Telecommunications (Security) Bill (Eighth sitting)

(Committee Debate: 8th sitting: House of Commons)
Tuesday 26th January 2021


Public Bill Committees

Department for Digital, Culture, Media and Sport

The Committee consisted of the following Members:

Chairs: Mr Philip Hollobone, † Steve McCabe

† Britcliffe, Sara (Hyndburn) (Con)

† Cates, Miriam (Penistone and Stocksbridge) (Con)

† Caulfield, Maria (Lewes) (Con)

Clark, Feryal (Enfield North) (Lab)

Crawley, Angela (Lanark and Hamilton East) (SNP)

† Johnston, David (Wantage) (Con)

† Jones, Mr Kevan (North Durham) (Lab)

† Lamont, John (Berwickshire, Roxburgh and Selkirk) (Con)

† Matheson, Christian (City of Chester) (Lab)

† Onwurah, Chi (Newcastle upon Tyne Central) (Lab)

† Richardson, Angela (Guildford) (Con)

† Russell, Dean (Watford) (Con)

† Sunderland, James (Bracknell) (Con)

Thomson, Richard (Gordon) (SNP)

† Warman, Matt (Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport)

West, Catherine (Hornsey and Wood Green) (Lab)

† Wild, James (North West Norfolk) (Con)

Sarah Thatcher, Huw Yardley, Committee Clerks

† attended the Committee

Public Bill Committee

Tuesday 26 January 2021

(Afternoon)

[Steve McCabe in the Chair]

Telecommunications (Security) Bill

Before we begin, I know this is difficult and people forget, but Mr Speaker is clear: we should be wearing our masks if we are not speaking. I ask you to do your best to comply with that, because it is sensitive. The rules under which the House is allowed to operate have been agreed with health and safety, meaning that if we are not complying, not only are you putting everyone at risk, but unfortunately all the work that has been done could be invalidated. I urge people to do their best to remember.

Clause 17

Laying before Parliament

Amendment proposed (this day): 20, in clause 17, page 29, line 31, at end insert—

“(4) Where the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would, under subsection (2), be contrary to the interests of national security, a copy of the direction or notice must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.

(5) Any information excluded from what is laid before Parliament under the provision in subsection (3)(b) must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.”—(Christian Matheson.)

This amendment would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to a designated vendor direction or designation notice which on grounds of national security is not laid before Parliament, thereby enabling Parliamentary oversight of all directions and notices.

Question again proposed, That the amendment be made.

I remind the Committee that with this we are discussing the following:

Amendment 22, in clause 20, page 35, line 30, at end insert—

“(9) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section which relates to a direction or notice that has not been laid before Parliament on grounds of national security.

Amendment 23, in clause 20, page 37, line 41, at end insert—

“(10) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision which relates to a direction or notice that has not been laid before Parliament on grounds of national security.

Amendment 24, in clause 21, page 39, line 9, at end insert—

“(6) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction which relates to a direction that has not been laid before Parliament on grounds of national security.

Amendment 25, in clause 21, page 40, line 6, at end insert—

“(8) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification which relates to a direction that has not been laid before Parliament on grounds of national security.

I need to understand, Mr Matheson, what your intention is.

Christian Matheson (City of Chester) (Lab)

As you correctly say, Mr McCabe, I need to announce my intention, but just as I was about to, the Committee was halted. I am reminded of the occasion involving that notorious football referee Clive Thomas. The 1978 World Cup blew up against Brazil because, as the ball was heading towards the goal, he disallowed the goal. That was rather how I felt this morning.

That said, I do not wish to press the matter further, despite the fact that I had devastating remarks that would have swayed the Minister. I will not put my amendments to the vote. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 17 ordered to stand part of the Bill.

Clause 18

Monitoring of designated vendor directions

Question proposed, That the clause stand part of the Bill.

With this it will be convenient to discuss clauses 19 to 23 stand part.

The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)

It is a pleasure to be back under your chairmanship, Mr McCabe.

I will try to rattle through these as quickly as I can. Clauses 18 to 23 cover monitoring and enforcement, and further provisions relating to non-disclosure and information requirements. Clause 18 gives the Secretary of State the power to give Ofcom a monitoring direction, requiring the regulator to obtain information relating to a public telecoms provider’s compliance with a designated vendor direction and to provide that information in a report to the Secretary of State.

The clause also includes requirements about the form of such reports and the procedures around their provision, but it does not create any new powers for Ofcom, which already has them under section 135 of the Communications Act 2003. The provisions in the clause are an integral part of the compliance regime. The power to give a monitoring direction to Ofcom is necessary to ensure that the Secretary of State has the ability to require it to provide the information needed to assess compliance with designated vendor directions.

Clause 19 provides Ofcom with the power to give inspection notices to public communications providers. The provisions will apply only where the Secretary of State has given Ofcom a monitoring direction. Inspection notices enable Ofcom to gather information from communications providers in relation to their compliance with a direction. The notices are a tool for Ofcom to give effect to its obligations under a monitoring direction.

Clause 19 also sets out the new duties that inspection notices can impose, the types of information that they can be used to obtain and how the duties in an inspection notice will be enforced. Ofcom may only give inspection notices in order to obtain information relating to whether a provider has complied or is complying with a direction. The notice power cannot be used to obtain information relating to whether a provider has complied or is complying with a direction. The notice power cannot be used to obtain information relating to how a provider is preparing to comply with a direction. Ofcom can instead use its other information-gathering powers under section 135 of the Communications Act 2003 to obtain such information.

Clause 20 provides the Secretary of State with the powers necessary to enforce compliance with designated vendor directions, as well as with any requirement for a public communications provider to prepare a plan setting out the steps it intends to take to comply. It is the Secretary of State’s responsibility to issue directions where necessary in the interest of national security. Clause 20 is essential to ensure that the Secretary of State can carry out this role effectively and enforce compliance with any directions issued. New sections 105Z18 to 105Z21 will be inserted into the Communications Act 2003 for this purpose. The provisions set out the process that the Secretary of State will follow in instances where an assessment is made that a public communications provider is not acting in compliance with the direction or with the requirement to provide a plan. The process encompasses giving a contravention notice, enforcing it and imposing penalties for non-compliance. The clause is essential in ensuring that the Secretary of State can carry out the role effectively and deters and penalises instances of non-compliance.

Clause 21 provides the Secretary of State with the power to give urgent enforcement directions. Provisions to enable urgent enforcement are needed in cases where the Secretary of State considers that urgent action is necessary to protect national security or to prevent significant harm to the security of a public electronic communications network, service or facility.

Clause 22 creates a power for the Secretary of State to impose a requirement on public communications providers or vendors not to disclose certain types of information without permission. The provisions are necessary to prevent the unauthorised disclosure of information, which would be contrary to the interest of national security.

Finally, clause 23 creates a power for the Secretary of State to require information from a public communications provider or any other person who may have information relevant to the exercise of the Secretary of State’s functions under new sections 105Z1 to 105Z26. For example, the Secretary of State can require information on a provider’s planned use of such goods or information relating to how a network is provided. It can also include information about the proposed supply of goods or services. The ability to gather such information would ensure that the Secretary of State is able to make well-informed decisions when considering whether to issue designation notices and designated vendor directions. Information obtained through the use of this power can also be used to support the monitoring of compliance, with directions supplementing information gathered by Ofcom through its information-gathering and inspection notice powers.

To summarise, new sections 105Z18 to 105Z21 together establish the power and processes that outline how the designated vendor regime will be monitored and enforced. The provisions in clause 22 are needed to manage the disclosure of information, the unauthorised disclosure of which may be contrary to national security, and clause 23 will ensure that the Secretary of State is able to obtain the information necessary to make assessments to determine whether to give a notice or direction and to assess compliance.

Chi Onwurah (Newcastle upon Tyne Central) (Lab)

It is a pleasure to serve under your chairmanship once again, Mr McCabe. I will not detain the Committee long with a consideration of the clauses, and I thank the Minister for so ably setting out what the clauses aim to achieve. Indeed, we on this side recognise the importance and the necessity of clauses 18 to 23 in establishing the process and ensuring the powers to obtain information and enforce direction as part of that process.

We only reiterate a small number of important points to draw attention once again to the breadth of the powers, which enable the Secretary of State to require information to an almost unlimited extent. Given the breadth of the powers, the information and progress on the telecommunications diversification strategy is, once again, notable by its absence. Given the breadth of the requirements, it is notable that there is nothing on progress on the diversification strategy. Nor, if my memory serves me correctly, does the impact assessment reflect the potential costs to either the network operators or Ofcom in exercising these powers. The clauses do not set out the impact and they emphasise once again the importance of Ofcom having the appropriate resources to enable it to carry out the requirements effectively. I hope that the Minister will bear those limitations in mind in his ongoing review of the Bill.

Question put and agreed to.

Clause 18 accordingly ordered to stand part of the Bill.

Clauses 19 to 23 ordered to stand part of the Bill.

Clause 24

Further amendment concerning penalties

Question proposed, That the clause stand part of the Bill.

With this it will be convenient to discuss clause 25 stand part.

Matt Warman

Clause 24 enables higher penalties than those currently set out in the Communications Act 2003 to be issued by Ofcom, and clause 25 makes two necessary consequential amendments to that Act. The penalties under clause 24 can be imposed for contraventions of requirements to provide information to Ofcom for the purpose of its security-related functions. That includes when providers do not provide information requested by Ofcom for the purpose of providing a report to the Secretary of State.

Penalties can be set at a maximum of £10 million or, in the case of a continuing contravention, up to £50,000 a day. These maximum penalties are a marked increase on the existing ones, which are capped at £2 million, or £500 a day. This clause ensures that the maximum penalties are the same as those in clause 23. The size of these penalties is appropriate given the potential impact of the situation described. Proposed new section 139ZA(5) of the 2003 Act, inserted by this clause, gives the Secretary of State the power to change, by regulations subject to the affirmative procedure, the maximum amount of the fixed and daily penalties. That will help to future-proof the framework by ensuring that penalties can be adjusted over time—for example, because of inflation.

In summary, clause 24 enables Ofcom to issue the financial penalties necessary to ensure that providers supply it with the information that it needs. Clause 25 contains the consequential amendments to that, which are necessary because the Bill creates a number of powers to make regulations and some of those regulations will amend primary legislation.

Question put and agreed to.

Clause 24 accordingly ordered to stand part of the Bill.

Clause 25 ordered to stand part of the Bill.

Clause 26

Financial provision

Question proposed, That the clause stand part of the Bill.

With this it will be convenient to discuss the following:

Clause 27 stand part.

Government amendments 1 to 4.

Clauses 28 and 29 stand part.

Matt Warman

I will be brief, but it is important to cover the Government amendments. The clause provides that any increase in expenditure attributable to the Bill is paid out by Parliament. Clause 27 covers the extent of the Bill and clause 28 provides for the commencement of the Bill’s provisions.

I turn to the small set of amendments that the Government deem necessary, given that the Bill will be carried over to the second Session. The Bill creates new national security powers for the Secretary of State to address the risks posed by high-risk vendors through the issuing and enforcement of designated vendor directions in clauses 15 to 23 and 24. Amendment 1 enables clauses 15 to 23 to come into force on the day on which the Bill receives Royal Assent. Amendment 2 ensures that the higher penalties also come into force. Amendment 3 removes the subsection of clause 28 providing for sections to come into force at the end of the two-month period. Finally, amendment 4 ensures that the provisions of clause 24 that are not commenced early come into force via commencement regulations on a day determined by the Secretary of State. Without the amendments, the provisions relating to those powers would come into force two months after the Bill receives Royal Assent, which could put at risk the timely implementation of this important policy.

Question put and agreed to.

Clause 26 accordingly ordered to stand part of the Bill.

Clause 27 ordered to stand part of the Bill.

Clause 28

Commencement

Amendments made: 1, in clause 28, page 46, line 19, leave out “section 14” and insert “sections 14 to 23”.

This amendment would cause clauses 15 to 23 to come into force on Royal Assent.

Amendment 2, in clause 28, page 46, line 19, at end insert—

“(ca) section 24, so far as it relates to section 18;”.

This amendment is consequential upon Amendment 1. Clause 24 provides for higher penalties to be available for certain contraventions of information requirements, including contraventions associated with section 105Z12 of the Communications Act 2003, which is inserted by clause 18.

Amendment 3, in clause 28, page 46, line 25, leave out subsection (2).

This amendment is consequential upon Amendments 1 and 2.

Amendment 4, in clause 28, page 46, line 30, at end insert—

“(ba) section 24 (so far as not already in force by virtue of subsection (1));”.—(Matt Warman.)

This amendment is consequential upon Amendments 1 and 2.

Clause 28, as amended, ordered to stand part of the Bill.

Clause 29 ordered to stand part of the Bill.

New Clause 3

Duty of Ofcom to report on its resources

‘(1) Ofcom must publish an annual report on the effect on its resources of fulfilling its duties under this Act.

(2) The report required by subsection (1) must include an assessment of—

(a) the adequacy of Ofcom’s budget and funding;

(b) the adequacy of staffing levels in Ofcom; and

(c) any skills shortages faced by Ofcom.’.—(Christian Matheson.)

This new clause introduces an obligation on Ofcom to report on the adequacy of their existing budget following the implementation of new responsibilities.

Brought up, and read the First time.

Christian Matheson

I beg to move, That the clause be read a Second time.

With this it will be convenient to discuss new clause 7— Review of Ofcom’s capacity and capability to undertake duties (No.2)—

‘(1) The Communications Act 2003 is amended as follows.

(2) After section 105Z29 insert—

“105Z30 Review of Ofcom’s capacity and capability to undertake duties

The Secretary of State must, not later than 12 months after the day on which the Telecommunications (Security) Act 2021 is passed, lay before Parliament a report on Ofcom’s capacity and capability to undertake its duties under this Act in relation to the security of public electronic communications networks and services.”.’

This new clause would require the Secretary of State to report on Ofcom’s capacity and capability to undertake the duties provided for in the Telecommunications (Security) Bill which would be inserted into the Communications Act 2003 under the cross-heading “Security of public electronic communications networks and services” (which would encompass all the clause numbers which start with 105).

Christian Matheson

I do not want to detain the Committee all that long. The basis of the new clause is to ensure that Ofcom has the staffing and financial resources, as well as the capacity and technical capability, to undertake its new responsibilities under the Bill.

I remind the Committee that we heard in the evidence sessions that this is only one of several new areas of responsibility that Ofcom has received in recent years. For example, it now has responsibilities for regulating aspects of the work of the BBC. Parliament will be presenting Ofcom with responsibilities in relation to online harms, all of which is to be welcomed, but we have to recognise that there will be an overstretch for Ofcom.

In the area that the Committee is considering, there are technical complications that require specific sets of talents and capabilities which, we have heard previously, are not always in ready supply in the sector. We heard evidence that Ofcom, in common with other public sector bodies, does not pay as highly as some high-end consultancies, suppliers, developers or software houses, and therefore there will be churn. I do not want to stand in the way of anyone’s career development, but understandably there will be churn, in terms of Ofcom’s ability to maintain its responsibilities in what we know will be a continually evolving sector that throws up new technical challenges.

New clause 3 provides a duty on Ofcom to report on its resources, including

“the adequacy of Ofcom’s budget and funding…the adequacy of staffing levels…and any skills shortages faced”.

In doing so, it will concentrate the minds of senior management at Ofcom, although I have no doubt that those minds will be focused on these matters already. Perhaps they will give this priority, particularly in terms of forward planning, and they will think, “We’re okay at the moment, but are we going to require extra and additional capability in area x, y or z in the next couple of years?” It will also focus and concentrate the minds of Ministers and Parliament, ensuring that Ofcom has the resources and capability to achieve the tasks that we have given it.

We heard many lines of evidence from the expert witnesses. My hon. Friend the Member for Newcastle upon Tyne Central may refer to some of them in her contribution, and I do not want to undermine that. Professor Webb said:

“I doubt Ofcom has that capability at the moment. In principle, it could acquire it and hire people who have that expertise, but the need for secrecy in many of these areas is always going to mean that we are better off with one centre of excellence”.

Emily Taylor of Oxford Information Labs said:

“Ofcom is going to need to upskill. In reality, as Professor Webb has said, they are going to be reliant on expert advice from NCSC, at least in the medium term,”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 79, Q95.]

The new clause is about assisting Ofcom to make an audit of what is available and ensuring that it is up to standard in terms of technological changes. It will also ensure that it is looking forward, in the midst of all the other responsibilities that Parliament is asking it to undertake, in order to maintain a level of skills and expertise that will enable it to undertake the snapshot reviews of current networks, as well as reviews of future provision and threats to the network. I hope that the new clause is self-explanatory and I am pleased to present it to the Committee.

Mr Kevan Jones (North Durham) (Lab)

I would like to speak to new clause 7, which stands in my name. It is related to new clause 3, in the name of my hon. Friend the Member for City of Chester. As he has just said, Ofcom has had an expansion of its duties in the last few years and become a little bit like a Christmas tree with added responsibilities, but none of them will be as important for the nation’s future as this. That is not to decry any of the expertise or other duties that Ofcom has, but national security and the security of our national telecoms infrastructure is a vital new task. I have said before that my concern about Ofcom centres on national security. That is why I have tabled amendments to the Bill. My fear is that Ofcom will not have the necessary expertise, although I am not suggesting that it cannot develop into a good regulatory body looking at security and our national telecoms infrastructure.

I tabled parliamentary questions on Ofcom’s budgets and headcounts, and I am glad to see that its budget and personnel have increased as its tasks have grown. That was not the case in 2010, when its budgets were subject to some quite savage cuts. My concern—I will call this my Robin Day approach—is that we have to future-proof Ofcom to ensure that the organisation not only has the budget but also has the personnel it needs. I do not want to suggest that the Minister would want to cut Ofcom’s budget at present, as it does important work. However, it is a regulator and perhaps does not have the clout of a Government Department, so any future Chancellor or Treasury looking for cuts disguised as efficiencies could see it as easy, low-hanging fruit.

Ensuring that the Secretary of State undertakes duties highlighting Ofcom’s efficiency puts a spotlight on the basis of considerations by future Administrations of any political persuasion. That will be important, not just in the early stages but as we continue. It may take a while for Ofcom to get up to speed, but I want to ensure that that continues. The obligation for the Secretary of State to report on Ofcom would at least give me comfort that first, it is being looked at and, secondly, that civil servants cannot in future just assume that an easy cut can be made but which might then impact on our national security.

I raised another subject with the head of Ofcom when she appeared before the Committee. I do not really want to rehearse the discussions again, but as the Bill progresses the Minister will have to give assurances on security, and try to demonstrate the close working relationship between Ofcom and the security services. That will be important, as it will give credibility to the expectation that Ofcom can actually do the job that we have set out. If the Minister does that, it will reassure people who may not be convinced that Ofcom has the necessary expertise, and ensure that that close working relationship continues, not just now but in future, so that national security is at the centre of this.

There will always be a balance—as I said, we saw it in the National Security and Investment Bill—between wanting, quite rightly, to promote telecoms as a sector, and national security. I fall very much on the side of national security being the important consideration, and we need to ensure that that is always the case. It is important that national security and intelligence agencies are able to influence these decisions, not just in respect of Ofcom but also in respect of Ministers in future.

Chi Onwurah

I support and second the comments and contributions of my hon. Friend the Member for the City of Chester (Christian Matheson) and of my right hon. Friend the Member for North Durham (Mr Kevan Jones), who tabled new clauses 3 and 7. I would also like to congratulate the Committee on having made it through, as it were, the thickets of the Bill as it stands to the sunlit uplands of our new clauses, which are designed to improve it in a constructive and supportive way.

New clauses 3 and 7 both address the challenge of Ofcom’s resources. As Members of the Committee know, I joined Ofcom in 2004. I know that we are not allowed to use props in debates in the Chamber, but the Communications Act 2003, which I am holding in my hand, is the Act with which the Bill is concerned. The changes that the Bill makes are mainly adding to that Act.

When I joined Ofcom in 2004, the Act was about half the size it is now. I am grateful to the Vote Office for printing and binding the enlarged Act which, as I said, is about double the size it was when I joined Ofcom. That is because—my hon. Friend the Member for City of Chester alluded to this—Ofcom has acquired responsibility for critical national infrastructure, the BBC, the Post Office. What is not yet reflected in the Act is Ofcom’s soon-to-be-acquired responsibility for the entirety of our online existence, as reflected in an online safety Bill, which has yet to make its appearance but has the absolute commitment of the Minister’s Department.

This latest expansion of Ofcom’s duties will necessarily add a strain not only to its budget—I shall come on to address that briefly—but, most importantly, to its resources, as was referred to by my right hon. and hon. Friends. In January this year, a colleague of the Minister stated that Ofcom will have the resources that it needs to do its job. If that is the case, may I ask what objection the Minister has to Ofcom reporting to Parliament on the state of its resources, particularly as those resources will be very hard to come by? My right hon. and hon. Friends emphasised the fact that Ofcom lacks experience in national security measures, and that expansion of duties will require the recruitment of people with the required level of security clearance and experience.

We heard in the evidence sessions that that might be a challenge. Dr Alexi Drew said:

“I think what needs to be considered in that question is the type of resources that will be the hardest for Ofcom to acquire. I frankly believe it is not necessarily technology; I believe it is actually personnel. The edge that is given to companies that have already been mentioned in your hearings today—Google, Microsoft, Facebook et al—is not necessarily in the technology, but in those who design the technology. Those people are hard to come by at the level that we require them at. They are also very hard to keep, because once they reach that level of acumen and they have Google, Facebook or Amazon on their CV, they can pretty much choose where they go and, often, how much they ask for in the process.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 84, Q82.]

I just want to reiterate that the Bill must be forward-looking on security challenges. While the existing architecture of our telecoms networks requires skills in certain aspects of technology—radio frequencies and so on—as the architecture moves more and more into the cloud and the software domain, those skills and CVs are going to be all the more scarce and difficult to obtain.

We also heard from Dr Drew that he was not sure whether Ofcom had the capacity to take on the sheer volume of work that was likely to be created. Finally, we heard evidence from Lindsey Fussell, Ofcom’s group director for network and communications:

“In relation to Ofcom’s costs, Ofcom is funded in two ways: first, by a levy on the sectors and companies that it regulates and, secondly, through the collection of fees, primarily from our spectrum duties. Our overall funding is obviously agreed by our board but also subject to a cap agreed with Government…We are currently in discussion with the Treasury about the exact technicalities and which of those routes will be used to fund this, but it will be in line with Ofcom’s normal funding arrangements.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 97, Q131.]

Mr Jones

This is about resources for Ofcom as a whole, but there will also be debate within Ofcom about how its resources are spent. Without any ring-fenced moneys for security, is my hon. Friend concerned, like me, that not only the external control of the budget but that debate internally might compromise security?

Chi Onwurah

My right hon. Friend makes an excellent point. This debate is important for the Bill and important for our new clauses. It is also important that the Minister clarifies what the duties and priorities of Ofcom should be. Having worked for Ofcom at a different point in its history, I can tell hon. Members that when there is, say, a complaint about the behaviour of somebody in the “Big Brother” household that is hitting all the headlines in all the newspapers, that attracts the sudden concentration of resource—unnecessarily, one might argue. There needs to be a counterweight, if you like, to those headline-driven resourcing bottlenecks, which would be either ring-fencing or reporting on how resource is being used to support national security.

All Opposition Members are clear that national security must be the first priority of Government, and therefore the first priority of Ofcom. This is all the more relevant as I pick up the Communications Act 2003, in all its weightiness, where we find the general duties of Ofcom in section 3:

“It shall be the principal duty of OFCOM, in carrying out their functions—(a) to further the interests of citizens in relation to communications matters; and (b) to further the interests of consumers in relevant markets, where appropriate by promoting competition.”

Security is not mentioned—national security or telecommunications security. During the evidence sessions, the argument was made, although I forget by whom, that security was a necessary part of furthering the interests of citizens in relation to communication matters. That is possibly true, but I still think this important issue would be improved by clarity.

As we know, there is a significant pressure on Ofcom’s resources, which changes week by week and month by month depending on what the issues are in the many and increasing domains in which it operates. If these principal duties of Ofcom do not reflect our national security, the concern is that having no direct reporting mechanism to Parliament could mean these resources being used opaquely, with no direct requirement to prioritise national security. I hope the Minister will agree that new clauses 3 and 7 solve a problem the Bill will have in practice. I hope that if he will not agree to the clauses as they stand, he will agree to consider how Ofcom’s prioritisation of national security interests can be made clearer.

Mr Jones

As I have said before, I am not a great fan of arm’s length regulators, because it is a way of Government Departments and Ministers off-loading their responsibilities. Given how my hon. Friend has described the Bill, the way this is going means that Ofcom will be larger than DCMS in the future. Does she share my concern about accountability if things go wrong? It is a good get-out for the Government to be able to hide behind Ofcom, rather than Ministers taking direct responsibility.

Chi Onwurah

As always, my right hon. Friend raises a good point. Having worked for a quango, I had clear insight into the line between independence and dependence, and into the importance of the political will of the Government, regardless of supposed independence. Equally, I saw how any regulator or supposedly independent organisation can be used as a shield for Ministers who do not want to take responsibility.

My right hon. Friend also raises a good point about the hollowing out of capacity in Government Departments. A consequence of 10 years of austerity and cuts is that DCMS and other Departments do not have the capability, capacity or resources that they previously might have enjoyed. I will point out to the Minister the example of the Government’s misinformation unit. It has no full-time employees and is supposed to exist using resources already in the Department—for something as critical now, with the vaccine roll-out, as disinformation.

My right hon. Friend is right to emphasise that given the relationship between the Government and Ofcom, which is an independent regulator, and given the increase in responsibilities that the Bill represents at a time when other responsibilities are also being added to Ofcom, the Minister cannot have it both ways. He cannot have no visibility when it comes to Ofcom’s resources and capacity while giving it yet more responsibility. In fact, this seems to be responsibility without accountability. I hope the Minister will take on board the suggestions in new clauses 3 and 7.

Matt Warman

I thank the hon. Lady for her contributions. To address her central point, it would not be possible for Ofcom to meet the duties Government have tasked it with without addressing the foundational issue of security. It is important that we bear in mind that that is not an exhaustive list, but security will always be a foundational point.

The new clauses would require the Secretary of State to lay a report before Parliament within 12 months of Royal Assent. New clause 3 would require Ofcom to publish an annual report on the adequacy of its budget, resourcing and staffing levels in particular.

As the Committee is aware, the Bill gives Ofcom significant new responsibilities. Ofcom’s budget is approved by its independent board and must be within a limit set by the Government. Clearly, given the enhanced security role that Ofcom will undertake, it will need to increase its resources and skills to meet these new demands. As such, the budget limit set by the Government will be adjusted to allow Ofcom to carry out its new functions effectively. This is of a piece with the direction of travel we are going in. In 2012, Ofcom had 735 employees. Last year, it had 937 employees, so as its remit has expanded, so has its headcount. That will continue to be reflected in the level of resourcing that it will be given.

Christian Matheson

Budget allocations can go down as well as up and there might be a future Government who are not quite as generous as past Governments have been. What guarantee can the Minister offer us that without some kind of reporting, such as that we propose, Ofcom’s budget will not be frozen or, indeed, reduced?

Matt Warman

Ultimately, a mechanism already exists by which Parliament is able to scrutinise Ofcom’s resourcing. Ofcom is required under the Office of Communications Act 2002 to publish an annual report on its financial position and other relevant matters. That report, which is published every March—I am sure the hon. Gentleman is waiting with bated breath for the next one—includes detail on Ofcom’s strategic priorities as well as its finances, and details about issues such as its hiring policies.

Mr Jones

I am intrigued. The Minister says Ofcom already has over 900 people, and it is obviously going to have to grow. How big is DCMS? We basically have a mini-Department here.

Matt Warman

The right hon. Gentleman asks me a question that I may be able to answer in a moment, depending on a number of factors. As for the thrust of his question, Ofcom is ultimately a serious regulator that has the resourcing to do a serious job. The right hon. Gentleman would be criticising us if it had fewer people, so he cannot have his cake and eat it by criticising the fact it has enough to do the job—but I think he is going to have a go.

Mr Jones

Quite the opposite. This just reinforces my point about quangos. If we reach a situation where quangos are bigger than the sponsoring Department it is perhaps best to keep things in-house rather than having arm’s length quangos and the nonsense behind which we hide in this country about so-called independence.

Matt Warman

The reality is that the relationship between Government Departments and regulators is very often incredibly close, but independence is an important part of regulation. Although the right hon. Gentleman makes a reasonable point about the optimal size for in-house expertise versus external expertise, it is getting the balance right between Ofcom, the National Cyber Security Centre and DCMS that this Government and the reporting measures we already have are fundamentally committed to providing.

The right hon. Gentleman talked about Ofcom’s resourcing. Ofcom will not be making decisions on national security matters, as we have said repeatedly, but it will be responsible for the regulation around these issues. As the right hon. Gentleman said, the Intelligence and Security Committee has shown great interest in how Ofcom is preparing for its new role.

As for the point about disclosure and resources, I would be happy to write to the ISC to provide further details in the appropriate forum about Ofcom resourcing and security arrangements. This could include information that cannot be provided publicly, including information about staffing, IT arrangements and security clearances of the sort that we have discussed. I hope that Opposition Members understand that that is the appropriate forum to provide reassurance and to satisfy the legitimate requirements of public scrutiny on this issue.

Matt Warman

How to choose?

Christian Matheson

My hon. Friend is the shadow Minister.

Matt Warman

I give way to the hon. Lady.

Chi Onwurah

I thank the Minister for giving way and for the tone of his response to the different points we made. I will leave the reassurance about writing to the ISC to my right hon. Friend the Member for North Durham. Does the Minister recognise that that does not address the issue of Ofcom’s resources and reporting more generally, particularly lower down the pipeline, when it comes to national security? We have emphasised again and again the breadth of powers. The Minister has said that Ofcom will have the discretion, for example, to require an audit of all operators’ equipment—an asset register audit. It will take significant resource to understand the audit when it comes back. There are significant resource requirements involved that do not necessarily require security clearance but are nevertheless essential to effective security, and the Minister does not really seem to be offering reassurance on those.

Matt Warman

I would say that there is a sensible place to put some of that information, which is the communication to the ISC that I have offered, and there is a sensible place to put other information, which is the annual reporting that already exists. Hopefully the hon. Lady can find some comfort in the fact that both the information that cannot be shared publicly and the information that can will be subject to an appropriate level of parliamentary and public scrutiny.

Christian Matheson

I simply want to welcome the Minister’s comments, and the fact that he has recognised that the Intelligence and Security Committee is the appropriate place to discuss these matters, which, of course, cuts across other clauses that the Committee has already considered. He might bear that in mind on Report.

Matt Warman

I thank the hon. Gentleman for that intervention. I hope that now that I have given those various reassurances, hon. Members are appropriately comforted.

Everyone is waiting for the headcount of DCMS; I am assured that it is 1,304 people, some 300 more than that of Ofcom. I do not know whether that makes the right hon. Member for North Durham happier or more sad.

Mr Jones

According to the website that I have looked at, the figure is 1,170, so it has obviously increased slightly. Still, it makes Ofcom with its new responsibilities nearly as big as, if not bigger than, the sponsoring Department.

Matt Warman

We can discuss the optimal sizes of quangos and Departments outside this room. However, the right hon. Gentleman is obviously right that Government Departments and regulators need the resources they require to do their job properly. I hope that by describing the various mechanisms I have provided hon. Members with the reassurances they need to withdraw the new clause.

Christian Matheson

First, I owe you an apology, Mr McCabe; so keen was I to crack on with the consideration of the Bill that I did not say how great a pleasure it was to serve yet again under your chairmanship. I should have done so at the outset and I apologise.

I am grateful to the Minister for his response. I am looking to the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, for a little guidance. It could well be that we might want to serve a little bit longer under your chairmanship, Mr McCabe, by testing the views of the Committee on new clause 3, if we may.

Question put, That the clause be read a Second time.

New Clause 5

Reporting to Parliament No.2

‘(1) The Communications Act 2003 is amended as follows.

(2) After section 105Z29 insert—

“105Z30 Reporting to Parliament

(1) The Secretary of State must produce an annual report for the Intelligence and Security Committee of Parliament concerning—

(a) designated vendor directions made under section 105Z1; and

(b) designation notices issued under section 105Z8.

(2) The report must contain an assessment of the national security risks underpinning the directions and notices made under those sections.

(3) Ofcom must produce an annual report for the Intelligence and Security Committee of Parliament—

(a) assessing the adequacy of existing security measures within UK public electronic communication networks and services; and

(b) assessing future threats to the security of those networks and services.”’—(Chi Onwurah.)

This new clause introduces a requirement for the Secretary of State to report to Parliament on the impact of vendor designation on national security risks. It also requires Ofcom to produce a forward looking report on future threats to network security and undertake an assessment of the adequacy of existing measures.

Brought up, and read the First time.

Chi Onwurah

I beg to move, That the clause be read a Second time.

New clause 5 is similar in its intent to amendment 19, which we discussed earlier. As with all our amendments and new clauses, it is designed to improve the Bill through ensuring greater scrutiny, focus, transparency and security for the diversification of our network. It would introduce a requirement for the Secretary of State to report to Parliament on the impact of vendor designation on national security risks. It would also require Ofcom to produce a forward-looking report on future threats to network security and undertake an assessment of the adequacy of existing measures.

At the centre of the new clause is a wish to reflect the importance of national security not as a snapshot in time but as something that needs to be continually monitored, considered and assessed for future impact. The new clause would require the Secretary of State to produce an annual report for the Intelligence and Security Committee of Parliament. That would ensure that the report can be comprehensive with regard to security issues that might not be appropriate to share with the public or the Digital, Culture, Media and Sport Committee. The new clause would require that the annual report should concern designated vendor directions made under new section 105Z1 and designation notices issued under new section 105Z8. The report must contain an assessment of the national security risks underpinning the directions and notices made under those sections. That is for the Secretary of State to report.

In addition, Ofcom would be required to produce an annual report for the Intelligence and Security Committee to assess the adequacy of existing security measures within the UK public electronic communication network and services. Critically, it should assess future threats to the security of the networks.

As we have discussed, the Bill gives major sweeping powers to the Secretary of State and Ofcom. We want to ensure that they are proportionate and accountable. Like amendments 5, 9, 10, 20 and 22 to 25, the new clause seeks to address issues of oversight, scrutiny and transparency. We have taken some heart from the Minister’s recognition in the previous debate of the unique role of the Intelligence and Security Committee in assessing security implications, in that case resourcing for Ofcom. The new clause would ensure a focused accountability to Parliament, via the Intelligence and Security Committee, of the notices, designated vendor directions and designation notices made under the provisions of the Bill, and the existing security measures and future threats.

As aspects of this have already been debated, I want to focus on assessing future threats to the security of the network and services. The Minister might say that that is part of the responsibility of the National Cyber Security Centre. What we see is a massive transformation of how the UK addresses security in telecommunication networks, for very good reasons, and a significant amount of the responsibility falls on Ofcom.

The Minister has written to us about how Ofcom and the NCSC will be expected to work effectively together, and we welcome that, but it is also important that Ofcom demonstrates that it has the resources and skills to assess forward-looking threats to the security of our networks. If the measures in the Bill are to be effective for the next five or 10 years, there must be adequate accountability and assessment of future threats, so that we do not find ourselves once more in the position that we are in now because there has been a wholesale change to the networks and Parliament has not been able to assess the implications.

To support the concerns that we have raised, it is worth remembering that Andrea Donà, UK head of networks at Vodafone, said:

“Reviewing the legislation at regular intervals to assess its efficacy in the face of new technological challenges, and also in the light of new strategic aims by Government and that constant review involving the industry, will be very welcome”.––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 8, Q3.]

Dr Alexi Drew, of the Centre for Science and Security Studies, talked about making it as hard as possible for attackers to get access, saying:

“We should be making sure that there is as much oversight and understanding as is possible of where our supply chains go, the standards that they should meet, and whether those standards are being met…this Bill goes some way towards that. I would argue that it needs to be continually updated, checked and maintained. This is not a one-off: times change, and the internet changes faster. Those would pretty much be my recommendations.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 82, Q100.]

Dr Louise Bennett argued that it was incumbent on the Government to have funding in place if vendor designations affected particular suppliers, because it could have the opposite effect to the one intended as small suppliers might not have

“the resources of skills, time or money”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 52, Q67.]

to respond. Reporting to the Intelligence and Security Committee on the impact of vendor designation notices as well as on forward-looking threats would provide an opportunity to take account of the impact on particular sectors and on small suppliers, for example. Furthermore, we have talked previously about issues of confidentiality in the sector and concerns about changes and evolution in network architecture or the performance and predominance of one particular supplier, and the increasing influence that a supplier might have, which might not be appropriate to be reported in a public domain but would very much gain from being reported in a secure measure.

I know that the Minister is reluctant to add to the duties of Ofcom. He will probably say that Ofcom could do this if it wanted to. I reiterate that Ofcom has a lot of things that it could or should do, and would do, but it does not have as a principal duty ensuring the forward-looking security of our networks. The new clause will ensure that that is regularly considered by Ofcom and that Parliament can exercise adequate and effective scrutiny. It would also contribute greatly to the ability of Ofcom and the National Cyber Security Centre to work together effectively, as they would to produce such a report. I hope the Minister will support the provisions of the new clause.

Matt Warman

As the hon. Lady said, we have addressed various issues relating to the new clause in previous debates. It is important to stress that Ofcom has the resources that it needs. She talked about its ability to face the future, but in our evidence sessions, we talked to Simon Saunders, the director of emerging technology. I know she does not wish to suggest that Ofcom does not do this already, but demonstrably it is already proactively engaged in horizon scanning.

Chi Onwurah

Speaking as someone who was head of technology at Ofcom, I am aware that it engages in horizon scanning. I am sure the Minister will come on to this, but while there might be horizon scanning to understand how markets evolve and what level of competition may be seen in new markets in the future, the new clause deals specifically with horizon scanning for security and security threats. I am sure the Minister will focus on that.

Matt Warman

It is important to say that we have amended section 3 of the Communications Act 2003, to which the hon. Lady alluded, so that Ofcom must have regard to the desirability of ensuring the security and availability of networks and services, so that should be incorporated into the horizon scanning work.

Chi Onwurah

This is an important point. I do not think the 2003 Act has been amended, since I had it reprinted a week ago. We were talking about the principal duties. Under section 3, Ofcom has about two and a half pages of duties that it needs to carry out, but only two principal duties. Those principal duties do not mention security.

Matt Warman

The hon. Lady is right, but as of 31 December 2020, section 3(4) states:

“OFCOM must also have regard, in performing those duties, to such of the following as appear to them to be relevant in the circumstances…the desirability of ensuring the security and availability of public electronic communications networks and public electronic communication services”.

It is absolutely there, but I fear we are getting into a somewhat semantic argument.

Chi Onwurah

The Minister is generous in supporting this back and forth in debate. I will close by pointing out that the duty to which he refers is one of 13 duties, so it can hardly be considered a priority. To put it more fairly, to ensure that it is a principal priority, it would need to be elevated.

Matt Warman

I think an organisation of 937 people can cope with 13 priorities. On one level, however, the hon. Lady makes a reasonable point, and it is not one that we disagree with. Security has to be absolutely central to the work that Ofcom will do.

I will not restate the points I have made about how seriously we take the Intelligence and Security Committee and how seriously we will continue to take it. We will continue to write to the Committee on topics of interest as they arise and we are happy to continue to co-operate in the way that I have done; however, as I said in the debate on amendment 9, the primary focus of the ISC is to oversee the work of the security and intelligence agencies, and its remit is defined in the Justice and Security Act 2013. Amending the Bill to require regular reporting to the ISC, as proposed by the new clause, would risk the statutory basis of the ISC being set out across a range of different pieces of legislation.

Mr Jones

Will the Minister give way?

Matt Warman

Earlier, the right hon. Gentleman was suggesting that it was the memorandum of understanding that he would like to see amended. Now he seems to be suggesting that we should insert the new clause, which will not change the memorandum of understanding.

Mr Jones

No, I said in an earlier contribution that if it were done by the memorandum of understanding, I would be quite happy. I know the Minister is limited in the number of civil servants he has beneath him compared with Ofcom, but will he go away and read the Justice and Security Act 2013? It talks about Departments, but it also talks about intelligence more broadly, which is covered by the memorandum of understanding. I do not know why he is pushing back on this issue; it may be because of the Cabinet Office, which has more civil servants than he has. I suggest that we will win this one eventually.

Matt Warman

That may well be the case, but the right hon. Gentleman is not going to win it here—that is the important point to make. It is right not to try to address this issue in the new clause, but the Government will continue to take very seriously the work of the ISC, as he would expect.

Additionally, the new clause is designed to require Ofcom to provide annual reports to the ISC, which would, as the right hon. Gentleman knows, be particularly unusual in the context of the work of the Committee, as Ofcom will not be making judgments about the interests of national security under the Bill, or as part of its wider function. Ofcom’s role as regulator seems not to be something that comes under the purview of the ISC, even if I understand the broader point. As I said earlier, however, the NCSC is very much under the purview of the ISC, and there are plenty of opportunities for the Committee to interrogate the work of that excellent agency. I am sure the Committee will continue to take up such opportunities with vigour, but as I have said before, it would not be right to seek to reframe the remit of the ISC through the new clause. I ask the Opposition to withdraw it.

Chi Onwurah

I thank the Minister for his comments and for engaging so readily in debate. I have to say that we feel very strongly about the new clause, both for parliamentary scrutiny and for ensuring that Ofcom is looking forward and assessing future threats. With bated breath, I wish to test the will of the Committee on the new clause.

Question put, That the clause be read a Second time.

New Clause 6

Network diversification (No. 2)

‘(1) The Communications Act 2003 is amended as follows.

(2) After section 105Z29 insert—

“105Z30  Network diversification

(1) The Secretary of State must lay before Parliament an annual report on the impact of progress of the diversification of the telecommunications supply chain on the security of public electronic communications networks and services.

(2) The report required by subsection (1) must include an assessment of the effect on the security of those networks and services of—

(a) progress in network diversification set against the most recent telecommunications diversification strategy presented to Parliament by the Secretary of State;

(b) likely changes in ownership or trading position of existing market players;

(c) new areas of market consolidation and diversification risk including the cloud computing sector;

(d) measures taken to implement the most recent telecommunications diversification strategy presented to Parliament by the Secretary of State;

(e) the public funding which is available for telecommunications diversification.

(3) A Minister of the Crown must, not later than two months after a report has been laid before Parliament under this section, make a motion in the House of Commons in relation to the report.”’—(Chi Onwurah.)

This new clause requires the Secretary of State to report on the impact of the Government’s diversification strategy as it relates to the security of telecommunications networks and services, and to allow for a debate in the House of Commons on the report.

Brought up, and read the First time.

Chi Onwurah

I beg to move, That the clause be read a Second time.

It is with some sadness that I come to the last new clause we have to present—[Interruption.] I see that causes some hilarity in the Committee; I am sure that is just nervous laughter and everyone shares my dismay that the focus on telecommunications that the Committee has ably exhibited for the last few sittings will soon come to an end. Our consideration in some detail of the importance and implications of our telecoms network’s security must conclude, but I am pleased that we end on this new clause, which sums up one of the key themes we have focused on throughout our discussions: the importance of the diversification strategy.

Many amendments tabled by the Opposition reflect our concern that the Bill claims to seek the security of our telecommunications networks and yet does not mention once the diversification strategy. We are moving the new clause to put that right. We support the Bill and the Government’s aims in the Bill. We believe it is right to remove high-risk vendors from the UK’s networks and to take the measures in the Bill that will ensure that the Government will be able to designate vendors and require telecoms operators to comply with security requirements. However, those steps must go hand in hand with credible measures to diversify the supply chain, and that must be subject to parliamentary scrutiny.

As I said, the Bill as drafted fails to mention the Government’s diversification strategy and chooses to ignore the impact that the new powers afforded to the Secretary of State and Ofcom will have on supply chain diversity. The Minister recognises that they will reduce diversity, yet there is no reference to the steps that will be taken to diversify the supply chain. The new clause would require the Secretary of State to report on the Government’s diversification strategy’s impact as it relates to the security of telecommunications networks and services.

The Opposition have argued throughout our deliberations that the sweeping powers afforded to the Secretary of State and Ofcom by the Bill must be put under proportionate scrutiny, and the new clause would do that. It would bring about a debate in the House on the findings of the Secretary of State’s diversification strategy report and require a ministerial response no more than two months after the report’s publication. The new clause would therefore provide accountability for the diversification strategy’s progress and lead to real action, not just talk.

It has been said that

“it is essential that we create a more diverse and competitive supply base for telecoms networks”

because reliance on two providers creates “an intolerable resilience risk”. Those are not my words, but the words of the Secretary of State. Members from across the House agree that we cannot have a robust and secure network with only two service providers. That is something we were repeatedly told in the evidence sessions. The chief technology officer of BT Group, the director of emerging technology at Ofcom and the former head of cyber-security at GCHQ think so, and even the Secretary of State thinks so, yet the lack of link between the diversification strategy implementation and the security of our networks is ongoing cause for concern. Now we have the chance to take action, and I am glad to offer the Minister the opportunity to put this right.

This is not new information. The dependence of our telecoms networks on diversifying the supply chain was set out in the 2019 telecoms supply chain report. A leak from that report caused a Cabinet resignation, so important was it considered to be. Unfortunately, in the intervening year and a half, the Government have failed to act, refusing to take the necessary steps to ensure the diversification of our national supply chain, leaving us at real risk of being short-changed on national security. I emphasise, once again, that we place national security at the heart of everything that we do in this Committee.

The UK defence industry seeks to encourage, support and create markets for UK small and medium-sized enterprises, supporting the very best in innovation and helping innovative small and medium-sized enterprises to grow. We would like to see the UK’s telecommunications industry do likewise, to ensure a sovereign security capability. We want the Bill and the diversification strategy to create significant opportunities for UK businesses, linking them to global supply chains.

I welcome the Government’s diversification strategy. After all, I have been calling for a strategy to grow and diversify our telecoms sector for a long time—even before I came to this House. Although the Government have been talking about such a strategy for some time—there was an awful lot of talk about a diversification strategy and bigging it up before it was published—as is often the case with this Government, the strategy that was published was a bit of a disappointment. It lacked the clear commitment and funding that one would expect to find in any effective strategy.

The £250 million committed by the Government over five years came with little detail on how it would be spent. I have now had assurance that the funding is focused on integration and testing facilities, which are necessary, but there is no emphasis on supporting research and development, and particularly supporting our start-ups in the telecommunications sector. In the evidence sessions, Mike Fake of Lumenisity highlighted that the first year of the £250 million diversification funding was equivalent to only 10% of BT’s annual research and development budget. This is not the bold action of a Government committed to network diversification and our telecommunications security.

The diversification strategy declares itself

“a clear and ambitious plan to grow our telecoms supply chain while ensuring it is resilient to future trends and threats.”

That is a bold ambition. It says it will do that by focusing on three main areas:

“Supporting incumbent suppliers to ensure their resilience and ability to supply the market in the near term, while supporting their transition into the emerging market structure; attracting new suppliers into the UK market to build resilience and competition, prioritising deployments that are in line with our longer term vision; accelerating open-interface solutions and deployment so that we are not reliant on any single vendor and begin to realise our long term vision for a more open and innovative market.”

These are all highly laudable. They are not easy. I recognise the challenge that the Government face. As we discussed in the evidence sessions, this comes after decades of neglect of sovereign capability, not only in the UK but by other countries, which is why we find ourselves with only two vendors, both from Scandinavian countries, and no UK, US or other European capability.

We have heard just how difficult this challenge will be. Will the Minister tell me how we can possibly achieve that bold ambition if we fail to monitor the impact of the strategy? We need an annual report on the progress made by the diversification strategy, so that we can apply appropriate parliamentary scrutiny. After all, the strategy commits the Government to regular reports on progress, which is what the new clause asks for, while adding a focus on the diversification strategy’s impact on our national security. That is what it is all about. The Secretary of State tells us that the Government are implementing one of the toughest telecommunications security regimes in the world, but why is there to be no scrutiny applied to this key part of the regime?

When I asked the Minister in parliamentary questions why the diversification taskforce was not diverse in terms of geography—it includes no one from north of Watford—or discipline, having on it no equipment supply chain expertise, I was told that geography did not matter, and that the taskforce was focusing on cyber-security skills. To be fair, the Minister did say that Ian Livingston, the chair, was Scottish, but I think he will acknowledge that he has not lived in Scotland for some time. Geography does matter. We need to build up concentrations of skills and expertise—clusters. Cyber-security is very important, but focusing on it suggests that we are not serious about developing sovereign capability in other very important areas.

We are agreed that diversification is essential, and I hope that we are agreed that that should include UK capability. We also agree that it is challenging. How do we do it? In an evidence session, Professor Webb said:

“If I wanted to diversify, I would instruct the telecoms operators to diversify. I would not try and pull the levers one step removed. I would say to the telecoms operators, either with a carrot or a stick, ‘You must diversify. If you have x number of vendors in your network, I will give you £x million as a carrot.’ The stick might be some kind of licence condition that said, ‘In order to meet your licence, you have to have at least x number of vendors in your network.’”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 73, Q87.]

We also heard from Chris Jackson, who said:

“Incentives definitely play a part in this; to comment on Japan for a moment, I know the Japanese Government have incentivised companies to embrace open RAN, and that might well explain why companies such as Rakuten and NTT DOCOMO have been very successful in launching the technology. That proves it can be done and shows that where there is a willingness, there is a way, but if we can drive all those different parties coming together, that is how we will get traction.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 38, Q43.]

The Government have chosen not to do that. They have chosen to focus on big sticks for security, as set out in the Bill, such as designations, enforcements and fines of up to 10% of turnover, but they have left diversification very much to the market, providing it with a sweetener of £250 million over five years. Surely we have a right—indeed a duty—to monitor how and whether that is successful.

We heard in the evidence sessions that we have significant national promise in terms of capability. Dr Andy Sellars, the strategic development director for the Compound Semiconductor Applications Catapult, said:

“In the UK we have something like 5,000 companies that design and manufacture electronic systems. Something like 600 of them are involved in telecoms. I am not suggesting that all of those 600 become equal players. That would be a crazy scenario. But there are certainly some parts of the telecom network where the UK is pre-eminent. There are some backhaul and fibre technologies that we are very good at. As we deploy 5G into rural communities, that is likely to require low Earth orbit satellites; we are very good at satellite communications.”––[Official Report, Telecommunications (Security) Public Bill Committee, Tuesday 19 January 2021; c. 109, Q142.]

I will give the Minister a specific example of both the opportunity and the challenge, which I hope he will respond to equally specifically. I am very pleased to say that the example comes from my constituency of Newcastle upon Tyne Central: INEX, which is leading the UK’s drive for a sovereign radio frequency and communications gallium nitride semiconductor—an important semiconductor capability for telecommunications.

INEX is currently working with many of the organisations in the north-east communications cluster, including aXenic, Evince, VIPER RF, II-VI, Newcastle University and Durham University. Further afield, it works with companies and organisations in south Wales, Glasgow, Cambridge and Edinburgh, deploying compound semiconductors for RF and microwave applications, and working on the microfabrication of devices for quantum, medical and centres markets. Most recently, that has been expanded to include graphene-based devices.

Despite covid-19, in 2020 INEX grew by 50%, having recruited six highly qualified and experienced people. To address and grow the telecommunications market, those businesses in the north-east will have to extend their reach to partners in tier 1 telecommunications companies and their labs, and demonstrate that they have the skills and resources to scale the delivery of telecommunications hardware. The biggest challenge will be accessing the capital investment to buy the process and manufacturing equipment to deliver at-scale commercial products. That is a fundamental barrier to entry for many small and medium-sized enterprises in the sector. I ask the Minister what specifically he is doing to redress that. He will say that the diversification strategy suggests that there will be funding for testing and integration, but we are specifically looking at the challenge regarding capital investment.

If that group of companies is to be an intrinsic part of telecommunications deployment, we must ensure that it can reach into and benefit from the competitive pull of tier 1 labs and access the global telecommunications industry. I strongly believe that although direct procurement of critical subsystems, cyber-certification and sponsoring the UK’s attendance on standards bodies is beneficial—I will talk a bit about that—for truly secure telecommunications, the UK’s sovereign businesses, both hardware and software, need to be embedded in the global supply chain from which telecoms infrastructure is built.

The Bill needs to ensure that the UK is an embedded development partner, rather than simply a taker of technology. I am afraid that right now the Bill simply tries to ensure that we are a taker of technology. During the evidence sessions, we heard repeatedly of the importance of standards from numerous sources. Emily Taylor, the chief executive officer of Oxford Information Labs, heralded the exciting opportunities presented by inter-operable standards, and the impact that they could have on prevention of vendor blocking. The diversification strategy recognises that too, stating that standards

“play a critical role in determining the barriers to entry for new suppliers and establishing principles such as open interfaces and interoperability”,

but the Bill gives no requirement for reporting on the progress of standards, and no indication of how our involvement in standards, which is necessary for diversification, will be achieved.

Emily Taylor also said:

“The ITU is headed by a Chinese national, and of 11 working groups within the ITU’s Telecommunication Standardisation Sector …China has a chair or vice-chair in 10, and a total of 25 positions at chair or vice-chair”.––[Official Report, Telecommunications (Strategy) Public Bill Committee, Tuesday 19 January 2021; c. 71, Q82.]

Clearly there is a huge challenge in increasing UK participation in the standards necessary for telecommunications security, but how are we to see the progress that I am sure the Minister envisages if we do not have a report on the progress of the diversification strategy and its implications for security?

On standards, Professor William Webb told us:

“The UK Government themselves could not really have an influence, and nor could a university or any other organisation like that, not unless they spent inordinate amounts of money and hired a lot of people to write a lot of papers. There needs to be a concerted global or western European effort, or some kind of larger scale activity that can help the larger companies with the resources and expertise and the standards bodies to step up their efforts”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 72, Q83.]

yet we see no reflection of that in the Bill.

The impact that standards can have on vendor supply chain diversity is reflected in the diversification taskforce and the diversification strategy, which put a lot of emphasis on open RAN. We had much discussion in the evidence sessions about the maturity or otherwise of open RAN. The Government seem to have placed open RAN technology at the centre of their strategy to diversify 5G hardware, and aim to see live 5G open RAN in the UK this year. We support utilising open RAN, but evidence suggests that the technology may not be mature for another five to eight years, and Doug Brake stated that open RAN may not even be ready to be incorporated into 5G.

I acknowledge that through open RAN, the Government are thinking about how we will build the next generation of UK networks, but the UK currently has only two vendors. Our telecoms security is desperately in need of diversification and the development of a sovereign capability as soon as possible. We need an appropriate way of measuring that success.

We have also discussed the implications of changes in the architecture of telecommunications networks, and of moving control and services to the cloud. We have discussed the importance of forward-looking assessment, but I feel that a report to Parliament would ensure that those matters were kept very much at the forefront of the minds of Ofcom and the Department. It is worth mentioning that, on diversification and strategy, Dr Bennett suggested that a commissioner could help by

“keeping an eye on what is going on here, and in order to be able to help policy makers and the Secretary of State to make the right changes.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 49, Q61.]

I will make a couple more points before I bring my remarks to a close. First, we heard concerns from a number of operators that they might be left in a contractual limbo, with designated vendor notices rendering them unable to buy from a supplier but contractually obligated to. If the Government will not address that now, they should at least allow us visibility, through a report, of the impact. Secondly, as discussed, neither the Bill nor the diversification strategy include incentives to diversify, but the Government could put in place incentives to innovate, which might have the same effect—requiring improving rates of spectral efficiency, and network SIP funds, such as the rural one, for example. Is the Minister considering that?

Finally, I think we can all agree that this should involve working with our allies. We heard in evidence that the new Administration in the United States, for example—we all congratulate the new President, Joe Biden—would be inclined to do that. Doug Brake said:

“What we have seen over the last several years in the United States is a variety of different agencies doing what they can to mitigate the risks. It is less a co-ordinated whole of Government approach in the US and more a disjointed and fragmented policy response across different agencies, so I am hopeful that under a Biden Administration we will see a much more co-ordinated effort and one that is more co-operative with allies.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 123, Q163.]

We also heard from Emily Taylor about the idea of a D10, which the Defence Committee has talked about—a Five Eyes-type of collaboration among our allies. That idea has been kicking around for some time, yet we are yet to see it progress to anything concrete. Bringing together allies to work internationally and collaboratively on reinvigorating our telecoms sector is a laudable aim, but why is the Minister so afraid of monitoring its success?

A decade of neglect of our telecoms infrastructure has left us vulnerable and created the need for this Bill. We support the Bill, but it is clear that to protect our national security now and in future we must have an effective network supply chain diversification strategy, plan and implementation. New clause 6 would ensure that this vital aspect of our telecoms security is regularly reviewed and scrutinised, so that the UK is never again forced to choose between technological progress and national security.

Matt Warman

The hon. Lady raised an important issue. Fundamentally, however, the issue of diversification is twofold. The Government want to see greater diversification within our telecoms supply chain. The £250 million allocated for the first three years of that programme to support the diversification strategy is a hugely important part of it.

As we are already seeing in the increased use of open RAN, whether with Vodafone in Wales or the NeutrORAN project with the NEC, there is already significant progress. I think that demonstrates that the industry does regard this—whether the hon. Lady wants to call it an incentive or a carrot—as something that is making things happen to a greater extent. The Government cannot legislate for the diversification of the market; that is something that we can incentivise and work with the market to do.

We can monitor the diversity of networks, as Ofcom has the powers to do. We can set requirements on what the minimum standards might look like. For instance, NCSC guidance already says that two vendors should be the minimum, rather than one, for a telecoms network. That gives you an indication of what we will be monitoring and looking at, potentially, in codes of practice in the future. The hon. Lady is right to focus on this important issue, but it is wrong to pretend, important though Secretaries of State are, that any Secretary of State could legislate in the way she describes for the greater diversification that we all seek.

The focus of the Bill is on setting clear and robust security standards for our networks that telecoms providers must adhere to, and they must be met regardless of the diversity within any of those networks. To be fair, the diversity within a provider’s supply chain, in and of itself, does not offer the guarantee of network security. A provider using a diverse supply chain needs to be held to the standards set out in this Bill, so that the provider is able to offer the security standards that we need, regardless of the number of suppliers that they have available.

It is important to reassure hon. Members that Ofcom will have the ability to collect information relating to the diversity of suppliers’ networks under section 135 of the Communications Act 2003, as we have discussed. I do not think it is necessary to specify the need to collect information relating to diversification, as that is just one set of information that Ofcom may collect; it is just as important as several others in monitoring and reporting the security and resilience of networks. It is also important to clarify that, although greater diversity is critical in ensuring that we reduce our national dependence on a small number of suppliers, it is part of a broader approach to building security and resilience across the global supply chain that sits outside the Bill, important though it is. Diversification is an issue broader than the make-up of supply chains for UK providers alone, as the hon. Lady knows.

At this stage, there is a limited number of suppliers in the global market—a smaller number that are capable of providing equipment suitable for the UK market. It is a global challenge that requires a global solution, which is why it is an integral part of the diversification strategy that the hon. Lady mentions. Our primary objective has to be to grow the supplier base and give operators more choice about the vendors that they use.

As we heard in evidence sessions, operators are equally committed to increasing diversity in UK networks. To achieve that, the Government will take forward the programme of works that the hon. Lady mentioned, with trials and testbeds for new suppliers and open RAN technology. We will ensure that telecoms standards are set in a way that promotes security and interoperability, and we will remove barriers to entry for new suppliers.

As the hon. Lady said, all that work is being informed by an independent taskforce looking at all options to drive increased market diversification. That includes incentives in forms other than those that I have already described, and the taskforce will be making recommendations in the coming months. It is also looking forward to identify areas where market consolidation might occur in the future, what can be done to offset those risks and where the UK can establish its sovereign capability.

The hon. Lady asks why there were not suppliers on the taskforce. If there had been suppliers directly on the taskforce, they would have been conflicted, but the taskforce has worked closely with suppliers because they are obviously very important. Indeed, Mavenir, NEC and others who gave evidence are among those who we have spoken to and worked closely with, as we have with Nokia, Ericsson and Samsung.

As the Government deliver our strategy across all these areas, we will be making announcements and providing regular updates as required. That approach, rather than the one the hon. Lady seeks through the new clause, will enable us to provide up-to-date and timely information on progress. With that, I hope she will be content that there is plenty in the diversification strategy that will deliver what she wants, but it is not an issue for the new clause.

Chi Onwurah

I thank the Minister for his comments; having spoken for so long myself, I was reluctant to interrupt him. I am pleased that he has clarified that the £250 million is over three years, as opposed to being over five years—I had not seen that before. That is welcome, and I anticipate further funding.

However, the Minister says that the Government cannot legislate for the diversification of the network. Why not? The Government can legislate to break up consolidation in other markets, and they have legislated to do so—for example, competition law does exactly that. We heard in evidence sessions from some who felt that diversification could be achieved only through direct intervention. He implies that I am arguing that diversification delivers telecoms security on its own, but I am not arguing that. I am arguing that it is necessary though not sufficient—clearly, other methods are needed.

The Minister suggests that diversification is one of many things that Ofcom can report on, if it so chooses. That is equally important, but let us be clear that it was the diversification of a supply chain that was the critical report—a report so important that the current Secretary of State for Education was forced to resign because of its leaking, which is why we are here today. The diversification of the supply chain is absolutely critical.

The Minister says that we heard from operators that were committed to diversification, but we also heard that there were real challenges in their commitment to diversification. We would not be where we are today if they were so committed to diversification of their supply chain. That is why there is a need for incentives and intervention. On that basis, it is important to test the will of the Committee on the new clause.

Question put, That the clause be read a Second time.

Mr Jones, new clause 7 has already been debated. Do you want to put it to a Division?

Mr Jones

No, Mr McCabe, it was a probing amendment. We debated some important issues around the accountability of Ofcom. Clearly, we are getting to a point where Ofcom has more staff than DCMS—perhaps, at some future date, Ofcom could take over the role of DCMS.

I realise that this will come as a devastating blow to all of you, but the final question I must put is that—

Chi Onwurah

On a point of order, Mr McCabe. I put on the record my gratitude, and that of my right hon. Friend the Member for North Durham and my hon. Friend the Member for City of Chester, to you and your colleague, Mr Hollobone, for the way in which you have expertly chaired proceedings in the Committee. I also sincerely thank all House staff who have supported our work here, including those representing Hansard, and particularly the Clerks, who have been absolutely invaluable in setting out our desires to improve the Bill in clear and orderly amendments and new clauses.

I also thank all members of the Committee from both sides of the House. This detailed, technical Bill is critical for our national security, coming at a time of national crisis, when we are braving—all of us: staff and Members—a pandemic in order to be here. We have had an orderly and constructive debate.

Matt Warman

Further to that point of order, Mr McCabe. What fun we have had! It is a pleasure to come to this point in the Bill’s passage. I echo the hon. Lady’s thanks to the House staff and to yourself, Mr McCabe, and Mr Hollobone. I also reiterate her point that this is a crucial Bill—one that I am glad enjoys cross-party support. I look forward to debating its further stages in the House.

Bill, as amended, to be reported.

Committee rose.

Written evidence reported to the House

TSB 11 Stefano Cantarelli, Chief Marketing Officer, Mavenir.

Telecommunications (Security) Bill (Sixth sitting)

(Committee Debate: 6th sitting: House of Commons)
Thursday 21st January 2021


Public Bill Committees

Department for Digital, Culture, Media and Sport

The Committee consisted of the following Members:

Chairs: Mr Philip Hollobone, † Steve McCabe

† Britcliffe, Sara (Hyndburn) (Con)

† Cates, Miriam (Penistone and Stocksbridge) (Con)

† Caulfield, Maria (Lewes) (Con)

Clark, Feryal (Enfield North) (Lab)

Crawley, Angela (Lanark and Hamilton East) (SNP)

† Johnston, David (Wantage) (Con)

† Jones, Mr Kevan (North Durham) (Lab)

† Lamont, John (Berwickshire, Roxburgh and Selkirk) (Con)

† Matheson, Christian (City of Chester) (Lab)

† Onwurah, Chi (Newcastle upon Tyne Central) (Lab)

† Richardson, Angela (Guildford) (Con)

† Russell, Dean (Watford) (Con)

† Sunderland, James (Bracknell) (Con)

Thomson, Richard (Gordon) (SNP)

† Warman, Matt (Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport)

West, Catherine (Hornsey and Wood Green) (Lab)

† Wild, James (North West Norfolk) (Con)

Sarah Thatcher, Huw Yardley, Committee Clerks

† attended the Committee

Public Bill Committee

Thursday 21 January 2021

(Afternoon)

[Steve McCabe in the Chair]

Telecommunications (Security) Bill

Before we resume, I have been asked by Mr Speaker to remind people that, when they are not speaking, they should wear a mask. I know this is extremely inconvenient for lots of people, not least me—my glasses steam up. I do not want to be taking names or issuing yellow cards, but may I ask you to try to be mindful of Mr Speaker’s concerns and do the best you can? Hopefully we will all be okay.

Clause 1

Duty to take security measures

Amendment proposed (this day): 21, in clause 1, page 3, line 26, at end insert—

‘(2A) The Secretary of State must make regulations under subsection (1) requiring providers of public electronic communications networks and public electronic communications services to carry out an audit of the goods, services and facilities supplied, provided or made available for the purposes of the provision of their network or service to ascertain whether they present a risk to the security of that network or service.’.—(Chi Onwurah.)

This amendment is a probing amendment designed to learn how the Government plans to ensure network operators have a comprehensive audit of hardware of interest because, for example, it is manufactured by a designated or high-risk vendor.

Question again proposed, That the amendment be made.

Mr Kevan Jones (North Durham) (Lab)

I am demasked. Welcome to the Chair, Mr McCabe. It is a pleasure to serve under your chairmanship. The amendment’s intention is similar to that of new clause 7, which we spoke about earlier. My hon. Friend the Member for Newcastle upon Tyne Central is trying to probe, like I was, how we get operators to ensure that there is a full audit of their telecoms networks. This is not an easy situation. I accept what the Minister said about trying to strike a balance between prosperity—not wanting to put undue burdens on operators—and ensuring security. As my hon. Friend said, with her huge expertise in the field, these networks are not static entities; they develop over time. The example that she cited was that some of the kit in networks is many years old, which may now create security issues that were not evident when the equipment was introduced.

We are not talking about too onerous a burden on the network operators, because they are large companies. I accept that they will be resistant to anything that adds cost because, at our insistence of wanting cheaper phone calls and mobile technology, prices are competitive between the various operators. My hon. Friend therefore makes a good point that there must be a clear level playing field between the operators.

The Bill will ensure that existing Huawei kit is taken out by 2027, even though the networks did nothing wrong by putting in that kit in the first place. Without wanting to carry on my campaign against the Cabinet Office, the Intelligence and Security Committee’s 2013 report “Foreign involvement in the Critical National Infrastructure” shows that the Cabinet Office was made aware of BT’s contract with the Chinese company Huawei in 2003. That the Cabinet Office felt it was not important enough to tell Ministers so until 2006 reinforces my point about its role. That brings me to Ofcom and its capacity, which I will come to later. If we want the most robust system, we will need a system by which we know what is in the network.

There are two issues. I think it is possibly easier for future deployments, because we know what we are putting in. In the debate around Huawei and the security risks, I think it has been very clear. Let us be honest: an operator would be very silly to put in a piece of equipment that was deemed to be high risk for any future roll-out. However, as my hon. Friend says, it is what is already in the network. We accept that some of that will be taken out as a result of the Huawei issue, but a huge amount of equipment will still be in there.

That is before we look at software. What saddens me about the entire debate around Huawei and the telecoms sector is that it has been very hardware-centric. We know that the risks to our network from software are greater in some respects; we have seen examples of where network compromise is easier, too. Again, how do we get a robust framework in terms of the audit around software—not just what has already been used, but what will be used in the future?

Chi Onwurah (Newcastle upon Tyne Central) (Lab)

My right hon. Friend is making some excellent comments. He has raised another issue, which I perhaps did not highlight in my speech, which is that there might be existing equipment that is not necessarily seen as having a security implication but that, as the network evolves, will pose a security threat in the future. I gave an example in the evidence sessions. Say Amazon Web Services was to be bought by a Chinese company. As our networks move the functionality into the software, that will be running in the cloud over the Amazon Web Services infrastructure, which would have a huge potential security impact. An effective audit of where that equipment is now would be critical to knowing the level of that threat.

Mr Jones

I do not disagree with my hon. Friend. That is why we need to get into the idea of the audit. As I said earlier, we basically need a level playing field for operators; we do not want one to have an advantage over another. We also need a clear picture of what we are asking in terms of the audit. On the point she makes regarding web services and the cloud, there is an issue there that I think is worth referring to. It links today’s Bill with the National Security and Investment Bill, which we were discussing yesterday. There was a lot of discussion around what we define as critical—a point she has already raised.

For yesterday’s Bill, the question was what is critical to national infrastructure—for example, a company that is developing software that is then acquired by a state that we deem is a security risk to us. If that equipment or software is being used in our telecommunications network, does that mean that the network is compromised, and how do we guard against that? There are provisions in the National Security and Investment Bill that enable the Government to stop the acquisition of companies that we consider vital to our national security, but unless we know that in advance, how will we make that decision?

If we have a situation where a small company is providing software for part of our critical national infrastructure for telecoms, how will that be joined up? How will we be able to use the provisions in the National Security and Investment Bill, so that the Business Secretary can block the sale? Likewise, how do we get that connection? We can do that only by the Minister and Ofcom having a very clear indication from day one—I do not think it will be possible from day one, but from some time into it—what is in our network, not just now, but into the future. That will be important.

That brings us to the role of Ofcom. We have seen a development of regulators in this country. I am not a great fan of regulators, because I think it is a way for Ministers to palm off their responsibilities to third parties and then stand back and say, “If it all goes wrong, it is nothing to do with me, guv—it is these independent organisations.” A long time ago—perhaps it is a bit old-fashioned—the General Post Office used to be responsible for this type of thing, and I am currently reading the excellent new history of GCHQ that has come out, which I recommend to everyone. It is fascinating to read about some of the challenges—things that apply to this Bill—such as, in the first world war, what was conceived as national security and who was responsible for it. Was it the GPO, the military or someone else?

How will Ofcom be able to look at a network and say, “Yes, we are satisfied that there is nothing in there that is a matter of national security”? They do not know. I do not think for one minute that we are going to have a situation whereby this Government or any future Government will suddenly throw so much money at Ofcom that a huge army of inspectors will be climbing up poles and going into operators’ offices to check source codes and so on. That is not going to happen.

From a practical point of view, the operators will have to be responsible for providing that information to Ofcom. Whether it is in the Bill or in the guidance, it must be clear what is expected of operators. It is no good looking back in hindsight and saying, “We should have done that,” when something happens. The operators will just say, “You did not tell us we had to do that,” or, “We didn’t know about that.” It has to be very clear, to prevent a competitive advantage between different companies, that there is one standard. They also have to know what we are asking for. Then, taking the telecoms hat off and putting the national security hat on, from the Government’s point of view, that needs to be very clear as well, because we need to be reassured that the components and software in those networks, now and in the future, are not a national security risk.

That brings us to an issue that I have already raised. I am not someone who thinks that every time we go to bed at night, we should look under the bed to see whether the Chinese are there, unlike some members of the China Research Group, but there is an issue about the way in which China will look at supply chains as a way of getting access, for two reasons. The first is national security. The second is commercial reasons—dominating the market, which is what China has done with Huawei. How will we identify that, without having some type of audit process? I do not think that everything to do with China is bad, but a huge number of the components in all our mobile phones in our pockets today will have come from China, including Ericsson and Nokia hardware.

James Sunderland (Bracknell) (Con)

I am enjoying the right hon. Gentleman’s logic. He talks a lot of sense, which is great. I am really intrigued by his insistence that the Government place these obligations on the National Cyber Security Centre and Ofcom. In my humble view, and knowing how those organisations work, it is likely to be the case that the Joint Forces Intelligence Group, GCHQ or the National Cyber Security Centre inform Government where there have been transgressions of security and breaches. I am intrigued by the counter-logic with where I think we need to be.

Mr Jones

This is a remarkable day. This morning I was told that my contribution to the debate was inspiring, and now I am being told that I am talking sense—I thank the hon. Gentleman for making my day.

The hon. Gentleman is right, but he is also wrong. He is right in the sense that there are threats that will come through GCHQ and others—they will say to operators, “You’ve got to be careful of these things.” Where he is wrong, though, is with the idea that somehow GCHQ can take a guess at what is in the network. It does not have that capability. Going forward—the emphasis in this country, in the Bill, in terms of looking at telecoms security—yes, the bar has been raised substantially.

There will be occasions when GCHQ—it does it already—contacts operators and others to say, “Beware of this software or this thing.” I accept that as a proactive approach, but handling backwards will also be important. How do we have a gold-plated system, whereby we have GCHQ doing what the hon. Member for Bracknell suggested they are already doing, but one that also matches up with operators taking responsibility to say, “We have spotted something and are doing something about it”? It is pulling the two things together.

Chi Onwurah

Part of the challenge is that the operators do not know themselves and, as we have discussed, there are no incentives for them to find out. To give an example, Virgin Media took over from NTL, which I think took over from the 13 different cable providers in the franchises of the ’80s, and the BT mobile network was bought partially from EE—so there are takeovers and acquisitions, and partners may not know, and do not necessarily have an incentive to find out unless we put in a requirement.

Mr Jones

My hon. Friend makes the point precisely: the way in which telecoms have developed in this country has been piecemeal, only developing now into the four main operators. I hope we will try to get others into the market.

We are to blame for that, as consumers, because we have demanded ever lower prices for our mobile services. Does that suggest that the operators have taken shortcuts? No, I am not suggesting that, but consumer preferences have driven down price, and therefore the costs of what those operators provide in delivering the services that we all take for granted. Let us be honest: the Chinese saw the opening door for Huawei—that is why they bought into and flooded the market, putting Government loans behind it. Can we blame the operators for saying, “Well, actually, this is a good deal—we can get good deals”? But they cannot.

I am interested to know from the Minister how, looking forward, we are going to do that. I accept that something will be done under the regulations that the Government will put out, but how will we look backwards as well? As my hon. Friend the Member for Newcastle upon Tyne Central said, there is a lot of legacy equipment there, and it is important for Ofcom to have a clear understanding of what is in the networks.

The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)

It is a pleasure to serve under your chairmanship, Mr McCabe.

We are redefining UK telecoms security, but I worry that we are also redefining the aspiration of the hon. Member for Newcastle upon Tyne Central to crack on, so I will try to be brief. The good news that I can deliver, briefly, is how the aspirations of both the hon. Lady and the right hon. Member for North Durham are met in the legislation, and how we envisage those aspirations’ being implemented.

As the Committee is aware, the Government have published an early draft of the security regulations. Certain draft requirements are relevant to the aims that we have talked about today. If hon. Members look at regulation 3(3)(a), with which they will be familiar if they are insomniacs, they will see a duty for network providers

“to identify, record and reduce the risks of security compromises to which the entire network and each particular function… of the network may be exposed”.

That is already there and key to the issues that hon. Members have been talking about.

Chi Onwurah

I had looked at those requirements. I appreciate that they are drafts, but they talk about identifying issues. They do not say “audit”.

Matt Warman

I think this would be impossible to identify without carrying out some kind of audit. There is a danger of a semantic argument, but I understand the point the hon. Lady is making. We want people to be in the position to make the kind of identifications that we are requiring. I do not see how they could do that without the records to which she refers, in terms of both the existing kit and future kit that they might put into their network.

Christian Matheson (City of Chester) (Lab)

This is an important point. The criticism that I will articulate later is that too much of the Bill is based on an assumption that the players in the sector will automatically do the right thing. For example, there is an assumption of a dialogue between Ofcom and the major players. Will the Minister think about whether he is satisfied that an assumption goes far enough in something as important as this?

Matt Warman

The regulation that I cited is an example of the Government not relying on assumptions. It is an example of us publishing, in advance, exactly the sort of material that demonstrates that this is not assumptions, and that it is there in black and white. That is an important distinction and it demonstrates the cross-party consensus that we have had thus far. We continue to be on the same page in terms of the level of detail required.

The evidence sessions with industry demonstrated that national providers already maintain some asset registers. Witnesses were clear that those registers are maintained and updated as technologies are updated. That is an important part of the existing landscape, but our regulations will ensure this kind of best practice is extended across public telecoms providers.

In addition, the Bill contains measures with regard to the use of particular vendors’ equipment. Inspection notices under clause 19 enable Ofcom to carry out surveys of a specific network or service where Ofcom receives a monitoring direction from the Secretary of State to gather information on a provider’s compliance with a designated vendor direction. Alongside that, clause 23 enables the Secretary of State to require the provision of information about the use of goods, services or facilities supplied, provided or made available by a particular person. That could be used to require information about a provider’s use of a particular vendor’s equipment.

Taken together, the issues that have been raised are not only entirely legitimate, in the view of the Government, but are addressed in black and white already, both in the Bill itself and in the drafts that we have published. We are ensuring that “hardware of interest,” whatever that might be, is subject to proper oversight and monitoring. That objective does not need the approach that might come as a consequence of this amendment, because it is already there. For that reason, I welcome the probing nature of the amendment. I hope that my answer has satisfied some of the concerns, and I look forward to doing so further in future answers.

Chi Onwurah

It is a pleasure to serve under your chairmanship, Mr McCabe, and I thank the Minister for his comments. I also thank my right hon. Friend the Member for North Durham and my hon. Friend the Member for City of Chester for their comments. This amendment is probing, so we will not push it to a Division. I would like to say two things to the Minister. Although it is true that the providers were confident that they had an asset anywhere their equipment was, other experts who gave testimony in the evidence sessions were not. My experience of networks is that there are multiple systems and this information is not easily accessible or searchable.

I am reassured by the Minister saying that his view is that these requirements could not be met without there having been some kind of audit, to have that information ready. I ask him to write to me, if possible, stating which provisions in the requirements set that out. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Question proposed, That the clause stand part of the Bill.

Matt Warman

It is good to reach this landmark point. I do not propose to go over all the ground we have covered, because we have already covered a large chunk of this in discussing the amendments.

As I mentioned, proposed new section 105A means that telecoms providers will need to take appropriate action to ensure adequate security standards and limit the damage caused by any breaches. To support that duty, the proposed new section will create a new definition of “security compromise”. The definition is purposely broad. It includes anything that compromises the availability, performance or functionality of a network or service, or that compromises the confidentiality of the signals conveyed by it. That addresses some of the points made by the right hon. Member for North Durham a moment ago. This is a comprehensive approach that will help to ensure providers protect their networks and services properly in the future.

Earlier, I mentioned law enforcement and national security. This part of the Bill excludes certain conduct that is required or authorised under national security legislation or for law enforcement from the definition of “security compromise” in subsections (3) and (4). Those subsections also clarify the fact that, for example, disruption of the use of unauthorised mobile phones in prisons would not be a security compromise.

Proposed new section 105B will give powers to the Secretary of State to make regulations imposing duties to take specific security measures. The power will enable more detailed requirements to be imposed on providers, further to the overarching duty set out in proposed new section 105A(1). This will give greater clarity to providers about the measures that they must take. It will also allow the legal framework to be adapted as new threats arise and technology changes.

These security requirements deliver on our commitment in the telecoms supply chain review to place targeted, actionable and proportionate requirements on a statutory footing. Taken together, the new overarching security duty and requirements will, in secondary legislation, make clear what the Government expect of public telecoms providers. The provisions in the clause are crucial for improving the security of our telecoms infrastructure.

Chi Onwurah

As the Minister says, reaching the end of consideration of clause 1 is a landmark. We are cracking on at a slower pace than anticipated, but it is important that we have rehearsed a number of the arguments that you will hear, Mr McCabe, throughout our detailed scrutiny of the Bill.

Those arguments relate to our concerns with regard to national security, which Labour prioritises, yet we do not see that priority recognised consistently in the Bill; the effective plan to diversify supply chains on which it depends, but which it does not mention; and the scrutiny of the sweeping powers that the Bill will give to the Secretary of State and Ofcom. Those issues all arise in the clause, although we welcome the Bill and the increased duties. Will the Minister clarify the relationship between proposed new section 105A and proposed new section 105B? If he cannot do so now, perhaps he will write to me.

On the specific duties that the Secretary of State will have the power to require, are they considered updates to the powers in proposed new section 105A—the general duties for all providers—or will they be specific to a certain network provider, and perhaps to a change in its security situation? I do not quite understand why the Secretary of State will have the power to make regulations for specified security measures when he already has the power to require providers to take steps to identify and reduce the risks of security compromises, and there will already be the telecoms security requirements set out in a framework, as he has published in draft.

The Minister looks slightly puzzled, so perhaps he does not see the point that I am making. I am trying to understand what the specific security measures might be. Presumably, they will not already be in the telecoms security requirements, which will have been published, so are they specific to the provider or to some issue that arises—a Russian attack or a SolarWinds attack—or are they simply there as a backstop, in which case why would not the telecoms security requirement be updated regularly, as I think he said it would be, to deal with and address that?

Notwithstanding that outstanding question, we are happy to support the clause.

Matt Warman

I am happy to write to the hon. Lady on the matter she has discussed. We anticipate draft directions in due course that will be network specific, because each network is different, but the overall tenor will be in the same direction. This is probably a matter that we can talk about outside the Committee in a bit more detail to make sure she gets the answers she wants.

Question put and agreed to.

Clause 1 accordingly ordered to stand part of the Bill.

Clause 2

Duty to take measures in response to security compromises

Question proposed, That the clause stand part of the Bill.

Matt Warman

We are one thirtieth of the way there. The clause will place a duty on providers to take measures in response to security compromises through proposed new section 105C. When managing security, providers should seek to reduce the risk of security compromises occurring under their duty in proposed new section 105A. As security threats and attacks evolve, it will never be possible for providers to reduce that risk to zero. Therefore, should a security compromise occur, it is crucial that providers take swift and effective action to mitigate its effects. Taking action quickly will also help to mitigate the risk of any further incidents.

Mirroring the approach taken in clause 1, the new duty in proposed new section 105C is overarching and sets out a general duty on providers. It is supported by proposed new section 105D, which will provide the Secretary of State with powers to make regulations requiring providers to take specific measures in response to security compromises of a description specified in regulations. Although it will clearly not be possible to anticipate every security compromise that might occur and to set out how providers should respond, this will enable more detailed provision to be made in appropriate cases. Measures can be specified in the regulations only where the Secretary of State considers those measures appropriate and proportionate.

In practice, the first set of requirements will be contained in a single set of regulations made under the powers of proposed new sections 105B and 105D. A draft of the regulations has already been made available to members of the Committee, and published on gov.uk. Regulations made using this power will give providers clarity about the measures that they need to take, and having those measures set out in secondary legislation has the benefit of allowing the regulations to be reviewed as technology and security threats change over time.

In summary, this duty on providers is an integral part of the new framework, which will ensure providers take control of the security of their networks and services at a time when the UK stands on the cusp of a 5G and full fibre revolution. We must keep those technologies secure to enjoy their full benefit, and the clause is essential to doing that.

Chi Onwurah

We are cracking on: clause 2 is taking but a few minutes. The Opposition recognise the critical importance of our network providers taking responsibility for the security of their networks, and that there can never be a zero-risk network. Given that network communications are ever present in almost every aspect of our life and of our nation’s economy and security, it is right and appropriate that the Bill should put requirements in place, both on the operators and in response to specific security compromises.

I should like to have better understood how we would expect network operators to respond to a compromise such as the SolarWinds one, for example, but I expect that the clause will at least place the right duties on network operators, and I am content that it should stand part of the Bill.

Question put and agreed to.

Clause 2 accordingly ordered to stand part of the Bill.

This must be down to that productivity seminar they sent me on. Still, nothing lasts forever.

Clause 3

Codes of practice about security measures etc

Mr Kevan Jones

I beg to move amendment 6, in clause 3, page 5, line 4, at end insert—

“(ia) the National Cyber Security Centre;”

This amendment would require the Secretary of State to consult the National Cyber Security Centre on any draft code of practice about security measures under new section 105E.

With this it will be convenient to discuss the following:

Amendment 10, in clause 3, page 5, line 8, at end insert—

“(iiia) the National Cyber Security Centre;”

This amendment requires the Secretary of State to consult the National Cyber Security Centre before issuing a code of practice about security measures.

Amendment 5, in clause 4, page 7, line 41, after “OFCOM”, insert—

“and the National Cyber Security Centre”.

This amendment would require providers to inform the National Cyber Security Centre, as well as OFCOM, of any security compromise.

Mr Jones

We are romping through the Bill, aren’t we? Two clauses in less than 15 minutes.

Again, these amendments are probing. I might sound like a broken record, but my aim with them is to ensure that national security and those who deal with national security decision making are at the centre of the decisions that are taken. Amendment 6 would require the Secretary of State to

“consult the National Cyber Security Centre on any draft code of practice about security measures under new section 105E.”

The Minister will say, “Well, it is self-evident that they will do that,” but going back to my Robin Day analogy from this morning, legislation needs to survive him, me and everyone else. The guidance will change over time, and we have to ensure that whoever is sitting in the Minister’s seat in 10 years’ time—hopefully, it will not be the current Minister, not for any unfair reason, but because he has gone on to higher and better things—the onus is on the Secretary of State to consult. Having that on the face of the Bill, or at least some discussion about it, would reinforce that, because the Secretary of State will move on, and there will be new civil servants, who might not have as clear an indication as the Minister will give today, or perhaps a Minister who thinks that this is the key part.

It might be a bit anorak-ish, but the problem with the national security world, which I inhabit occasionally, is that people can see everything through the national security prism—although I am not sure that that is the case for everyone. It will be important to ensure that the individuals at the National Cyber Security Centre have a real input, and not just to say that they will be consulted. The NCSC, which was introduced at the tail end of the coalition Government, is the only positive thing I can think of that that Government did. We now have a world-beating centre that protects our national security and also does a very strange thing: it looks to the secret world, but also looks outwards, engaging with the industry and individual citizens, too.

That is now being replicated around the world. I chair the science and technology committee of the NATO Parliamentary Assembly. On our visit to the UK the year before last, we visited the centre, and most of my parliamentary colleagues from across the world, including the US, were quite impressed with how it balanced complete secrecy about things that need to be kept secret and having that outward-looking approach. I am really just trying to see how we can ensure that going forward.

Amendment 5 seeks to ensure that the NCSC, as well as Ofcom, is informed of compromises and breaches. I am sure the Minister will tell me that Ofcom and the NCSC have such a symbiotic relationship that that information will automatically be transferred, but again we are assuming a lot about what will be done. It is important that this Committee at least discusses how we ensure that that continues. I will come to Ofcom personnel, but various comments have been made. I asked the head of Ofcom about Ofcom’s expertise in dealing with these issues, and this comes back to the point I made to that witness. This is about mindset. Whether we like it or not, people in the security world think differently from the rest of us in how they approach things. Ofcom will have a learning curve, not only in recruiting the individuals with the capability to do this work, but in ensuring the culture to react to these issues. My two amendments seek to ensure not only that national security is at the heart of the Bill, but that practitioners have a clear focus on national security risk.

Chi Onwurah

I rise to support my right hon. Friend’s excellent comments and to add a couple of points on amendment 10, which would require the Secretary of State to consult the National Cyber Security Centre before issuing a code of practice about security matters. My right hon. Friend spoke ably about the amendment’s intent to ensure security input on national security measures. That sounds basic, so I hope the Minister will explain why he feels it is unnecessary to make that explicit in the Bill. My right hon. Friend suggested that perhaps it should go without saying, but as we heard in the evidence sessions and have already discussed, the evolving security landscape and the change that the Bill represents, through the new powers for the Secretary of State and Ofcom, make it particularly important to set that out expressly.

The Bill looks at many issues to ensure the security of our networks from supply chains to requirements on network providers as well as raising technical issues, and Ofcom will need to do a lot specifically, so it is important to have a specific reference to the security function of the National Cyber Security Centre.

It came across clearly in the evidence sessions that Ofcom will not be making national security judgments. Lindsey Fussell said:

“It is important to say that, across the scope of the whole Bill, it is not Ofcom’s role to make national security judgments. That is really important. Clearly, that is the Government’s and the Secretary of State’s role, taking advice from the NCSC and the intelligence agencies.”—[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 89, Q113.]

In introducing the code of practice, it is essential to ensure that security input and expertise. I do not see why the Minister would object to including such a requirement in the Bill. Unfortunately, we are not always as joined up as we would like to be. There are numerous examples of issues that could have been prevented, had agencies of Government done what might have been expected of them and talked to each other. As the Bill involves network operations and deep technical and security issues, a requirement to consult the NCSC is particularly important, and that is what the amendment would achieve.

Matt Warman

I apologise in advance, having said that we should crack on, for detaining the Committee for a few minutes on this group of amendments. They relate to clauses 3 and 4, which deal with the codes of practice for security measures and informing others of security compromises. Ultimately, the new telecoms framework comprises three layers. There are strengthened overarching security duties set out in the Bill, there are specific security requirements in secondary legislation, and there are detailed technical security measures in codes of practice. Clause 3 deals with the final layer of the new security framework. Specifically, it provides the Secretary of State with the power to issue and revise the codes of practice and sets out the legal effects of any published codes of practice.

Clause 4 addresses what would happen should there be a security compromise. It puts in place a process for users to be informed of significant risks of a security compromise. The clause also places a duty on public telecoms providers to inform Ofcom of any security compromises with significant impacts, and it creates the power for Ofcom to inform other persons in turn, including users.

I turn now to amendment 5, which seeks to ensure that the NCSC is also informed of security compromises. From a drafting point of view, the NCSC is part of GCHQ, and I take the amendment to refer to GCHQ in that sense. Within the new telecoms framework, the Department for Digital, Culture, Media, and Sport will set the policy direction, Ofcom will regulate and the NCSC will provide technical and security advice. As the UK is a world-leading national authority on cyber-security, we expect the NCSC to share its expertise with Ofcom in order to support the implementation of a new telecoms security framework.

For that reason, the Government absolutely agree that it is crucial that the NCSC receives information about telecoms providers’ security. That is why such information-sharing provisions already exist. Under section 19 of the Counter-Terrorism Act 2008, Ofcom or the Secretary of State is able to share with the NCSC any information that would support the NCSC in carrying out its functions. That would of course include the passing on of details of security incidents. Under new section 105L of the Communications Act 2003, which this Bill inserts, Ofcom must report all serious security incidents to the Secretary of State and can pass on information about less serious incidents as well. On receiving such information, the Secretary of State can then share the information with the NCSC, as I have set out. Although these probing amendments are well-intentioned, it is obvious that the provisions are already there.

Chi Onwurah

I thank the Minister for his response to the amendments. He is focusing on the fact that it is possible for information to be shared, but it is not required. I understand that the Bill as drafted, and preceding best practice, means that it is possible for information to be shared. My concern is that it is not required.

Matt Warman

I understand the hon. Lady’s point, and I will come to something that I think will address it in a moment. Before I do, I will speak to amendments 6 and 10, as they would be functionally identical amendments to new section 105F in clause 3.

New section 105F sets out the process for issuing a code of practice. It requires a statutory consultation on a draft code of practice with the providers to whom the code would apply, Ofcom and such other persons as the Secretary of State considers appropriate. The amendments would apply an additional requirement to formally consult the NCSC when publishing a draft code of practice. I can reassure the Committee that we will continue to work closely with technical experts at the NCSC, as we have done over a number of years.

The telecoms supply chain review demonstrated the Department’s capability to work with our intelligence and security experts to produce sound recommendations, backed by the extensive and detailed security analysis that I know Members of all parties would like to see. That initiated the next phase of the collaborative work that culminated in the introduction of the Bill, and the codes of practice continue that theme. The purpose of such codes is to provide technical security guidance on the detailed measures that certain public telecoms providers should take to meet their legal obligations.

We have already been clear that NCSC guidance will form the basis of an initial DCMS-issued code of practice. The NCSC has already developed a set of technical measures that is in the process of being tested with the industry, and those technical measures have been refined and improved over the last two years. The NCSC will continue to update the measures to reflect any changes in the landscape of threats, as the right hon. Member for North Durham described, and the relationship between the work of the DCMS and that of the NCSC means that such changes would be reflected in the code of practice. Alongside the DCMS and Ofcom, the NCSC will play a key role in advising public telecoms providers on how to implement detailed codes of practice.

Mr Jones

I agree with the Minister, in the sense that I think he and the Secretary of State at the DCMS are committed to there being very close working, but as I said, he ain’t gonna last forever. An issue will come up—in fact, it came up last night on the National Security and Investment Bill—when operators and others say, “Actually, from a commercial point of view, this is more paramount,” or, “This is what we should be doing.” The Secretary of State will come under a lot of pressure to perhaps look at prosperity issues rather than security issues. I just wonder whether, without the relevant provision in this Bill, a future Secretary of State could say, “Well, I’m going to ignore that issue, because I want to pander to”—well, not pander to—“accept the commercial and prosperity arguments.”

Matt Warman

The right hon. Gentleman keeps going on about ministerial impermanence, but I will not take it personally.

Mr Jones

I talked about promotion.

Matt Warman

Too kind! The key part to this is that, obviously, Ofcom remains an independent regulator and will be working closely with others. The right hon. Gentleman makes a fair point about the inevitable balance between national security and a whole host of other issues, but ultimately that independence is absolutely essential. In the light of our long-standing and established working relationships across the DCMS, NCSC and Ofcom, it seems reasonable to say that there is a track record demonstrating what he has asked for. But given the Committee’s interest in the role of the NCSC in this regime, I will just make one last point. Its role is not explicitly described in the Bill, as the NCSC already has a statutory remit, as part of GCHQ, to provide technical security advice and to receive information on telecoms security for the purpose of exercising that function.

The NCSC and Ofcom will very soon publish a statement setting out how they will work together. I think that addresses some of what the hon. Member for Newcastle upon Tyne Central mentioned; I believe she has some familiarity with Ofcom. I think it is right, because they are independent, that that statement comes from them, as well as the Government expressing a view on this. The statement will include information on their respective roles and their approach to sharing information on telecoms security, and it should provide greater clarity, which hon. Members are entirely legitimately asking for, about the NCSC’s role, including how it will support Ofcom’s monitoring, assessment and enforcement of the new security framework.

I hope that the sorts of matters that I have talked about provide the kind of reassurance that Members have asked for.

Mr Jones

A statement is a welcome step forward, but—the Minister can write to me on this; he need not respond to me today—what is its legal weight? Again, I am not wanting to consider the Minister’s demise, but I would like to know that future Secretaries of State and Ministers will use it as the template and will not be able to say, “Well, we are going to ignore that statement.” That would be very welcome, because it would bind the two organisations together, which is important, and ensure that the security aspects were taken into consideration, but will the Minister just write to me, saying what weight the statement would have? I have to say that I sympathise; I do not like Christmas tree Bills that start having things added on. If it could be done in a complete way, I would be quite happy with that. The only thing that I want to know is, basically, what its status will be in future. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Question proposed, That the clause stand part of the Bill.

Matt Warman

The Committee has already heard me talk about some of this, but I think it important to provide a little more detail. The code of practice, which we have discussed, is a fundamental building block of the regime and will contain more specific information on how telecoms providers can meet their legal duties. It will provide guidance on how, and to what timescale, certain public telecoms providers should comply with their legal obligations, and will be based on technical analysis by the NCSC. Individual measures will therefore reflect the best protections against the most pressing threats to network security. The code will, for example, set out the detailed technical measures that should be taken to segregate and control access to the areas of networks that process and manage customers’ data.

We recognise of course that different companies have different ways of setting up and running their networks, and because our telecoms market is dynamic and competitive, providers range in scale from multinational giants such as Vodafone down to innovative local start-ups. We want therefore to ensure that the code of practice is proportionate, and that public telecoms providers take appropriate security measures.

I will touch as briefly as I can on how we intend to achieve that proportionality through a tiered system. Tier 1 will contain the largest national-scale public telecoms providers. Should any of those providers have a significant security incident, it could bring down services to people and business across the UK. Those operators will have the greatest level of oversight and monitoring from Ofcom. Tier 2 will contain medium-sized public telecoms providers. Those providers may not be as large, but in many cases they are critical to regions and to business connectivity. They are expected to have more time to implement the security measures set out in the code of practice.

Tier 3 will contain the smallest public telecoms providers, including small businesses and micro-enterprises, which, of course, must also comply with the law. They are not anticipated to be subject to the measures in the code of practice, but will need to comply with their legal duties as set out in new sections 105A and 105C, and in any regulations. Our expectation is that Ofcom would regulate those providers more reactively.

New section 105F describes the process for issuing a code of practice. When the Government publish a draft code of practice, we will consult with industry, Ofcom and any other appropriate persons. Specifically, publishing the first code of practice will include consulting on the thresholds of each of the tiers that I have described and on the timings for their implementation. Following the consultation period, and once the code is finalised, it will be published and a copy will be laid before Parliament.

New section 105G gives the Secretary of State the power to withdraw a code of practice. Again, that will follow consultation with industry and Ofcom. A notice of withdrawal will be laid before Parliament. The legal effects of the code of practice are described in new section 105H. To be clear, the code of practice is guidance only; it is an important tool that operators should use to comply with their legal duties.

Mr Jones

Is the Minister saying that the code of practice is the standard that providers are expected to meet? Is it the legal bare minimum or do we expect them to do more than what is set out in the code of practice? What is the direction of travel?

Matt Warman

The legislation places a duty on providers. Meeting the strictures of the code of practice would be the way of demonstrating that they were meeting that duty as an initial step, but of course, we see individual companies making decisions, for a host of reasons, to exceed codes of practice in every area of regulated life, and I would expect that to continue in the area in question as well.

Where relevant, provisions in a code could be taken into account in legal proceedings before courts or tribunals, which I think gives some sense of their status. That would include any appeals against Ofcom’s regulatory decisions heard by the Competition Appeal Tribunal. Ofcom will take account of the code of practice when carrying out its functions as required in new section 105H(3) in relation to telecoms security, as I have just described.

Under new section 105I, if Ofcom has reasonable grounds for suspecting that a telecoms provider is failing, or has failed, to act in accordance with a code, it can ask public telecoms providers to explain either how they meet the code of practice or, if they do not meet it, why. For example, if the network set-up of a particular telecoms provider meant that it could achieve a level of security equivalent to that in the code by other means, it could explain that in its statement responding to Ofcom. In such a case Ofcom might be satisfied that the provider was complying with its security details, but hon. Members will see that we are again trying to ensure a proportionate approach to the relevant part of the framework.

We believe that the code of practice will provide an appropriately flexible framework, which will be able to change as new security threats evolve, providing clarity for telecoms operators on what is required of them by this new telecoms security framework.

Chi Onwurah

I will not detain the Committee very long either, as we agree about the importance of codes of practice. I will not say that I am entirely reassured to hear of the statement being issued by Ofcom and the NCSC on how they will work together, but I certainly think that it is a positive development, and I hope we will be able to see it before the Bill progresses to the House.

On the codes of practice, as my right hon. Friend the Member for North Durham set out, it is important that the sector should understand the standard to which it will be held. I have some concerns about the tiering system, because, as was made clear by a number of witnesses during the evidence sittings, all networks are joined up and we are only as secure as the weakest link. At the same time, it is important to have a proportional burden on new entrants as we indeed hope to diversify the supply chain.

I understand, although perhaps the Minister can clarify the point, that the codes of practice will not refer to the diversification of the supply chain, despite the fact that having a secure network—we shall debate this in more detail—is dependent on having a diverse supply chain. I have made the point a number of times, and will make it repeatedly, that the lack of linkage between the diversification strategy, implementation and the security of our networks is an ongoing cause for concern. However, having made those comments, I do not object to the clause.

Question put and agreed to.

Clause 3 accordingly ordered to stand part of the Bill.

Clause 4

Informing others of security compromises

Question proposed, That the clause stand part of the Bill.

Matt Warman

As with clause 3, I have already spoken to clause 4, addressing an amendment on this issue. It will be crucial that we ensure that the Government, Ofcom, public telecoms providers and their customers have the information that they need to understand when security compromises have occurred, and then use the knowledge to prevent compromises in the future. New section 105J requires that providers inform their users of significant risks of security compromises and actions that they can take to avoid or mitigate any adverse consequences.

We want to ensure that this is done in a transparent and open way, so the clause specifies that telecoms users should be notified in clear and plain language, and given a named contact they can get in touch with if they have any further questions. Giving users that information will help to ensure that, where possible, they can take swift action to protect themselves and raise broader awareness.

New section 105K requires security compromises to be reported to Ofcom. That information will provide Ofcom with insight into the security of individual telecoms providers and security risks across the landscape, enabling us to target its regulatory action more effectively. The Bill also requires that providers report pre-positioning attacks on the network. These are attacks that do not affect the network or service at the time but allow access that could result in further security compromises. These attacks pose real risks but too often remain invisible to a regulator.

Finally, under new section 105L, Ofcom is required to share information about serious security compromises with the Government. It may also share information on less serious compromises if, for example, it would help the Government with developing telecoms policy and future regulation.

The clause explains how Ofcom can share information about security compromise with other groups and organisations, and the Bill allows information sharing at Ofcom’s discretion with overseas regulators, other providers, telecoms users and, where appropriate, the wider public. It allows Ofcom to advise network and service users of the measures that they should take to prevent, remedy or mitigate the effects of the security compromises, to direct providers to give such advice themselves.

The clause ensures that the regulator has access to the information that it needs, and will help to ensure that the entire industry is aware of new and evolving risks and can respond accordingly—be that a customer changing their password or an operator tightening its defences against a new attacker.

Matt Warman

I will pretend I have not finished, and give way to the hon. Lady.

Chi Onwurah

I thank the Minister, as always, for graciously giving way. I will make this point later, but I want to give the Minister the opportunity to consider how the requirement for Ofcom to notify users might work with the Information Commissioner’s requirement on data controllers to also notify users when there is a data hack.

Matt Warman

Obviously, there could be an overlap in those notification requirements, but our expectation would not be that anyone would receive multiple notifications. That is why there is an emphasis on the nature of communications being clear and obvious to laypeople.

Mr Jones

Speaking gives me an opportunity to take my face mask off. I will make a few points about clause 4, which is broadly welcome because it clarifies for operators what their responsibilities are, not just from a national security point of view but from a consumer point of view. I think there is an issue, though, which my hon. Friend the Member for Newcastle upon Tyne Central raised.

Again, I do not want the Minister to respond now, but I think the crossover with the Information Commissioner might be one area that we need some clarity on. Is there an example of this? Yes—the TalkTalk case. People might look at this Bill and think national security is about the Russians or the Chinese hacking, but that was a criminal act that led to a lot of people’s data being compromised. From a constituency point of view, as any Member of the House at that time will know, trying to get TalkTalk to do anything about that, in terms of the losses that people incurred, was virtually impossible. That is why these clauses are so important.

Chi Onwurah

Is my right hon. Friend aware that the hack used by the young person had been around for longer than that young person had been alive? That is an indication of the low level of security TalkTalk had in their network; they had not been able to address a known hack that had existed for at least 16 years. The Bill aims, in part, to address that and the consequences of that lack of security for our constituents.

Mr Jones

My hon. Friend is correct. A lot of the debate has been about hardware, but the biggest threat to our national security, in terms of telecoms, is from hacking and cyber-attacks. The changing nature of the threat is interesting. There are state actors and there is organised crime, acting on behalf of states, but there is also, as referred to by my hon. Friend, some poor teenager who thought it was a good idea. The TalkTalk case showed the emphasis they put on the security of their network. Not just clause 4, but the whole Bill, puts the onus on the operators, which is why it is so welcome. Never again could they be accused of not knowing their responsibilities.

New section 105J requires providers to take “reasonable” steps to inform users about the risk, the nature of the security compromise, the steps the user could take in response, and the name and details of the person to contact. That is fine, but how to respond might be a matter for Ofcom. That is important, because people might then quickly take steps to stop compromises to their security.

The Bill lays out penalties for telecoms operators, but what about the consumer and people who have lost money because of data breaches? Do I assume that the Bill does not change that? It beefs it up, but I assume that any mitigation or compensation that should be paid to individuals who have been compromised would be an issue for Ofcom. When we had the TalkTalk compromise, getting TalkTalk to do anything was like trying to get blood out of a stone. That is important from the point of view of consumers.

It is important that the Secretary of State is informed, but how will that be done? I presume GCHQ and others would do that. Would that lead to lessons learned or to a notice being given to other operators that that has happened? Would that be done by Ofcom, the National Cyber Security Centre or GCHQ, or would it be a combination of all of them? It comes back to the point made by my hon. Friend the Member for Newcastle upon Tyne Central: this is a risk and this clause puts the onus initially with the operators, where it should be.

Chi Onwurah

We are cracking on at such a pace that I lost my place somewhat. I had forgotten that we are now discussing clause 4. My apologies, Mr McCabe.

My right hon. Friend the Member for North Durham has already addressed some of the points that I wanted to make, but let me say that we welcome the duty being placed on providers to report security incidents. I have long campaigned, in relation to cases such as the TalkTalk incident, to make that duty clearer and more comprehensive regarding the information that needs to be shared with users and those who are affected, and for them to have some kind of right of redress, which is effectively part of the Bill.

I welcome the requirement in clause 4 to inform others of security compromises, but will the Minister provide more clarity? There is some indication of the range of actors that the providers and Ofcom must inform, but I do not feel that there is an understanding of the level of information that will be shared with different actors. For example, if the public are to be informed of a security breach, compared with the requirement from the Information Commissioner’s Office, which, as I said, actually goes far enough, what level of information might be shared with other actors, such as other networks? My right hon. Friend talked about who else might be informed. It is also clear that the sharing of information will probably need to evolve over time, as the nature of compromises and their potential reach changes. I wonder how these requirements might be adapted to reflect that.

I will just say a little about the sharing of information with overseas regulators. If that is clearly set out in the Bill, I am unable to find it. Presumably, such data sharing will still have to conform with the requirements of our data protection legislation. Will it also reflect international data-sharing gateways for criminal prosecution purposes?

Those are just some general comments. We welcome the clause.

Matt Warman

I will reply briefly. On the point about compensation, essentially new section 105W of the Communications Act 2003, which is inserted by clause 8, covers the civil liability point, which I think opens the door that the right hon. Member for North Durham seeks to open. Then there are the notifications to industry of what is essentially best practice and recent threats. Of course, as he implied, there is a balance to be struck with the existing work of all those involved, but ultimately it would feed into the codes of practice, so there is both an informal and a formal mechanism, if I can put it like that.

On the hon. Lady’s final point about the international sharing of information, it would depend on the nature of the information, as she implied. Some of it would pertain to national security, and some of it would pertain to the kind of criminality that she has spoken about, where there are existing provisions as well. In that sense, of course, it is all covered by our own data protection regime, which has the sorts of carve-outs I have just described but operates in that holistic framework.

Mr Jones

Will the Minister write to us on the issue of data and the link to the Information Commissioner?

Matt Warman

I am not sure I fully understand the right hon. Gentleman’s point.

Mr Jones

I raised the point, as did my hon. Friend the Member for Newcastle upon Tyne Central, that we are asking operators to inform individuals about data compromises. That is welcome, but as my hon. Friend said, there might also be a breach of the Information Commissioner’s regulations, and we just wanted to get some idea of how the two would mesh together. I do not expect the Minister to know now, but could he write to us to say how the two would interact?

Matt Warman

As I said in response to the hon. Lady, there is obviously a potential overlap. The focus of this Bill is on clarity of communication to the consumer, but I am very happy to write to the right hon. Gentleman or the Committee with further details of that potential overlap.

Chi Onwurah

The Minister is being incredibly generous with his time. To clarify what we are hoping to receive, as he has indicated, we would not want the ICO to be sending out notifications to 2 million people who had been affected by a hack, and Ofcom to be doing that as well. We would expect there to be co-ordination in that regard, and we would just like to see that set out.

Matt Warman

I am very happy to do so. I think it is obvious that clarity of communication would be incompatible with duplication.

Question put and agreed to.

Clause 4 accordingly ordered to stand part of the Bill.

Clause 5

General duty of OFCOM to ensure compliance with security duties

Christian Matheson

I beg to move amendment 11, in clause 5, page 9, line 41, at end insert—

“(2) Providers of public electronic communications networks and public electronic communications services must notify Ofcom of any planned or actual changes to their network or service which might compromise their ability to comply with the duties imposed on them by or under sections 105A to 105D, 105J and 105K.”

This amendment would require providers of public electronic communications networks or services to notify Ofcom of any changes to their network or service which might compromise their ability to comply with their security duties.

It is a great pleasure to serve under your chairmanship, Mr McCabe. Since this is my first substantive contribution to the Committee, I pay tribute to the Front Benchers. It is nice to have a Minister who, I believe, was formerly a tech journalist specialising in telecoms, and who knows the subject well. Of course, the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, was a telecoms engineer and an Ofcom regulator for many years, and I pay tribute to her and her staff. The Committee should know that in addition to running this Bill Committee from the Opposition’s side, she has also been working in the main Chamber this week on the National Security and Infrastructure Bill Committee. Juggling two Bills at once is no mean feat.

I have also greatly enjoyed the interplay between my right hon. Friend the Member for North Durham and the hon. and gallant Member for Bracknell, both of whom have considerable national security experience. I was intrigued by my right hon. Friend’s estimation of the hon. and gallant Gentleman’s intervention as Schrödinger’s intervention—one that managed to be simultaneously right and wrong. He has set a new standard there.

From listening to the debates on previous clauses, it is clear that a common thread passes through the Bill, which we in the Opposition have been hoping to link up. Partly, it is to do with the question we raised earlier about the assumption that everybody understands exactly what the intention in the Bill is, and that everything will be all right in the long term. My right hon. Friend the Member for North Durham has talked about the importance of making things as clear as possible when it comes to responsibilities, because a future Minister might not be as adept in this subject as the hon. Member for Boston and Skegness, who currently occupies that position. In a sense, that is the heart of amendment 11.

Clause 5 asserts a general duty on Ofcom to assure compliance with security details. Much of the detail required under this clause is specified in the next one, clause 6. Obviously, we welcome the clause, which lies at the heart of the purpose of the Bill and underpins the powers and responsibilities given to the regulator. The amendment shares some responsibility with the network providers, which must surely also have a duty to maintain a running assessment of security—something that I am sure that they must try to do already, but which still requires scrutiny. The historical context is clear because, as my hon. Friend the shadow Minister and my right hon. Friend the Member for North Durham have talked about, BT sold off a chunk of its network to Huawei and did not formally inform the regulator or the Government of its intention to do so until a couple of years after the event.

In the evidence sessions, we heard varying views on the ability of network providers to assess their networks, equipment and software for compliance with the proposals before the Committee today. All the main network operators gave confident answers regarding the integrity and reliability of their asset registers when it comes to equipment and presumably—but only presumably—the software that drives it. The impression was clear that, at the top level, work had already been undertaken on making an assessment of what assets would need to be replaced before the 2027 deadline, and where the operators were on that. We welcome that.

Some later witnesses, however, while not entirely contradicting that certainty, suggested that the task would not be so easy. We heard about overlapping 2G, 3G, 4G and 5G networks, with different equipment of different ages. My hon. Friend the shadow Minister gave a shocking statistic in relation to the age of the equipment that was responsible for the insecurity that led to the TalkTalk hack. I describe that overlapping network as sounding to non-experts—such as me, I hasten to add—like a bowl of spaghetti.

We therefore accept that any assessment is a complicated task, and we recognise the work that providers have undertaken and will continue to undertake to make good the security of the networks, but several problems remain. First and foremost, any audit or asset register is simply a snapshot at the moment. When national security is at stake, an accurate, up-to-date and rolling picture and assessment must be available. It is better to know in advance where problems might occur.

Any business faces commercial pressures, and although I have confidence that no British provider will ever take risks with our nation’s security, the obligations outlined in the amendment will provide clarity and certainty as to which side of the line they should fall in any situation where doubt occurs about whether they ought to discuss potential issues with Ofcom. I think my right hon. Friend the Member for North Durham was hinting at some of those pressures when in the previous clause he mentioned the TalkTalk hack and some of the commercial pressures that companies are under.

Another issue is the relationship between Ofcom and the companies that are being regulated—the network and service providers—because Ofcom is at once a regulator, necessarily with a stick in hand, and a partner agency that is hoping to support the service providers to meet their obligations. We hope that the amendment will provide a little bit of clarity in order to make that partnership more even.

The amendment encourages a rolling conversation with Ofcom, with those matters at the forefront. I assume and hope that that will be happening anyway but, as I have said already, assumption is no basis on which to proceed in legislation. The amendment therefore provides clarity on a sense of obligation. It would also help providers to address problems at the outset and to have the knowledge, as far as possible, but they are likely to be complying on security under the regulations, rather than finding themselves in a situation where they have to comply with the duty under the sections mentioned in the amendment only after the fact and only after work has been done.

Finally, clause 5 puts an obligation on Ofcom, but Ofcom cannot be blamed for not knowing something that it does not know and so failing in its duties under clause 5. The amendment, by sharing the responsibility with the network providers, would assist Ofcom in its duties of overseeing the networks and, I hope, foster more of a partnership when addressing the problems, in the interests of the nation.

We have to avoid providers doing first and telling Ofcom later, because the avoidance of problems is greatly to be preferred to enforcement action further down the line. We have to make things easy for Ofcom. The regulator is growing in scope and complexity, as my hon. Friend the shadow Minister has said, and national security responsibilities are still fairly novel for Ofcom. That load has to be shared, and the amendment provides a focus for providers to assist.

I was a little concerned by suggestions during the evidence sessions that it gets harder to verify security and compliance the further we go down the supply chain. The focus on national security has to be baked in. With a chip here or a piece of software code there which might have been carried forward from a previous or separate piece of equipment, as my right hon. Friend the Member for North Durham has said, it has to be the responsibility of the suppliers and ultimately the network providers not to make any assumptions, but to query every aspect of their asset register and propose changes to it to maintain their duty of security and compliance under sections mentioned in this amendment.

We heard expert testimony during the evidence sessions. Dr Drew said:

“On having providers be more proactively involved, I think it would make complete sense for these actors to be made to inform Ofcom, or whichever regulator is chosen, of significant changes to their supply chains.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 83, Q101.]

Andrea Donà said:

“We need a clear understanding between Ofcom and us as providers before the legislation is enforced, so that we understand exactly the boundaries and the scope, and we all work together, having done the audits, to close any vulnerabilities that we might have. That is a clear aspect of our working together: ensuring that the assets in the telecoms network infrastructure that are in scope are very well defined.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 16, Q14.]

The amendment is simple and straightforward, sharing the obligation on security and allowing for a forward-looking assessment by Ofcom and network providers to give the assurance that we need and to head off problems before they arise. It is about being forward-looking and not always being reactive. I commend it to the Committee.

Chi Onwurah

I rise simply to support the excellent speech made by my hon. Friend the Member for City of Chester. I thank him for his very kind words. In the amendment, he makes an important contribution in ensuring that Ofcom knows what it needs to know and in putting the onus more firmly on the network providers. I simply ask the Minister to respond to the points that my hon. Friend made in his concluding remarks about being forward-looking.

A challenge for us as a nation in securing our networks during such fast-paced technological change is looking backwards to the problems we have had rather than forwards to the evolving and new threats. During the evidence sessions, we were accused of fetishising 5G as if that was the only security challenge, because of the visible problem with Huawei, and that we were not looking more broadly. I admired Ofcom during my time there because it was set up to be a forward-looking regulator. To achieve that aim, when it comes to the sweeping new requirements around security that are placed on it under the Bill, it needs to be able to see what changes are happening and are likely to influence future evolving threats. To do that effectively, amendment 11 requires the network providers to notify Ofcom of planned or actual changes.

It is worth remembering that—I made this point earlier—if BT had been required to notify Ofcom or another body of changes to its network as Huawei moved to a greater and more dominant position in its network, that might have rung alarm bells more generally. We have also already mentioned the shift that we are seeing on the importance of software and software configuration and services in controlling the network. Requiring providers to notify Ofcom of planned or actual changes to the network would make that evolution more easily visible and therefore provide Ofcom with greater visibility of how all our networks are evolving and what new threats may arise as a consequence.

Matt Warman

The amendment would add to the general duty in clause 5 that places on Ofcom the duty to ensure that providers comply with their security duties. The duty as written in the Bill makes clear Ofcom’s increasing role. The duties imposed on public telecoms providers in the Bill are legally binding, so as the Bill is written providers should not be taking decisions that would prevent them from complying with those duties in the future. If they were not to comply, they would be in breach of their legal duties and liable for enforcement action, including the imposition of the significant penalties set out in the Bill.

The underlying purpose of the amendment—that Ofcom should take a proactive role in regulating the regime—is already core to what is in the Bill and the Government absolutely agree with the principle that the hon. Member for City of Chester set out. We need to ensure that Ofcom has the tools to be forward-looking so that, in a world of fast-changing technologies and threats, it can understand where operators are taking their networks and how that will affect their security. That is an absolutely essential part of the Bill.

James Sunderland

Does the Minister agree that the Bill in its current form is prescriptive enough already?

Matt Warman

I think the Bill is perfectly drafted down to every comma and punctuation mark. To be slightly more serious, what we have sought to do in the drafting is to strike the balance between proportionate regulations and the overarching requirements for national security. That is the balance that we have struck and it is exactly for that reason that we already do in the Bill what the hon. Member for City of Chester and the shadow Minister seek with the amendment.

In section 135 of the Communications Act 2003, as amended by clause 12, Ofcom is already allowed to require information from providers about the future development of networks and services that could have an impact on the security of the network or service they are providing. That would enable Ofcom, for instance, to assess the security risks arising from the deployment of a new technology or from the proposed deployment of a new technology. For those reasons, I hope that the hon. Members are reassured not just that the Bill does what they seek, but that previous drafts of the Communications Act already did so.

Chi Onwurah

I thank the Minister for giving way; in doing so, he shortens what I will say later. I think the Minister is saying that Ofcom has the power to require information, which is true, but the amendment is about providers proactively giving that information. Ofcom cannot request information about a change to the networks that it does not know is happening. I am hoping that perhaps what the Minister is implying is that he would expect Ofcom regularly to review what was changing in the networks and therefore make those requests for further information. Could he clarify that point?

Matt Warman

The sort of horizon scanning that the hon. Lady describes is core to all essential regulation, and the relationship that Ofcom has with those whom it regulates promotes the ability to have such conversations. But as I said, the key point is that an operator that proposes knowingly to introduce a risk into its network would clearly not be complying with the statutory provisions of the Bill. That is the essential nub of the issue.

Christian Matheson

I am most grateful for the debate on the amendment. My hon. Friend the shadow Minister made the key point that Ofcom cannot be blamed for not enforcing something that it does not know anything about. The amendment’s intent was to encourage a sense of shared responsibility in what my right hon. Friend the Member for North Durham reminded us is still a competitive industry in which businesses might want to maintain a level of confidentiality about technological changes or the deals they are doing with suppliers. However, if the Minister is satisfied that that is covered in other parts of the legislation, I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 5 ordered to stand part of the Bill.

Clause 6

Powers of OFCOM to assess compliance with security duties

Christian Matheson

I beg to move amendment 12, in clause 6, page 10, line 12, at end insert—

“(3) In this section “another person” means a UK government agency or a person from a UK government agency.

(4) OFCOM may not incur costs exceeding £50,000 in carrying out, or arranging for another person to carry out, an assessment under this section.”.

This amendment restricts those who Ofcom may arrange to carry out an assessment under this section to a UK government agency or person from such an agency. It also caps the cost of an individual security assessment at £50,000 for Ofcom.

The desire of the Committee is to crack on, so I will not detain us for too long. The clause, which covers more than three pages of the Bill, is extensive in outlining the powers of Ofcom to assess compliance with security duties and will amend sections of the Communications Act 2003 to that end. The Opposition’s probing amendment intends to bring clarity in two areas in particular.

The clause will insert proposed new section 105N into the Communications Act to give authority to Ofcom or “another person” to undertake an assessment of whether a network or service provider is carrying out its duties—an inspection, spot check or audit, whatever you will, Mr McCabe. That is all fine, but the appointment of “another person” is far too vague and needs clarity. Since this is a matter of national security, we believe such an authority can be vested only in an agency or arm of the UK Government. It would be wholly inappropriate to outsource it to a telecoms, IT or other consultancy in part because of the need for full co-operation from the business being audited, which must have absolute confidence to be open and transparent and, therefore, must have confidence in the inspector. Ofcom therefore cannot appoint any Tom, Dick or Harry to do the job but only someone who rides above the industry and will not give the inspected business any reason to think that its commercial confidentiality is at stake.

My hon. Friend the Member for Newcastle upon Tyne Central, with her extensive experience of the telecoms sector, has told me that it is a tight-knit industry in which everyone has worked for everyone else at some point. We got that impression from the oral evidence as a lot of the experts had worked with or knew one another. Perhaps it is an exaggeration to say that everyone has worked for everyone else, but it is illustrative of the nature of the sector, so there will be limits on who could be appointed. Does the Minister agree that the current suggestion of “another person” is too wide?

Chi Onwurah

Will my hon. Friend give way?

Chi Onwurah

The impression that I have given my hon. Friend about the telecoms sector being tight-knit is absolutely right. One concern that that brings is that there will therefore be conflicts of interest. Ofcom, as a public servant with the status of a quango, has rules and regulations for declaring interests that mean previous conflicts of interest will not weigh into its work. The concern that I have articulated to my hon. Friend in the past is that that would not apply to “other persons”, so broadly defined.

Christian Matheson

I am really grateful for that intervention—not just for the context that my hon. Friend gave, but for prompting me to think that having such a tight-knit sector, and the character of the sector, works both ways. Ofcom might appoint as an inspector to undertake one of the audits somebody who is on very good terms with the business or the provider. They will perhaps take their foot off the pedal and not do quite as thorough an investigation, because they know the business and trust them. As a result, the inspection would not be as thorough.

Mr Jones

My concern is also that the Government do not have a good track record on applying the standards that have been developed over many years to ensure proprieties in public appointments. No doubt somebody who would fit the bill for the role would be Dido Harding, who was responsible for TalkTalk and is now having huge success, as we have been told by the Prime Minister, with Test and Trace. She seems to have a common thread, but success does not seem to be part of that.

Christian Matheson

Who am I to disagree with my right hon. Friend and his years of experience? So far, we have been fairly consensual in this Committee, because we want the Bill to pass. My right hon. Friend is absolutely right: we have seen a certain level of—

Mr Jones

Chumocracy.

Christian Matheson

I was going to say cronyism, but chumocracy is a far nicer way to put it, and we have seen it in the way consultancy contracts have been dished out during the current crisis. My right hon. Friend is absolutely right to say that there can be as little scope as possible for people who are perhaps not quite as qualified as they should be to be given such jobs.

Chi Onwurah

My right hon. Friend the Member for North Durham raised the Test and Trace programme. I do not want to dwell on that, as it is not within the scope of the Bill, but it is important to understand the extent to which the programme has been used as a vehicle to privatise parts of the NHS by building up private sector skills as opposed to public sector skills. There must be some concern that the huge new powers for and requirements on Ofcom might effectively be used to privatise some of its duties.

Christian Matheson

My hon. Friend says that it is not in the scope of the Bill, but so wide is the definition of “another person” that, quite frankly, anything or anyone could be in the scope of the Bill. Again, the possibility is there, and it would not be down to the Minister. I know him—he is a friend and a man of integrity. As my right hon. Friend the Member for North Durham said, however, the next Minister to come along, in this Government, at least, might not be. Who knows? In four years’ time, we might not have that problem.

This is an important aspect of national security, so I ask the Minister for clarity. It goes to the heart of the question of accountability—where responsibilities for inspections should lie. Similarly, in the second part of the amendment, we are seeking clarity on a limit on the amount that can be spent on inspection. We certainly do not want Ofcom to be swayed into decisions about whether inspections can go ahead based solely on fears that it might rack up big costs. Nor can those costs be allowed to spiral if the first part of the amendment is not adopted and private contractors are brought in but abuse the system. I refer the Committee to the comments made by my right hon. Friend the Member for North Durham a while ago—such abuse does happen.

It is often not helpful to put a financial cost limit on the face of the Bill, if only because it can become outdated over time. To be honest with you, Mr McCabe, the truth is that the £50,000 limit specified in the amendment is arbitrary. We plucked it out of thin air to illustrate a point.

Mr Jones

I thought that was the case when I looked at it. Frankly, for anyone to do that job in telecoms for £50,000 would be very unusual.

Christian Matheson

Fortunately, we will not push the amendment to a vote, so we will not have to put that point to the test. It is an arbitrary figure and I hope the Minister will not fixate on it. It simply illustrates the point that there is a question of open-ended costs. We will not push the amendment to a vote, but we think there is a vagueness and a lack of clarity that needs addressing. I urge the Minister to consider these issues and whether Ofcom would be assisted by the greater clarity that these probing amendments would bring.

Chi Onwurah

Again, I rise mainly to support the excellent contributions made by my hon. Friend the Member for City of Chester in moving this amendment. I will raise a couple of points from my experience in this area.

As I said to my hon. Friend, having worked in telecoms for 20 years, when I joined Ofcom in 2004, I had worked with, or worked with someone who had worked with, just about every operator and network provider in the business. Those personal relationships can be helpful in ensuring quick, effective collaboration, but they can also bring about conflicts of interest. Ofcom, as a public body, has processes and procedures to address those conflicts of interest. However, the Bill makes no provision for that to be applied to whoever is “another person”.

It is also the case that, unfortunately, as a regulator, one can be subject to regulatory capture by those who are regulated. The large operators often have tens or, in some cases, hundreds of lawyers and public affairs spokespeople. However, the smaller operators, unfortunately, cannot afford to dedicate so much time and resource to engaging with the regulator. It is critical that this huge increase in new powers and work for Ofcom is carried out in the right way.

As my hon. Friend said, the £50,000 figure has not been calculated on the basis of the likely costs to Ofcom, because the impact assessment does not indicate what they could be. However, it is merely the cost of five consultants at £1,000 a day for 10 days. We know that hundreds of consultants have been hired as part of the Test and Trace programme at those sorts of prices. That likely cost is within scope of any programme that is to be carried out by bringing in large private sector organisations. I hope the Minister will reassure us that he is taking these considerations into account.

Finally—I think we will discuss this point in more detail—this is a huge additional requirement on Ofcom. In the evidence session, Ofcom said that it thought it would need to hire 50 or 60 people to address the requirements of the Bill. There is always going to be an inclination to reduce internal resources, especially if they are in short supply, such as those to do with network engineering resources and the current skill set. So it is really important that the Bill should have a better definition than it currently does of who may carry out the work.

Matt Warman

I enjoyed the semantic gymnastics by the hon. Member for City of Chester as he tried to expand the scope of the Bill, but I shall try to stick to what is in it. There is a lot of consensus across parties, so I shall resist the temptation of saying that £50,000 is a demonstration that Labour is willing to put a price on national security, which this party will never do, but I understand the points that he makes on both fronts.

The clause provides Ofcom with strengthened powers, including powers to give assessment notices to a provider, that are vital to enable it to fulfil its expanded and more active role. Assessment notices are an important new power in the regime that will give Ofcom tools to assess fully a provider’s security and the extent to which it complies with its security duties. It is Ofcom’s intention that when assessing a provider’s compliance, its first port of call would be to use its information-gathering powers under section 135 of the Communications Act 2003. Ofcom would then use its power to give an assessment notice if it wanted to check the veracity of the information or to follow up a security concern. While Ofcom will therefore use its powers in a targeted and proportionate way, it is also the case that a provider with good security practices would expect to be subject to a lighter-touch assessment. Providers’ duty to bear the costs of assessments will therefore have an incentivising effect.

The amendment would insert a new subsection into new section 105N, limiting the costs that Ofcom could incur in carrying out an assessment. Fundamentally, a hard cap of any sort will always be an arbitrary number which will potentially put an additional hurdle in place. It might be necessary for some of those tests to require genuinely extensive assessment—penetration testing, or red teaming, as exercises are sometimes called, where penetration tests mimic the action that an attacker might take to access the network. Those attacking actions may of course be from sophisticated sources, and the costs of mimicking them in an entirely legitimate way could be substantial; but it is right, in the interest of national security, that Ofcom does not reduce the quality of its testing. We would not seek to limit that either, notwithstanding its independence.

I can offer the Committee some reassurance, however, that Ofcom’s assessment costs will not be excessive. It has a general duty to act proportionately and to follow other principles representing regulatory best practice. Finally, a provider’s duty is to pay only such costs as are reasonably incurred by Ofcom in an assessment, so there is a balance there.

As to the proposed new subsection that would limit those able to carry out assessments to Ofcom or a UK Government agency, the assessments, as the hon. Member for City of Chester knows, may be complex and need specialist skills. Methods such as penetration testing might need specific technical skills and we should not limit Ofcom in that way. However, we should also bear in mind, as the hon. Member for Newcastle upon Tyne Central mentioned, that the independence and expertise of Ofcom is the greatest bulwark against such entirely unfounded but legitimate concerns as those raised by the hon. Member for City of Chester, about who might be appointed by this or any Government to carry out a task in the national interest. None of us would want—and I do not suggest that the hon. Gentleman is doing this—to get into the business of questioning Ofcom’s independence in performing the tasks in question.

Chi Onwurah

I am somewhat concerned at the implication of what the Minister says. We cannot put a price on national security, and Ofcom has a role. In an evidence session, Ofcom’s representatives said that although its role excludes any question of its making security decisions, it would ensure compliance, yet now the Minister seems to be saying that Ofcom will not have the skills to ensure compliance. I agree that there are specialised skills. Penetration testing, for example, is a specialised skill, but I would argue that it is a skill that Ofcom should take on as part of this new remit. I say again to the Minister that the skills needed to ensure compliance should be within Ofcom’s remit, or should be better defined.

Matt Warman

Ofcom itself is best placed to exercise discretion as to whether it should carry out those assessments in-house, or whether it should have the flexible capacity to have the capability brought in as necessary. Ultimately, I do not think that anyone would wish to prevent Ofcom from having the ability to do what it thinks necessary by forcing it to use in-house staff only, because we cannot predict the future, as Members on both sides of the Committee have highlighted. Although the cause that the hon. Member for City of Chester is pursuing is a noble one, its unintended consequence would be to constrain Ofcom in both the expertise that it has at its fingertips and the costs that it might incur. We would not want to limit Ofcom’s discretion to make those decisions as an independent organisation.

Chi Onwurah

Actually, the amendment would not limit Ofcom’s discretion to bring in additional resources or skills. It would limit Ofcom’s discretion to Government agencies or organisations within the public sector, which, on matters of national security, we should be able to do.

Matt Warman

If the hon. Lady were right, the only people from whom we would have heard evidence over the last few days would have been public sector employees. She knows just as well as I do that the cyber-security sector is a vast mesh of public and private expertise, which is inevitable given that we have private networks offering communications services. Although I understand her point, and I am all for Ofcom having as much expertise as it needs to do its job properly in-house, I simply do not think that we should constrain what it can access in the way that the amendment would.

On this, I think we probably agree on far more than we would perhaps like to admit, but the reason that this is a probing amendment, as the hon. Member for City of Chester said, is because imposing artificial constraints would not be beneficial to Ofcom’s work. We understand what he said, however, and in broad terms, the Government agree.

Christian Matheson

I am grateful for the debate and for the Minister’s response, but I do not intend to press the amendment any further. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Chi Onwurah

I beg to move amendment 13, in clause 6, page 10, line 20, at end insert—

“(aa) provide a report on the diversity of their network’s supply chains;”

This amendment gives Ofcom the power to request a report from a network provider on the diversity of their supply chains for the purpose of assessing whether they are complying with the security duties placed on them by earlier sections of the Act.

It is a great pleasure to speak to this amendment, which goes to the absolute heart of one of our key concerns about the Bill—the lack of any reference to the diversification of our supply chain. That is absolutely critical and should be integral to our national security. Our amendment 13 affects clause 6, which we have already discussed. The objective of the amendment is to give Ofcom the power to

“request a report from a network provider on the diversity of their supply chains for the purpose of assessing whether they are complying with the security duties placed on them by earlier sections of the Act.”

As we have heard, clause 6 amends the Communications Act 2003 to insert section 105N, which gives Ofcom powers to assess compliance with the security duties set out in earlier sections, and section 105O, which gives Ofcom the power to impose on providers the duty to do any of a significant list of things, from (a) to (k)—to

“carry out specified tests or tests of a specified description…make arrangements of a specified description…direct an authorised person to documents on the premises…”

or

“assist an authorised person to view information”.

As I have said, this is an integral part of the Bill and requires some considerable debate, so it may detain the Committee for some time, but this debate can be continued at a later time if necessary. There is a long list of requirements that Ofcom might place on network providers, but nowhere is there a requirement for those providers to give a report on the diversity of their supply chains, yet the diversity of a network provider’s supply chains is absolutely integral to the security and resilience of that network provider.

We heard that very clearly during our evidence sessions. In particular, I asked Dr Drew:

“Is it possible for the UK to have secure networks without a diverse supply chain for them?”

Her answer was:

“That is a great question that comes with a very simple answer: no. The worst-case scenario for creating a risk in this sense is when monopoly meets supply chain—insecure supply chain in this case. Arguably, the reason why SolarWinds was so successful is that it provided the same service to so many different organisations and departments in the United States. Therefore, if you access one—SolarWinds—you access almost all. That is the risk.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 87, Q110.]

The reason I have highlighted that particular quote—there were a number of quotations supporting the diversification of supply chains—is that it sets out really well what might happen if a network provider has only one possible supplier. If every aspect of its network is supplied by, let us say, Ericsson, and Ericsson then has supply issues itself or is bought or acquired by another operator from a different country that we might not be so close to, or—I do not mean to imply that this is a possibility—should fail in some way, that network provider no longer has any support for their network and no longer has the ability to maintain it securely.

The dependence of our telecoms security on diversifying the supply chain was set out in the 2019 telecoms supply chain report; yet the Bill fails to mention it at all. The objective of the clause is really for Ofcom to assess how successful a network provider is in meeting our nation’s security requirements. My argument is that it is not possible to do that without understanding the diversity of that network provider’s supply chain; yet the clause as it stands makes no reference to that.

Our clause would enable Ofcom to request a report on the diversity of the network’s supply chain. Alongside network provider diversity more generally, that provides a double layer of network diversification measurements because it enables Ofcom to see what each network provider is doing, as well as generally how our network supply chain is being diversified. During the evidence sessions, we heard a lot about open RAN. Indeed, the telecoms diversification taskforce and the telecoms diversification strategy put a lot of emphasis on open RAN. Open RAN is a development in standards, and so on, which will enable interfaces in networks to be open so that there can be a multiplicity of suppliers at different points in the network.

The evidence that we heard suggested that open RAN was at least six to eight years away from maturity and from playing a significant role in our networks. What we seem unable to do in the Bill as it stands is collect the information to enable us to see how different operators are diversifying their supply chain, through the use of open RAN for example. We heard from Vodafone that it is undertaking trials of open RAN, particularly in rural areas, and we would expect, over time, that similar trials may be taken up by other network providers in the UK. How will we see that flowing through network providers’ supply chains if we do not have a requirement or amendment of this type?

In Committee, we heard from Julius Robson, who said:

“Security is about resilience, and it is not a question of whether something will go wrong; it is a question of when. When we realise that one of our vendors is high-risk, will it take seven years to fix that problem? That is not a healthy place for our industry to be in. We want a rich diversity of suppliers working together, so that when we identify a suspect component or part in our network, there is something sitting there, warmed up and already integrated, ready to be swapped over. That is where we want to get to.”—[Official Report, Telecommunications (Security) Public Bill Committee, Thursday 14 January 2021; c. 48, Q60.]

My question for the Minister is: how will we know that we are getting there? How will we know how diverse network providers’ supply chains are? How will we know how resilient they are, and what the impact and security threat of a vendor being acquired by a hostile actor will be, for example?

We also heard from Doug Brake about the problems of regarding open RAN as a silver bullet that we can make a quick transition to.

He said to us:

“I honestly worry that it is too late for open RAN to be incorporated into 5G, at least on a broad scale. For greenfield networks, it is a different story and it might make sense to go with these open and modular systems from the get-go.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 125, Q166.]

My question to the Minister is this: how will we know the extent to which particular vendors are taking up more diverse solutions and more resilient solutions without an amendment to the Bill of this type?

When it comes to understanding the diversity of vendors’ supply chains, we have heard—I have spoken about this a few times, so I apologise for repeating myself—that there is an evolution of the network, from hardware into software services. We also heard during the evidence sessions that more and more of those software services and controls would be on cloud services.

However, in terms of understanding how resilient the new network architectures are, currently the Bill does not make any requirement for reporting on the evolution of network providers’ networks with regard to who their different suppliers are and how many of them there are. So I have real concerns that the Bill is short-changing us on our network security, with the lack of any requirement on network providers to share with Ofcom information about the diversity of their supply chains. We have discussed the importance of supply chains and, to a certain extent, the complexity of supply chains, but we have not seen anything that will enable us to follow how the diversity of particular network operators’ supply chains evolves over time.

I will finish on this point. We have seen significant consolidation in this industry, including in the number of network vendors, over the years. With the removal of Huawei, we are down to two equipment vendors, Ericsson and Nokia. However, we have also had a significant consolidation in terms of the management of networks and particularly in the underlying network architectures, so that many different network operators are effectively operating by perhaps using the same radio access network, or they may have very similar management layers.

The amendment is also designed to enable Ofcom to see how those technological changes are bringing new threats into our telecoms networks by bringing in new areas of potential consolidation. A number of times, I have used the example of Amazon Web Services. The future of networks that was suggested in our evidence sessions would ideally be a radio access network, manufactured by a number of different manufacturers but with quite simple boxes and antennae. And then the control, the services—everything—would be in a layer that would be running over equipment, or servers, from Amazon Web Services or any cloud computing service. That in itself is a different form of potential monopoly consolidation and potentially a different single point of failure, yet I see no requirement on Ofcom to assess how each vendor, each network provider, is evolving in terms of its network architectures and the threat to diversification of the supply chain that comes as a consequence of that.

When it comes to understanding the supply chains of the network providers as they are today, understanding how successfully they are evolving to become more diverse, which is a hope that we all have—a shared desire—and understanding how technological changes may be bringing in new potential areas of consolidation, monopoly provision, and single points of failure, this amendment is designed to ensure that we have greater understanding of how things are today and advance warning of the implications of changes, and I do hope that the Minister will be able to accept it.

Matt Warman

I will go very briefly over the diversification strategy, which is essentially a £250-million initial tranche of investment to diversify the UK network, with a focus, to a certain extent, on open RAN, as the hon. Lady said. On the information that she would require, I agree with her so comprehensively that the provision is already in the Bill. Section 135 of the Communications Act 2003, as amended by clause 12—she is right that the provision is not in this clause—provides Ofcom with the power to gather information on diversification where Ofcom considers the information necessary for the purpose of carrying out its functions. Clause 12 specifically provides that such information can include information concerning future developments of a public electronic communications network or public electronic communications service that could impact on security. As I said, I agree with her so comprehensively that we had already foreseen the issue and the provision is already in clause 12. The addition of it to this clause would not change that fact. I hope that that provides—

Chi Onwurah

I thank the Minister for those comments. He says that the provision is already in clause 12. This is obviously down to my lack of studying, and I thought that I had studied every line of the Bill, but where specifically does clause 12 refer to diversification of supply chains?

Matt Warman

The approach that we have adopted across the Bill is that powers such as those in clause 12 are more than wide enough to cover exactly what is needed. What I am essentially saying, I suppose, is that the legal interpretation of clause 12 absolutely does what the hon. Lady seeks, because it is an absolutely essential part of one of the purposes of the Bill. That is why I hope she can take the necessary comfort to withdraw her amendment.

Chi Onwurah

I thank the Minister for that, but I am still puzzled as to where clause 12 says that Ofcom will collect data with regard to diversification of the networks. Ofcom is given the power to collect data with regard to the duties under the Bill, but there is not a duty under the Bill to diversify networks. I am trying to speed-read clauses and subsections; perhaps the Minister can direct me to a part of the clause that specifically requires information concerning. Clause 12 mentions

“information concerning future developments of a public electronic communications network or public electronic communications service that could have an impact on the security of the network or service.”

I agree that that could be liable to an interpretation that included diversification of the network, but given that the Bill does not anywhere mention diversification of the supply chain as being part of the security of the network, I am afraid I do not feel reassured.

Matt Warman

I am very happy to write to the hon. Lady to clarify why it is our belief that the Bill does that. What I would say is that the kind of specificity that she seeks would have the unintended consequence of narrowing what we do, rather than retaining the broad powers that we have in the Bill. As has been the case so often today, we do not disagree on the intent that she is seeking to obtain, and that is why the Bill is drafted as it is. As I say, I am very happy to write to her to try to clarify some of that.

Chi Onwurah

We all agree that the Minister is someone whom we like and who has the best intentions. On that basis, and on the basis that we can table further amendments at this stage or on Report if his letter of reassurance should not be sufficiently reassuring, I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Ordered, That further consideration be now adjourned. —(Maria Caulfield.)

Adjourned till Tuesday 26 January at twenty-five minutes past Nine o’clock.

Written evidence reported to the House

TSB 09 Heba Bevan OBE, CEO and Founder, Utterberry Ltd.

TSB 10 Photonics Leadership Group and UK optical communication community

Telecommunications (Security) Bill (Fifth sitting)

(Committee Debate: 5th sitting: House of Commons)
Thursday 21st January 2021

Public Bill Committees

Department for Digital, Culture, Media and Sport

The Committee consisted of the following Members:

Chairs: † Mr Philip Hollobone, Steve McCabe

† Britcliffe, Sara (Hyndburn) (Con)

† Cates, Miriam (Penistone and Stocksbridge) (Con)

† Caulfield, Maria (Lewes) (Con)

Clark, Feryal (Enfield North) (Lab)

Crawley, Angela (Lanark and Hamilton East) (SNP)

† Johnston, David (Wantage) (Con)

† Jones, Mr Kevan (North Durham) (Lab)

† Lamont, John (Berwickshire, Roxburgh and Selkirk) (Con)

† Matheson, Christian (City of Chester) (Lab)

† Onwurah, Chi (Newcastle upon Tyne Central) (Lab)

† Richardson, Angela (Guildford) (Con)

† Russell, Dean (Watford) (Con)

† Sunderland, James (Bracknell) (Con)

Thomson, Richard (Gordon) (SNP)

† Warman, Matt (Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport)

West, Catherine (Hornsey and Wood Green) (Lab)

† Wild, James (North West Norfolk) (Con)

Sarah Thatcher, Huw Yardley, Committee Clerks

† attended the Committee

Public Bill Committee

Thursday 21 January 2021

(Morning)

[Mr Philip Hollobone in the Chair]

Telecommunications (Security) Bill

Before we begin, I have a few preliminary announcements.

Members will understand the need to respect social distancing guidance. I am told here that I shall intervene if necessary to remind everyone. Mr Speaker has asked that Members wear masks in Committee, except when speaking. Please switch electronic devices to silent. Tea and coffee are not allowed during sittings. Hansard colleagues will be grateful if Members could email their speaking notes to hansardnotes@parliament.uk.

We now begin line-by-line consideration of the Bill. The selection list for today’s sitting is available in the room. This shows how the selected amendments have been grouped together for debate. Amendments grouped together are generally on the same or a similar issue. Please note that decisions on amendments do not take place in the order that they are debated, but in the order that they appear on the amendment paper. That is often confusing for Members, young and old alike. The selection and grouping list shows the order of debates. Decisions on each amendment are taken when we come to the clause to which the amendment relates.

Clause 1

Duty to take security measures

Chi Onwurah (Newcastle upon Tyne Central) (Lab)

I beg to move amendment 7, in clause 1, page 1, line 19, at end insert—

“(ba) the presence in the network or service of supply chain components which represent a threat to national security;”.

This amendment would add the presence of supply chain components which represent a security threat to the list of “security compromises” which network and service providers must take security measures against. “Supply chain components” are defined by Amendment 8.

With this it will be convenient to discuss amendment 8, in clause 1, page 3, line 17, at end insert—

“‘supply chain components’ means the sequence of processes involved in the production, distribution and maintenance of networks and services.”

This amendment defines “supply chain components” for the purposes of Amendment 7.

Chi Onwurah

It is a great pleasure to serve under your chairship, Mr Hollobone, and to see the Bill Committee present. I thank all its members for taking part, and I observe that the room is a lot warmer than it was in December, when the National Security and Investment Bill was in Committee. I hope that we will continue like that. I also thank the Clerks and all the members of House staff who have supported us with the amendments and on the Bill more generally.

I crave your indulgence, Mr Hollobone, to start with a few opening remarks that will be helpful in understanding the Opposition’s approach to this amendment and to the Bill as a whole. To give the context, I worked as an electrical engineer for 20 years before entering Parliament. I am still a chartered engineer and proud of that. As an engineer, I worked all over the world helping to build out the networks—fixed, wireless and mobile—that became the internet and on which this Bill is intimately focused.

I should also declare an interest. Many of the provisions of the Bill deal with the regulator, Ofcom, and I joined Ofcom in 2004, just a few weeks after it was born, when it was to be a light-touch regulator, small and nimble. Over the years, it has acquired responsibility for critical national infrastructure, the BBC, the Post Office, soon the entirety of online harms and now, it would appear, national security as well. I have been calling for greater security, in particular for our mobile networks, for many years now, so I and the Opposition welcome the aims of the Bill, and the Bill itself. However, many areas within it need to be addressed.

As I have declared my personal and professional interest in the telecoms network, Mr Hollobone, you will not be surprised to hear that I am thrilled that we will spend so many hours of our parliamentary democracy time here in this room, dedicated to debating our telecommunications infrastructure. But, to my regret, the Committee is not taking advantage of the very telecoms infrastructure with which it is dealing. I would like to place on the record that we believe holding this Bill Committee physically rather than virtually is putting Members of the House, Clerks and House staff at risk from the coronavirus pandemic, and we feel that it is our duty, as a reasonable and responsible Opposition, to ensure that that risk lasts for as short a time as possible. Therefore, we are going to crack on as quickly as possible through as many clauses as possible, while maintaining appropriate levels of scrutiny. I want to put the Government on notice that we expect as a consequence to have more time on the Floor of the House on Report to consider the Bill, because we do not feel that it would be wise to dwell on many of its important themes when we are meeting physically in one room at a time of national pandemic and lockdown.

To keep all Members and staff as safe as possible, we will have a laser-like focus on three primary areas. The first is national security. Labour prioritises national security, but failings in the Bill show the Government are taking risks with our security-critical national infrastructure and economic security, and we will highlight those failings constructively whenever we can. Secondly, the security of our networks depends on an effective plan to diversify the supply chain, which should include support for UK capability, and we are very concerned that the Bill short-changes both our national security and our telecoms infrastructure by not including more references to the Government’s diversification strategy; it is a weak strategy and we will try to overcome that. Thirdly, the Bill also gives sweeping powers to the Secretary of State and Ofcom, including sweeping powers over security. As my hon. Friend the Member for Cardiff South and Penarth (Stephen Doughty) said on Second Reading, the Department for Digital, Culture, Media and Sport is not known for its understanding of or expertise on national security, and we want to take measures to address that.

Security is the primary concern of amendment 7, which was tabled by my right hon. Friend the Member for North Durham. It seeks to add the presence of supply chain components that represent a security threat to the list of security compromises that network and service providers must take security measures against. Supply chain components are defined in amendment 8, for the purposes of amendment 7.

James Wild (North West Norfolk) (Con)

Amendment 7 refers to national security. I note that the Opposition have not tabled a definition of national security, which is an issue we have considered in other debates. Is there a reason why the hon. Lady now accepts that we should not define national security?

Chi Onwurah

I thank the hon. Member for his intervention, which raises a really important point that I will say something about. As I am sure you are aware, Mr Hollobone, yesterday was the Third Reading of the National Security and Investment Bill. I refer Members to the report by the Select Committee on Foreign Affairs, published on Tuesday, on the critical issue of national security and its definition. In fact, the Opposition sought to put into the National Security and Investment Bill not a definition of national security but a minimum standard of what national security should refer to. We wanted to include elements such as critical national infrastructure—of course, telecoms infrastructure is a part of that—and supply chains, which the amendment deals with, and also human rights. I do not want to anticipate what we might table in future, but one reason we have not so far tabled a framework for guidance in national security is that we had hoped that the Minister responsible would recognise both the advice of the Foreign Affairs Committee and the Intelligence and Security Committee in giving greater guidance on what national security was, and that that was a better place for it.

Christian Matheson (City of Chester) (Lab)

The other opportunity for the definition to be addressed would be when the Government next produce their defence and security review, which comes out no more than every five years. They might address what national security is or whether it is indeed desirable, as my hon. Friend has said, to specify that in an ever-changing world.

Chi Onwurah

I thank my hon. Friend for that helpful intervention. I do not want to take up too much of the Committee’s time on the way in which national security should be defined, or guidance given, although it is relevant to the Bill. As my hon. Friend says, there are other places where a framework for understanding national security would be better placed. One of our concerns about this Bill is that, as I have alluded to, Ofcom and the Department are not experienced in security issues, and they are not the best organisations to make security decisions. Putting a framework to define national security in the Bill might not be as helpful, but if as our debates progress we see a need for greater clarity on guidance around national security, and it is not to be found anywhere else, we might take up his challenge, and I hope to have his support if that should happen.

With regard to the amendment, it is important that the supply chain components are understood. As we proceed through the Bill, we will come to understand better that the steps to remove high-risk vendors from UK networks that the Minister is in the process of taking are welcome, but that is not enough to secure our networks. We also need an effective diversification of our network supply chains. Part of the challenge here is that if we remove high-risk vendors, as the Bill enables, and leave only one or two approved vendors, our networks remain insecure because they are less resilient. In fact, they are not resilient at all. The loss of one vendor would mean that there would be only one vendor for our entire 5G network supply chain, as things stand.

In order to understand the diversification of the supply chain and how effectively, or not, it is proceeding, it is important that we consider the components of the supply chain, particularly identifying where they are a threat to our national security. Up until now, we have allowed our telecoms infrastructure to lack both security and resilience. Going forward, it is critical that we address both the lack of resilience and the lack of security, and that that assessment is made by those qualified to make it. That is not the Department as things stand, but our security services and the National Cyber Security Centre, in particular.

I hope the Committee will approve the amendment and I look forward to contributions from the Minister and others.

Mr Kevan Jones (North Durham) (Lab)

It is a pleasure to serve under your chairmanship, Mr Hollobone. I apologise for my late arrival, but I was asking a question of the Health Secretary on the vaccine roll-out. When we look back at the time before the pandemic, would we have thought that part of our critical national infrastructure would be vaccine production? As my hon. Friend the Member for Newcastle upon Tyne Central said, that is a good example of the changing nature of these things. Will the threats to telecoms change? Yes, they will. Last night we discussed the National Security and Investment Bill, which addresses some of the same issues.

I tabled the amendment to focus on and consider the supply chain. There has been much concentration, quite rightly, on Huawei—not just the history, but the threats. As the Minister knows, I was a keen supporter of the Government’s initial response to Huawei. From a technical point of view, I think allowing 35% and making sure that Huawei was not in the core network was the right response. That all changed with the US sanctions on semiconductor exports to China, which changed the security advice. Again, I agree with that.

It will be interesting to see whether, if President Biden were to change that, we would change the security advice back. Frankly, I doubt that because of the direction of travel. I do not think there will be great change in the new Administration’s approach to China. It might be more nuanced and less belligerent, but I do not think it will fundamentally change. I know from sitting on the NATO Parliamentary Assembly and meeting fellow members from both sides of the House in the US Congress that there is a pretty unified bipartisan position on China.

The debate around Huawei has concentrated on the hardware. My amendment, which is a probing amendment, tries to see what coverage we will have in the telecoms network supply chain. There has been much talk about compromising the main components, but each of these networks are very complicated. We need only look at any electronic equipment used today, whether that is a telephone or a microwave oven, to see that they are very complex pieces of kit. The components are not all sourced here in this country—it would be impossible to do that—but are supplied from around the world. However, in terms of electronics, the major suppliers of a lot of these components are the Chinese, or Chinese companies that manufacture in different parts of south-east Asia, for example.

This is not just about how we get diversification in this sector, although trying to get some home-grown innovation is going to be important. To be honest, I think the opportunity is going to be in software and open RAN, because that is where we can get an advantage if we get our ducks in a row, not only through investment but through Government initiatives and other things. It is about trying to minimise the risk that will be there now that we are going to have two vendors. Now that Huawei is no longer in the network, we are going to have Ericsson and Nokia, both of which are going to be there for the foreseeable future. What will the regulator do to look at the supply chain around their components, for example? From the evidence we took from Dr Drew, it is quite clear that China is using not just these networks and the components that go into telecoms, but other things, including the belt and road initiative, for geopolitical purposes.

Chi Onwurah

I thank my right hon. Friend for giving way, and for the excellent points he is making. He mentioned the evidence we took in our session with Dr Drew. Is it not true that in those evidence sessions, we heard about the complexity of our networks and the extent to which network operators were not always aware of where their components were or, in this case, the level of components? Is it not the case that my right hon. Friend’s amendment will not only increase the visibility of the different components in the supply chain, but should help the Department and Ofcom understand where these components are, where they are going and the way they are changing through soft upgrades?

Mr Jones

I agree. The issue with both Ericsson and Nokia is that they will have Chinese components in their hardware. This is an incredibly complex situation, as my hon. Friend said: we are talking about not just one piece of kit that most of us have in our pockets, but hundreds of thousands of components, pieces of software and other things. What I am trying to put on the record, and what I want the Minister to respond to, is the question of how we get an understanding of any risks that are involved in that, and how the regulator and the Government are going to look at ways in which national security could be compromised, not by the main company being owned by a Chinese state entity, a Russian state entity or any actor that we feel is a threat to us, but by a key component.

I have not yet really understood how the regulator will look at that issue further down the supply chain, and whether it will ask a supplier of kit to the telecoms network, “What is the level of threshold or security that you need?” That is hard enough with hardware, but with open RAN and software—we are talking about bits of code—it is going to be incredibly difficult. One of the issues is around vulnerabilities, and various things have been said about the vulnerability that Huawei poses to our telecoms network. However, I suggest people read the Huawei assessment centre’s annual reports—I am rather sad, because I read such documents. One thing sticks out every single year, and it is not that the Chinese are doing anything nefarious. The reports are highly critical of Huawei for its shoddy workmanship and engineering, but that type of shoddy engineering and a lack of attention to security will lead to security concerns in our telecoms network.

Amendment 7 is designed to tease out from the Government their thinking about the supply chain. We do not want to be over-burdensome on it, because we want to get innovation in the supply chain. We do not want to suddenly give researchers and other people in the supply chain huge regulatory hurdles to jump over, because that would stifle the development that we are looking for. It is about how individual components and the overview of the supply chain will be regulated. I have tabled a later amendment about Ofcom, but again it comes back to the point I made yesterday about the National Security and Infrastructure Bill. What has to be at the heart of it all, every single time, is not to stifle innovation and prosperity, but what has to come first every time is national security.

As I say, amendment 7 is a probing amendment, and I want to understand where the Government are at in terms of the supply chain, the security they feel they need over the supply chain and, more importantly, the visibility of the supply chain.

The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)

It is a pleasure to serve under your chairmanship, Mr Hollobone. I echo the thanks of the hon. Member for Newcastle upon Tyne Central to you and the House staff for facilitating this Public Bill Committee. I also echo her praise for the temperature of the room and especially her commitment to crack on and not fill it with further hot air. That is to be welcomed.

Like the hon. Lady, I will briefly talk about the broader context of the Bill before I directly address this group of amendments. As we all know, security should be the first priority for any Government, and the Bill demonstrates this Government’s commitment to securing the UK’s telecoms networks.

Clauses 1 to 14 raise the bar for security across the whole telecoms sector, and the subsequent clauses—15 to 23—provide the mechanism for the Secretary of State to manage the role of high-risk vendors. The part that telecoms plays in our security is undeniable and has become even more evident in the midst of this global pandemic. At present, the internet provides absolutely everything for workplaces, schools, families and friends, and the Government are committed to improving that through our gigabit programme. New technologies have the potential to be transformative, but they have the opportunity to reach their full potential only if they are secure, and the Bill will ensure that.

Before I explain the Government’s response to amendments 7 and 8, it is necessary to explain briefly how they would interact with clause 1. New section 105A in clause 1 places a duty on providers to take “appropriate and proportionate” measures. Those measures oblige providers to identify and reduce the risks of security compromises and require them to prepare appropriately for those risks. New section 105A also addresses the interaction between the duty and the national security and law enforcement activity, such that these activities are appropriately excluded from the definition of a security compromise. I will return to new section 105A later—I know that will excite the Committee.

Alongside the overarching security duty in new section 105A, new section 105B gives the Secretary of State the powers to make regulations that impose duties to take specific security measures. Clause 1 creates a duty for providers to take “appropriate and proportionate” measures to protect their networks and services from security compromises. “Security compromise” is then defined in new section 105A.

Amendment 7 seeks to extend the definition of a security compromise to include

“the presence in the network or service of supply chain components which represent a threat to national security”.

It is accompanied by amendment 8, which provides a definition of supply chain components. I take it from what the right hon. Gentleman said that the intention of the amendment is that providers should not necessarily need to be directed by the Government not to use such components, but should proactively reduce their use of such equipment or take other appropriate measures. In many ways, these are the sorts of things that we would expect to see in documents such as the code of practice. We are very keen to be as transparent as we can, as quickly as we can, and I hope that the right hon. Gentleman would say that we have already tried to adopt that spirit in some of the documentation and draft legislation that we have published around the Bill.

Mr Jones

I would, and this is really a probing amendment to get an understanding of what the Government think, but may I ask the Minister a direct question about the national security bodies—GCHQ and others? If they came across a component or something that a supplier was producing that raised concerns, how would their concerns be translated into saying that a red warning should be put on a certain component in a supply chain?

Matt Warman

I simply say that, as the right hon. Gentleman knows, the NCSC and others already work very closely with the networks. What he seems to be talking about, in some ways, is a very day-to-day way of talking about security concerns. That happens a lot already, and what the codes of practice and other documents will do is set up the framework by which that is formalised. As he knows, that process of very quick action being taken as soon as something is spotted, both by the networks themselves and by our agencies, is already well established, and the Bill gives considerably greater force to it.

As the right hon. Gentleman knows, the Bill is aimed at ensuring that providers take responsibility for the security of their networks and services in a way that has not happened, in legislative terms, in the past, and it then provides the Government with the powers that we need to enforce that. In so far as any supply chain components give rise to risks to the security of a network or service, new section 105A already requires providers to take appropriate action and proportionate measures to identify those risks. I appreciate that this is a probing amendment, but in a sense what the right hon. Gentleman is seeking to do through it is already there, and it will be enforced in the documents, such as the code of practice, that I have mentioned.

Furthermore, the addition of the presence of a supply chain component as a security compromise would not be consistent with the security framework’s definition of a security compromise, but I do not think that we need to get into too much detail about that in the context of a probing amendment. The concept of a security compromise is used in other provisions in the Bill, and it is important that we are consistent.

More fundamentally, the right hon. Gentleman’s amendment would put the onus on providers, rather than the Government, to determine a national security risk, but, as he implied, it is absolutely down to the NCSC and, ultimately, the Government and agencies to make that definition. Placing the responsibility for determining what does and does not constitute a threat to national security on the shoulders of all individual providers is not the right thing to do, and I think, to be fair, the right hon. Gentleman is not really suggesting that it is, either.

Chi Onwurah

I thank the Minister for the way in which he is addressing these important proposals. I think that his concern is that this amendment would put the responsibility on the providers rather than the National Cyber Security Centre, and I understand that, but can he say a little about the following matter, because it is the providers that know their networks? The National Cyber Security Centre is excellent, and we have huge admiration for it, but in terms of the supply chains, changes to the supply chain and new components evolving, how does he envisage that, day to day, working effectively without an amendment of this kind to put this requirement on the providers?

Matt Warman

As I have said, new section 105A partly provides the legal basis that the right hon. Gentleman seeks, but in practice no one is suggesting—the Secretary of State talked about this on the Floor of the House—that it is solely the name on the box of a piece of kit that defines international security status. We are not naive to the possibility of the supply chain being another vector of attack. That would be reflected in codes of practice and elsewhere around the legislation.

Public telecoms providers can and should consider the security of the resilience of their networks and services throughout the supply chain in a sensible and proportionate way. National security considerations are inevitably much broader than the issues that can be addressed solely by private companies. I think that is reflected in the distinction drawn up in this Bill.

The amendment would have implications for Ofcom’s monitoring and enforcement of providers’ compliance. The Bill includes provisions for Ofcom to collect information on behalf of the Secretary of State in narrow and specific areas related to national security, but this amendment would require Ofcom more actively to take some of the compliance judgments. In the evidence session the right hon. Gentleman was keen to see that it was not asked to make those judgments.

Mr Jones

Clearly NCSC does a tremendous job in terms of education of members of the public and companies—as the Minister outlined, that is a key part of its role. Does he see, therefore, a role for Ofcom as part of that, in terms of ensuring that the supply chain and operators are aware of their responsibility not only under the Bill, but to ask the right questions about supply chains from what might be deemed as high-risk vendors?

Matt Warman

In so far as codes of practice will be published by Ofcom, the answer to the right hon. Gentleman’s question is yes. The more nuanced answer is that it is a co-production between Ofcom, the Government, NCSC and others.

To conclude, the Government are immensely sympathetic to the issues that the right hon. Gentleman and the hon. Lady seek to probe, but we take the view that this amendment would do something that is, ultimately, already covered in the Bill. I hope that, in that spirit, she will withdraw the amendment.

Chi Onwurah

I thank the Minister for his response. I am concerned that there is not greater clarity on the role of the supply chain components and the supply chain more generally. We will come to that in further amendments. Given where we are and how we got here, we must take a forward-looking approach to future risks and vectors for risks. This amendment is important in probing that, but I do not seek to put it to a vote. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Mr Jones

I beg to move amendment 9, in clause 1, page 3, line 26, at end insert—

“(2A) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a report on the specified measures.”

This amendment would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to specified security measures which the Secretary of State requires the provider of a public electronic communications network or a public electronic communications service to take.

We are now going to have a debate reiterating a speech I gave yesterday on the National Security and Investment Bill, because it covers the same issues. I will go into the details in a minute, but the amendment attempts to ensure parliamentary oversight of the way in which this Bill will operate. Such scrutiny traditionally comes from the Select Committee that mirrors the Department—the Select Committee on Digital, Culture, Media and Sport—but the decisions taken by the Government and the Secretary of State will be based on evidence that cannot be put into the public domain, because much of it is highly classified. In Parliament, only the Intelligence and Security Committee has the required STRAP clearance to see that evidence. It is important to ensure that the Executive is held to account for taking such decisions and for the public and Parliament to know that decisions have had parliamentary oversight from the ISC.

I do not want to give the impression that the ISC is looking for work, because I have been a member for a number of years and we are busy with a lot of inquiries—I have three to four hours’ reading every week looking through reports from the agencies. However, it is important that the ISC can at least look at the intelligence that lies behind decisions. The amendment does not propose that the ISC should have a veto or be a regulator, because that would not be correct. Decisions about high-risk vendors are for Ofcom and the Secretary of State.

We had the same debate yesterday on the National Security and Investment Bill, because the same issues come up there: decisions will be taken on national infrastructure, and the justification for them will be based on highly classified secret intelligence to which the Business, Energy and Industrial Strategy Committee will not have access. People might say, “Isn’t this the ISC getting involved in the day-to-day work of the BEIS Committee?” No, it is not. The ISC already has such a responsibility for Defence Intelligence and the National Cyber Force—military cyber-security—and we stick just to that; we do not go into wider Defence policy issues. Likewise, we scrutinise MI6, whose home Department is the Foreign, Commonwealth and Development Office. Again, we do not get into general foreign policy issues, which are rightly for the Foreign Affairs Committee. I do not think there is an easy way for the Government to provide for parliamentary scrutiny at the moment, but I want to go through and explain one.

I have some sympathy with the Minister, just like I had some sympathy with the Secretary of State for Business, Energy and Industrial Strategy yesterday on the National Security and Investment Bill. I know exactly where the problem is, and it is not in the Minister’s Department or in BEIS: it is in the Cabinet Office, which seems to have an issue with the ISC and jealously guards anything that we ask for, ensuring we get only some information even though we are legally entitled to it under the Justice and Security Act 2013. There is usually a tug of war, and on every occasion I have seen it the ISC has won—it is legally allowed the information—but that does not stop the civil servants. I must say that this is not Ministers’ fault; it is the culture in the civil service.

The point was quite well summed up in yesterday’s debate by the right hon. Member for New Forest East (Dr Lewis). We have departments that we scrutinise—MI5, MI6, GCHQ and defence and military intelligence. Section 2(1) of the Justice and Security Act refers to those intelligence agencies. It also lays out the various agencies that we have the responsibility for monitoring and scrutinising. However, section 2(2) sets out the broader context. It says:

“The ISC may examine or otherwise oversee such other activities of Her Majesty’s Government in relation to intelligence or security matters as are set out in a memorandum of understanding.”

The memorandum of understanding is between the Committee and the Prime Minister, as section 2(5) explains. It also explains that the MOU can be altered at any time. Therefore, all that is required is the Government’s activity in relation to defence and intelligence matters to be added to the list in the memorandum of understanding. There is a mechanism there—it already exists—to allow the ISC to look at that.

James Sunderland (Bracknell) (Con)

Given that most MPs do not fully understand what the ISC does, does the right hon. Gentleman not agree that the Government are probably best placed to make the decision on this particular matter?

Mr Jones

No, I do not. I know the hon. Gentleman is a new Member, and I actually quite like him, but what is he arguing for? A dictatorship? That the Executive should decide everything? Knowing you, Mr Hollobone, you would take a very dim view of that. You have form on holding the Executive to account—all Governments.

The ISC is there to look at information and provide parliamentary scrutiny. As for the nature of the information we receive, we have all the clearances from top secret going up to STRAP, including STRAP 3, which is intelligence that has a limited circulation and people have to be added to the list. We have access to that as well, which allows us to consider that information.

Our annual reports, which we supply to Parliament, can be debated by Parliament. We can produce reports. For example, most recently, there was the Russia report, which highlighted what the Government had not done rather than what it should have been doing. The contention from the Cabinet Office is that if information goes to the ISC, it is in the public domain. That is a little bit insulting. We do public reports, which have information that can be put into the public domain, but there are always secret annexes that go to the Prime Minister and are not made public, which allow us to question decisions and highlight issues that we think the Prime Minister should take notice of. It is a valuable mechanism for scrutiny.

The argument that will come from the Cabinet Office is that DCMS is not covered. It is. The memorandum of understanding says:

“The ISC is the only committee of Parliament that has regular access to protectively marked information that is sensitive for national security reasons: this means that only the ISC is in a position to scrutinise effectively the work of the Agencies and of those parts of”

the Government

“whose work is directly concerned with intelligence and security matters.”

I accept that DCMS’s day-to-day work is not covered in the description of national security, whether or not this is an issue of concern to individuals. I think it is. There could be an argument as to why the Department for Digital, Culture, Media and Sport got this legislation and whether it should perhaps be put in another Department. I do not agree with that, because I think the general issue of telecoms fits well into the Department’s wider briefs.

Increasingly, a number of Departments are getting involved in, or taking responsibility for, areas that involve national security. BEIS and the National Security and Investment Bill is a good example.

Chi Onwurah

My right hon. Friend is far too modest to set out his vast experience with and long-standing membership of the Intelligence and Security Committee. Does he agree that the geopolitical and technological shifts in the last decade in particular—perhaps the last two decades—have meant that the threats to our security come from a broader range and, more specifically in a more technologically-based range, and we have seen our defence requirements move to cyber-security? Therefore, as he said, the increased need of Departments to consider security issues means that the Intelligence and Security Committee’s ability to review items that require security clearance is important. Does he understand why the Government will not allow the Committee to do that?

Mr Jones

My hon. Friend knows that modesty is one of my trademarks, but no, I do not—I do not understand it, nor do I understand where the Government are coming from. I do not think that the problem is with the Minister or his Secretary of State; I think it is the culture of the Cabinet Office, trying somehow to test the Justice and Security Act to destruction. Its argument, basically, is that DCMS is not on the list of organisations, but the Act and the memorandum of understanding are clear: we have jurisdiction over matters that relate to national security, which this clearly does.

Christian Matheson

I am grateful to my right hon. Friend for providing inspiration for a speech that I will make later, when I will make similar points on similar provisions. Listening to him and to the hon. and gallant Member for Bracknell—whom I also like, incidentally—talk about the alternatives, it strikes me that there are only three: to provide classified information to be laid before the whole House or the DCMS Committee; to do the right thing and to provide that classified information to the Intelligence and Security Committee, which was surely established for exactly that purpose; or to have no scrutiny at all. It is one of those three alternatives. Surely the Government are not pushing for no scrutiny at all.

Mr Jones

I must say that this is the first time I have heard that one of my contributions to a Bill Committee is inspirational. I shall mark that as something to be remembered. However, my hon. Friend summarises the position very clearly: the DCMS Committee cannot deal with this, because the nature of the information garnered could not be shown to them, given its classification. We would not want to do that because this is highly sensitive information—meaning no disrespect to the members of that Select Committee. Some of it is not our intelligence; some of it will come from our Five Eyes partners, so it is about guarding not just our secrets, but theirs. Any leaking or compromise of that type of intelligence affects not only our ability with this type of work, but our relations with our Five Eyes partners. The next option, the ISC, is the obvious one. The third option means that the Government must put through a Bill that does not allow Parliament to scrutinise these matters at all. I do not think that that is what the Minister, or his counterparts in BEIS, believe. I think we will have a to and fro on this, and will get there eventually, but it will be hard work.

As my hon. Friend the Member for City of Chester says, scrutiny is important in helping to ensure that there is not only public but parliamentary confidence that the decisions are at least being looked at. Some of the decisions will be very controversial and the Government need covering. Will that be onerous for the Department? No, because all it will entail is that the report should include the decisions taken and the reasons why. We can ask, and be supplied with that, and that, I think, is important.

Yesterday, speaking on the National Security and Investment Bill, the Under-Secretary of State for Business, Energy and Industrial Strategy, the hon. Member for Stratford-on-Avon (Nadhim Zahawi) said that the ISC can ask for the information and demand that the Secretary of State comes before it. There are two important points about that. First, yes, we could do that. However, and as I said yesterday I do not for one minute suggest that the Secretary of State or the Department would want to refuse, but there is no legal justification behind it. If a future Secretary of State said “No, I am not appearing or giving you the information,” there would be nothing at all that the ISC could do.

I remind the Committee as I reminded the two Ministers in yesterday’s debate that we are all, as the great Robin Day once said, “here today, gone tomorrow” politicians, so any legislation we pass here must be future-proofed. Not only must we be satisfied with it; it must go on. The other important aspect of what the Under-Secretary said was the recognition of the ISC’s role in asking for information in relation to the National Security and Investment Bill. However, if it is possible to ask for information a mechanism is needed to guarantee it. I think that is also the case for the Bill that we are considering.

It will be interesting to see how the Minister responds, and whether he really believes what he will tell me, but there is a mechanism available and it would be easy and not burdensome. I stress that not for one minute is it suggested that the ISC would veto decisions or have any involvement in them. As with much of our work, apart from certain issues, it would be retrospective, looking back at decisions that had been taken. If mistakes, issues and concerns are raised, we can raise those directly with the Prime Minister and Departments. That is another check and balance in the system, of which I think you, Mr Hollobone, would approve, in view of your vociferous wish, whatever the Government, to hold the Executive to account. The mechanism is pretty straightforward. Either we put it on the face of the Bill or we get it into the memorandum of understanding.

There is an increasing problem with the involvement of more and more Government agencies that are not traditionally involved in national security, such as the new Joint Biosecurity Centre, which falls within the Department of Health and Social Care. All the information that they will get is classified, so how, again, will Parliament scrutinise it? That will be important.

Christian Matheson

Perhaps my right hon. Friend will reflect on a third issue. The Committee cannot ask for information if it does not know that it exists. If there is no obligation to report orders to the Committee there is no way for it to know that they have been made, and that it needs to scrutinise them.

Mr Jones

There is, but to give a bit of background, we are quite tenacious on the Committee and if we do not get what we ask for we usually keep on and get it eventually. Some of the agencies are better than others, but overall the working relationship with GCHQ has always been a very good one. The amendment would help the Bill, but I think we will to and fro on this.

At this stage, I am not minded to press the amendment to a vote, but as I said on Third Reading of the National Security and Investment Bill yesterday, and as the Minister admitted afterwards when I spoke to him privately, it is quite clear that if an amendment is tabled in the other place, the Government will accept it. That approach irritates me, although as I said in the House yesterday, it is not just this Government that do it; we did it when we were in government, too. It is seen as a sign of weakness if a Bill is amended in this House, but it is somehow a virtue if it is amended in the other place—suddenly the lights shine and we get a revelation of something that should really have been put in by the Bill Committee.

If the Minister will not accept the amendment in Committee, I urge him to table his own on Report. There are two ways of doing this: either he puts it in the Bill or he gets the Prime Minister and the Government, across the piece, to amend the explanatory memorandum to give responsibility, which would have the same effect as the amendment. I plead with him to act. This issue will not go away.

Chi Onwurah

I will not detain the Committee long, given that my right hon. Friend the Member for North Durham made such excellent points. I will add one point of consideration, which again, his modesty may have forbidden him from making.

The amendment goes to the heart of our concerns about the scrutiny of the provisions in the Bill. I say again for the record that we support the wide-ranging powers that the Bill gives the Secretary of State, but those powers must come with appropriate scrutiny, not because scrutiny is a “nice to have” or, as my right hon. Friend said, because the ISC needs further work, but because scrutiny of the provisions is essential to the good working of the legislation in practice.

Considering specifically the impact of the requirement to remove Huawei at this stage in our 5G roll-out—the economic impact, the cost to the providers and the cost to our economy—we recognise that it is the right thing to do, but we must also recognise the cost of doing it. Back in 2013, the ISC was one of the first parliamentary organisations to raise the issues around Huawei. I truly urge the Minister to accept this constructive amendment to support the appropriate provision of scrutiny.

My other point is more about the working of the clause, which gives the Secretary of State the power to make regulations that require providers to take specified security measures. As we know, the telecoms security framework and telecoms security requirement, to which all providers must adhere, will be set out in delegated legislation. In his response, will the Minister give us some idea of why the Secretary of State might need to set out additional specified requirements that are not in the draft of the TSR that he has published? Is the intention of the clause to enable him to set out additional specified requirements, or is it to enable him to highlight particular specified requirements that he does not think the providers are meeting quickly enough? In either case, does that not suggest that there are particular security concerns, either about providers or about the circumstances, that require these specific security measures? To come back to my first point, does that not highlight the need for those concerns to receive parliamentary scrutiny, with the appropriate clearance, which is to say that of the Intelligence and Security Committee?

Matt Warman

I start by acknowledging the incredibly important work that the ISC does. Its role in overseeing the work of the UK intelligence community is vital to maintaining public trust, as the right hon. Member for North Durham described, and its members make important contributions to public debates on national security matters of all kinds. The right hon. Gentleman has done that for a number of years. Because he is a member of the ISC, he will know that I have proactively engaged with it on the substance of the Bill. I did so enthusiastically—if any Minister can ever regard a Select Committee appearance enthusiastically—and in recognition of the interest that I knew that Committee would have in the Bill. I will be writing again to the ISC on a number of matters raised in the Bill, and I have instructed officials from my Department to continue to engage with the ISC as the Bill proceeds through Parliament, building on the work that it has already done and on the transparency that we have already demonstrated by publishing the draft of the security framework regulations on 13 January, copies of which have been provided to the members of the ISC and a number of other interested Committees. I hope that all that demonstrates the Department’s commitment to working constructively with the ISC, despite the fact that, as the right hon. Gentleman said, DCMS does not normally fall within the ISC’s formal remit.

It is none the less important to acknowledge that the ISC is not the only legitimate avenue to scrutinise this framework. We fully intend to make use of all the appropriate parliamentary procedures.

The regulations and the explanatory memorandum accompanying them will all be there for the ISC to scrutinise. There is also further guidance to providers in connection with the measures specified in the regulations that can be provided in the code of practice, which must be published, with a copy laid before Parliament. Also, beyond the usual arrangements for secondary legislation, new section 105Z of the Communications Act 2003 provides for Ofcom to produce security reports. Clause 11 of the Bill enables those reports to be published by the Secretary of State, and clause 13 provides for a review of the effectiveness of the framework, including any regulations, after five years.

It is in that context that I point to the enthusiasm with which we have engaged with the ISC. We will continue to do so and ultimately—this is perhaps the reason why the right hon. Gentleman described this process as an ongoing campaign, rather than something that we should address piecemeal—the ISC is clearly defined in the Justice and Security Act 2013. I do not think it would be right to address the memorandum of understanding that he referred to during our consideration of the Bill. We should not go at it in piecemeal fashion. The role of the ISC as set out in that MOU is to oversee the work of the security agencies, to provide oversight of certain intelligence or security matters within Government. Ultimately, if the right hon. Gentleman wants to change the MOU, that is a broader issue for him to take up. I note that he is not the only Member of this House to have made that point, but it is not my place to take a view on the role of the ISC; that should be for the ISC itself.

I am confident that we will continue to engage with the ISC; I personally will certainly do so. I know that the DCMS Committee will continue to take an interest, and I will simply say that we will co-operate as fully as possible. I will set out more in the letter I mentioned, and I look forward to the future salvos in the right hon. Gentleman’s campaign.

Mr Jones

I make no criticism of the Minister, because he has been very proactive, as has his Secretary of State. The problem is this: we have two pieces of legislation going through Parliament. We do not have security Bills very often in this place, and now we have two in a very short period of time. Both make eminent sense and I support them, but this is not something that comes up regularly.

In terms of the Minister’s co-operation, I have no complaints about the way he has operated, but he is not going to be there forever and neither is his Secretary of State, so we need to put in place something that will weather the passage of time, and create an arrangement whereby it will be seen that Parliament is scrutinising these measures. I do not know why the Government—I am sure it is not the Minister, or even his Secretary of State—are resisting this. Frankly, I am not really bothered whether it goes on the face of the Bill or in the MOU, but the Justice and Security Act 2013 is very clear that as a Committee, the ISC has the ability to look at this.

I accept that it would be wrong to get into issues around this Bill that are quite rightly, as the Minister said, for the relevant Select Committee—the Committee on Digital, Culture, Media and Sport—to deal with. We would never do that, so I will withdraw this probing amendment, but we will come back to this issue. I am not usually a betting man, but I suspect that by the time this Bill and the other Bill go through, we will have got to where both I and the Minister—I think, privately—think we should be. I therefore ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Chi Onwurah

I beg to move amendment 21, in clause 1, page 3, line 26, at end insert—

“(2A) The Secretary of State must make regulations under subsection (1) requiring providers of public electronic communications networks and public electronic communications services to carry out an audit of the goods, services and facilities supplied, provided or made available for the purposes of the provision of their network or service to ascertain whether they present a risk to the security of that network or service.”

This amendment is a probing amendment designed to learn how the Government plans to ensure network operators have a comprehensive audit of hardware of interest because, for example, it is manufactured by a designated or high-risk vendor.

The amendment goes to the heart of two of our key themes: the scrutiny of the powers in the Bill and the effectiveness of the accompanying diversification strategy. It is a probing amendment, designed to enable us to understand—or to have the Minister clarify—plans to ensure that network operators carry out a comprehensive audit of hardware that is relevant to the Bill because, for example, it is manufactured by a designated or high-risk vendor.

We tabled the amendment for a number of reasons. The first is the Government’s decision, which we welcome, to strip Huawei out of our telecommunications networks. There are questions about where that equipment is located, the level of software provision, and in particular the exact nature of the revision of the equipment within the network. In addition, the Government have not provided a plan for locating and removing Huawei from our networks; instead, they have opted to leave it entirely to private sector providers.

That might seem appropriate, but as someone with 20 years’ experience in the telecoms sector, I have to say that it is generally not the case—I am not insulting any individual provider—that providers know exactly where every bit of equipment is located and what level of software or build is associated with the equipment.

James Sunderland

Given that the Bill mandates that vendors could be fined up to 10% of annual turnover or £100,000 a day for violating the terms of their obligations, does the hon. Lady agree that a full audit of all goods and services supplied could be quite draconian and onerous?

Chi Onwurah

I am slightly confused, to be honest, because there was a contradiction there. It is a basic, inherent requirement under the Bill to understand the security implications of a network—the security implications, the security threat and future compromises. It goes to the amendment tabled by my right hon. Friend the Member for North Durham. Given that different components might provide different threats, it is essential to understand the kit that is in the equipment in order to meet the requirements of the security framework. So no, I do not think it is draconian that there should be an audit of the equipment. Indeed, providers should have this information already, but I know from my own experience and the experience of those who gave evidence, which I will come to in a moment, that this is not always the case because networks are so complex, and because our networks today have built up over decades and decades. There is software running in some of our networks that has been around for 40 or 50 years, as well as copper lines that have been around for even longer. So it is not always the case that this information is known.

Christian Matheson

Does my hon. Friend agree with me that having the carrot of an audit might help firms to avoid the stick of a draconian fine that the hon. Member for Bracknell referred to?

Chi Onwurah

As always, my hon. Friend makes an excellent point. Indeed, the audit, which I agree is burdensome if the information is not already in the management systems, which it should be, would, I hope, be less burdensome than the potential fines for not meeting the basic requirements of knowing what is in the network and where it is. Also, that challenge has been made more complex by the subcontracting of different parts of the telecoms networks.

For example, network providers such as Vodafone or Three have primary vendors—currently Ericsson or Nokia—but there might be subcontractors who provide particular elements of the network and particular management elements. We hope that that will be increasingly the case as we seek to open up the supply chains and make them more diverse. A basic and critical requirement for the Bill to be effective is to have a more diversified supply chain. More suppliers go hand in hand with a diversified supply chain, and therefore different types of equipment, of which we will need to keep track.

Mr Jones

The hon. Member for Bracknell has argued that regulations are somehow burdensome on business and unnecessary. It is only when things go wrong that we look back and think, “Wait a minute. That regulation or audit, which was suggested in an amendment, was vitally important.” We must get the context right. These amendments are being tabled not for their own sake but to ensure that security is improved.

Chi Onwurah

My right hon. Friend makes an excellent point. As someone who worked for a regulator for six years, I might be expected to agree with my right hon. Friend on the point of regulation; in this context, regulation should not be seen as a burden. As my hon. Friend the Member for City of Chester set out, it should be seen as a carrot—an incentive—to get things right. Imagine we had known and been able to see how Huawei’s presence in BT’s network, over the last 15 years or so, would rise from small beginnings to becoming the principal vendor. That might have rung more alarm bells and been an incentive to have transparency.

Regulation is also about levelling the playing field and enabling more effective competition. The better providers will do that, but some providers may not. We want a level playing field, particularly because the 2019 UK Telecoms Supply Chain Review said that there was not an incentive for security in mobile networks. It concluded specifically that there was no incentive for security in mobile networks. Given that conclusion and some of the points provided in the evidence sessions, the Bill does not address incentives to ensure security by design in our mobile networks. It has burdens and fines for not doing that, but it does not have positive incentives.

Christian Matheson

Was not that exactly the problem with Huawei, which has undercut and undermined so much of the telecoms sector elsewhere, either on price or on shoddy workmanship, as my right hon. Friend the Member for North Durham said? This amendment addresses that issue. By raising standards, we help existing and future contributors to the sector to come in and address the problem that Huawei caused.

Chi Onwurah

Again, my hon. Friend makes an excellent point with regard to the way in which Huawei grew in the telecoms sector. I do not want to detain the Committee on that history, but Huawei grew by under-cutting existing vendors, building up scale and making its profits by locking in network providers, despite issues with the quality of the equipment, which, as we have discussed, our security services identified.

Having visibility of network equipment, as well as the level of concentration of any one provider, will enable us, in part, not to get into such a situation of dependency in future. Again, I would emphasise that this is about incentivising what should happen but is unfortunately not always the case. That is not simply my view or that of the Labour party; it is the view of witnesses who participated in our evidence sessions. For example, Andrea Donà said:

“It is vital that the secondary legislation that accompanies the Bill clarifies assets in the telecoms network architecture that will be in scope of the security requirement, so that we can work knowing what we have audited, and knowing that the auditors always shared with NCSC. We need a clear understanding between Ofcom and us as providers before the legislation is enforced, so that we understand exactly the boundaries and the scope, and we all work together, having done the audits, to close any vulnerabilities that we might have.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 13-14, Q10.]

Dr Bennett said:

“I would hope that those at the top level are clear about it, but I would be surprised if there were not occasions when they had used subcontractors to do maintenance and the imperative had been to sort out the fault ASAP. Knowing precisely what components had gone in could be wrong, and that might come up in an audit. I think it becomes more important as you flow down the levels.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 49, Q62.]

Dr Bennett later said:

“I have said that audit is needed of the assets in the network. The costs of being audited and of dealing with audits are very high, and they are costs that small companies may not have the resources to meet.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 52, Q67.]

Ofcom said that it was more or less impossible to meet the requirements set out in the codes of practice for the operators, unless it had a detailed asset register of everything in its system. We will expect to see evidence of that, and we expect that it will be regularly checked, audited and so on. We recognise the potential costs of an audit, particularly for smaller providers, although most of them have newer networks and equipment and should have a lot of this information already available. Ofcom is anticipating that this is something it would need to have access to, yet there is no requirement in the Bill or, as far as I can see, in the delegated legislation that has been published to make that requirement.

I have mentioned that this is a probing amendment. I am not sure that it is necessary to have it on the face of the Bill, and it might be that it will be provided for in delegated legislation, but we need a clear and strong strategy for the detection and removal of high-risk components, vendor hardware and software. Otherwise, the Bill will not protect our national security effectively. I hope the Minister will give clarification on that.

Order. Mr Jones wants to speak, but he will have to wait until this afternoon.

Ordered, That the debate be now adjourned.— (Maria Caulfield.)

Adjourned till this day at Two o’clock.

Telecommunications (Security) Bill (Second sitting)

(Committee Debate: 2nd sitting: House of Commons)
Thursday 14th January 2021


Public Bill Committees

Department for Digital, Culture, Media and Sport

The Committee consisted of the following Members:

Chairs: Mr Philip Hollobone, † Steve McCabe

† Britcliffe, Sara (Hyndburn) (Con)

† Cates, Miriam (Penistone and Stocksbridge) (Con)

† Caulfield, Maria (Lewes) (Con)

Clark, Feryal (Enfield North) (Lab)

Crawley, Angela (Lanark and Hamilton East) (SNP)

† Johnston, David (Wantage) (Con)

† Jones, Mr Kevan (North Durham) (Lab)

† Lamont, John (Berwickshire, Roxburgh and Selkirk) (Con)

† Matheson, Christian (City of Chester) (Lab)

† Onwurah, Chi (Newcastle upon Tyne Central) (Lab)

† Richardson, Angela (Guildford) (Con)

† Russell, Dean (Watford) (Con)

† Sunderland, James (Bracknell) (Con)

Thomson, Richard (Gordon) (SNP)

† Warman, Matt (Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport)

West, Catherine (Hornsey and Wood Green) (Lab)

† Wild, James (North West Norfolk) (Con)

Sarah Thatcher, Huw Yardley, Committee Clerks

† attended the Committee

Witnesses

Hamish MacLeod, Director, Mobile UK

Matthew Evans, Director, Market Programmes, TechUK

Stefano Cantarelli, Global Chief Marketing Officer, Mavenir

John Baker, Head of RAN Business Development, Mavenir

Pardeep Kohli, CEO, Mavenir

Chris Jackson, President and CEO, NEC Europe Ltd.

Julius Robson, Chief Strategy Officer, Small Cell Forum

Dr Louise Bennett, Director, Digital Policy Alliance

Dr Scott Steedman CBE, Director of Standards, British Standards Institute

Charles Parton, Royal United Services Institute

Public Bill Committee

Thursday 14 January 2021

(Afternoon)

[Steve McCabe in the Chair]

Telecommunications (Security) Bill

Examination of Witnesses

Hamish MacLeod and Matthew Evans gave evidence.

Order. We will now hear from Hamish MacLeod, the director of Mobile UK, and Matthew Evans, the director of market programmes at techUK. We have until 2.45 pm for this session, and I will try to alternate as best I can. May I ask the witnesses in turn to introduce themselves for the record?

Hamish MacLeod: I am Hamish MacLeod, and I am the director of Mobile UK, which is the trade body for the UK’s four mobile network operators.

Matthew Evans: My name is Matthew Evans, and I am director of markets at techUK, the trade association for the wider technology sector, which has several telecom-related members.

Who would like to have the first question?

James Sunderland (Bracknell) (Con)

Q26 Gentlemen, good afternoon to you and thank you for coming in. A very quick and easy question: how do the challenges of maintaining security in a mobile network differ perhaps from those of a fixed network?

Matthew Evans: I am happy to take that question. From the principle point of view, the principles of cyber-security are the same regardless of the network: having security built in by design, but also having a zero-trust principle and good assurance that your defences are looking inwards as well as outwards. On a principle basis, they are very similar.

Hamish MacLeod: I have nothing to add to what Matt said.

Thank you. Who is next?

Dean Russell (Watford) (Con)

Q I would be interested to know whether you agree that strengthening the UK’s telecom security through this Bill is important as we continue to roll out the gigabit connectivity.

Matthew Evans: I am happy to take that as well. We completely agree with the overall objective of the Bill, which we think provides clarity to the sector and helps us to further enhance the security and resilience of the UK’s telecommunication networks. Obviously, as more and more services and applications are used over our fixed and mobile networks, ensuring their security and resilience is incredibly important. That is why we are pleased to welcome the Bill and the associated diversification strategy alongside it, which is obviously separate to the Bill but intrinsic to matters of resilience as we seek to broaden the supply chain.

Hamish MacLeod: I should perhaps reiterate what my colleague said this morning—that the mobile sector very much welcomes the Bill. Security has always been a top priority for mobile operators. We have always worked closely with the National Cyber Security Centre, but this is a great opportunity to formalise the arrangements and to make them more structured and transparent.

Chi Onwurah, did I detect that you were going to ask questions on behalf of Catherine West?

Chi Onwurah (Newcastle upon Tyne Central) (Lab)

Q Thank you, Mr McCabe. I was going to ask on behalf of my colleague, Catherine West, who cannot be here because we have chosen to sit physically rather than remotely. [Interruption.] It has been decided that we will sit physically. Her question is about international comparisons. Are you aware of what is happening with other countries’ security frameworks in addressing Huawei and high-risk vendors? Are you aware of any international comparisons?

Matthew Evans: From techUK’s point of view, obviously our members—you heard from some of them this morning, and you have more this afternoon—operate across a number of different territories. We seem to be the furthest, or the most advanced, in bringing into place quite a holistic security regime. That is in the first half of the Bill. Obviously, the conversation about high-risk vendors is prevalent in other areas, but I would say that in terms of bringing in a regime that covers the entire telecoms sector, this seems to be a world-leading initiative.

Hamish MacLeod: Chi, I am certainly aware of what other countries are doing as regards high-risk vendors. The operators absolutely accept the Government’s policy and the 2027 timeline. The important thing now is to stick to that timeline, because it allows not only for an orderly removal of the HRV equipment, but for alternatives to develop and emerge as viable competitors to the remaining companies.

Chi Onwurah

Q So, what are other countries doing that you are aware of?

Hamish MacLeod: The States, New Zealand and Australia have all excluded Huawei, among others. We could supply you with a full list if that is needed.

Miriam Cates (Penistone and Stocksbridge) (Con)

Q The Government’s diversification strategy goes alongside the Bill. Obviously, the principal driver of the diversification is security reasons, but it will also open up the networks to smaller operators—I imagine, Matthew, many of your members are much smaller companies. Do you think that it will have a positive effect on the sector, in that sense, and are there any other barriers to entry for the smaller tech companies that you can identify and that could be addressed in the Bill?

Matthew Evans: Thank you for that question. As I said at the start, we welcome the Government’s diversification strategy. It looks to tackle four issues, really, which are supporting incumbent suppliers to the UK market; attracting other global-scale suppliers; accelerating open interfaces and interoperability; and then the fourth area, which we could probably do with more detail on, which is really building on that domestic capability. I know that the taskforce that helped Government to frame the strategy is working on that aspect of it. As I say, I think we could do with some more detail.

However, we welcome the funding that has come alongside that strategy, and I think that we have a real opportunity in the UK in some of the areas where we have traditional strengths, in the software side in particular, to build some world-leading capability. As for the Bill itself, I do not think that it necessarily presents a barrier to that domestic capability; it is more in how we develop the strategy that sits alongside the Bill.

Hamish MacLeod: Just to add to what Matt said, yes, we very much welcome the diversification strategy. It is an absolutely necessary step to mitigate the risks of having to rely on two incumbents. It gives the UK an opportunity to have a leadership role in the development of exciting new technologies, such as open RAN, and, as Matt said, to grow the supplier base in the UK in the mobile sector.