in this sector. Would it not be better, for the security element of this, to give that to the National Cyber Security Centre and GCHQ, rather than leaving it to an organisation, which—we have been told—even if it got the culture right, would take a long time to get there?

I think the Minister is relying on good co-operation between the two organisations, but it is clear from the 2013 ISC report on critical national infrastructure and Huawei that civil servants with a bent for looking at economic development did not have their eye on the ball in terms of security, and they did not even tell Ministers about security concerns that were clear then.

Dr Drew: That is a fantastic question. The best way for me to phrase this is that I believe there is an imbalance that is natural to those who have a particular role within Government or the civil service. Those with responsibility for economic advancement will have a different take on the same issue from those of their colleagues with a security bent to their work.

I find this is a complex topic that needs to be balanced across those different interests. That is why I would generally lean towards co-operation between these groups as opposed to others. I also suspect—although, due to the nature of their work, I cannot be certain—that GCHQ and the NCSC have significant work already, which is only likely to increase. Although they might have the technical capability that Ofcom lacks, I am not sure they have the capacity to take on the sheer volume of work that this is likely to create. I would argue that, actually, more resourcing in general is required for whatever co-operative body is created to carry out the actions of this Bill and other Bills attached to it. That is needed.

--- Later in debate ---
James Sunderland

Q The Bill provides powers to fine vendors up to 10% of their annual turnover or up to £100,000 per day for failing to meet standards. Could I ask for your view, please, on how that compares internationally, and whether you feel that that is appropriate?

Lindsey Fussell: It is probably worth saying that, from an international perspective, although there are some other countries—notably Germany and Australia—that have started to explore strengthening their telecoms security framework, I am not aware of another country that is quite as forward leaning in terms of the framework that is being put forward in this legislation.

In terms of the fines, this is an important point—those fines match the level that we are currently able to levy in relation to our other telecoms requirements, such as breaches of our general conditions. Previously, under our past responsibilities, our fines were limited to £2 million, so really quite a small amount compared with the wealth of the largest operators. I think it is appropriate that the telecoms security fines match what we are able to do elsewhere.

The final point I would make is that fining is an incredibly useful power to have because it acts as a significant deterrent and a strong incentive for companies to comply. It is actually not the first lever that we reach for, certainly not maximum fines; it is there and we are ready to use it if we need to, but our starting point would be to work with operators on this journey as they move towards compliance as they respond to new and emerging threats.

Matt Warman

Q Thank you for all the work you have done on this matter so far. I wonder if you could just say a little bit more about the responsibilities that Ofcom has had, as you put it, since 2011 on telecoms security. I think that perhaps the extent of that is not as well understood as it could be.

Lindsey Fussell: Yes, of course, I am very happy to do that. As you say, we have responsibility now to monitor and enforce compliance on security. The difference, which is why I think this legislation is so welcome, is that at present we do not have any obligations set out as to how operators need to meet those security requirements. It has been basically up to them to decide what is necessary. While many companies have invested very heavily in their security—I would not want to suggest otherwise—clearly there is a journey to go on and improvements that need to be made. It is very welcome that we now have this much clearer framework, so that operators know what they need to do and we can enforce against it.

The other point that is worth bringing out is that, at present, operators are under a requirement to report incidents to us, but the nature of that reporting tends to be around incidents that cause outages. We do get a lot of those—caused not just by cyber-security but by wind, weather and other issues. Quite a lot of cyber-security incidents are, frankly, precisely designed not to cause outages, because it is in the interests of the malicious actor to allow the network to keep operating while they do whatever they are up to. The new requirements on operators are to tell us not just if there is an outage but if there is an incident where they believe their system may have been compromised. They are wider ranging and welcome powers.

Matt Warman

Q I think you are also aware that this legislation is backed up by a number of statutory instruments to give further powers.

Lindsey Fussell: Absolutely.

Matt Warman

Q Would you like to give an assessment of whether you think that is sufficient to address the concerns around, for instance, asset registers, which we have talked about before?

Lindsey Fussell: Yes, so the way the legislation works, as you say, is that there is a primary duty on operators to promote security of their networks, and on us to enforce and monitor compliance against that. My understanding is that the secondary legislation will set out around 40 to 50 sub-duties on operators, which they will all need to meet—that is all operators and providers of electronic communications services.

Underpinning that, each of those sub-duties will be reflected in the code of practice, setting out the details of what the operators need to do to meet each of those sub-duties. As I explained earlier in relation to the questions we discussed on national security, we are entitled, as the regulator, to place quite a lot of weight on the national security judgments that the NCSC and the Government have made in drawing up both those sub-duties in the code of practice, in responding to the threats identified.

The Chair

Any other questions from Members?