(3 years, 11 months ago)
Commons ChamberThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
I beg to move, That the Bill be now read a Second time.
Cutting-edge technology such as 5G and gigabit broadband have the potential to transform our lives and this Government are investing billions of pounds in their roll-out nationwide, but we can only have confidence in that technology if we know it is secure, and this Bill will create one of the toughest telecoms security regimes in the world, one that will protect our networks even as technologies grow and evolve, shielding our critical national infrastructure both now and for the future.
This Bill acts on the recommendations of the United Kingdom telecoms supply chain review, which in turn was informed by the expert technical advice at the National Cyber Security Centre in GCHQ. First, it establishes a tough new security framework for all the UK’s public telecoms providers. This will be overseen by Ofcom and the Government, and they will have a legal duty to design and manage their networks securely. Rigorous new security requirements will be set out in secondary legislation, and codes of practice will set technical guidance on how providers should meet the law, and where providers are found wanting, Ofcom will have the power to impose steep fines. For example, under the current regime fines for failing to protect security are limited to just £2 million or £20,000 per day, while under the new regime they will rise significantly, to up to 10% of turnover or £100,000 per day. Under the current regime Ofcom has limited monitoring and enforcement powers. Under the new regime it will have the power to enter premises of telecoms providers, to interview staff and to require technical systems tests.
If we pass this Bill, few other countries in the world will have a tougher enforcement regime, and the point of this Bill is not just to tackle one high-risk vendor; it raises the security bar across the board and protects us against a whole range of threats. According to the NCSC, the past two years have seen malicious cyber-activity from Russia and China as well as North Korea and Iranian actors. While I know that telecoms providers are working hard to protect our networks against this hostile activity, the Government have lacked the power to ensure they do so. This Bill puts a robust security framework in place, guaranteeing the protection of our networks.
It feels like a long time since we had debates about Huawei at, I think, the beginning of the year, which perhaps started this national conversation about our critical national infrastructure. My right hon. Friend speaks about threats: what is the biggest long-term geostrategic threat facing the UK now?
The purpose of this Bill is to give us flexibility so that we do not get bound by the particular circumstances of today, and we have designed it to give us that. The four big threats we consistently face in cyber in this country are, as my right hon. Friend knows, in relation to Russia, China, North Korea and Iran, and we are seeing an evolution in some of those threats, particularly in relation to China.
This new security framework is just one half of the Bill; the second half gives the Government unprecedented new national security powers to identify and tackle high-risk vendors. Under the Bill the Government will be able to designate specific vendors that pose risks to our national security and issue directions to telecoms providers to control their use of goods, services or facilities provided by those vendors.
In principle, I welcome the Bill. Its focus, however, is on kit, hardware and vendors, and that will go some way towards protecting our telecoms systems, but we are also still facing threats from hacking, so making sure we have basic good cyber-hygiene will be just as important as some of these measures we are discussing today.
In short, yes, the right hon. Gentleman is absolutely correct. What this Bill does is bite in three respects. First, it sets out the overarching duties on mobile network operators and other telecoms providers in statute. It then empowers the Government through secondary legislation to provide further requirements on them. On top of that, for the tier 1 providers, which will basically be all the big telecoms providers, it also introduces a code of practice whereby they have to comply with that to ensure that they are secure. Across the board, the Bill tightens the requirements on them.
To follow up on the comments of my good friend the right hon. Member for North Durham (Mr Jones), does the Bill also give added protection to private individuals using their mobile phone, to stop them having it tapped by, say, a newspaper reporter?
I cannot imagine what my hon. Friend is alluding to. This is aimed at the telecoms providers, but in tightening the security requirements on them, it in turn, of course, tightens the security for individual telecoms users. The Bill makes it a duty for telecoms providers to comply with those directions and introduces robust penalties for those that fail to do so.
The point is that these powers will protect us against both the high-risk vendors of today and the threats of tomorrow. I know that for right hon. and hon. Members there are significant concerns about one high-risk vendor, Huawei. This has rightly attracted the attention and concern of many hon. Members and I want, first, to reassure them that I have heard them, that I am acting and that I am taking a clear-eyed approach to protecting our national security.
In July, I announced that UK telecoms providers should cease to procure any new 5G equipment from Huawei after 31 December 2020 and remove all Huawei equipment from our 5G networks by the end of 2027. This Bill enables us to implement those decisions in law.
I welcome both the Secretary of State’s direction and his much earlier than expected announcement of no new installations. Does he agree that this fundamentally changes the incentives on any boardroom for using any kit—in this case, Huawei—that is a risk? The cost is going to be laid with the company—that they will have to remove it anyway—which changes the pricing structure that any other company would have to bid for.
My hon. Friend makes a very important point, and I will be coming on to that in a minute. It is actually happening now because telecoms providers and mobile network operators know three things. They have to remove Huawei equipment in respect of 5G by 2027 entirely. They cannot purchase any equipment from the end of this year, and—I will come on to this shortly—we have double locked that, as it were, by having the installation requirement. Mobile network operators are already working on that assumption.
I find that very strange because the Bill is about security. The Secretary of State is now saying that he is introducing proposals which mean that if, for example, Vodafone or any other operator has got some stock in, it cannot put it in from the end of this year. What is the security risk there? The only reason we changed the projections earlier last year—which I supported—was the US sanctions on future kit. There is not a security risk to the kit that is going in now so how can he use this Bill, on security, for doing that? Is this not just a political decision that he is making?
To clarify the position for the right hon. Gentleman, mobile network operators cannot purchase from December this year—so they can purchase it now— and the installation limit will then apply from September 2021. The point of these measures is to address the concerns that Members rightly raised that companies could be incentivised to purchase large amounts of stock, stockpile it and then roll it out right the way through to 2027. I told the House in July that I would set us on a clear and unambiguous path to 2027, and these measures do exactly that.
Does the Secretary of State agree that, associated with the Bill, there needs to be a plan for the greatest diversity in the supply chains? That is the long-term solution, because part of the challenge is that we have ended up focusing on one supplier, Huawei, which has been dominant in this field. What action is he taking in that area?
I thank my right hon. Friend for his intervention. The interventions are tempting me to jump around points that I intend to make, but he is right about the importance of diversification. We have published the diversification strategy, which is available for Members to examine, and I will come on to it in a moment.
It is this Bill and this Bill alone that gives Members the assurances they seek for the security of our networks both now and in the future. Further to the point made by my hon. Friend the Member for Tonbridge and Malling (Tom Tugendhat), operators are already taking our approach seriously—they are working now to meet the Government’s requirements. For example, BT has signed a deal with Ericsson for 5G equipment to enable it to phase out Huawei and is already in the process of using Ericsson products to replace Huawei in its core. Where operators can go further and faster without jeopardising the stability of our network, we will of course encourage them to do so, but it would be a big risk to force them to go even further. BT and others have warned that moving faster could put our networks under considerable strain, creating significant risk of blackouts, and it would take longer for 5G to reach the parts of the country where it would make the most difference.
O2, Three and BT had concerns that they would have to cancel their contracts with Huawei but still pay for them, because the equipment was on its way. Could my right hon. Friend clarify what happens to contracts that are in the pipeline, which could see these companies go bust if they have to pay for them?
My Department is in close contact with mobile network operators. I do not think that the sort of risk my right hon. Friend describes of companies going bust is remotely the case. Furthermore, we have given clear advance notice of this. For example, we made the first statements in January this year. We updated the guidance in July, and we also consulted extensively with the mobile network operators on the requirements in relation to installation that I am announcing today.
I will make some progress. I may come back to the right hon. Gentleman later, but I have already given way to him twice.
I know that some Members are concerned that we have not named Huawei on the face of the Bill and that our approach could be reversed in years to come. I want to reassure those Members on a number of fronts. We have not chosen to name Huawei for two compelling practical reasons. First, as we discussed, this Bill is designed to tackle not only the Huaweis of today but the Huaweis of tomorrow, wherever they come from. It needs to be flexible enough to cover future threats and not tie our hands by limiting our response to one company and one company alone. Secondly—this is the most crucial point—making reference to any one company would create a hybrid Bill, dramatically slowing the passage of the Bill and therefore our ability to combat all high-risk vendors, including Huawei.
However, as a concrete sign of our commitment to tackling the national security risks posed by Huawei, I can confirm today that we are going further in two significant ways. First—I hope Members will have had a chance to see this—we have published an illustrative designation notice and an illustrative designated vendor direction to demonstrate how the Bill’s powers in relation to a high-risk vendor could be exercised. Given the level of concern in this House and in the other place about Huawei’s role in 5G infrastructure, these illustrative drafts name Huawei explicitly, clarifying our position beyond doubt, and set out a clear pathway to the reduction and removal of its equipment.
Does the Secretary of State believe that taking out companies such as Huawei may damage the economic impact, and what assessment has he made about making sure that we are at the forefront of growing 5G network in the UK?
My hon. Friend raises an important point. We are clear-eyed about putting national security first. If national security and economic interests are in conflict with each other, national security comes first. But within the context of that, we have properly weighed up the risks as between different dates. I believe that 2027 strikes the appropriate balance in that it can be delivered with impact, in the way that I described in my statement to the House in July—it will have an impact in terms of cost and roll-out for mobile network operators—but it does not run the risk that we go too far and too fast, whereby we risk some sort of blackout and loss of provision.
In addition to the draft directions, we are going a step further by using the illustrative directions to set out a new hard deadline for the installation of Huawei equipment. That direction makes it clear that all operators must not install Huawei equipment in their networks from the end of September 2021.
That clarification has clear practical implications. It will prevent any operator from stockpiling Huawei kit in the hope that the ban might be reversed. The new installation deadline will create cold hard facts on the ground, effectively turning the plan for Huawei’s removal into an irreversible reality.
The powers in the Bill also allow us to keep an eagle eye on the progress of Huawei’s removal. They enable us to require Ofcom to obtain information from companies to see whether a provider has complied, or is complying, and they allow us to require providers to prepare a plan setting out exactly how they intend to get to zero Huawei by 2027.
Using those powers, we will not just publish an annual report of compliance on the removal of Huawei equipment, but keep a close watch on the future progress of all telecoms companies where Huawei is concerned. Under this rigorous monitoring and reporting system, no provider will be able to drag their feet. They will need to provide proof that they are working to meet the 2027 deadline. But, critically, we can do this only if we secure these important powers—the powers that will enable us to take action in relation to Huawei to protect our networks, but also to take action against any other potential high-risk vendors now and in the future.
The right hon. Gentleman is wrong. This Bill is actually about security. The reason he is going to get the powers is to take out vendors who are a clear high risk. Huawei has been there for a while. The kit that he is talking about banning after 2021—even if it is stockpiled or part of a contract—has not got a security implication at all because it has already gone through our Huawei centre. So I am not sure that he has the powers in the Bill to do that. I am sorry, but if I were a telecoms provider and I had a contract or a stockpile of kit that I could not use, I would be looking at taking legal action against the Government, because he cannot use the Bill if that equipment is not a threat to national security, which it is not.
I say to the hon. Gentleman—[Interruption.] I beg his pardon. It is the right hon. Gentleman. I stand corrected. I say to the right hon. Gentleman that, first, this Bill and the measures in it implement what we announced as a Government in January and July, which, in turn, was based on the advice of the National Cyber Security Centre and GCHQ. In relation to whether I, or any Secretary of State, has sufficient powers in the Bill, I refer him to clause 16(2), which inserts new section 105Z8(4)(a) to (l) into the Communications Act 2003, which sets out a very wide range of bases on which I can designate a provider as high risk and take measures, so I am confident that I have those sufficient powers.
We must never find ourselves in this position again. Over the last few decades, countless countries across the world have become over-reliant on too few vendors, thanks to a lack of competition in the global telecoms supply chain. While this is a global problem, today this Government are officially leading the way in solving it. Alongside the Bill, we have published an ambitious diversification strategy—the first such strategy to be published anywhere in the world. It sets out our vision of what an open, competitive, diverse supply market for telecoms will look like, and the measures we will bring forward to develop an innovative and dynamic market.
We want to make progress as quickly as possible, so today I can also confirm that we are committing £250 million to kick-start this work. That includes funding and building a state-of-the-art national telecoms lab, which will bring together suppliers from across the world to test the performance and security of their equipment. We are also running a 5G open radio access network trial with the Japanese supplier NEC in Wales to help the entire UK benefit from this exciting new industry. That, of course, comes on top of NEC establishing a global open RAN centre of excellence in the UK just last month. We also know that Vodafone has recently announced that it intends to deploy open RAN technology across more than 2,600 of its sites—the largest commitment of its kind across any European network.
The Secretary of State is rightly focusing on open RAN and the opportunity to partner with others in the democratic and law-abiding world. What has he done to reach out to countries such as South Korea, whose Samsung system could provide for the UK, and to encourage Nokia, Ericsson and Fujitsu in Japan?
I am pleased to say that the Minister for Digital Infrastructure has met every one of the parties my hon. Friend named; indeed, I have met many of them. Essentially, we are working across three strands. First, we are working with the existing vendors—there were three, now to become two—to secure them and make sure we do not lose a further one. We are also working with new potential incumbents such as NEC and Samsung. In addition, we are working across a range of countries, in particular the D10, to ensure that we work together to improve standards in telecoms.
I am grateful to my right hon. Friend, who is being customarily generous in giving way, but can I just make a point to him and hear his answer? This situation has constantly been wrongly described as a market failure. It was not a market failure; the failure was in the reality of one country abusing and breaking World Trade Organisation rules on subsidies. The key problem has been that China has subsidised its providers dramatically, even over 100% on contract, which has killed this market over the last 10 years. Once we release the market by stopping that, the private sector will come back into this industry because competition will be real competition, not broken competition. That is the key point.
My right hon. Friend highlights one of a range of different market distortions that have been going on. To a certain extent, there will be some market correction, but the Government also need to intervene, and our diversification strategy addresses that. If we are to get existing vendors who are not currently in the UK market back in, or to create a new open RAN solution, we need to provide financial incentives, and the diversification strategy touches on many of the steps that we propose to take.
We are taking concrete steps towards a solution, but diversification is not just a problem to be solved. It is also an opportunity to be seized. As part of our strategy, we will invest in homegrown solutions that will put us at the forefront of developing 5G technology and all the transformative benefits it brings. The next phase of this work will be taken forward by the Telecoms Diversification Task Force, chaired by Lord Livingston, formerly of BT, and others. I am grateful for the work that he, industry and academic experts have done in developing the strategy and in taking it forward.
The Bill has not been designed around one company, one country or one threat. Its strength is that it creates an enduring, flexible and far-reaching telecoms regime, one that keeps pace with changing technology and changing threats, that supports billions of phone calls, email exchanges and file transfers in this country every day, and that is essential to the UK’s economy and its future prosperity.
I listened carefully to the concerns of Members on both sides of the House in designing the legislation, and I have sought to address those concerns head on in the Bill as it stands before the House. I genuinely hope that the Bill will command cross-party support and that we will be able to work together in the national interest to ensure the security of our telecoms networks. I commend the Bill to the House.
I thank all Members for a well-informed and important debate. We have heard across the House that all Members believe that this Government should be putting national security at the very top of our agenda. That is what we are doing tonight. We are also putting forward a strategy that will allow the UK to derive all the benefits that we possibly can from all the enhanced digital reliance that we have seen across the country over the course of this pandemic and, of course, before it.
We have all heard this evening just how much connectivity matters and just how much our national security matters. We heard upwards of 20 speeches, which clearly demonstrated the critical importance of the security of our telecoms networks, especially as we move into the next phase of digital connectivity. As the Secretary of State has said, this Bill will raise the security bar across the board. It will provide us with the capabilities that we need to protect ourselves from a range of threats, both now and in the future. I am pleased that the Bill has support across the House. It is clear that we are all keen to put the UK’s national security interests first.
I hope that Members are reassured that the Government are taking these issues seriously. A number of Members referred to the Huawei interest group. Much as I have enjoyed being the subject of the Huawei interest group’s interest, I am glad that we have come to a position that has been welcomed across the House. The Government have taken steps today both to lay out our diversification strategy—an important £250 million commitment that is detailed and has real potential to see British companies grow in the way that my right hon. Friend the Member for Vale of Glamorgan (Alun Cairns) identified—and to publish illustrative designations and directions demonstrating the transparency that many Members across the House have asked for. Through that, I think we have demonstrated our commitment to dealing with the risks to our networks and the national security threats that come from high-risk vendors.
I turn to some of the points that have been raised in the course of the debate. The first, which was raised across the House, is the important matter of human rights. We want respect for human rights to be at the centre of all business that takes place in this country. These are vital issues that go much wider than telecoms. A number of Members rightly pointed out that the Telecommunications (Security) Bill will be focused on matters related to telecommunications and security, but of course we have serious concerns about the human rights situation in Xinjiang, including the extrajudicial detention of over 1 million Uyghur Muslims and other minorities in political re-education camps, systematic restrictions on Uyghur culture and the practice of Islam, and extensive invasive surveillance targeting minorities.
Where China is not meeting its obligations under international law, the UK Government will continue to speak out publicly. Indeed, the 30 June formal statement that the UK read out on behalf of 28 countries at the UN Human Rights Council highlighted arbitrary detention, widespread surveillance and restrictions targeting ethnic minorities. The Government published their response to the consultation on transparency in supply chains in September, and we are committed to taking forward an ambitious package of changes to strengthen and future-proof the transparency provisions in the Modern Slavery Act 2015. While, as many have said, issues of human rights are not matters directly for this Bill, they are acutely important, and Britain will continue to take that leading role.
I hear what my hon. Friend says, but surely he would concede that, as this Bill deals specifically with vendors and the vendors are themselves located, originally, in countries that may have been guilty of these abuses of whatever nature, should those companies be found to be using slave labour—such as some that are already referenced in this Bill—that would be a reason not to have them. Would he not think that they were high-risk vendors for the very simple reason that they abused those human rights?
As I said earlier, we would want to apply those standards not just to telecoms companies but to the garment industry and in a host of other areas where we know that there is the potential for similar abuses. I absolutely hear what my right hon. Friend says, but Britain can do better than focus simply on the relatively narrow aspect of telecoms.
I hear what the Minister is saying, but I wish to follow up the point made by my right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith). If the debate on this Bill is not the place to discuss human rights, I get that, but we are also told that the debates on the National Security and Investment Bill are not the place to discuss human rights. I may get that as well, but the Government need to say where significant national interest concerns that are outside national security can be addressed. We talk the talk on human rights an awful lot in this country and this Parliament, but we have to put some trousers on that, I think.
I am not going to engage too heavily with my hon. Friend’s trousers, but I will say to him that, as I said a minute ago, we are committed to taking forward an ambitious package of changes to strengthen and future-proof the Modern Slavery Act 2015, and that is one of several significant avenues that are open to him.
On the important matter of diversification, the telecoms supply chain review asked how we can create sustainable diversity in our telecoms supply chain. That question is addressed by the new diversification strategy that we published today, which is crucial to ensuring that we are never again in a situation in which we are dependent on just a handful of vendors who supply the networks on which so many of us have come to depend. I wish to spend a little time on this issue. The Government have been working at pace to develop the 5G supply chain diversification strategy, which sets out a clear vision for a healthy, competitive and diverse supply market for telecoms and the set of principles that we want operators and suppliers to follow.
The strategy is built around three key strands: first, securing incumbents; secondly, attracting new suppliers; and thirdly, accelerating the development and adoption of open and interoperable technologies across the market. That is why, in the diversification strategy that we published today, we commit to exploring commercial incentives for new market entrants as we level the playing field; to setting out a road map to end the provision of older legacy technologies that create obstacles for new suppliers; and to investing in R&D to grow a vibrant and thriving telecoms ecosystem here in the UK.
I say gently to the hon. Member for Newcastle upon Tyne Central (Chi Onwurah) that we have directly addressed a number of the issues that she raised in Westminster Hall last week. I look forward to engaging with her more on the strategy because it is important that we should work together to try to make sure that we all derive the benefits of a serious £250 million Government commitment that will drive early progress and ensure that our 5G diversification strategy not only bolsters the resilience and security of our digital infrastructure but creates opportunities for competition, innovation and prosperity.
It is wonderful that the strategy has emerged, but will my hon. Friend be just as clear about legislative change associated with that strategy? I understand that a further Bill may come forward; given the urgency of this issue and the concentration that his Department is applying to the strategy, when can we expect that legislation?
We do not anticipate legislation as a direct result of the diversification strategy, but of course there are other important avenues to explore as part of the broader industrial strategy. A lot of what is in the diversification strategy does not need to be delayed by the legislative programme, and I think my right hon. Friend would welcome that.
A number of Members raised the role of Ofcom. Ofcom will monitor, assess and enforce compliance with the new telecoms security framework that will be established by the Bill. It will report on compliance to the Secretary of State alongside publishing the annual reports that he mentioned on the state of the telecoms security sector. I want to be absolutely clear: we have had productive conversations with Ofcom already. Ofcom will continue to have the resources it needs. We appreciate that those needs will be affected by the changes that we are bringing in today, and we will agree their precise nature with Ofcom. We will make sure that Ofcom has all the security clearance that it needs to do the job, and all the resources, external or otherwise, to do the job, because this is an important new power.
Ofcom may also play a role in gathering and providing information relevant to the Secretary of State’s assessment of a provider’s compliance with a designated vendor direction, and it may also be directed to gather further information to comply with the requirements specified in a direction. The Bill already enables Ofcom to require information from providers and, in some circumstances, to carry out inspection of the provider’s premises or to view relevant documents. Ofcom’s annual budget, as I say, will be adjusted to take account of the increased costs it will incur due to its enhanced security role.
Let me turn to a couple of issues raised by the hon. Member for Newcastle upon Tyne Central. We will of course be working with local authorities and with networks to minimise any disruption, but we do not anticipate that the decisions that we have made over the past few months will have a direct impact on existing commercial decisions. As the Secretary of State said, we do not expect the two to three-year delay to be extended by what we have said today, but we will keep in close contact with the networks and continue to make sure that we do everything we can to remove the barriers to the roll-out of the networks as far as we possibly can. I do, however, expect companies to do as much as they can to minimise the effects. These are commercial decisions that have been made by companies over a number of years. We have already seen, as a result of the Government’s approach over the past few months, significant changes to decisions. I welcome the neutrORAN project that my right hon. Friend the Member for Vale of Glamorgan mentioned, as well as a number of others that have been taken by networks that already see important changes to how they procure their networks.
The Minister has introduced the September 2021 date after which no new Huawei or high- risk vendor equipment can go into the networks. What will happen to those companies that perhaps have stock of Huawei equipment or entered into contracts thinking that they could implement them before September 2021 and will now have to be told that they cannot? Would they actually lose a lot of money?
Those decisions, as I said, were taken in the context of the environment that people were already well aware of, and they are taken at a degree of commercial risk. However, we have worked closely with the networks to ensure that there will be no additional delays as a result of this decision. I think it is the right thing that puts national security at the absolute heart of our programme, but it also does that in the context of not jeopardising the clear economic benefits and the clear practical benefits of improving connectivity across the country that we would all like to see.
On the emergency services network, we anticipate that these announcements concerning Huawei will have a very low impact on the emergency services network. We do not anticipate any impact on the programme schedules. There is some Huawei equipment in the EE part of the emergency services dedicated core network that EE is already working towards removing.
Let me cover one other aspect raised by the Chair of the Intelligence and Security Committee, my right hon. Friend the Member for New Forest East (Dr Lewis). I look forward—maybe that is not quite the right phrase—to appearing before the ISC in the next few days. We will always co-operate with it, and I am very happy to work with it on the best way to balance the obvious requirement between transparency and national security, although we would always seek to be as transparent as we possibly can be within those important bounds.
I did ask a few questions. If the Minister cannot answer them now, by all means he should write to me. However, I am concerned about a situation where, for example, a former leader of the Conservative party and former Prime Minister has a major role in the China belt and road funding operation. How secure will Government be against lobbying of people with that sort of connection and prominence?
I will simply say that the Government will always put our national security interests first, and of course we are always alive to the commercial interests of the companies that seek to engage with us in this matter or any other. I look forward to further engaging with my right hon. Friend and his Committee.
To conclude, this Bill does not simply produce a framework that will address one particular company or even one particular country. It sets up the futureproof regime that will allow us to deal with the company that we have spoken about so much this evening and also its successors in successor networks. The intention of this legislation is to persist well beyond the current challenges that we face. I am glad that it commands the support we have seen across the House. I am immensely grateful for what has been a genuinely well-informed debate and one that I look forward to carrying on in Committee. The Telecommunications (Security) Bill will create one of the toughest telecoms security regimes in the world. It will enable us to protect our national telecoms infrastructure, and it is also a chance for the UK to become the world leader in the development of new 5G technology that we all know we can be.
Question put and agreed to.
Bill accordingly read a Second time.
Telecommunications (Security) Bill (Programme)
Motion made, and Question put forthwith (Standing Order No. 83A(7)),
That the following provisions shall apply to the Telecommunications (Security) Bill:
Committal
(1) The Bill shall be committed to a Public Bill Committee.
Proceedings in Public Bill Committee
(2) Proceedings in the Public Bill Committee shall (so far as not previously concluded) be brought to a conclusion on Tuesday 19 January 2021.
(3) The Public Bill Committee shall have leave to sit twice on the first day on which it meets.
Proceedings on Consideration and up to and including Third Reading
(4) Proceedings on Consideration and any proceedings in legislative grand committee shall (so far as not previously concluded) be brought to a conclusion one hour before the moment of interruption on the day on which proceedings on Consideration are commenced.
(5) Proceedings on Third Reading shall (so far as not previously concluded) be brought to a conclusion at the moment of interruption on that day.
(6) Standing Order No. 83B (Programming committees) shall not apply to proceedings on Consideration and up to and including Third Reading.
Other proceedings
(7) Any other proceedings on the Bill may be programmed.—(David T. C. Davies.)
Question agreed to.
Telecommunications (Security) Bill (Money)
Queen’s recommendation signified.
Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),
That, for the purposes of any Act resulting from the Telecommunications (Security) Bill, it is expedient to authorise any increase attributable to the Act in the sums payable under any other Act out of money so provided.—(David T. C. Davies.)
Question agreed to.
Telecommunications (Security) Bill (Ways and Means)
Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),
That, for the purposes of any Act resulting from the Telecommunications (Security) Bill, it is expedient to authorise provision requiring public communications providers to pay certain costs incurred by the Office of Communications.—(David T. C. Davies.)
Question agreed to.
Telecommunications (Security) Bill (Carry-over)
Motion made, and Question put forthwith (Standing Order No. 80A(1)(a)),
That if, at the conclusion of this Session of Parliament, proceedings on the Telecommunications (Security) Bill have not been completed, they shall be resumed in the next Session.—(David T. C. Davies.)
Question agreed to.
(3 years, 9 months ago)
Public Bill CommitteesThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
Q
Derek McManus: Basically, we have not seen anything directly like the UK legislation, although various forms of it can be seen internationally. The second question was on standards. We operate in 23 countries, and as you can imagine, their standards are key to us. We hold a lot of expertise, from a Telefónica group point of view, that the UK team is able to rely on and work with to ensure that we are at the very edge of developing the right standard.
Andrea Donà: As the Government plan to take a lead in enhancing the minimum security requirements, and in diversifying their telecoms strategy, we as a global company are happy to support the standard setting, and to advise on the practical implementation of the additional security requirements.
Patrick Binchy: I refer to Derek’s answer. We have a very similar position with regard to the UK legislation: we have not seen quite the same in the other countries. On standards, we play an active role, and we have a number of UK staff who act actively in standards setting.
Q
Andrea Donà: We need the clarification that I mentioned of what is, and what is not, in scope, so that we have absolute clarity from the word go. We all work together to understand the profile of that implementation. It cannot be a big bang—everything complying from day one. We obviously need to do a detailed risk assessment of the areas that we need to work on immediately on the Bill’s coming into force, and of what can afford to be done at a secondary stage, based on the risk assessment and the risk management analysis of the various assets in our network.
Derek McManus: As I said in my opening remarks, collaboration to date on getting the Bill to this stage has been positive. We should continue that. My request is for flexibility to help us execute effectively, while balancing the other demands on the industry.
You have 30 seconds, I am afraid, Patrick Binchy.
Patrick Binchy: Again, very similarly, we have to balance good connectivity with security. We are confident that our plans will meet the needs, but we will continue to work with Government and security on how we achieve and deliver that. It will be challenging, but we are confident that we can do it.
Q
Alex Towers: I think they overlap and that is one of our questions about the drafting of the Bill. There is clearly a relationship between those two things, and the concern about the timeframes for the removal of Huawei, for example, has been partly about ensuring that we have operational resilience during what is going to be a very complicated engineering programme to take out all its kit without losing resilience, in the sense of outages and blackouts for customers. Some of the Bill’s provisions talk about outages, but there is a difference between outages for operational maintenance and updating of kit and outages because of a security issue or attack. It is going to be quite important to pull those threads apart a little bit.
Howard Watson: On the vendor point, to summarise the approach that we are taking, we stopped purchase at the end of December, we will stop deployment in September of this year, we get down to 35% by two years hence from the end of next week, and then we have it removed from the mobile network by December 2027. I think that timeframe works well for us with introducing effectively a third supplier into our mobile network in terms of that 2027 point. It certainly helps mitigate any future steps in terms of a two-to-one.
I would not bank on it taking a full eight years to have an open RAN opportunity. As we heard from Andrea, colleagues at Vodafone have already started deployment . The real challenge there is about being able to use open RAN in dense urban areas where the technology works at its hardest, shall we say.
On your final question about research, we are in the top five investors in R&D in the UK—we invest in excess of £500 million a year across both research and development. In fact, the only companies that research more than us in the UK are the pharmaceuticals. I have 280 researchers based in the BT labs at Adastral Park near Ipswich and they, plus a standards organisation —we also draw in from engineers across my organisation—remain really actively involved in the standards bodies. I welcome what colleagues from the other operators say and think it is really important that we maintain that as a UK presence and as a European presence to ensure that we are not lost in the middle of any risk of divergence between the US and eastern and Asian countries and China. I would implore us all to work hard to ensure that that does not happen.
Q
Howard Watson: Let me take the final part of that question first, Minister. We are very much aware that that is a deadline, not a target, but we welcome the fact that the deadline is 2027. I have given evidence previously and have talked with Government significantly about the real risks to the availability of service if we pull that date forward.
We have a lot of infrastructure. That deadline allows us to plan carefully how we can switch off a site, if we have to, to replace it and swap it out, so that the spike has overlapping coverage from adjacent sites. Were we to be required to bring those timescales forward, we would be talking about mobile blackouts in the UK, which clearly we all want to avoid, given the increasing dependence of UK citizens on networks. We have a plan that gets us to that. The 35% by 28 January 2023, just two years away, is a little bit more challenging, but we have a plan to get us there. The pandemic is making that challenging, but right now we are on track for that too. I think that answers the second question.
In answer to your first question, the ambition that we have, and what will become requirements across the TSRs, will put the UK ahead of the pack, in being a safe place for people to work and run businesses, secure in the knowledge that we have a high level of protection against cyber-threats. We welcome that, particularly in the environment in which we are now operating.
We have remaining questions—we raised some of those in our written evidence—about the sequence by which the requirements will be applied. We think it is critically important that there is a strong baseline level of compliance that applies to everybody who operates a network in the UK. We do not want to have entry points through weak links across our environment.
Alex Towers: A large majority of what is in the TSRs reflects current best practice and we are already complying with it. There are some places where there is a stretch for us to do more, which is good. The key point, I suppose, concerns Howard’s point about making sure that the baseline for all operators is higher and strong enough, given that these are inter-connected network, as you have already heard this morning. The whole edifice is only as strong as its weakest point. We are concerned about the idea that the code of practice might not apply to some operators, for example. That is the sort of detail that we will begin to see debated further as the Bill goes through.
(3 years, 9 months ago)
Public Bill CommitteesThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
Q
Hamish MacLeod: My meeting following this hearing is with the operators addressing that very point. This is something that we want to work extremely closely with the Government on. We are meeting officials next week to continue the conversation on doing things such as setting out the road map for what needs to be done R&D-wise to develop open RAN, what needs to be done from the point of view of the test programme, and what needs to be done on the standardisation road map. We will be taking a very close interest, both as individual operators and jointly.
Matthew Evans: To add to that, I echo that we have had excellent engagement with the Minister’s officials. It is about keeping the momentum up while working with the grain of industry and making sure that we are getting the incentives on the supply side, in the R&D and in the testing, and also in the demand side. That is all about making sure that we have the right commercial incentives for operators, but also that we have the right skills and, if necessary, reinforcing the operators on some of those points as well.
Q
Chris Jackson: We would not compete with Nokia and Ericsson in terms of standard RAN, but the whole idea is that we would look to bring open RAN technology. That is the direction that NEC is supporting. If you ask me whether we could step in today and provide that capability, we believe yes, we could.
Q
Chris Jackson: First of all, thank you very much indeed, Minister, for support in that particular trial. We believe that this is very important, because it has given us the opportunity to showcase 4G and 5G open RAN capability with multi vendors, and we are doing it in supporting the share of your network, which we know is an important KPI for the UK Government, in terms of increasing that capability across the UK. They want to ensure that the investment is targeted at areas within the UK—where the UK will receive the most benefit—and, more importantly, or as importantly, an opportunity for a trial that brings multiple companies together. So, although NEC is leading this particular trial, we are working with a number of other companies to bring this overall solution together. That is exactly what open RAN is trying to embrace, and that is the way forward. We would be delighted to work with Mavenir; we are already involved with Mavenir as well. That is not a hurdle or obstacle for us.
Stefano Cantarelli: There are several angles. The first one is the neutral hosting. I would like to draw attention to the fact that we have already done work with British Telecom, two years back, on neutral hosting, so that has now been talked about for a long time. Also, you might have noticed in the market that companies—the one that comes to mind is Vilicom—have been doing this type of thing, where they deploy Mavenir infrastructure to provide neutral hosting capabilities. So, we are fully supportive and believe that this kind of funding is particularly important.
We understand that that there is some interesting funding. We are in discussion with DCMS. We are discussing some projects that we believe will boost a lot of the innovation in this space. For example, we are trying to get funding for our R&D activities for open source software that could boost the availability of radio units. We say that the radio unit is hardware, but in reality there is of course a bit of software on top. This type of software, which is mainly interfaced towards the rest of the software and the control of the operation and maintenance activities, is not differentiated for each radio unit; it is just standard. By having an open source like that, you can fundamentally get the radio vendors to focus on their IPR for analogue development and being able to produce a radio unit with different frequencies, as Pardeep said before, which we believe could boost the market. That type of funding is particularly useful, because it is aimed at boosting the market and giving availability in the open RAN of these radio units.
I would also like to add that most of the frequencies that are used today in the UK are available in our view for open RAN, so I do not see that as a problem. But that type of investment is particularly important—in R&D—so the trial that you have funded in the first round of the 5G Create programmes is particularly useful to get learning and experience. As I said, in the SONIC, we are particularly active, although that is not a 5G Create programme but a different one. We believe that in the second round, you can focus on funding some R&D specifically to boost the ecosystem of the open RAN.
Q
Stefano Cantarelli: First, remember that, as John mentioned, we acquired ip.access, which is a British company that has been in hardware for some time, so there is still space for hardware as well. Software is definitely where the majority of the innovations are. That is particularly clear—Chris mentioned this—in the IT space, where they moved from generic servers. I want to reinstate that, with servers generically available everywhere. The whole thing has really flipped on to different software. That will definitely boost the ability of a lot of companies to bring innovation.
As we always repeat, competition means innovation, and innovation is the only way. Many years ago, I was part of Vodafone. I built the 3G network for Vodafone in the UK, and at that time I had only one supplier in my network—I will not say who. I introduced another one, and it was only then that the other suppliers started to be active. Some legacy suppliers—I would say most of them—start to sit down and lie back if they are the only one in the network, because there is no motivation. From my experience from all these 30 years, that component is so important.
Q
Stefano Cantarelli: Let me just address that initially before anyone else. We are a supplier in other places in the network, so they consider us a reliable supplier. We supply voice services, messaging services and everything else. You mentioned the initial deployment of open RAN by Vodafone this morning. That relates to us, because we are the supplier that it has deployed and is continuing to deploy. We are actually deploying sites for it.
I think that you have to look at two aspects when you are on an operator’s side. I am speaking from experience. It is not just about the technology; it is also about your processes and how you are able to move forward and change your mindset. I think that operators have a lot of complexity. We sympathise with them, of course—it is not an easy environment—but there are a couple of mindsets that they need to over-pass, if you let me use that word.
First, the world is changing. It is not hardware and software together; it is software and hardware disaggregated, and that of course requires some different capabilities. It is the same as when we passed from circuit voice to packet voice. Some people here may not get the example completely, but it is just a different point of view. That does not mean that it is more complex or whatever; it is just a different point of view, and you need to change. We know that change is not an easy thing. That is the first aspect that we need to take into consideration.
The second aspect is that, despite the technology that is available, you still need to consider the in-life service that you need to swap over. You have to consider that you did some planning or design based on certain principles that were available before, and you need to rethink how you are going to do that. For example, most of the 5G deployed today just uses additional frequencies on the existing sites that they have deployed with 4G, 3G and 2G. This is not what I consider full 5G, with all the characteristics of low latencies and so on. You need to start to think about the densification of sites. The Government can help a lot—with policies, by helping to define new capabilities, and by allowing the operators to change their architecture by enabling them to get more sites, and get permits more easily to build new sites.
These sites will not be like sites today; on these sites, there will be lot of carriers, a lot of technologies, and a lot of frequencies. As Pardeep said, a site today is probably just a radio unit that connects, through an internet connection—not necessarily just fibre—to a software data centre. These things are more important, and they are the reason why, although operators are in the middle of that transformation, it is taking a bit of time.
I am just going to go to the Minister; if there is time, I will come back. Minister.
Q
Julius Robson: I think it is important. What we are looking at in the 5G era is the application of mobile technologies for specialist industries, and it is entirely relevant that those industries have their own requirements for security and other requirements that apply on top of what is necessary in the basic mobile network. I do not think we need to duplicate that effort. Where we are using mobile in certain scenarios, the scenario should define the requirements. The base level of mobile connectivity should be something suitable, and affordable, for the consumers and the masses.
Dr Bennett: I am aware of the work you have been doing on security for the internet of things. I think it is complementary and extremely important. Everything should have security by design in it. It is very important to cover these types of points.
Q
I would have expected you to say, if I can put words in your mouth, that you would like the agility of the regulator’s ability to update those codes of practice, to be able to say to networks, “This is what secure looks like. If you are complying with these kinds of codes of practice, then we will be able to understand that you are meeting the requirement.” You seem to actually be saying that you want greater rigidity. I am interested to understand whether you would like the codes of practice to have the flexibility offered by the writing from the regulator or whether you would like to see them on the face of the Bill.
Dr Bennett: I think we actually want both. There should be mention in the Bill of some of the ones that I think are key, so that people realise that there is going to be a code of practice on that they should follow. It is very important to be able to be agile and to get early information, from something like a technology reference panel, about things that are coming along, in order that you think about them before they get attached to the network. Trying to do it after you have attached something to the network is frankly a nightmare, so you need to be anticipating. It is not clear that there are mechanisms for that anticipation in the Bill.
Given the SolarWinds Orion hacking, which is a recent example of something that will take a long time to sort out and is precisely what you do not want to happen in the future, it would be sensible to get someone like NCSC to test whether the things in the Bill, and things that should be in the Bill, would have enabled the mitigation of that problem to happen faster than it has. The Bill ought to be doing something like what the Americans are doing in response to that now. The Government should consider a rapid response, co-ordinated unit to deal with similar incidents in the future, because they will happen. That is the kind of thing that ought to be in the Bill to say, “This is how we are going to be able to mitigate these problems when they happen, as quickly and sensibly as possible.”
Q
Dr Bennett: Yes, and anticipating things as early as possible.
Chi, we have time for another quick question. I think you had a point that you wanted to come back to.
I am going to interrupt you. I am sorry, but I want to let the Minister get a last question in. My apologies.
Q
Dr Steedman: Thank you, Minister. I might suggest that this is very much a matter of horses for courses. There is a range of organisations. I mentioned the ORAN-ALLIANCE; that is clearly one. We know, obviously, about 3GPP and the role of ETSI and 3GPP; that is another. And there may be roles for the formal bodies. We need to discuss the ITU-T, the UK participation in ITU-T and how we can strengthen that. With respect, this is an area that we need to work further on; and in the diversification taskforce, we are talking about the detail of that and how we might approach it from a United Kingdom perspective.
I am optimistic that the initiatives that have been taken today with the diversification taskforce, under Lord Livingston’s leadership, are going to produce for you really quite powerful ideas and initiatives to be taken forward in the years ahead. This is possibly the first time that the UK has really co-ordinated its input in this way to try to achieve some industry transformation and behavioural change.
The other areas I have mentioned, Minister, that are really important are in the area of procurement. This is not just about the technical standards; it is also about the way standards are used in the supply chain to stimulate behaviours and to enable SMEs to participate, rather than our just being locked into large-scale providers. I am very keen that we should comment on and discuss that, and those standards are not in the technical environment; they tend to be more in the business environment, where the UK has a very strong position already in global business standards. So there is another tool in our tool shed, to be used when we come to looking at shaping the market. I am looking forward to discussing that further with you in the taskforce.
Q
Charles Parton: I cannot possibly deal with this in one minute. Obviously, telecoms is a very crucial—an increasingly crucial—part of critical national infrastructure, so they are very closely linked. It goes back to what I was saying earlier. There is this question of where in the science and technology field and our research and development we allow ourselves to co-operate with China, given that its attitude is one, I think, that is really quite risky. So, when the DCMS talks about the extremely fine idea of setting up a national telecoms laboratory, I do hope that, in setting it up—it talks about co-operating widely internationally—it takes that sort of thing into account, too. I think that there will have to be great restrictions there.
This might be another example. I am well out of my field here, but we have designated high-risk and non-high-risk vendors, but what happens if some of the Chinese—they do not have to be Chinese—higher-risk vendors try to sneak under the wire by purchasing or using proxies? Again, I think that needs to be considered.
I am afraid that brings the time for this witness session to a close. I think that we could all have done with a bit longer with both of you gentlemen, but thank you very much for your evidence. We are extremely grateful to you. That brings the formal part of the proceedings to a close.
Ordered, That further consideration be now adjourned. —(Maria Caulfield.)
(3 years, 9 months ago)
Public Bill CommitteesThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
I agree. The issue with both Ericsson and Nokia is that they will have Chinese components in their hardware. This is an incredibly complex situation, as my hon. Friend said: we are talking about not just one piece of kit that most of us have in our pockets, but hundreds of thousands of components, pieces of software and other things. What I am trying to put on the record, and what I want the Minister to respond to, is the question of how we get an understanding of any risks that are involved in that, and how the regulator and the Government are going to look at ways in which national security could be compromised, not by the main company being owned by a Chinese state entity, a Russian state entity or any actor that we feel is a threat to us, but by a key component.
I have not yet really understood how the regulator will look at that issue further down the supply chain, and whether it will ask a supplier of kit to the telecoms network, “What is the level of threshold or security that you need?” That is hard enough with hardware, but with open RAN and software—we are talking about bits of code—it is going to be incredibly difficult. One of the issues is around vulnerabilities, and various things have been said about the vulnerability that Huawei poses to our telecoms network. However, I suggest people read the Huawei assessment centre’s annual reports—I am rather sad, because I read such documents. One thing sticks out every single year, and it is not that the Chinese are doing anything nefarious. The reports are highly critical of Huawei for its shoddy workmanship and engineering, but that type of shoddy engineering and a lack of attention to security will lead to security concerns in our telecoms network.
Amendment 7 is designed to tease out from the Government their thinking about the supply chain. We do not want to be over-burdensome on it, because we want to get innovation in the supply chain. We do not want to suddenly give researchers and other people in the supply chain huge regulatory hurdles to jump over, because that would stifle the development that we are looking for. It is about how individual components and the overview of the supply chain will be regulated. I have tabled a later amendment about Ofcom, but again it comes back to the point I made yesterday about the National Security and Infrastructure Bill. What has to be at the heart of it all, every single time, is not to stifle innovation and prosperity, but what has to come first every time is national security.
As I say, amendment 7 is a probing amendment, and I want to understand where the Government are at in terms of the supply chain, the security they feel they need over the supply chain and, more importantly, the visibility of the supply chain.
It is a pleasure to serve under your chairmanship, Mr Hollobone. I echo the thanks of the hon. Member for Newcastle upon Tyne Central to you and the House staff for facilitating this Public Bill Committee. I also echo her praise for the temperature of the room and especially her commitment to crack on and not fill it with further hot air. That is to be welcomed.
Like the hon. Lady, I will briefly talk about the broader context of the Bill before I directly address this group of amendments. As we all know, security should be the first priority for any Government, and the Bill demonstrates this Government’s commitment to securing the UK’s telecoms networks.
Clauses 1 to 14 raise the bar for security across the whole telecoms sector, and the subsequent clauses—15 to 23— provide the mechanism for the Secretary of State to manage the role of high-risk vendors. The part that telecoms plays in our security is undeniable and has become even more evident in the midst of this global pandemic. At present, the internet provides absolutely everything for workplaces, schools, families and friends, and the Government are committed to improving that through our gigabit programme. New technologies have the potential to be transformative, but they have the opportunity to reach their full potential only if they are secure, and the Bill will ensure that.
Before I explain the Government’s response to amendments 7 and 8, it is necessary to explain briefly how they would interact with clause 1. New section 105A in clause 1 places a duty on providers to take “appropriate and proportionate” measures. Those measures oblige providers to identify and reduce the risks of security compromises and require them to prepare appropriately for those risks. New section 105A also addresses the interaction between the duty and the national security and law enforcement activity, such that these activities are appropriately excluded from the definition of a security compromise. I will return to new section 105A later—I know that will excite the Committee.
Alongside the overarching security duty in new section 105A, new section 105B gives the Secretary of State the powers to make regulations that impose duties to take specific security measures. Clause 1 creates a duty for providers to take “appropriate and proportionate” measures to protect their networks and services from security compromises. “Security compromise” is then defined in new section 105A.
I would, and this is really a probing amendment to get an understanding of what the Government think, but may I ask the Minister a direct question about the national security bodies—GCHQ and others? If they came across a component or something that a supplier was producing that raised concerns, how would their concerns be translated into saying that a red warning should be put on a certain component in a supply chain?
I simply say that, as the right hon. Gentleman knows, the NCSC and others already work very closely with the networks. What he seems to be talking about, in some ways, is a very day-to-day way of talking about security concerns. That happens a lot already, and what the codes of practice and other documents will do is set up the framework by which that is formalised. As he knows, that process of very quick action being taken as soon as something is spotted, both by the networks themselves and by our agencies, is already well established, and the Bill gives considerably greater force to it.
As the right hon. Gentleman knows, the Bill is aimed at ensuring that providers take responsibility for the security of their networks and services in a way that has not happened, in legislative terms, in the past, and it then provides the Government with the powers that we need to enforce that. In so far as any supply chain components give rise to risks to the security of a network or service, new section 105A already requires providers to take appropriate action and proportionate measures to identify those risks. I appreciate that this is a probing amendment, but in a sense what the right hon. Gentleman is seeking to do through it is already there, and it will be enforced in the documents, such as the code of practice, that I have mentioned.
Furthermore, the addition of the presence of a supply chain component as a security compromise would not be consistent with the security framework’s definition of a security compromise, but I do not think that we need to get into too much detail about that in the context of a probing amendment. The concept of a security compromise is used in other provisions in the Bill, and it is important that we are consistent.
More fundamentally, the right hon. Gentleman’s amendment would put the onus on providers, rather than the Government, to determine a national security risk, but, as he implied, it is absolutely down to the NCSC and, ultimately, the Government and agencies to make that definition. Placing the responsibility for determining what does and does not constitute a threat to national security on the shoulders of all individual providers is not the right thing to do, and I think, to be fair, the right hon. Gentleman is not really suggesting that it is, either.
I thank the Minister for the way in which he is addressing these important proposals. I think that his concern is that this amendment would put the responsibility on the providers rather than the National Cyber Security Centre, and I understand that, but can he say a little about the following matter, because it is the providers that know their networks? The National Cyber Security Centre is excellent, and we have huge admiration for it, but in terms of the supply chains, changes to the supply chain and new components evolving, how does he envisage that, day to day, working effectively without an amendment of this kind to put this requirement on the providers?
As I have said, new section 105A partly provides the legal basis that the right hon. Gentleman seeks, but in practice no one is suggesting—the Secretary of State talked about this on the Floor of the House—that it is solely the name on the box of a piece of kit that defines international security status. We are not naive to the possibility of the supply chain being another vector of attack. That would be reflected in codes of practice and elsewhere around the legislation.
Public telecoms providers can and should consider the security of the resilience of their networks and services throughout the supply chain in a sensible and proportionate way. National security considerations are inevitably much broader than the issues that can be addressed solely by private companies. I think that is reflected in the distinction drawn up in this Bill.
The amendment would have implications for Ofcom’s monitoring and enforcement of providers’ compliance. The Bill includes provisions for Ofcom to collect information on behalf of the Secretary of State in narrow and specific areas related to national security, but this amendment would require Ofcom more actively to take some of the compliance judgments. In the evidence session the right hon. Gentleman was keen to see that it was not asked to make those judgments.
Clearly NCSC does a tremendous job in terms of education of members of the public and companies —as the Minister outlined, that is a key part of its role. Does he see, therefore, a role for Ofcom as part of that, in terms of ensuring that the supply chain and operators are aware of their responsibility not only under the Bill, but to ask the right questions about supply chains from what might be deemed as high-risk vendors?
In so far as codes of practice will be published by Ofcom, the answer to the right hon. Gentleman’s question is yes. The more nuanced answer is that it is a co-production between Ofcom, the Government, NCSC and others.
To conclude, the Government are immensely sympathetic to the issues that the right hon. Gentleman and the hon. Lady seek to probe, but we take the view that this amendment would do something that is, ultimately, already covered in the Bill. I hope that, in that spirit, she will withdraw the amendment.
I thank the Minister for his response. I am concerned that there is not greater clarity on the role of the supply chain components and the supply chain more generally. We will come to that in further amendments. Given where we are and how we got here, we must take a forward-looking approach to future risks and vectors for risks. This amendment is important in probing that, but I do not seek to put it to a vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I will not detain the Committee long, given that my right hon. Friend the Member for North Durham made such excellent points. I will add one point of consideration, which again, his modesty may have forbidden him from making.
The amendment goes to the heart of our concerns about the scrutiny of the provisions in the Bill. I say again for the record that we support the wide-ranging powers that the Bill gives the Secretary of State, but those powers must come with appropriate scrutiny, not because scrutiny is a “nice to have” or, as my right hon. Friend said, because the ISC needs further work, but because scrutiny of the provisions is essential to the good working of the legislation in practice.
Considering specifically the impact of the requirement to remove Huawei at this stage in our 5G roll-out—the economic impact, the cost to the providers and the cost to our economy—we recognise that it is the right thing to do, but we must also recognise the cost of doing it. Back in 2013, the ISC was one of the first parliamentary organisations to raise the issues around Huawei. I truly urge the Minister to accept this constructive amendment to support the appropriate provision of scrutiny.
My other point is more about the working of the clause, which gives the Secretary of State the power to make regulations that require providers to take specified security measures. As we know, the telecoms security framework and telecoms security requirement, to which all providers must adhere, will be set out in delegated legislation. In his response, will the Minister give us some idea of why the Secretary of State might need to set out additional specified requirements that are not in the draft of the TSR that he has published? Is the intention of the clause to enable him to set out additional specified requirements, or is it to enable him to highlight particular specified requirements that he does not think the providers are meeting quickly enough? In either case, does that not suggest that there are particular security concerns, either about providers or about the circumstances, that require these specific security measures? To come back to my first point, does that not highlight for those concerns to receive parliamentary scrutiny, with the appropriate clearance, which is to say that of the Intelligence and Security Committee?
I start by acknowledging the incredibly important work that the ISC does. Its role in overseeing the work of the UK intelligence community is vital to maintaining public trust, as the right hon. Member for North Durham described, and its members make important contributions to public debates on national security matters of all kinds. The right hon. Gentleman has done that for a number of years. Because he is a member of the ISC, he will know that I have proactively engaged with it on the substance of the Bill. I did so enthusiastically—if any Minister can ever regard a Select Committee appearance enthusiastically—and in recognition of the interest that I knew that Committee would have in the Bill. I will be writing again to the ISC on a number of matters raised in the Bill, and I have instructed officials from my Department to continue to engage with the ISC as the Bill proceeds through Parliament, building on the work that it has already done and on the transparency that we have already demonstrated by publishing the draft of the security framework regulations on 13 January, copies of which have been provided to the members of the ISC and a number of other interested Committees. I hope that all that demonstrates the Department’s commitment to working constructively with the ISC, despite the fact that, as the right hon. Gentleman said, DDCMS does not normally fall within the ISC’s formal remit.
It is none the less important to acknowledge that the ISC is not the only legitimate avenue to scrutinise this framework. We fully intend to make use of all the appropriate parliamentary procedures.
The regulations and the explanatory memorandum accompanying them will all be there for the ISC to scrutinise. There is also further guidance to providers in connection with the measures specified in the regulations that can be provided in the code of practice, which must be published, with a copy laid before Parliament. Also, beyond the usual arrangements for secondary legislation, new section 105Z of the Communications Act 2003 provides for Ofcom to produce security reports. Clause 11 of the Bill enables those reports to be published by the Secretary of State, and clause 13 provides for a review of the effectiveness of the framework, including any regulations, after five years.
It is in that context that I point to the enthusiasm with which we have engaged with the ISC. We will continue to do so and ultimately—this is perhaps the reason why the right hon. Gentleman described this process as an ongoing campaign, rather than something that we should address piecemeal—the ISC is clearly defined in the Justice and Security Act 2013. I do not think it would be right to address the memorandum of understanding that he referred during our consideration of the Bill. We should not go at it in piecemeal fashion. The role of the ISC as set out in that MOU is to oversee the work of the security agencies, to provide oversight of certain intelligence or security matters within Government. Ultimately, if the right hon. Gentleman wants to change the MOU, that is a broader issue for him to take up. I note that he is not the only Member of this House to have made that point, but it is not my place to take a view on the role of the ISC; that should be for the ISC itself.
I am confident that we will continue to engage with the ISC; I personally will certainly do so. I know that the DCMS Committee will continue to take an interest, and I will simply say that we will co-operate as fully as possible. I will set out more in the letter I mentioned, and I look forward to the future salvos in the right hon. Gentleman’s campaign.
I make no criticism of the Minister, because he has been very proactive, as has his Secretary of State. The problem is this: we have two pieces of legislation going through Parliament. We do not have security Bills very often in this place, and now we have two in a very short period of time. Both make eminent sense and I support them, but this is not something that comes up regularly.
In terms of the Minister’s co-operation, I have no complaints about the way he has operated, but he is not going to be there forever and neither is his Secretary of State, so we need to put in place something that will weather the passage of time, and create an arrangement whereby it will be seen that Parliament is scrutinising these measures. I do not know why the Government—I am sure it is not the Minister, or even his Secretary of State—are resisting this. Frankly, I am not really bothered whether it goes on the face of the Bill or in the MOU, but the Justice and Security Act 2013 is very clear that as a Committee, the ISC has the ability to look at this.
I accept that it would be wrong to get into issues around this Bill that are quite rightly, as the Minister said, for the relevant Select Committee—the Committee on Digital, Culture, Media and Sport—to deal with. We would never do that, so I will withdraw this probing amendment, but we will come back to this issue. I am not usually a betting man, but I suspect that by the time this Bill and the other Bill go through, we will have got to where both I and the Minister—I think, privately—think we should be. I therefore ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
(3 years, 9 months ago)
Public Bill CommitteesThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My hon. Friend makes the point precisely: the way in which telecoms have developed in this country has been piecemeal, only developing now into the four main operators. I hope we will try to get others into the market.
We are to blame for that, as consumers, because we have demanded ever lower prices for our mobile services. Does that suggest that the operators have taken shortcuts? No, I am not suggesting that, but consumer preferences have driven down price, and therefore the costs of what those operators provide in delivering the services that we all take for granted. Let us be honest: the Chinese saw the opening door for Huawei—that is why they bought into and flooded the market, putting Government loans behind it. Can we blame the operators for saying, “Well, actually, this is a good deal—we can get good deals”? But they cannot.
I am interested to know from the Minister how, looking forward, we are going to do that. I accept that something will be done under the regulations that the Government will put out, but how will we look backwards as well? As my hon. Friend the Member for Newcastle upon Tyne Central said, there is a lot of legacy equipment there, and it is important for Ofcom to have a clear understanding of what is in the networks.
It is a pleasure to serve under your chairmanship, Mr McCabe.
We are redefining UK telecoms security, but I worry that we are also redefining the aspiration of the hon. Member for Newcastle upon Tyne Central to crack on, so I will try to be brief. The good news that I can deliver, briefly, is how the aspirations of both the hon. Lady and the right hon. Member for North Durham are met in the legislation, and how we envisage those aspirations’ being implemented.As the Committee is aware, the Government have published an early draft of the security regulations. Certain draft requirements are relevant to the aims that we have talked about today. If hon. Members look at regulation 3(3)(a), with which they will be familiar if they are insomniacs, they will see a duty for network providers
“to identify, record and reduce the risks of security compromises to which the entire network and each particular function… of the network may be exposed”.
That is already there and key to the issues that hon. Members have been talking about.
I had looked at those requirements. I appreciate that they are drafts, but they talk about identifying issues. They do not say “audit”.
I think this would be impossible to identify without carrying out some kind of audit. There is a danger of a semantic argument, but I understand the point the hon. Lady is making. We want people to be in the position to make the kind of identifications that we are requiring. I do not see how they could do that without the records to which she refers, in terms of both the existing kit and future kit that they might put into their network.
This is an important point. The criticism that I will articulate later is that too much of the Bill is based on an assumption that the players in the sector will automatically do the right thing. For example, there is an assumption of a dialogue between Ofcom and the major players. Will the Minister think about whether he is satisfied that an assumption goes far enough in something as important as this?
The regulation that I cited is an example of the Government not relying on assumptions. It is an example of us publishing, in advance, exactly the sort of material that demonstrates that this is not assumptions, and that it is there in black and white. That is an important distinction and it demonstrates the cross-party consensus that we have had thus far. We continue to be on the same page in terms of the level of detail required.
The evidence sessions with industry demonstrated that national providers already maintain some asset registers. Witnesses were clear that those registers are maintained and updated as technologies are updated. That is an important part of the existing landscape, but our regulations will ensure this kind of best practice is extended across public telecoms providers.
In addition, the Bill contains measures with regard to the use of particular vendors’ equipment. Inspection notices under clause 19 enable Ofcom to carry out surveys of a specific network or service where Ofcom receives a monitoring direction from the Secretary of State to gather information on a provider’s compliance with a designated vendor direction. Alongside that, clause 23 enables the Secretary of State to require the provision of information about the use of goods, services or facilities supplied, provided or made available by a particular person. That could be used to require information about a provider’s use of a particular vendor’s equipment.
Taken together, the issues that have been raised are not only entirely legitimate, in the view of the Government, but are addressed in black and white already, both in the Bill itself and in the drafts that we have published. We are ensuring that “hardware of interest,” whatever that might be, is subject to proper oversight and monitoring. That objective does not need the approach that might come as a consequence of this amendment, because it is already there. For that reason, I welcome the probing nature of the amendment. I hope that my answer has satisfied some of the concerns, and I look forward to doing so further in future answers.
It is a pleasure to serve under your chairmanship, Mr McCabe, and I thank the Minister for his comments. I also thank my right hon. Friend the Member for North Durham and my hon. Friend the Member for City of Chester for their comments. This amendment is probing, so we will not push it to a Division. I would like to say two things to the Minister. Although it is true that the providers were confident that they had an asset anywhere their equipment was, other experts who gave testimony in the evidence sessions were not. My experience of networks is that there are multiple systems and this information is not easily accessible or searchable.
I am reassured by the Minister saying that his view is that these requirements could not be met without there having been some kind of audit, to have that information ready. I ask him to write to me, if possible, stating which provisions in the requirements set that out. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
It is good to reach this landmark point. I do not propose to go over all the ground we have covered, because we have already covered a large chunk of this in discussing the amendments.
As I mentioned, proposed new section 105A means that telecoms providers will need to take appropriate action to ensure adequate security standards and limit the damage caused by any breaches. To support that duty, the proposed new section will create a new definition of “security compromise”. The definition is purposely broad. It includes anything that compromises the availability, performance or functionality of a network or service, or that compromises the confidentiality of the signals conveyed by it. That addresses some of the points made by the right hon. Member for North Durham a moment ago. This is a comprehensive approach that will help to ensure providers protect their networks and services properly in the future.
Earlier, I mentioned law enforcement and national security. This part of the Bill excludes certain conduct that is required or authorised under national security legislation or for law enforcement from the definition of “security compromise” in subsections (3) and (4). Those subsections also clarify the fact that, for example, disruption of the use of unauthorised mobile phones in prisons would not be a security compromise.
Proposed new section 105B will give powers to the Secretary of State to make regulations imposing duties to take specific security measures. The power will enable more detailed requirements to be imposed on providers, further to the overarching duty set out in proposed new section 105A(1). This will give greater clarity to providers about the measures that they must take. It will also allow the legal framework to be adapted as new threats arise and technology changes.
These security requirements deliver on our commitment in the telecoms supply chain review to place targeted, actionable and proportionate requirements on a statutory footing. Taken together, the new overarching security duty and requirements will, in secondary legislation, make clear what the Government expect of public telecoms providers. The provisions in the clause are crucial for improving the security of our telecoms infrastructure.
As the Minister says, reaching the end of consideration of clause 1 is a landmark. We are cracking on at a slower pace than anticipated, but it is important that we have rehearsed a number of the arguments that you will hear, Mr McCabe, throughout our detailed scrutiny of the Bill.
Those arguments relate to our concerns with regard to national security, which Labour prioritises, yet we do not see that priority recognised consistently in the Bill; the effective plan to diversify supply chains on which it depends, but which it does not mention; and the scrutiny of the sweeping powers that the Bill will give to the Secretary of State and Ofcom. Those issues all arise in the clause, although we welcome the Bill and the increased duties. Will the Minister clarify the relationship between proposed new section 105A and proposed new section 105B? If he cannot do so now, perhaps he will write to me.
I am happy to write to the hon. Lady on the matter she has discussed. We anticipate draft directions in due course that will be network specific, because each network is different, but the overall tenor will be in the same direction. This is probably a matter that we can talk about outside the Committee in a bit more detail to make sure she gets the answers she wants.
Question put and agreed to.
Clause 1 accordingly ordered to stand part of the Bill.
Clause 2
Duty to take measures in response to security compromises
Question proposed, That the clause stand part of the Bill.
We are one thirtieth of the way there. The clause will place a duty on providers to take measures in response to security compromises through proposed new section 105C. When managing security, providers should seek to reduce the risk of security compromises occurring under their duty in proposed new section 105A. As security threats and attacks evolve, it will never be possible for providers to reduce that risk to zero. Therefore, should a security compromise occur, it is crucial that providers take swift and effective action to mitigate its effects. Taking action quickly will also help to mitigate the risk of any further incidents.
Mirroring the approach taken in clause 1, the new duty in proposed new section 105C is overarching and sets out a general duty on providers. It is supported by proposed new section 105D, which will provide the Secretary of State with powers to make regulations requiring providers to take specific measures in response to security compromises of a description specified in regulations. Although it will clearly not be possible to anticipate every security compromise that might occur and to set out how providers should respond, this will enable more detailed provision to be made in appropriate cases. Measures can be specified in the regulations only where the Secretary of State considers those measures appropriate and proportionate.
In practice, the first set of requirements will be contained in a single set of regulations made under the powers of proposed new sections 105B and 105D. A draft of the regulations has already been made available to members of the Committee, and published on gov.uk. Regulations made using this power will give providers clarity about the measures that they need to take, and having those measures set out in secondary legislation has the benefit of allowing the regulations to be reviewed as technology and security threats change over time.
In summary, this duty on providers is an integral part of the new framework, which will ensure providers take control of the security of their networks and services at a time when the UK stands on the cusp of a 5G and full fibre revolution. We must keep those technologies secure to enjoy their full benefit, and the clause is essential to doing that.
We are cracking on: clause 2 is taking but a few minutes. The Opposition recognise the critical importance of our network providers taking responsibility for the security of their networks, and that there can never be a zero-risk network. Given that network communications are ever present in almost every aspect of our life and of our nation’s economy and security, it is right and appropriate that the Bill should put requirements in place, both on the operators and in response to specific security compromises.
I should like to have better understood how we would expect network operators to respond to a compromise such as the SolarWinds one, for example, but I expect that the clause will at least place the right duties on network operators, and I am content that it should stand part of the Bill.
Question put and agreed to.
Clause 2 accordingly ordered to stand part of the Bill.
I rise to support my right hon. Friend’s excellent comments and to add a couple of points on amendment 10, which would require the Secretary of State to consult the National Cyber Security Centre before issuing a code of practice about security matters. My right hon. Friend spoke ably about the amendment’s intent to ensure security input on national security measures. That sounds basic, so I hope the Minister will explain why he feels it is unnecessary to make that explicit in the Bill. My right hon. Friend suggested that perhaps it should go without saying, but as we heard in the evidence sessions and have already discussed, the evolving security landscape and the change that the Bill represents, through the new powers for the Secretary of State and Ofcom, make it particularly important to set that out expressly.
The Bill looks at many issues to ensure the security of our networks from supply chains to requirements on network providers as well as raising technical issues, and Ofcom will need to do a lot specifically, so it is important to have a specific reference to the security function of the National Cyber Security Centre.
It came across clearly in the evidence sessions that Ofcom will not be making national security judgments. Lindsey Fussell said:
“It is important to say that, across the scope of the whole Bill, it is not Ofcom’s role to make national security judgments. That is really important. Clearly, that is the Government’s and the Secretary of State’s role, taking advice from the NCSC and the intelligence agencies.”—[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 89, Q113.]
In introducing the code of practice, it is essential to ensure that security input and expertise. I do not see why the Minister would object to including such a requirement in the Bill. Unfortunately, we are not always as joined up as we would like to be. There are numerous examples of issues that could have been prevented, had agencies of Government done what might have been expected of them and talked to teach other. As the Bill involves network operations and deep technical and security issues, a requirement to consult the NCSC is particularly important, and that is what the amendment would achieve.
I apologise in advance, having said that we should crack on, for detaining the Committee for a few minutes on this group of amendments. They relate to clauses 3 and 4, which deal with the codes of practice for security measures and informing others of security compromises. Ultimately, the new telecoms framework comprises three layers. There are strengthened overarching security duties set out in the Bill, there are specific security requirements in secondary legislation, and there are detailed technical security measures in codes of practice. Clause 3 deals with the final layer of the new security framework. Specifically, it provides the Secretary of State with the power to issue and revise the codes of practice and sets out the legal effects of any published codes of practice.
Clause 4 addresses what would happen should there be a security compromise. It puts in place a process for users to be informed of significant risks of a security compromise. The clause also places a duty on public telecoms providers to inform Ofcom of any security compromises with significant impacts, and it creates the power for Ofcom to inform other persons in turn, including users.
I turn now to amendment 5, which seeks to ensure that the NCSC is also informed of security compromises. From a drafting point of view, the NCSC is part of GCHQ, and I take the amendment to refer to GCHQ in that sense. Within the new telecoms framework, the Department for Digital, Culture, Media, and Sport will set the policy direction, Ofcom will regulate and the NCSC will provide technical and security advice. As the UK is an world-leading national authority on cyber-security, we expect the NSCS to share its expertise with Ofcom in order to support the implementation of a new telecoms security framework.
For that reason, the Government absolutely agree that it is crucial that the NCSC receives information about telecoms providers’ security. That is why such information-sharing provisions already exist. Under section 19 of the Counter-Terrorism Act 2008, Ofcom or the Secretary of State is able to share with the NCSC any information that would support the NCSC in carrying out its functions. That would of course include the passing on of details of security incidents. Under new section 105L of the Communications Act 2003, which this Bill inserts, Ofcom must report all serious security incidents to the Secretary and State and can pass on information about less serious incidents as well. On receiving such information, the Secretary of State can then share the information with the NCSC, as I have set out. Although these probing amendments are well-intentioned, it is obvious that the provisions are already there.
I thank the Minister for his response to the amendments. He is focusing on the fact that it is possible for information to be shared, but it is not required. I understand that the Bill as drafted, and preceding best practice, means that it is possible for information to be shared. My concern is that it is not required.
I understand the hon. Lady’s point, and I will come to something that I think will address it in a moment. Before I do, I will speak to amendments 6 and 10, as they would be functionally identical amendments to new section 105F in clause 3.
New section 105F sets out the process for issuing a code of practice. It requires a statutory consultation on a draft code of practice with the providers to whom the code would apply, Ofcom and other persons such as the Secretary of State considers appropriate. The amendments would apply an additional requirement to formally consult the NCSC when publishing a draft code of practice. I can reassure the Committee that we will continue to work closely with technical experts at the NCSC, as we have done over a number of years.
The telecoms supply chain review demonstrated the Department’s capability to work with our intelligence and security experts to produce sound recommendations, backed by the extensive and detailed security analysis that I know Members of all parties would like to see. That initiated the next phase of the collaborative work that culminated in the introduction of the Bill, and the codes of practice continue that theme. The purpose of such codes is to provide technical security guidance on the detailed measures that certain public telecoms providers should take to meet their legal obligations.
We have already been clear that NCSC guidance will form the basis of an initial DCMS-issued code of practice. The NCSC has already developed a set of technical measures that is in the process of being tested with the industry, and those technical measures have been refined and improved over the last two years. The NCSC will continue to update the measures to reflect any changes in the landscape of threats, as the right hon. Member for North Durham described, and the relationship between the work of the DCMS and that of the NCSC means that such changes would be reflected in the code of practice. Alongside the DCMS and Ofcom, the NCSC will play a key role in advising public telecoms providers on how to implement detailed codes of practice.
I agree with the Minister, in the sense that I think he and the Secretary of State at the DCMS are committed to there being very close working, but as I said, he ain’t gonna last forever. An issue will come up —in fact, it came up last night on the National Security and Investment Bill—when operators and others say, “Actually, from a commercial point of view, this is more paramount,” or, “This is what we should be doing.” The Secretary of State will come under a lot of pressure to perhaps look at prosperity issues rather than security issues. I just wonder whether, without the relevant provision in this Bill, a future Secretary of State could say, “Well, I’m going to ignore that issue, because I want to pander to”—well, not pander to—“accept the commercial and prosperity arguments.”
The right hon. Gentleman keeps going on about ministerial impermanence, but I will not take it personally.
Too kind! The key part to this is that, obviously, Ofcom remains an independent regulator and will be working closely with others. The right hon. Gentleman makes a fair point about the inevitable balance between national security and a whole host of other issues, but ultimately that independence is absolutely essential. In the light of our long-standing and established working relationships across the DCMS, NCSC and Ofcom, it seems reasonable to say that there is a track record demonstrating what he has asked for. But given the Committee’s interest in the role of the NCSC in this regime, I will just make one last point. Its role is not explicitly described in the Bill, as the NCSC already has a statutory remit, as part of GCHQ, to provide technical security advice and to receive information on telecoms security for the purpose of exercising that function.
The NCSC and Ofcom will very soon publish a statement setting out how they will work together. I think that addresses some of what the hon. Member for Newcastle upon Tyne Central mentioned; I believe she has some familiarity with Ofcom. I think it is right, because they are independent, that that statement comes from them, as well as the Government expressing a view on this. The statement will include information on their respective roles and their approach to sharing information on telecoms security, and it should provide greater clarity, which hon. Members are entirely legitimately asking for, about the NCSC’s role, including how it will support Ofcom’s monitoring, assessment and enforcement of the new security framework.
I hope that the sorts of matters that I have talked about provide the kind of reassurance that Members have asked for.
A statement is a welcome step forward, but—the Minister can write to me on this; he need not respond to me today—what is its legal weight? Again, I am not wanting to consider the Minister’s demise, but I would like to know that future Secretaries of State and Ministers will use it as the template and will not be able to say, “Well, we are going to ignore that statement.” That would be very welcome, because it would bind the two organisations together, which is important, and ensure that the security aspects were taken into consideration, but will the Minister just write to me, saying what weight the statement would have? I have to say that I sympathise; I do not like Christmas tree Bills that start having things added on. If it could be done in a complete way, I would be quite happy with that. The only thing that I want to know is, basically, what its status will be in future. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
The Committee has already heard me talk about some of this, but I think it important to provide a little more detail. The code of practice, which we have discussed, is a fundamental building block of the regime and will contain more specific information on how telecoms providers can meet their legal duties. It will provide guidance on how, and to what timescale, certain public telecoms providers should comply with their legal obligations, and will be based on technical analysis by the NCSC. Individual measures will therefore reflect the best protections against the most pressing threats to network security. The code will, for example, set out the detailed technical measures that should be taken to segregate and control access to the areas of networks that process and manage customers’ data.
We recognise of course that different companies have different ways of setting up and running their networks, and because our telecoms market is dynamic and competitive, providers range in scale from multinational giants such as Vodafone down to innovative local start-ups. We want therefore to ensure that the code of practice is proportionate, and that public telecoms providers take appropriate security measures.
I will touch as briefly as I can on how we intend to achieve that proportionality through a tiered system. Tier 1 will contain the largest national-scale public telecoms providers. Should any of those providers have a significant security incident, it could bring down services to people and business across the UK. Those operators will have the greatest level of oversight and monitoring from Ofcom. Tier 2 will contain medium-sized public telecoms providers. Those providers may not be as large, but in many cases they are critical to regions and to business connectivity. They are expected to have more time to implement the security measures set out in the code of practice.
Tier 3 will contain the smallest public telecoms providers, including small businesses and micro-enterprises, which, of course, must also comply with the law. They are not anticipated to be subject to the measures in the code of practice, but will need to comply with their legal duties as set out in new sections 105A and 105C, and in any regulations. Our expectation is that Ofcom would regulate those providers more reactively.
New section 105F describes the process for issuing a code of practice. When the Government publish a draft code of practice, we will consult with industry, Ofcom and any other appropriate persons. Specifically, publishing the first code of practice will include consulting on the thresholds of each of the tiers that I have described and on the timings for their implementation. Following the consultation period, and once the code is finalised, it will be published and a copy will be laid before Parliament.
New section 105G gives the Secretary of State the power to withdraw a code of practice. Again, that will follow consultation with industry and Ofcom. A notice of withdrawal will be laid before Parliament. The legal effects of the code of practice are described in new section 105H. To be clear, the code of practice is guidance only; it is an important tool that operators should use to comply with their legal duties.
The legislation places a duty on providers. Meeting the strictures of the code of practice would be the way of demonstrating that they were meeting that duty as an initial step, but of course, we see individual companies making decisions, for a host of reasons, to exceed codes of practice in every area of regulated life,
and I would expect that to continue in the area in question as well.
Where relevant, provisions in a code could be taken into account in legal proceedings before courts or tribunals, which I think gives some sense of their status. That would include any appeals against Ofcom’s regulatory decisions heard by the Competition Appeal Tribunal. Ofcom will take account of the code of practice when carrying out its functions as required in new section 105H(3) in relation to telecoms security, as I have just described.
Under new section 105I, if Ofcom has reasonable grounds for suspecting that a telecoms provider is failing, or has failed, to act in accordance with a code, it can ask public telecoms providers to explain either how they meet the code of practice or, if they do not meet it, why. For example, if the network set-up of a particular telecoms provider meant that it could achieve a level of security equivalent to that in the code by other means, it could explain that in its statement responding to Ofcom. In such a case Ofcom might be satisfied that the provider was complying with its security details, but hon. Members will see that we are again trying to ensure a proportionate approach to the relevant part of the framework.
We believe that the code of practice will provide an appropriately flexible framework, which will be able to change as new security threats evolve, providing clarity for telecoms operators on what is required of them by this new telecoms security framework.
I will not detain the Committee very long either, as we agree about the importance of codes of practice. I will not say that I am entirely reassured to hear of the statement being issued by Ofcom and the NCSC on how they will work together, but I certainly think that it is a positive development, and I hope we will be able to see it before the Bill progresses to the House.
On the codes of practice, as my right hon. Friend the Member for North Durham set out, it is important that the sector should understand the standard to which it will be held. I have some concerns about the tiering system, because, as was made clear by a number of witnesses during the evidence sittings, all networks are joined up and we are only as secure as the weakest link. At the same time, it is important to have a proportional burden on new entrants as we indeed hope to diversify the supply chain.
I understand, although perhaps the Minister can clarify the point, that the codes of practice will not refer to the diversification of the supply chain, despite the fact that having a secure network—we shall debate this in more detail—is dependent on having a diverse supply chain. I have made the point a number of times, and will make it repeatedly, that the lack of linkage between the diversification strategy, implementation and the security of our networks is an ongoing cause for concern. However, having made those comments, I do not object to the clause.
Question put and agreed to.
Clause 3 accordingly ordered to stand part of the Bill.
Clause 4
Informing others of security compromises
Question proposed, That the clause stand part of the Bill.
As with clause 3, I have already spoken to clause 4, addressing an amendment on this issue. It will be crucial that we ensure that the Government, Ofcom, public telecoms providers and their customers have the information that they need to understand when security compromises have occurred, and then use the knowledge to prevent compromises in the future. New section 105J requires that providers inform their users of significant risks of security compromises and actions that they can take to avoid or mitigate any adverse consequences.
We want to ensure that this is done in a transparent and open way, so the clause specifies that telecoms users should be notified in clear and plain language, and given a named contact they can get in touch with if they have any further questions. Giving users that information will help to ensure that, where possible, they can take swift action to protect themselves and raise broader awareness.
New section 105K requires security compromises to be reported to Ofcom. That information will provide Ofcom with insight into the security of individual telecoms providers and security risks across the landscape, enabling us to target its regulatory action more effectively. The Bill also requires that providers report pre-positioning attacks on the network. These are attacks that do not affect the network or service at the time but allow access that could result in further security compromises. These attacks pose real risks but too often remain invisible to a regulator.
Finally, under new section 105L, Ofcom is required to share information about serious security compromises with the Government. It may also share information on less serious compromises if, for example, it would help the Government with developing telecoms policy and future regulation.
The clause explains how Ofcom can share information about security compromise with other groups and organisations, and the Bill allows information sharing at Ofcom’s discretion with overseas regulators, other providers, telecoms users and, where appropriate, the wider public. It allows Ofcom to advise network and service users of the measures that they should take to prevent, remedy or mitigate the effects of the security compromises, to direct providers to give such advice themselves.
The clause ensures that the regulator has access to the information that it needs, and will help to ensure that the entire industry is aware of new and evolving risks and can respond accordingly—be that a customer changing their password or an operator tightening its defences against a new attacker.
I will pretend I have not finished, and give way to the hon. Lady.
I thank the Minister, as always, for graciously giving way. I will make this point later, but I want to give the Minister the opportunity to consider how the requirement for Ofcom to notify users might work with the Information Commissioner’s requirement on data controllers to also notify users when there is a data hack.
Obviously, there could be an overlap in those notification requirements, but our expectation would not be that anyone would receive multiple notifications. That is why there is an emphasis on the nature of communications being clear and obvious to laypeople.
Speaking gives me an opportunity to take my face mask off. I will make a few points about clause 4, which is broadly welcome because it clarifies for operators what their responsibilities are, not just from a national security point of view but from a consumer point of view. I think there is an issue, though, which my hon. Friend the Member for Newcastle upon Tyne Central raised.
Again, I do not want the Minister to respond now, but I think the crossover with the Information Commissioner might be one area that we need some clarity on. Is there an example of this? Yes—the TalkTalk case. People might look at this Bill and think national security is about the Russians or the Chinese hacking, but that was a criminal act that led to a lot of people’s data being compromised. From a constituency point of view, as any Member of the House at that time will know, trying to get TalkTalk to do anything about that, in terms of the losses that people incurred, was virtually impossible. That is why these clauses are so important.
We are cracking on at such a pace that I lost my place somewhat. I had forgotten that we are now discussing clause 4. My apologies, Mr McCabe.
My right hon. Friend the Member for North Durham has already addressed some of the points that I wanted to make, but let me say that we welcome the duty being placed on providers to report security incidents. I have long campaigned, in relation to cases such as the TalkTalk incident, to make that duty clearer and more comprehensive regarding the information that needs to be shared with users and those who are affected, and for them to have some kind of right of redress, which is effectively part of the Bill.
I welcome the requirement in clause 4 to inform others of security compromises, but will the Minister provide more clarity? There is some indication of the range of actors that the providers and Ofcom must inform, but I do not feel that there is an understanding of the level of information that will be shared with different actors. For example, if the public are to be informed of a security breach, compared with the requirement from the Information Commissioner’s Office, which, as I said, actually goes far enough, what level of information might be shared with other actors, such as other networks? My right hon. Friend talked about who else might be informed. It is also clear that the sharing of information will probably need to evolve over time, as the nature of compromises and their potential reach changes. I wonder how these requirements might be adapted to reflect that.
I will just say a little about the sharing of information with overseas regulators. If that is clearly set out in the Bill, I am unable to find it. Presumably, such data sharing will still have to conform with the requirements of our data protection legislation. Will it also reflect international data-sharing gateways for criminal prosecution purposes?
Those are just some general comments. We welcome the clause.
I will reply briefly. On the point about compensation, essentially new section 105W of the Communications Act 2003, which is inserted by clause 8, covers the civil liability point, which I think opens the door that the right hon. Member for North Durham seeks to open. Then there are the notifications to industry of what is essentially best practice and recent threats. Of course, as he implied, there is a balance to be struck with the existing work of all those involved, but ultimately it would feed into the codes of practice, so there is both an informal and a formal mechanism, if I can put it like that.
On the hon. Lady’s final point about the international sharing of information, it would depend on the nature of the information, as she implied. Some of it would pertain to national security, and some of it would pertain to the kind of criminality that she has spoken about about, where there are existing provisions as well. In that sense, of course, it is all covered by our own data protection regime, which has the sorts of carve-outs I have just described but operates in that holistic framework.
I am not sure I fully understand the right hon. Gentleman’s point.
I raised the point, as did my hon. Friend the Member for Newcastle upon Tyne Central, that we are asking operators to inform individuals about data compromises. That is welcome, but as my hon. Friend said, there might also be a breach of the Information Commissioner’s regulations, and we just wanted to get some idea of how the two would mesh together. I do not expect the Minister to know now, but could he write to us to say how the two would interact?
As I said in response to the hon. Lady, there is obviously a potential overlap. The focus of this Bill is on clarity of communication to the consumer, but I am very happy to write to the right hon. Gentleman or the Committee with further details of that potential overlap.
The Minister is being incredibly generous with his time. To clarify what we are hoping to receive, as he has indicated, we would not want the ICO to be sending out notifications to 2 million people who had been affected by a hack, and Ofcom to be doing that as well. We would expect there to be co-ordination in that regard, and we would just like to see that set out.
I am very happy to do so. I think it is obvious that clarity of communication would be incompatible with duplication.
Question put and agreed to.
Clause 4 accordingly ordered to stand part of the Bill.
Clause 5
General duty of OFCOM to ensure compliance with security duties
I beg to move amendment 11, in clause 5, page 9, line 41, at end insert—
“(2) Providers of public electronic communications networks and public electronic communications services must notify Ofcom of any planned or actual changes to their network or service which might compromise their ability to comply with the duties imposed on them by or under sections 105A to 105D, 105J and 105K.”
This amendment would require providers of public electronic communications networks or services to notify Ofcom of any changes to their network or service which might compromise their ability to comply with their security duties.
It is a great pleasure to serve under your chairmanship, Mr McCabe. Since this is my first substantive contribution to the Committee, I pay tribute to the Front Benchers. It is nice to have a Minister who, I believe, was formerly a tech journalist specialising in telecoms, and who knows the subject well. Of course, the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, was a telecoms engineer and an Ofcom regulator for many years, and I pay tribute to her and her staff. The Committee should know that in addition to running this Bill Committee from the Opposition’s side, she has also been working in the main Chamber this week on the National Security and Infrastructure Bill Committee. Juggling two Bills at once is no mean feat.
I have also greatly enjoyed the interplay between my right hon. Friend the Member for North Durham and the hon. and gallant Member for Bracknell, both of whom have considerable national security experience. I was intrigued by my right hon. Friend’s estimation of the hon. and gallant Gentleman’s intervention as Schrodinger’s intervention—one that managed to be simultaneously right and wrong. He has set a new standard there.
From listening to the debates on previous clauses, it is clear that a common thread passes through the Bill, which we in the Opposition have been hoping to link up. Partly, it is to do with the question we raised earlier about the assumption that everybody understands exactly what the intention in the Bill is, and that everything will be all right in the long term. My right hon. Friend the Member for North Durham has talked about the importance of making things as clear as possible when it comes to responsibilities, because a future Minister might not be as adept in this subject as the hon. Member for Boston and Skegness, who currently occupies that position. In a sense, that is the heart of amendment 11.
I rise simply to support the excellent speech made by my hon. Friend the Member for City of Chester. I thank him for his very kind words. In the amendment, he makes an important contribution in ensuring that Ofcom knows what it needs to know and in putting the onus more firmly on the network providers. I simply ask the Minister to respond to the points that my hon. Friend made in his concluding remarks about being forward-looking.
A challenge for us as a nation in securing our networks during such fast-paced technological change is looking backwards to the problems we have had rather than forwards to the evolving and new threats. During the evidence sessions, we were accused of fetishising 5G as if that was the only security challenge, because of the visible problem with Huawei, and that we were not looking more broadly. I admired Ofcom during my time there because it was set up to be a forward-looking regulator. To achieve that aim, when it comes to the sweeping new requirements around security that are placed on it under the Bill, it needs to be able to see what changes are happening and are likely to influence future evolving threats. To do that effectively, amendment 11 requires the network providers to notify Ofcom of planned or actual changes.
It is worth remembering that—I made this point earlier—if BT had been required to notify Ofcom or another body of changes to its network as Huawei moved to a greater and more dominant position in its network, that might have rung alarm bells more generally. We have also already mentioned the shift that we are seeing on the importance of software and software configuration and services in controlling the network. Requiring providers to notify Ofcom of planned or actual changes to the network would make that evolution more easily visible and therefore provide Ofcom with greater visibility of how all our networks are evolving and what new threats may arise as a consequence.
The amendment would add to the general duty in clause 5 that places on Ofcom the duty to ensure that providers comply with their security duties. The duty as written in the Bill makes clear Ofcom’s increasing role. The duties imposed on public telecoms providers in the Bill are legally binding, so as the Bill is written providers should not be taking decisions that would prevent them from complying with those duties in the future. If they were not to comply, they would be in breach of their legal duties and liable for enforcement action, including the imposition of the significant penalties set out in the Bill.
The underlying purpose of the amendment—that Ofcom should take a proactive role in regulating the regime—is already core to what is in the Bill and the Government absolutely agree with the principle that the hon. Member for City of Chester set out. We need to ensure that Ofcom has the tools to be forward-looking so that, in a world of fast-changing technologies and threats, it can understand where operators are taking their networks and how that will affect their security. That is an absolutely essential part of the Bill.
Does the Minister agree that the Bill in its current form is prescriptive enough already?
I think the Bill is perfectly drafted down to every comma and punctuation mark. To be slightly more serious, what we have sought to do in the drafting is to strike the balance between proportionate regulations and the overarching requirements for national security. That is the balance that we have struck and it is exactly for that reason that we already do in the Bill what the hon. Member for City of Chester and the shadow Minister seek with the amendment.
In section 135 of the Communications Act 2003, as amended by clause 12, Ofcom is already allowed to require information from providers about the future development of networks and services that could have an impact on the security of the network or service they are providing. That would enable Ofcom, for instance, to assess the security risks arising from the deployment of a new technology or from the proposed deployment of a new technology. For those reasons, I hope that the hon. Members are reassured not just that the Bill does what they seek, but that previous drafts of the Communications Act already did so.
I thank the Minister for giving way; in doing so, he shortens what I will say later. I think the Minister is saying that Ofcom has the power to require information, which is true, but the amendment is about providers proactively giving that information. Ofcom cannot request information about a change to the networks that it does not know is happening. I am hoping that perhaps what the Minister is implying is that he would expect Ofcom regularly to review what was changing in the networks and therefore make those requests for further information. Could he clarify that point?
The sort of horizon scanning that the hon. Lady describes is core to all essential regulation, and the relationship that Ofcom has with those whom it regulates promotes the ability to have such conversations. But as I said, the key point is that an operator that proposes knowingly to introduce a risk into its network would clearly not be complying with the statutory provisions of the Bill. That is the essential nub of the issue.
I enjoyed the semantic gymnastics by the hon. Member for City of Chester as he tried to expand the scope of the Bill, but I shall try to stick to what is in it. There is a lot of consensus across parties, so I shall resist the temptation of saying that £50,000 is a demonstration that Labour is willing to put a price on national security, which this party will never do, but I understand the points that he makes on both fronts.
The clause provides Ofcom with strengthened powers, including powers to give assessment notices to a provider, that are vital to enable it to fulfil its expanded and more active role. Assessment notices are an important new power in the regime that will give Ofcom tools to assess fully a provider’s security and the extent to which it complies with its security duties. It is Ofcom’s intention that when assessing a provider’s compliance, its first port of call would be to use its information-gathering powers under section 135 of the Communications Act 2003. Ofcom would then use its power to give an assessment notice if it wanted to check the veracity of the information or to follow up a security concern. While Ofcom will therefore use its powers in a targeted and proportionate way, it is also the case that a provider with good security practices would expect to be subject to a lighter-touch assessment. Providers’ duty to bear the costs of assessments will therefore have an incentivising effect.
The amendment would insert a new subsection into new section 105N, limiting the costs that Ofcom could incur in carrying out an assessment. Fundamentally, a hard cap of any sort will always be an arbitrary number which will potentially put an additional hurdle in place. It might be necessary for some of those tests to require genuinely extensive assessment—penetration testing, or red teaming, as exercises are sometimes called, where penetration tests mimic the action that an attacker might take to access the network. Those attacking actions may of course be from sophisticated sources, and the costs of mimicking them in an entirely legitimate way could be substantial; but it is right, in the interest of national security, that Ofcom does not reduce the quality of its testing. We would not seek to limit that either, notwithstanding its independence.
I can offer the Committee some reassurance, however, that Ofcom’s assessment costs will not be excessive. It has a general duty to act proportionately and to follow other principles representing regulatory best practice. Finally, a provider’s duty is to pay only such costs as are reasonably incurred by Ofcom in an assessment, so there is a balance there.
As to the proposed new subsection that would limit those able to carry out assessments to Ofcom or a UK Government agency, the assessments, as the hon. Member for City of Chester knows, may be complex and need specialist skills. Methods such as penetration testing might need specific technical skills and we should not limit Ofcom in that way. However, we should also bear in mind, as the hon. Member for Newcastle upon Tyne Central mentioned, that the independence and expertise of Ofcom is the greatest bulwark against such entirely unfounded but legitimate concerns as those raised by the hon. Member for City of Chester, about who might be appointed by this or any Government to carry out a task in the national interest. None of us would want—and I do not suggest that the hon. Gentleman is doing this—to get into the business of questioning Ofcom’s independence in performing the tasks in question.
I am somewhat concerned at the implication of what the Minister says. We cannot put a price on national security, and Ofcom has a role. In an evidence session, Ofcom’s representatives said that although its role excludes any question of its making security decisions, it would ensure compliance, yet now the Minister seems to be saying that Ofcom will not have the skills to ensure compliance. I agree that there are specialised skills. Penetration testing, for example, is a specialised skill, but I would argue that it is a skill that Ofcom should take on as part of this new remit. I say again to the Minister that the skills needed to ensure compliance should be within Ofcom’s remit, or should be better defined.
Ofcom itself is best placed to exercise discretion as to whether it should carry out those assessments in-house, or whether it should have the flexible capacity to have the capability brought in as necessary. Ultimately, I do not think that anyone would wish to prevent Ofcom from having the ability to do what it thinks necessary by forcing it to use in-house staff only, because we cannot predict the future, as Members on both sides of the Committee have highlighted. Although the cause that the hon. Member for City of Chester is pursuing is a noble one, its unintended consequence would be to constrain Ofcom in both the expertise that it has at its fingertips and the costs that it might incur. We would not want to limit Ofcom’s discretion to make those decisions as an independent organisation.
Actually, the amendment would not limit Ofcom’s discretion to bring in additional resources or skills. It would limit Ofcom’s discretion to Government agencies or organisations within the public sector, which, on matters of national security, we should be able to do.
If the hon. Lady were right, the only people from whom we would have heard evidence over the last few days would have been public sector employees. She knows just as well as I do that the cyber-security sector is a vast mesh of public and private expertise, which is inevitable given that we have private networks offering communications services. Although I understand her point, and I am all for Ofcom having as much expertise as it needs to do its job properly in-house, I simply do not think that we should constrain what it can access in the way that the amendment would.
On this, I think we probably agree on far more than we would perhaps like to admit, but the reason that this is a probing amendment, as the hon. Member for City of Chester said, is because imposing artificial constraints would not be beneficial to Ofcom’s work. We understand what he said, however, and in broad terms, the Government agree.
I am grateful for the debate and for the Minister’s response, but I do not intend to press the amendment any further. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I will go very briefly over the diversification strategy, which is essentially a £250-million initial tranche of investment to diversify the UK network, with a focus, to a certain extent, on open RAN, as the hon. Lady said. On the information that she would require, I agree with her so comprehensively that the provision is already in the Bill. Section 135 of the Communications Act 2003, as amended by clause 12—she is right that the provision is not in this clause—provides Ofcom with the power to gather information on diversification where Ofcom considers the information necessary for the purpose of carrying out its functions. Clause 12 specifically provides that such information can include information concerning future developments of a public electronic communications network or public electronic communications service that could impact on security. As I said, I agree with her so comprehensively that we had already foreseen the issue and the provision is already in clause 12. The addition of it to this clause would not change that fact. I hope that that provides—
I thank the Minister for those comments. He says that the provision is already in clause 12. This is obviously down to my lack of studying, and I thought that I had studied every line of the Bill, but where specifically does clause 12 refer to diversification of supply chains?
The approach that we have adopted across the Bill is that powers such as those in clause 12 are more than wide enough to cover exactly what is needed. What I am essentially saying, I suppose, is that the legal interpretation of clause 12 absolutely does what the hon. Lady seeks, because it is an absolutely essential part of one of the purposes of the Bill. That is why I hope she can take the necessary comfort to withdraw her amendment.
I am very happy to write to the hon. Lady to clarify why it is our belief that the Bill does that. What I would say is that the kind of specificity that she seeks would have the unintended consequence of narrowing what we do, rather than retaining the broad powers that we have in the Bill. As has been the case so often today, we do not disagree on the intent that she is seeking to obtain, and that is why the Bill is drafted as it is. As I say, I am very happy to write to her to try to clarify some of that.
We all agree that the Minister is someone whom we like and who has the best intentions. On that basis, and on the basis that we can table further amendments at this stage or on Report if his letter of reassurance should not be sufficiently reassuring, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Ordered, That further consideration be now adjourned. —(Maria Caulfield.)
(3 years, 9 months ago)
Public Bill CommitteesThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
Before we begin, I have a few preliminary points. Please switch electronic devices to silent. Tea and coffee are not allowed during sittings. I remind Members about the importance of social distancing. Spaces for Members are clearly marked. I also remind Members that Mr Speaker has stated that masks should be worn in Committee. The Hansard reporters would be grateful if Members could email any electronic copies of their speaking notes to hansardnotes@parliament.uk.
Today we continue line-by-line consideration of the Bill. The selection list for today’s sitting is available in the room. It shows how the selected amendments have been grouped for debate. Amendments grouped together are generally on the same or a similar issue. Please note that decisions on amendments do not take place in the order they are debated, but in the order they appear on the amendment paper. The selection and grouping list shows the order of debates. Decisions on each amendment are taken when we come to the clause to which the amendment relates.
Clause 6
Powers of OFCOM to assess compliance with security duties
Question proposed, That the clause stand part of the Bill.
It is a pleasure to be back under your chairmanship, Mr Hollobone. As we discussed during the debate on amendments to this clause in our previous sitting, clause 6 inserts proposed new sections 105N to R, providing Ofcom with strengthened powers to assess whether providers of public electronic communications networks and services are complying with their security duty. These powers are vital to enable Ofcom to fulfil its expanded and more active role, giving it the tools to monitor and assess providers’ compliance with the new telecoms security framework and providing the basis for commencing any enforcement action.
Proposed new section 105O provides the power to give assessment notices to a provider. Assessment notices may impose a duty on a provider to do a number of different things, which I will briefly summarise. First, providers can be required to carry out, or arrange for another person to carry out, technical testing in relation to their network or service. Secondly, they can be required to make staff available to be interviewed, enabling Ofcom to gain insights into how a provider’s security practices and policies are implemented.
Thirdly, providers can be required to allow an Ofcom employee or an assessor authorised by Ofcom to enter their premises to view documents or equipment. I recognise that that is a significant power, but it is necessary. It is subject to certain restrictions to protect legally privileged information and to limit entry to non-domestic premises only. To provide clarity for telecoms providers, Ofcom will also publish guidance setting out how and when it will use the power. Importantly, providers have a right of appeal.
The powers of assessment set out in the clause are key to enabling Ofcom to carry out the effective and extensive monitoring and assessment of providers’ security practices that is necessary.
It is a pleasure to serve under your chairmanship, Mr Hollobone, and to come back to this important Bill. I thank the Minister for writing to me and reassuring me on certain matters relevant to the clause. We accept the need for Ofcom to have powers to require information from vendors, but we would like a specific requirement whereby Ofcom can ask vendors for information on the diversity of their supply chains. I will leave further discussion on that for our new clauses. I will support this clause.
Question put and agreed to.
Clause 6 accordingly ordered to stand part of the Bill.
Clause 7
Powers of OFCOM to enforce compliance with security duties
Question proposed, That the clause stand part of the Bill.
With this it will be convenient to discuss the following:
Clause 8 stand part.
Clause 9 stand part.
Clause 10 stand part.
I will seek to move relatively rapidly through these four clauses.
Clause 7 provides Ofcom with enforcement powers in relation to providers’ security duties. The Bill gives Ofcom new powers to impose tough financial penalties on providers who breach their security duties. The penalties range to a maximum fine of 10% of a provider’s annual turnover, which is in line with the maximum fines available for breaching other regulatory requirements. For continuing contraventions, Ofcom can levy a daily penalty of up to £100,000. Penalties that are generally lower than that but still significant will also apply for contravening information requirements, which are subject to a maximum penalty of £10 million or, for a continuing contravention, a penalty of up to £50,000 per day. These penalties ensure that there will be a real financial deterrent to poor security practices. I should also say that, in the most serious cases, or in cases where a provider repeatedly contravenes its security duties, Ofcom would be able to use existing powers to suspend or restrict the provider’s entitlements to provide a network or service. Clearly, that is a step that we hope the regulator will never need to take.
The clause also gives Ofcom an important new power to take action where security is being compromised or is at imminent risk of being compromised. Proposed new sections 105U and 105V of the Communications Act 2003 would enable Ofcom to direct a provider to take interim steps to secure its network or service while Ofcom investigates or pursues further action. This power recognises that contravention of a security duty could result in a security compromise that causes real damage to users of that network or service. Where Ofcom uses that power, it will be required to commence and complete the enforcement process as soon as is reasonably practicable. The clause gives Ofcom the tools it needs to effectively enforce compliance with the new security framework.
Clause 8 sets out the position for bringing civil claims against providers who breach their security duties, which is a matter we touched on in earlier debates. It enables providers to be held accountable not just by Ofcom but by service users, such as members of the public, in cases where loss or damage is sustained by those users as the result of a breach of a duty. Providers owe a duty to any person who may be affected by a contravention of their security duties to take security measures, to comply with specific security duties in any regulations and to inform users of security compromises.
This clause allows any affected person to take legal action should providers breach those security duties. However, any affected person can bring legal proceedings against a provider only with the consent of Ofcom, which may be subject to conditions relating to the conduct of the legal action. This reflects the existing position in the Communications Act 2003 and ensures that providers face legal action only in appropriate circumstances. The clause also makes providers responsible to their users, providing another source of accountability. It allows users to bring legal claims for any losses they have suffered, which is only fair and reasonable.
Clause 9 addresses the interaction between provisions in the Bill and other legislation, specifically national security, law enforcement and prisons legislation. The security duties created by the Bill do not conflict with duties imposed on communications providers by other legislation via these clauses. Equally, we do not want the Bill to affect adversely the important work carried out by our law enforcement agencies, criminal justice authorities and intelligence agencies. The clause gives that clarity to providers about their responsibilities.
Finally, clause 10 requires that Ofcom publish a statement of policy about how it will fulfil its general duty and use specific powers to ensure that providers comply with their security duties. This will provide welcome clarity to industry about the expected use of important new powers. I beg to move that these clauses stand part of the Bill.
I will not detain the Committee long, as we are cracking on through the clauses. I will only emphasise that these clauses give Ofcom broad powers—very broad powers—and measures of enforcement, as well as placing duties on the network operators to all users of their network services. We support these broad powers, but it is incumbent on the Minister and indeed on the Committee to consider whether those powers will receive sufficient scrutiny, and sufficient oversight and input from our security services. We anticipate debating those particular questions in more detail later today. In the meantime, we will not stand in the way of these clauses standing part of the Bill.
Question put and agreed to.
Clause 7 accordingly ordered to stand part of the Bill.
Clauses 8 to 10 ordered to stand part of the Bill.
Clause 11
Reporting on matters related to security
I welcome the spirit of the amendment. I think that the hon. Lady and I share the same ambition. I know that she wants to have the proper debate later, so we look forward to that.
Clause 11 inserts into the Communications Act 2003 proposed new section 105Z, which deals with Ofcom’s reports on security. It requires Ofcom to produce such reports within two years of the Bill receiving Royal Assent and every 12 months thereafter. As the hon. Lady said, amendment 14 is similar to the amendment to clause 6 that we discussed previously. Ultimately, when considering Ofcom’s role and specifically its reporting function, we should note that proposed new section 105Z(2) requires Ofcom security reports to include such information and advice as Ofcom considers may best assist the Secretary of State in the formulation of policy on telecoms security. That could go beyond the list in proposed new subsection (4) to include other relevant information, such as that related to diversification. The Secretary of State can also direct Ofcom to include information that goes beyond that list.
As the Committee and, indeed, Ofcom will be well aware, the Government have recently published a targeted diversification strategy, which will deliver lasting and meaningful change in the 5G supply chain and pave the way for a vibrant, innovative and dynamic supply market. We heard widespread support for the strategy from witnesses during the oral evidence sessions. The strategy demonstrates our commitment to building a healthy supply market and is backed by a £250 million initial investment.
We have publicly announced that the Government will be funding the creation of a UK telecoms lab to research and test new ways of increasing security and interoperability, and we are already partnering with Ofcom and Digital Catapult to fund the industry-facing test facility SONIC—the SmartRAN Open Network Interoperability Centre. Both of those will play a key part in our investment in diversification and demonstrate Ofcom’s existing part in it.
As already mentioned, amendment 14 would require Ofcom to include in its security reports
“an assessment of the impact on security of”
any
“changes to the diversity of the supply chain for network equipment”.
As that requirement is already essentially covered by Ofcom’s existing powers, the amendment is not necessary. The inclusion of any such information is already within Ofcom’s discretion, but I am sure that we will discuss it more later on, as the hon. Lady said.
Clause 12 expands Ofcom’s information-gathering powers for the purposes of its security functions and enhances its ability to share the information with the Government. It enables Ofcom to require a provider to produce, generate, collect or retain security information, and then to analyse that information. Any information sought using this power must always be proportionate to how Ofcom will use it.
Clause 13 makes provision in connection with the standard of review applied by the Competition Appeal Tribunal in appeals against certain of Ofcom’s security-related decisions. Ofcom’s regulatory decisions are subject to a right of appeal to the tribunal, and that will also be the case for most of Ofcom’s decisions relating to the exercise of its regulatory powers conferred by the Bill. This clause makes provision to ensure that the tribunal is not required to modify its approach in appeals against relevant security decisions, and should instead apply ordinary judicial review principles.
I hope that I have sufficiently explained to the Committee why amendment 14 is unnecessary and why clauses 11 to 13 as drafted should stand part of the Bill.
I thank the Minister for his comments. Although we agree on many things in many areas, I think that in this case he is trying to have his cake and eat it, inasmuch as he is saying that amendment 14 is not necessary because Ofcom already has the powers, but he is reluctant or is refusing to specify that those powers will be used for the objective of reporting on the progress of diversification of the supply chain. It was good to hear the Minister reiterate the importance of diversification of the supply chain, but I remain confused about whether he agrees with the evidence and, indeed, with his own Secretary of State that diversification of the supply chain is a prerequisite of the security of our networks and, indeed, our national security—that is what we are discussing with regard to our telecoms networks. If diversification is a prerequisite, why is the Minister so reluctant to refer to it? If he is so confident in the plan to diversify our supply chains, why is he so reluctant to insert any requirements to report on the progress of that diversification?
I listened intently: the Minister said that Ofcom has the powers to report on whatever it considers to be relevant to security. During the evidence session, we heard from Ofcom itself, very clearly and repeatedly, that it is not for Ofcom to make decisions on national security. It will not make national security decisions. That is not within its remit and responsibilities; the witnesses from Ofcom stated that repeatedly and clearly. I would be happy to read from Hansard if that point is in question. Given that Ofcom will not make security decisions and that the diversification of the supply chain is essential for security, I am at a loss to understand why the Minister will not accept a reference to reporting on the progress of diversification. Although, unfortunately, the pandemic means that we are not at full strength on the Opposition side of the Committee, I wish to test the will of the Committee on the amendment.
Question put, That the amendment be made.
I listen with interest to the points that the hon. Lady makes, and to the assertion that she is a member of the party of national security. I welcome her to this side of the House, if that is the case. [Interruption.] Thank you, but no.
As the hon. Lady says, clause 14 is a review clause requiring the impact and effectiveness of clauses 1 to 13 to be reviewed at least every five years by the Secretary of State. The review report must be published and laid before Parliament, but it is by no means the only source of parliament scrutiny, as she knows. Her amendment would increase the frequency of these reports to every year for the first five years after the Bill is passed and then every five years thereafter.
Increasing the frequency of the reports would bring its own challenges for a number of reasons. First, the framework is considerably different from the previous security regime in the Communications Act 2003. It seems to me that we will not be able fully to assess the impact and effectiveness of the new security regime instituted by clauses 1 to 13 until all parts of the framework, including secondary legislation, codes of practice and other things, have been in place for a reasonable period of time. The code of practice that will provide guidance on the detailed security measures that telecoms could take is intended to set clear implementation timelines. Some measures may require significant operational change, as we heard in the evidence sessions for telecoms providers, and we are aware that that may be costly. For that reason, we cannot reasonably expect all changes to be implemented instantly or, indeed, all necessarily at the same time.
There is a further practical difficulty with the amendment. If the first report is to be produced 12 months after Royal Assent, it will require the review to be undertaken well in advance of that deadline. That means that the report will represent an incomplete picture of the Bill’s impact, even at its very first production. Some measures will not even have been implemented by telecoms providers.
My hon. Friend the Member for Hyndburn was exactly right that the current requirement for publishing reports is at least—rather than at most—every five years. We have been deliberate in our choice of this timeframe because five years is the reasonable point by which we expect the majority of telecoms providers to have implemented most, if not all, changes. It is therefore considered appropriate to require a report on the impact and effectiveness of the framework by that time. I recognise that five years is a long time. That does not mean that the framework will be free from scrutiny in the intervening period. As clause 11(3) sets out, the Bill amends section 134B of the Communications Act so that Ofcom’s regular infrastructure reports will include information on public telecoms providers’ compliance with the new security framework. Ofcom publishes the reports annually, rendering the amendment unnecessary.
On a point of clarification, I have the impression that the Minister anticipates that the first report under the Bill would only happen once all the requirements had been implemented. I think that that implies that it would only happen once a high-risk vendor, specifically Huawei, had been removed from the network.
No is the short answer, because while this is a progress report, five years from 2021 is 2026—the deadline is 2027, even at the most extreme end, which is not where we anticipate it will end up—and it would be before the point that she identifies.
The infrastructure reports from Ofcom will help to provide Parliament and the public with a view on how telecoms providers are progressing with compliance with the new framework. As I alluded to earlier, they are not the only means of parliamentary scrutiny. We have the Intelligence and Security Committee and we have Select Committees. I suspect that there might be one or two debates on this matter over the next five years as well. To pretend that this is the only method of parliamentary scrutiny is not accurate.
If the Minister will give way briefly, he may find it saves time. To clarify: for the first report we will not necessarily have to wait until all the provisions of delegated legislation associated with the Bill are in place. As for the infrastructure reports that Ofcom publishes, to which he refers as a form of alternative scrutiny, will they, might they or will they not reflect progress in the diversification of the supply chain?
The hon. Lady asks me to predict what is in a report that has not been written yet by an organisation that is not a Government Department. I agree with the principle of what she is saying. This is an important aspect and one would reasonably expect it to be reflected in the reports that we have talked about. It is, however, important overall to say that Ofcom’s own regular infrastructure reports will, as I have said, include information on public telecoms providers’ compliance with the new security framework, which is the broadest interpretation and gives a huge amount of latitude for the sorts of information that she seeks. I hope that those infrastructure reports will help to provide Parliament with the kind of scrutiny that she seeks, and the public with the kind of scrutiny that we all seek. [Interruption.] For those reasons I hope that she will withdraw the amendment.
I thank my right hon. Friend the Member for North Durham for an exciting intervention from his phone, and I thank the Minister for his comments. As I think I have said, I spent six years working for Ofcom with the Communications Act 2003 on my desk. I know the importance that our independent regulator places on the words of the Minister during such debates as this. As he has indicated that the reports would do well to include reference to everything that appertains to security, including the diversification of supply chain, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 14 ordered to stand part of the Bill.
Clause 15
Designated vendor directions
I thank the right hon. Gentleman for his contribution to the debate. He has talked so much about my impermanence that I felt lucky to come back today, never mind any time in the future. He makes a reasonable point, with which I broadly sympathise. As this is a broad grouping that covers clauses 15 and 16 and the amendments to clauses 15, 16 and 17, I will discuss the policy intention behind the clauses in sequence, and address the amendments.
As the right hon. Gentleman said, it is obviously an opportune moment to pay tribute to the heroic work of our national security services. The Bill emphasises the importance of their advice, and it empowers the Government to manage the presence of high-risk vendors in our networks. The report to which he refers is important, but it is also important to say that it was published, as he said, in 2013. It related almost entirely to events that took place under Labour, and it predates the existence of the National Cyber Security Centre, so we are dealing to some extent with a different world. I will go into a bit of detail on that.
As the right hon. Gentleman knows, the Government announced in January last year that new restrictions should be placed on the use of high-risk vendors in the UK’s 5G and full-fibre networks. In July 2020, the Government worked with the NCSC to update the guidance following action taken by the US Government in relation to Huawei. Clauses 15 to 17 provide the principal powers that the Government need to manage the risks posed by high-risk vendors. Without such powers, the guidance issued to industry will remain unenforceable and therefore present a risk to national security.
I accept what the Minister says about the report, but its key point was that civil servants basically decided not to tell Ministers. On his explanation and the way forward, or what has changed since, how can we avoid a situation whereby Cabinet Office civil servants take the decision not to tell Ministers? How can we ensure that that will not happen again?
In short, the right hon. Gentleman is challenging the fundamental effectiveness of Government and the judgments that were made by officials at the time. I simply say that it is the duty of Government to ensure that such errors are not made in future. That cannot be done solely by legislative means; it must be done by custom and practice. The right hon. Gentleman understands, through his work on the ISC, that the role of those close working relationships is in some ways far more important in the day-to-day security issues that we are dealing with. Perhaps we can return to that point later.
The Bill will allow the Secretary of State to issue designated vendor directions, imposing controls on the use of goods, services or facilities that are supplied, provided or made available by designated vendors. The Secretary of State may issue such directions only where it is necessary to do so in the interests of national security and proportionate to the aims sought to be achieved.
Amendment 16, which would amend clause 15, seeks to place a statutory requirement on the Secretary of State to take into account advice from our intelligence services when considering whether to issue a designated vendor direction. Amendment 17, which would amend clause 16, seeks to place a similar requirement when considering a designation notice.
I should reassure hon. Members that the Secretary of State, as the right hon. Member for North Durham knows, has every intention of seeking the advice of our security and intelligence services, as would any Secretary of State, in particular the NCSC, when considering whether to issue a designated vendor direction or designation notice.
It is also worth saying, from a scrutiny point of view, that the Department for Digital, Culture, Media and Sport maintains an excellent relationship with the NCSC. We are scrutinised by the Select Committee on Digital, Culture, Media and Sport and I have appeared before the Intelligence and Security Committee, as the right hon. Gentleman knows. There are many examples in the Bill where the NCSC’s expert advice has been taken into account.
The UK telecoms supply chain review, on which the Bill is based, was the product of the close working relationship between the Department for Digital, Culture, Media and Sport and the NCSC. In a sense, that close working relationship demonstrates that matters have moved on substantively since 2013.
I draw hon. Members’ attention to the illustrative notices that we published in November last year. The NCSC was closely involved in the drafting of those illustrative notices. It will also be involved in the drafting of direction and designation notices once the Bill has been enacted . Given the demonstrable success of our collaboration with the NCSC thus far, I hope that the right hon. Gentleman will be satisfied with that explanation, although I appreciate that he introduced a probing amendment.
Clause 15 would create the new power for the Secretary of State to issue designated vendor directions to public communications providers, in the interests of national security. Although clauses 15 and 16 are distinct, they are complementary. Directions cannot be issued without identification of a designated vendor and designations have no effect unless directions are given to public communications providers. Clause 15 inserts new sections 105Z1 to 105Z7 into the Communications Act 2003 and amends section 151 for that purpose.
The clause will enable the Government’s announcements in 2020 on the use of high-risk vendors to be given legal effect. Those announcements include advice that require a public telecoms provider to exclude Huawei from their 5G networks by 2027, and stop installing new Huawei goods, services or facilities in 5G networks from September 2021. It will also enable the Government to address risks that might be posed by future high-risk vendors, helping to ensure our telecoms networks are safe and secure.
Proposed new section 105Z1 sets out the direction power. It would allow the Secretary of State to give a designated vendor direction to a provider, imposing requirements on their use of goods, services or facilities supplied by a specified designated vendor. Proposed new section 105Z2 provides further details on the types of requirements that may be imposed in a designated vendor direction. Proposed new section 105Z3 sets out the consultation requirements and expectations for public communications providers. Proposed new section 105Z4 sets out a requirement for the Secretary of State to provide a copy of a direction to the designated vendor or vendors, specified in a direction and, hence, affected by it. Proposed new sections 105Z5 and 105Z6 set out when and how the Secretary of State may vary or revoke a direction. Lastly, 105Z7 enables the Secretary of State to require a public communications provider to provide a plan setting out the steps that it intends to take to comply with any requirements set out in a direction and the timings of those steps.
Although the Government have made specific announcements on Huawei, the high-risk vendor policy has not been designed around one company, country or threat. The designated vendor direction power, as set out in these provisions, is intended to be an enduring and flexible power, enabling the Government to manage the risks posed to telecoms networks both now and in the future.
Clause 16 includes a non-exhaustive list of matters to which the Secretary of State may have regard when considering whether to issue a designation notice. Amendment 18 seeks to amend that clause by adding a person’s control of data flows to the list of matters to which the Secretary of State may have regard. However, nothing in the clause prevents the Secretary of State from considering control of data flows before issuing a designation notice already, if the matter were deemed relevant to the assessment of national security. It is already covered and so is not required as a stand-alone measure.
The clause creates a power for the Secretary of State to issue a designation notice, which designates a vendor for the purposes of issuing a designated vendor direction. Proposed new section 105Z8 is the principal measure of the clause, and sets out the power for the Secretary of State to designate specific vendors where necessary in the interests of national security. A designation notice must specify the reasons for designation unless the Secretary of State considers that doing so would be contrary to the interests of national security. The proposed new section also lists the primary factors that may be taken into account by the Secretary of State when considering whether to designate a vendor on national security grounds.
Finally in this group, amendment 19 would require the Secretary of State, when laying a designation noticed before Parliament, also to lay before Parliament a report detailing the impact that the designation notice might have on the diversity of the UK’s telecoms supply chain. The effect of the amendment would be to require the Secretary of State to lay a report purely on the impact of the designation notice, but a designation notice simply notifies vendors that the Government consider them a risk to national security.
Only when the designation notice is issued alongside a designated vendor direction are controls placed on the use of a designated vendor’s goods, services and facilities by public communication providers, so it is those controls that might have an impact on the diversity of the supply chain. I can reassure the Committee that the Government will consider the diversity of the supply chain before issuing designation notices and designated vendor directions. A lack of diversity is in itself a risk to the security of a network. I hope that answers the question that the hon. Member for Newcastle upon Tyne Central asked in regard to an earlier amendment. It is right that the Government consider that risk before deciding whether to issue designation notices and designated vendor directions.
To conclude, clauses 15 and 16 provide us with the ability to improve the security of our telecommunications networks and to manage the risks relating to high-risk vendors, both now and in the future.
Thank you for the clarification, Mr Hollobone. I see that we are discussing whether clauses 15 and 16 stand part. I support those clauses and look forward to the Minister’s response to the amendment.
I pre-emptively covered a lot of the hon. Lady’s questions, but I will say two brief things. She talked about consolidation in the cloud sector. While the Bill is very much a national security Bill, the National Security and Investment Bill would cover consolidation in that sort of sector, rather than this one. Obviously they do work together.
The point I am making—clearly, I did not make it effectively—is that that sector is becoming this sector. The cloud sector is becoming the telecoms sector. The reason we need this Bill in addition to the National Security and Investment Bill is to address the security concerns of the telecoms sector specifically. The cloud sector is becoming part of the telecoms sector, yet the Bill does not address those concerns.
The hon. Lady is not wrong, obviously, in the sense that there is a potential conversation to be had about when a cloud provider is a telecoms provider and vice versa, if I can put it like that, although it is not the most elegant way of doing so. However, the point is that the reason we have comprehensive coverage of the landscape is because we have both the National Security and Investment Bill, which she debated recently, and this Bill. The broad powers that she described are intended to provide precisely that sort of coverage.
Similarly, the hon. Lady referred to the length of the list in clause 16 of matters that can be taken into consideration. That relates to the point I made previously, namely that the sorts of issues that she is talking about, such as data flows, are already covered in the long list. The list is as long as it is because it is intended to look to the future. Therefore, being prescriptive in the way that she describes is fundamentally unnecessary. We are not excluding what she wants to be on the list. A matter is already very much there if it is pertinent to national security. For that reason, I do not think there is a compelling case to add that single topic to the list, both because it is already there and because if we start going down that route, we could make the case for adding a host of other things that are already covered but that people might want to be mentioned specifically.
As I said earlier on the convergence of the two sectors, the point is that we have comprehensive coverage through both Bills. It will be for the NCSC, Ofcom and the Government to make a judgment as to whether any consolidation in a sector poses a national security risk.
Thank you, Mr Hollobone. It is sometimes confusing to know exactly what is being discussed at what point. With that, I ask the Minister to respond to our concerns about the scrutiny of the powers in the clause.
I welcome the second salvo in the campaign to address this matter by the right hon. Member for North Durham. He said it would be an ongoing campaign.
This group of amendments would require the Secretary of State to provide information relating to a designated vendor direction or designation notice to the ISC. The amendments would require the Secretary of State to do this only where directions and designation notices had not been laid before Parliament, whether in full or in part, as a result of the national security exemptions in clause 17. It will not surprise the right hon. Member for North Durham or other Opposition Members that some of these short remarks will overlap with the conversation that we had earlier on a similar matter.
Amendment 20 would require designated vendor directions or designation notices to be provided to the ISC. Amendments 22 to 25 would require the Secretary of State also to provide the ISC with copies of any notifications of contraventions, confirmation decisions and so on. Although I recognise some Members’ desire for the ISC to play a greater role in the oversight of national security decision making across government, including in relation to this Bill, the amendments would, as the right hon. Member for North Durham knows, extend the ISC’s role in an unprecedented way. None the less, I thank his welcome for my unprecedented appearance.
As I said in the debate on amendment 9, the ISC’s primary focus is to oversee the work of the security and intelligence agencies. Its remit is clearly defined in the Justice and Security Act 2013, and the accompanying statutory memorandum of understanding, to which the right hon. Gentleman referred. I do not think he thinks it is my place to take a view on that role, and I do not think this Bill is the place to have that debate.
Yes, but I would ask the Minister’s civil servants to read the Act before they write this stuff for him. The Act refers to “intelligence”. Our remit is not fixed by a Department. I know the Minister sympathises with this and that we will get there eventually, but I say to his civil servants, please read the Act.
I will come on to that. Accepting any of these unilateral amendments to this Bill is not the appropriate place to achieve an overall enhanced role for the ISC—
I am sorry to say to the Minister that it is not looking for an enhanced role at all. It is actually doing what it says in the Justice and Security Act 2013. It is about scrutinising intelligence. A lot of the information, which will be used by him and others in these orders, will be derived from the same decisions that we oversee .
Absolutely. Members of the Committee should note that in exercising the powers created by this Bill, the Secretary of State will be advised by the NCSC on relevant technical and national security matters. The NCSC’s work already falls within the Intelligence and Security Committee’s remit, so the right hon. Gentleman has found his own salvation.
In that context, the amendment seems to duplicate that existing power, while also seeking to do something that is better done in reform of a different Act, if that is what the right hon. Gentleman seeks. I am sorry to disappoint him again. I think he knew already that I would do that, but I look forward to his third, fourth and fifth salvos in his ongoing campaign.
I hear the Minister’s explanation, which we have been over before when considering other amendments. He talks about other salvos by my right hon. Friend the Member for North Durham. I go back to the statement that my right hon. Friend made last week, which is that he expects that at some point something will happen and we will move forward.
(3 years, 9 months ago)
Public Bill CommitteesThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
It is a pleasure to be back under your chairmanship, Mr McCabe.
I will try to rattle through these as quickly as I can. Clauses 18 to 23 cover monitoring and enforcement, and further provisions relating to non-disclosure and information requirements. Clause 18 gives the Secretary of State the power to give Ofcom a monitoring direction, requiring the regulator to obtain information relating to a public telecoms provider’s compliance with a designated vendor direction and to provide that information in a report to the Secretary of State.
The clause also includes requirements about the form of such reports and the procedures around their provision, but it does not create any new powers for Ofcom, which already has them under section 135 of the Communications Act 2003. The provisions in the clause are an integral part of the compliance regime. The power to give a monitoring direction to Ofcom is necessary to ensure that the Secretary of State has the ability to require it to provide the information needed to assess compliance with designated vendor directions.
Clause 19 provides Ofcom with the power to give inspection notices to public communications providers. The provisions will apply only where the Secretary of State has given Ofcom a monitoring direction. Inspection notices enable Ofcom to gather information from communications providers in relation to their compliance with a direction. The notices are a tool for Ofcom to give effect to its obligations under a monitoring direction.
Clause 19 also sets out the new duties that inspection notices can impose, the types of information that they can be used to obtain and how the duties in an inspection notice will be enforced. Ofcom may only give inspection notices in order to obtain information relating to whether a provider has complied or is complying with a direction. The notice power cannot be used to obtain information relating to whether a provider has complied or is complying with a direction. The notice power cannot be used to obtain information relating to how a provider is preparing to comply with a direction. Ofcom can instead use its other information-gathering powers under section 135 of the Communications Act 2003 to obtain such information.
Clause 20 provides the Secretary of State with the powers necessary to enforce compliance with designated vendor directions, as well as with any requirement for a public communications provider to prepare a plan setting out the steps it intends to take to comply. It is the Secretary of State’s responsibility to issue directions where necessary in the interest of national security. Clause 20 is essential to ensure that the Secretary of State can carry out this role effectively and enforce compliance with any directions issued. New sections 105Z18 to 105Z21 will be inserted into the Communications Act 2003 for this purpose. The provisions set out the process that the Secretary of State will follow in instances where an assessment is made that a public communications provider is not acting in compliance with the direction or with the requirement to provide a plan. The process encompasses giving a contravention notice, enforcing it and imposing penalties for non-compliance. The clause is essential in ensuring that the Secretary of State can carry out the role effectively and deters and penalises instances of non-compliance.
Clause 21 provides the Secretary of State with the power to give urgent enforcement directions. Provisions to enable urgent enforcement are needed in cases where the Secretary of State considers that urgent action is necessary to protect national security or to prevent significant harm to the security of a public electronic communications network, service or facility.
Clause 22 creates a power for the Secretary of State to impose a requirement on public communications providers or vendors not to disclose certain types of information without permission. The provisions are necessary to prevent the unauthorised disclosure of information, which would be contrary to the interest of national security.
Finally, clause 23 creates a power for the Secretary of State to require information from a public communications provider or any other person who may have information relevant to the exercise of the Secretary of State’s functions under clauses 18 to 21. For example, the Secretary of State can require information on a provider’s planned use of such goods or information relating to how a network is provided. It can also include information about the proposed supply of goods or services. The ability to gather such information would ensure that the Secretary of State is able to make well-informed decisions when considering whether to issue designation notices and designated vendor directions. Information obtained through the use of this power can also be used to support the monitoring of compliance, with directions supplementing information gathered by Ofcom through its information-gathering and inspection notice powers.
To summarise, new sections 105Z18 to 105Z21 together establish the power and processes that outline how the designated vendor regime will be monitored and enforced. The provisions in clause 22 are needed to manage the disclosure of information, the unauthorised disclosure of which may be contrary to national security, and clause 23 will ensure that the Secretary of State is able to obtain the information necessary to make assessments to determine whether to give a notice or direction and to assess compliance.
It is a pleasure to serve under your chairmanship once again, Mr McCabe. I will not detain the Committee long with a consideration of the clauses, and I thank the Minister for so ably setting out what the clauses aim to achieve. Indeed, we on this side recognise the importance and the necessity of clauses 18 to 23 in establishing the process and ensuring the powers to obtain information and enforce direction as part of that process.
We only reiterate a small number of important points to draw attention once again to the breadth of the powers, which enable the Secretary of State to require information to an almost unlimited extent. Given the breadth of the powers, the information and progress on the telecommunications diversification strategy is, once again, notable by its absence. Given the breadth of the requirements, it is notable that there is nothing on progress on the diversification strategy. Nor, if my memory serves me correctly, does the impact assessment reflect the potential costs to either the network operators or Ofcom in exercising these powers. The clauses do not set out the impact and they emphasise once again the importance of Ofcom having the appropriate resources to enable it to carry out the requirements effectively. I hope that the Minister will bear those limitations in mind in his ongoing review of the Bill.
Question put and agreed to.
Clause 18 accordingly ordered to stand part of the Bill.
Clauses 19 to 23 ordered to stand part of the Bill.
Clause 24
Further amendment concerning penalties
Question proposed, That the clause stand part of the Bill.
Clause 24 enables higher penalties than those currently set out in the Communications Act 2003 to be issued by Ofcom, and clause 25 makes two necessary consequential amendments to that Act. The penalties under clause 24 can be imposed for contraventions of requirements to provide information to Ofcom for the purpose of its security-related functions. That includes when providers do not provide information requested by Ofcom for the purpose of providing a report to the Secretary of State.
Penalties can be set at a maximum of £10 million or, in the case of a continuing contravention, up to £50,000 a day. These maximum penalties are a marked increase on the existing ones, which are capped at £2 million, or £500 a day. This clause ensures that the maximum penalties are the same as those in clause 23. The size of these penalties is appropriate given the potential impact of the situation described. Proposed new section 139ZA(5) of the 2003 Act, inserted by this clause, gives the Secretary of State the power to change, by regulations subject to the affirmative procedure, the maximum amount of the fixed and daily penalties. That will help to future-proof the framework by ensuring that penalties can be adjusted over time—for example, because of inflation.
In summary, clause 24 enables Ofcom to issue the financial penalties necessary to ensure that providers supply it with the information that it needs. Clause 25 contains the consequential amendments to that, which are necessary because the Bill creates a number of powers to make regulations and some of those regulations will amend primary legislation.
With this it will be convenient to discuss the following:
Clause 27 stand part.
Government amendments 1 to 4.
Clauses 28 and 29 stand part.
I will be brief, but it is important to cover the Government amendments. The clause provides that any increase in expenditure attributable to the Bill is paid out by Parliament. Clause 27 covers the extent of the Bill and clause 28 provides for the commencement of the Bill’s provisions.
I turn to the small set of amendments that the Government deem necessary, given that the Bill will be carried over to the second Session. The Bill creates new national security powers for the Secretary of State to address the risks posed by high-risk vendors through the issuing and enforcement of designated vendor directions in clauses 15 to 23 and 24. Amendment 1 enables clauses 15 to 23 to come into force on the day on which the Bill receives Royal Assent. Amendment 2 ensures that the higher penalties also come into force. Amendment 3 removes the subsection of clause 28 providing for sections to come into force at the end of the two-month period. Finally, amendment 4 ensures that the provisions of clause 24 that are not commenced early come into force via commencement regulations on a day determined by the Secretary of State. Without the amendments, the provisions relating to those powers would come into force two months after the Bill receives Royal Assent, which could put at risk the timely implementation of this important policy.
Question put and agreed to.
Clause 26 accordingly ordered to stand part of the Bill.
Clause 27 ordered to stand part of the Bill.
Clause 28
Commencement
Amendments made: 1, in clause 28, page 46, line 19, leave out “section 14” and insert “sections 14 to 23”.
This amendment would cause clauses 15 to 23 to come into force on Royal Assent.
Amendment 2, in clause 28, page 46, line 19, at end insert—
“(ca) section24, so far as it relates to section18;”.
This amendment is consequential upon Amendment 1. Clause 24 provides for higher penalties to be available for certain contraventions of information requirements, including contraventions associated with section 105Z12 of the Communications Act 2003, which is inserted by clause 18.
Amendment 3, in clause 28, page 46, line 25, leave out subsection (2).
This amendment is consequential upon Amendments 1 and 2.
Amendment 4, in clause 28, page 46, line 30, at end insert—
“(ba) section 24 (so far as not already in force by virtue of subsection (1));”.—(Matt Warman.)
This amendment is consequential upon Amendments 1 and 2.
Clause 28, as amended, ordered to stand part of the Bill.
Clause 29 ordered to stand part of the Bill.
New Clause 3
Duty of Ofcom to report on its resources
‘(1) Ofcom must publish an annual report on the effect on its resources of fulfilling its duties under this Act.
(2) The report required by subsection (1) must include an assessment of—
(a) the adequacy of Ofcom’s budget and funding;
(b) the adequacy of staffing levels in Ofcom; and
(c) any skills shortages faced by Ofcom.’.—(Christian Matheson.)
This new clause introduces an obligation on Ofcom to report on the adequacy of their existing budget following the implementation of new responsibilities.
Brought up, and read the First time.
As always, my right hon. Friend raises a good point. Having worked for a quango, I had clear insight into the line between independence and dependence, and into the importance of the political will of the Government, regardless of supposed independence. Equally, I saw how any regulator or supposedly independent organisation can be used as a shield for Ministers who do not want to take responsibility.
My right hon. Friend also raises a good point about the hollowing out of capacity in Government Departments. A consequence of 10 years of austerity and cuts is that DCMS and other Departments do not have the capability, capacity or resources that they previously might have enjoyed. I will point out to the Minister the example of the Government’s misinformation unit. It has no full-time employees and is supposed to exist using resources already in the Department—for something as critical now, with the vaccine roll-out, as disinformation.
My right hon. Friend is right to emphasise that given the relationship between the Government and Ofcom, which is an independent regulator, and given the increase in responsibilities that the Bill represents at a time when other responsibilities are also being added to Ofcom, the Minister cannot have it both ways. He cannot have no visibility when it comes to Ofcom’s resources and capacity while giving it yet more responsibility. In fact, this seems to be responsibility without accountability. I hope the Minister will take on board the suggestions in new clauses 3 and 7.
I thank the hon. Lady for her contributions. To address her central point, it would not be possible for Ofcom to meet the duties Government have tasked it with without addressing the foundational issue of security. It is important that we bear in mind that that is not an exhaustive list, but security will always be a foundational point.
The new clauses would require the Secretary of State to lay a report before Parliament within 12 months of Royal Assent. New clause 3 would require Ofcom to publish an annual report on the adequacy of its budget, resourcing and staffing levels in particular.
As the Committee is aware, the Bill gives Ofcom significant new responsibilities. Ofcom’s budget is approved by its independent board and must be within a limit set by the Government. Clearly, given the enhanced security role that Ofcom will undertake, it will need to increase its resources and skills to meet these new demands. As such, the budget limit set by the Government will be adjusted to allow Ofcom to carry out its new functions effectively. This is of a piece with the direction of travel we are going in. In 2012, Ofcom had 735 employees. Last year, it had 937 employees, so as its remit has expanded, so has its headcount. That will continue to be reflected in the level of resourcing that it will be given.
Budget allocations can go down as well as up and there might be a future Government who are not quite as generous as past Governments have been. What guarantee can the Minister offer us that without some kind of reporting, such as that we propose, Ofcom’s budget will not be frozen or, indeed, reduced?
Ultimately, a mechanism already exists by which Parliament is able to scrutinise Ofcom’s resourcing. Ofcom is required under the Office of Communications Act 2002 to publish an annual report on its financial position and other relevant matters. That report, which is published every March—I am sure the hon. Gentleman is waiting with bated breath for the next one—includes detail on Ofcom’s strategic priorities as well as its finances, and details about issues such as its hiring policies.
The right hon. Gentleman asks me a question that I may be able to answer in a moment, depending on a number of factors. As for the thrust of his question, Ofcom is ultimately a serious regulator that has the resourcing to do a serious job. The right hon. Gentleman would be criticising us if it had fewer people, so he cannot have his cake and eat it by criticising the fact it has enough to do the job—but I think he is going to have a go.
Quite the opposite. This just reinforces my point about quangos. If we reach a situation where quangos are bigger than the sponsoring Department it is perhaps best to keep things in-house rather than having arm’s length quangos and the nonsense behind which we hide in this country about so-called independence.
The reality is that the relationship between Government Departments and regulators is very often incredibly close, but independence is an important part of regulation. Although the right hon. Gentleman makes a reasonable point about the optimal size for in-house expertise versus external expertise, it is getting the balance right between Ofcom, the National Cyber Security Centre and DCMS that this Government and the reporting measures we already have are fundamentally committed to providing.
The right hon. Gentleman talked about Ofcom’s resourcing. Ofcom will not be making decisions on national security matters, as we have said repeatedly, but it will to be responsible for the regulation around these issues. As the right hon. Gentleman said, the Intelligence and Security Committee has shown great interest in how Ofcom is preparing for its new role.
As for the point about disclosure and resources, I would be happy to write to the ISC to provide further details in the appropriate forum about Ofcom resourcing and security arrangements. This could include information that cannot be provided publicly, including information about staffing, IT arrangements and security clearances of the sort that we have discussed. I hope that Opposition Members understand that that is the appropriate forum to provide reassurance and to satisfy the legitimate requirements of public scrutiny on this issue.
I thank the Minister for giving way and for the tone of his response to the different points we made. I will leave the reassurance about writing to the ISC to my right hon. Friend the Member for North Durham. Does the Minister recognise that that does not address the issue of Ofcom’s resources and reporting more generally, particularly lower down the pipeline, when it comes to national security? We have emphasised again and again the breadth of powers. The Minister has said that Ofcom will have the discretion, for example, to require an audit of all operators’ equipment—an asset register audit. It will take significant resource to understand the audit when it comes back. There are significant resource requirements involved that do not necessarily require security clearance but are nevertheless essential to effective security, and the Minister does not really seem to be offering reassurance on those.
I would say that there is a sensible place to put some of that information, which is the communication to the ISC that I have offered, and there is a sensible place to put other information, which is the annual reporting that already exists. Hopefully the hon. Lady can find some comfort in the fact that both the information that cannot be shared publicly and the information that can will be subject to an appropriate level of parliamentary and public scrutiny.
I simply want to welcome the Minister’s comments, and the fact that he has recognised that the Intelligence and Security Committee is the appropriate place to discuss these matters, which, of course, cuts across other clauses that the Committee has already considered. He might bear that in mind on Report.
I thank the hon. Gentleman for that intervention. I hope that now that I have given those various reassurances, hon. Members are appropriately comforted.
Everyone is waiting for the headcount of DCMS; I am assured that it is 1,304 people, some 300 more than that of Ofcom. I do not know whether that makes the right hon. Member for North Durham happier or more sad.
We can discuss the optimal sizes of quangos and Departments outside this room. However, the right hon. Gentleman is obviously right that Government Departments and regulators need the resources they require to do their job properly. I hope that by describing the various mechanisms I have provided hon. Members with the reassurances they need to withdraw the new clause.
First, I owe you an apology, Mr McCabe; so keen was I to crack on with the consideration of the Bill that I did not say how great a pleasure it was to serve yet again under your chairmanship. I should have done so at the outset and I apologise.
I am grateful to the Minister for his response. I am looking to the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, for a little guidance. It could well be that we might want to serve a little bit longer under your chairmanship, Mr McCabe, by testing the views of the Committee on new clause 3, if we may.
Question put, That the clause be read a Second time.
As the hon. Lady said, we have addressed various issues relating to the new clause in previous debates. It is important to stress that Ofcom has the resources that it needs. She talked about its ability to face the future, but in our evidence sessions, we talked to Simon Saunders, the director of emerging technology. I know she does not wish to suggest that Ofcom does not do this already, but demonstrably it is already proactively engaged in horizon scanning.
Speaking as someone who was head of technology at Ofcom, I am aware that it engages in horizon scanning. I am sure the Minister will come on to this, but while there might be horizon scanning to understand how markets evolve and what level of competition may be seen in new markets in the future, the new clause deals specifically with horizon scanning for security and security threats. I am sure the Minister will focus on that.
It is important to say that we have amended section 3 of the Communications Act 2003, to which the hon. Lady alluded, so that Ofcom must have regard to the desirability of ensuring the security and availability of networks and services, so that should be incorporated into the horizon scanning work.
This is an important point. I do not think the 2003 Act has been amended, since I had it reprinted a week ago. We were talking about the principal duties. Under section 3, Ofcom has about two and a half pages of duties that it needs to carry out, but only two principal duties. Those principal duties do not mention security.
The hon. Lady is right, but as of 31 December 2020, section 3(4) states:
“OFCOM must also have regard, in performing those duties, to such of the following as appear to them to be relevant in the circumstances…the desirability of ensuring the security and availability of public electronic communications networks and public electronic communication services”.
It is absolutely there, but I fear we are getting into a somewhat semantic argument.
The Minister is generous in supporting this back and forth in debate. I will close by pointing out that the duty to which he refers is one of 13 duties, so it can hardly be considered a priority. To put it more fairly, to ensure that it is a principal priority, it would need to be elevated.
I think an organisation of 937 people can cope with 13 priorities. On one level, however the hon. Lady makes a reasonable point, and it is not one that we disagree with. Security has to be absolutely central to the work that Ofcom will do.
I will not restate the points I have made about how seriously we take the Intelligence and Security Committee and how seriously we will continue to take it. We will continue to write to the Committee on topics of interest as they arise and we are happy to continue to co-operate in the way that I have done; however, as I said in the debate on amendment 9, the primary focus of the ISC is to oversee the work of the security and intelligence agencies, and its remit is defined in the Justice and Security Act 2013. Amending the Bill to require regular reporting to the ISC, as proposed by the new clause, would risk the statutory basis of the ISC being set out across a range of different pieces of legislation.
Earlier, the right hon. Gentleman was suggesting that it was the memorandum of understanding that he would like to see amended. Now he seems to be suggesting that we should insert the new clause, which will not change the memorandum of understanding.
No, I said in an earlier contribution that if it were done by the memorandum of understanding, I would be quite happy. I know the Minister is limited in the number of civil servants he has beneath him compared with Ofcom, but will he go away and read the Justice and Security Act 2013? It talks about Departments, but it also talks about intelligence more broadly, which is covered by the memorandum of understanding. I do not know why he is pushing back on this issue; it may be because of the Cabinet Office, which has more civil servants than he has. I suggest that we will win this one eventually.
That may well be the case, but the right hon. Gentleman is not going to win it here—that is the important point to make. It is right not to try to address this issue in the new clause, but the Government will continue to take very seriously the work of the ISC, as he would expect.
Additionally, the new clause is designed to require Ofcom to provide annual reports to the ISC, which would, as the right hon. Gentleman knows, be particularly unusual in the context of the work of the Committee, as Ofcom will not be making judgments about the interests of national security under the Bill, or as part of its wider function. Ofcom’s role as regulator seems not to be something that comes under the purview of the ISC, even if I understand the broader point. As I said earlier, however, the NCSC is very much under the purview of the ISC, and there are plenty of opportunities for the Committee to interrogate the work of that excellent agency. I am sure the Committee will continue to take up such opportunities with vigour, but as I have said before, it would not be right to seek to reframe the remit of the ISC through the new clause. I ask the Opposition to withdraw it.
I thank the Minister for his comments and for engaging so readily in debate. I have to say that we feel very strongly about the new clause, both for parliamentary scrutiny and for ensuring that Ofcom is looking forward and assessing future threats. With bated breath, I wish to test the will of the Committee on the new clause.
Question put, That the clause be read a Second time.
The hon. Lady raised an important issue. Fundamentally, however, the issue of diversification is twofold. The Government want to see greater diversification within our telecoms supply chain. The £250 million allocated for the first three years of that programme to support the diversification strategy is a hugely important part of it.
As we are already seeing in the increased use of open RAN, whether with Vodafone in Wales or the NeutrORAN project with the NEC, there is already significant progress. I think that demonstrates that the industry does regard this—whether the hon. Lady wants to call it as an incentive or a carrot—as something that is making things happen to a greater extent. The Government cannot legislate for the diversification of the market; that is something that we can incentivise and work with the market to do.
We can monitor the diversity of networks, as Ofcom has the powers to do. We can set requirements on what the minimum standards might look like. For instance, NCSC guidance already says that two vendors should be the minimum, rather than one, for a telecoms network. That gives you an indication of what we will be monitoring and looking at, potentially, in codes of practice in the future. The hon. Lady is right to focus on this important issue, but it is wrong to pretend, important though Secretaries of State are, that any Secretary of State could legislate in the way she describes for the greater diversification that we all seek.
The focus of the Bill is on setting clear and robust security standards for our networks that telecoms providers must adhere to, and they must be met regardless of the diversity within any of those networks. To be fair, the diversity within a provider’s supply chain, in and of itself, does not offer the guarantee of network security. A provider using a diverse supply chain needs to be held to the standards set out in this Bill, so that the provider is able to offer the security standards that we need, regardless of the number of suppliers that they have available.
It is important to reassure hon. Members that Ofcom will have the ability to collect information relating to the diversity of suppliers’ networks under section 135 of the Communications Act 2003, as we have discussed. I do not think it is necessary to specify the need to collect information relating to diversification, as that is just one set of information that Ofcom may collect; it is just as important as several others in monitoring and reporting the security and resilience of networks. It is also important to clarify that, although greater diversity is critical in ensuring that we reduce our national dependence on a small number of suppliers, it is part of a broader approach to building security and resilience across the global supply chain that sits outside the Bill, important though it is. Diversification is an issue broader than the make-up of supply chains for UK providers alone, as the hon. Lady knows.
On a point of order, Mr McCabe. I put on the record my gratitude, and that of my right hon. Friend the Member for North Durham and my hon. Friend the Member for City of Chester, to you and your colleague, Mr Hollobone, for the way in which you have expertly chaired proceedings in the Committee. I also sincerely thank all House staff who have supported our work here, including those representing Hansard, and particularly the Clerks, who have been absolutely invaluable in setting out our desires to improve the Bill in clear and orderly amendments and new clauses.
I also thank all members of the Committee from both sides of the House. This detailed, technical Bill is critical for our national security, coming at a time of national crisis, when we are braving—all of us: staff and Members—a pandemic in order to be here. We have had an orderly and constructive debate.
Further to that point of order, Mr McCabe. What fun we have had! It is a pleasure to come to this point in the Bill’s passage. I echo the hon. Lady’s thanks to the House staff and to yourself, Mr McCabe, and Mr Hollobone. I also reiterate her point that this is a crucial Bill—one that I am glad enjoys cross-party support. I look forward to debating its further stages in the House.
Bill, as amended, to be reported.
(3 years, 5 months ago)
Commons ChamberThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
Before I call the Minister, may I say that I am anticipating three Divisions, on new clauses 1, 2 and 3? If there is to be an additional vote, I would like to be informed so that I can call it, but I understand that there are going to be only three Divisions.
I thank all those Members who have contributed to the debate today. It is an important debate because digital connectivity is an integral part of all our lives. For countless people across the country, having fast and reliable broadband and a good mobile connection is vital to our way of life, but for us to truly reap the benefits of the gigabit-capable broadband and 5G, we need to have confidence that they are secure and that means securing the networks on which they are built, the supply chains on which they depend, and the equipment and services that support them. The Bill demonstrates clearly the Government’s commitment to ensuring the security and resilience of our telecoms networks.
Let me turn to the new clauses and amendments. I shall start by addressing new clause 1. As the UK’s communications regulator, Ofcom already plays an important role in ensuring the ongoing security and resilience of our networks by enforcing the current security duties under the Communications Act. This Bill will build on that experience, giving Ofcom new responsibilities and a range of new powers. What the new clause would do is require it to publish an additional statement as part of its annual report. Happily, I can reassure hon. Members that the Bill already has various reporting mechanisms included within it. Under the new and snappily named section 105Z, Ofcom will need to regularly report to the Secretary of State. Subsection (4)(a) makes it clear that that report must include information on the providers’ compliance with the duties imposed on them by the Bill.
Ofcom will also need to report on telecoms security in its annual infrastructure report, and clause 11 specifies that this should include information on the extent to which providers are complying with their security duties under new sections 105A to 105D. The Secretary of State will also need to regularly report to Parliament on the effectiveness and impact of the new telecoms security framework.
On the final point in the new clause of the hon. Member for Newcastle upon Tyne Central (Chi Onwurah) about publishing information on emerging and future security risks, that is not of itself necessarily the most productive way of handling security risks, but the principle that she is trying to get to is very much part of what the Government are seeking to do and, of course, it would be part of what we intend to make sure that we talk about as much as we can within the bounds of national security.
I turn specifically to budget and resources. The hon. Member has set out her concerns about Ofcom’s access to resources and capabilities. It is an issue that my right hon. Friend the Member for South Holland and The Deepings (Sir John Hayes) also touched on. I can tell the House today that Ofcom’s security budget for this financial year has been increased by £4.6 million on top of its current security budget. This funding will allow Ofcom to more than double its headcount of people working on telecoms security, ensuring that it has the necessary capability and capacity to deliver its new responsibilities under the Bill. The hon. Member for Newcastle upon Tyne Central is aware that I have written to the Intelligence and Security Committee about that security resourcing. It was at a level that I cannot go into on the Floor of this House, but I hope that provides the kind of reassurance that she seeks.
Specifically on the future risks that I alluded to a moment ago, we have ensured that the Bill is looking to the future. For example, clause 12(3)(b) amends Ofcom’s information-gathering powers under section 135 of the Communications Act to ensure that it can request information from providers concerning future developments in their networks that could have an impact on security and, when reporting on security, Ofcom must include any information that assists the Secretary of State in the formulation of security policy, allowing him or her to make an informed decision about what should be published as well in due course.
New clause 2 has been the subject of the majority of this debate, and rightly so. One of the phrases used about the ISC was that it adds value; this Government do not dispute for a second that it adds huge value, and I welcome the tone with which the Chairman of the ISC, my right hon. Friend the Member for New Forest East (Dr Lewis), has approached this. I appeared before the ISC with some trepidation, as is probably appropriate for all Government Ministers, but it was a hugely productive part of this process and something that I am more than happy to do again. I do not think that my right hon. Friend necessarily thinks that piecemeal changes to the ISC’s role are the way to pursue what he seeks, but the annual report that he has mentioned will certainly be looked at closely by the Government.
I am very happy to agree with what the Minister has just said. It would not be necessary to keep trying to put these provisions on the face of each individual Bill every time a new unit is set up in a different Department, or a new duty laid on a different Department, if it could be agreed with the Government that the memorandum of understanding would be adjusted as it is meant to be adjusted when these changes occur. However, sadly, no Front Bencher has yet been able to give us an assurance that that is going to happen, and I know that the Minister will not be able to do so, either.
As I say, I am sure that my right hon. Friend will make that point in the annual report, and the Government will look closely at it. However, Members can take some comfort from the fact that much of the advice in relation to the more sensitive technical and national security matters within the scope of this Bill will be provided by the National Cyber Security Centre, and its activities already fall within the scope of the ISC, as my right hon. Friend knows. However, I welcome his approach to this, and I hope that his mechanism, rather than that of new clause 2, will be the one he will support today.
I turn to the last of the new clauses tabled by Opposition Members. New clause 3 aims to include the diversification strategy in the scope of the Bill. Diversification is crucial to the future of our UK networks, which is why the Government set out their plans to diversify those networks in the 5G diversification strategy in November 2020. That strategy includes steps to invest in research and development, to remove technical and commercial barriers to entry for new suppliers, and to increase our influence in standard- setting bodies—all issues that my right hon. Friend the Member for South Holland and The Deepings and others on the ISC are keenly aware of the importance of.
We are pursuing a huge range of different mechanisms to enable diversification, because the Government are fully committed to ensuring that their strategy comes to fruition. However, the diversification strategy moves the whole market forward by broadening the supplier base in many ways that are beyond the security measures that are the purview of this Bill, including increased innovation and competition and the overall growth of the telecoms supply mechanisms.
To give the House an idea of some of the non-legislative measures that we are already pursuing, they include the investment in R&D development facilities such as the National Telecoms Lab and the SONIC—SmartRAN Open Network Interoperability Centre—lab that is jointly at work with Ofcom. We are also working to remove barriers to entry for vendors such as by co-ordinating the sunsetting of legacy network technologies, working internationally to co-ordinate diversification objectives, and exploring the use of commercial incentives to address the cost of incorporating new suppliers into a network.
I asked a question to do with the Northern Ireland Assembly and how cyber-security in Northern Ireland will be protected. Can we have an assurance on the Floor of the House today and through Hansard that that will happen?
I will come on to the devolved aspects in amendment 1 in a moment, but it is of course vital that we continue the collaborative relationship with the Northern Ireland Executive and with the Welsh and the Scottish Governments as well.
The Bill places security requirements on individual operators. They are hugely important, but they are not diversification requirements on the Government’s national scale. Defining diversification in legislation would be limiting in a hugely rapidly evolving market. I know that the hon. Member for Newcastle upon Tyne Central understands the need for agility, and putting what she proposes into legislation would run counter to that ambition.
On the devolved Administrations, amendment 1 would require the Secretary of State to consult Ministers from the devolved Governments when reviewing the impact and effectiveness of clauses 1 to 13. As the hon. Member for Aberdeen South (Stephen Flynn) noted, telecoms is a reserved matter under each of the devolution settlements. I say that, however, in the full knowledge that a constructive and close working relationship with each of the devolved Governments is hugely important, be it in Project Gigabit, in the shared rural network, or indeed in matters such as this. I look forward to that collaboration continuing; it will drive forward our connectivity.
I turn briefly to the amendments that were not selected. My right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith) has spoken passionately about these matters, both privately and publicly. I do not want to go into a huge amount of detail on amendments that were not selected, but I simply say that the actions the Government are taking in the Bill speak powerfully for themselves.
On the specific matter of issuing designation notices to vendors headquartered in other countries, it is important to consider not just whether the kinds of laws that my right hon. Friend mentions exist, but how the Government in question intend to use them. A friendly democracy may, as indeed many do, have laws that would enable it to yield information and data from companies headquartered within their territory. The conduct of such a Government, and our relationship with them, may reassure us that they would not use those powers to do harm to the UK, but there are other cases where Governments that have these laws have acted contrary to the national interest of the UK in the past. As we set out in the illustrative notice for Huawei, there is a law in China that enables the Chinese Government to collect information from companies headquartered within its territory. As the Foreign Secretary has stated, we know that the Chinese state has in the past used its power to undertake malicious cyber-activity. The designation notice that I mentioned demonstrates how the Government could take those sorts of laws into account when exercising the powers that are already in the Bill.
I thank my hon. Friend the Member for Wealden (Ms Ghani) for her work on the NATO Science and Technology Organisation. We very much welcome her preliminary draft report. I would like to express the Government’s commitment to deepening our co-operation with partner nations such as Japan and the Republic of Korea.
I thank all hon. Members on the Government Benches, and indeed on the Opposition Benches, for their constructive engagement throughout this debate. This is an important Bill that enjoys strong cross-party support, in the main. The sooner we can pass it, the sooner we can set about the crucial work of ensuring that our public telecoms networks are secure and resilient. I commend the Bill to the House.
I beg to move, That the Bill be now read the Third time.
I thank right hon. and hon. Members for their contributions today, and I also thank the excellent team of Clerks of the House, those at the Department for Digital, Culture, Media and Sport, and all those involved in the preparation of the Bill. In particular, I thank those who work at our agencies to support so much of what goes into our national security: they are the best among us, and all of us in the House are grateful for their service.
The first priority of this Government is to keep people safe and this Bill is just one step in achieving that objective. It is a precise and technical Bill but an important one none the less. While we might have disagreed on some of the details, it is encouraging that there is such broad consensus across this place and I hope that that spirit of co-operation continues when the other place considers the Bill.
The Bill will ensure the security and resilience of the UK’s telecoms networks for years to come. Bringing it into force on Royal Assent cannot come soon enough. It will create one of the toughest regimes for telecoms security in the world. It will protect our networks and shield our critical national infrastructure both now and in the future, as technologies grow and evolve. With this Bill, we are delivering on our commitments in the 2019 telecoms supply chain review, which were informed by the advice from the world-leading NCSC and GCHQ. Today, we have taken an important step towards putting those commitments on a statutory footing and taking action to protect and secure our important networks.
I hope that, in my response to the amendments and new clauses, I provided reassurance on the role of Ofcom, the importance of diversification and the other matters raised. I welcome the constructive challenge of Members on those points, and I hope I have reassured them that we are pushing in the same direction. I thank all Members for their contributions. I commend the Bill to the House and look forward to it passing through the other place.
(3 years, 4 months ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
That the Bill be now read a second time.
Relevant documents: 5th Report from the Constitution Committee and 4th Report from the Delegated Powers Committee
My Lords, this past year has put into sharp focus the importance of digital connectivity, which has been vital in keeping both people and industries going in these challenging times. In the other place, my right honourable friend the Secretary of State spoke about the potential for 5G and gigabit broadband to transform our lives. The Government are investing billions of pounds into these cutting-edge technologies. However, we can be confident in the technology only if we know that it is secure.
That is why we have introduced the Telecommunications (Security) Bill. The Bill will create one of the toughest telecoms security regimes in the world. It will protect our telecoms networks even as technologies grow and evolve, shielding our critical national infrastructure both now and for the future. I will briefly outline the context for the Bill and why it is necessary, before turning to the intent of its clauses and delegated powers.
The security and resilience of 5G and full-fibre networks is not just in the national security interests of the UK. It is also crucial to the UK’s economic interests and future prosperity. The House will recall that this Government published the UK Telecoms Supply Chain Review Report in July 2019. It found that telecoms providers lack incentives to apply security best practices and recommended a new framework for the UK’s public telecoms providers that will respond to new and emerging threats to the security of our networks. The review also recommended new national security powers for the Government to control the presence of high-risk vendors in UK networks. The Bill is our response to those recommendations.
I will now outline the intent of the Bill’s clauses, which can be broadly separated into two groups. Clauses 1 to 14 introduce a stronger telecoms security framework, placing new security duties on public telecoms providers. Clauses 15 to 23 introduce new national security powers to address the risks posed by high-risk vendors.
I turn first to Clauses 1 to 14. The Bill amends the Communications Act to create a tough new telecoms security framework, which consists of three layers. First, the Bill places strengthened overarching telecoms security duties on public telecoms providers in primary legislation. Secondly, specific security requirements will be set out in secondary legislation. Thirdly, guidance on the detailed technical measures that providers could take to comply with their legal obligations will be set out in a code of practice. The new legal duties in the Bill and the measures in the secondary legislation will apply to public telecoms providers operating within the UK.
To illustrate the specific measures that providers may be expected to adopt, we published an illustrative first draft of the security framework regulations on GOV.UK in January. We have been, and continue to be, in close contact with industry following the publication of the draft regulations. Comments received as part of this engagement are being considered in the drafting of the final version. We will launch a public consultation on the draft code of practice once the Bill achieves Royal Assent. This will ensure that views from all impacted groups are heard ahead of the new framework coming into force.
The Bill provides Ofcom with a new general duty to seek to ensure that telecoms providers comply with their new security duties and builds on Ofcom’s existing security duties. Ofcom will have new powers to assess providers’ compliance. In cases of non-compliance, Ofcom will be able to issue a notification of contravention and, ultimately, financial penalties of up to 10% of turnover. Recognising that Ofcom will have expanded duties, DCMS is working with it to ensure that it has the necessary capability and capacity to deliver those vital functions. We have already increased Ofcom’s security budget for this financial year by £4.6 million to reflect its enhanced security role, in addition to its existing funding. Ofcom will also continue to work closely with the National Cyber Security Centre in the delivery of its security functions. The two organisations have published a statement, available on Ofcom’s website, which sets out how they plan to work together.
Clauses 15 to 23 introduce new national security powers to manage the risks posed by high-risk vendors in our telecoms networks. The Bill includes new powers for the Secretary of State to designate specific vendors in the interests of national security and issue directions to public communications providers. Those directions will place controls on a provider’s use of goods, services and facilities supplied by a designated vendor. Once a designated vendor direction is issued, the Secretary of State can direct Ofcom to collect information from providers and report back so that the Secretary of State can determine whether a provider is complying with a direction. Government amendments were passed in Committee in the other place to bring the powers in Clauses 15 to 23 into force immediately upon Royal Assent.
The Government have announced that UK telecoms providers should cease to install Huawei equipment in 5G networks after September 2021 and remove all Huawei 5G equipment by the end of 2027. We published an illustrative direction and designation notice in November 2020 to demonstrate how the powers in the Bill could be used in relation to Huawei in line with these announcements. Once the Bill receives Royal Assent, any proposed designated vendor directions and notices will be subject to the relevant consultation requirements set out in the Bill.
I will now turn to the delegated powers in the Bill. It contains nine delegated legislative powers to make secondary legislation and two administrative powers. Six of the delegated legislative powers are to amend the maximum penalties specified in the Bill. These are Henry VIII powers and are subject to the draft affirmative resolution procedure. A further two are powers to create regulations setting out specific measures to be taken to comply with the new security duties and are subject to the negative resolution procedure. Finally, one power is to make regulations commencing certain provisions in the Bill and is not subject to any procedure. The two administrative powers are the power to issue codes of practice and the power to give designated vendor directions to providers.
Our approach to the delegated legislative powers is in keeping with precedent. The powers to amend maximum penalties in the Bill are consistent with those in the Communications Act 2003. I appreciate the need for Parliament to have the right mechanisms to scrutinise the powers that we are taking in the Bill. I am confident that the approach we have taken finds the appropriate balance. As the House would expect, we have submitted the delegated powers memorandum to the Delegated Powers and Regulatory Reform Committee. I thank it very much for its prompt report on the memorandum, which I read with interest. The Government will consider the committee’s recommendation concerning the power to issue codes of practice about security measures and aim to respond to the report fully in due course.
To conclude, the Bill has not been designed around one company, one country or one threat. Its strength is that it will create an enduring and effective telecoms security regime that will be flexible enough to keep pace with changing technology and changing threats. I hope that noble Lords on all sides of the House will welcome it. I beg to move.
My Lords, I thank all noble Lords who contributed to this rich debate for their contributions, for the warm welcome they offered the Bill, and for the way in which, in very different ways, they highlighted the importance of the issues which the Bill seeks to address.
Today’s debate has been wide-ranging. We have debated the principles and the practice of the Bill and we have touched on a number of issues that are beyond its scope. I shall start my closing remarks by focusing on those matters that speak directly to the Bill, as well as those that are closely adjacent to it, such as diversification, before moving on, if, as I hope, time permits, to other matters raised in the debate. Some of the issues raised sit beyond my department’s remit, but I will do my best to respond to them and will write to all noble Lords on any matters that time does not permit me to address today. I stress that I and my officials are very open to continuing these discussions in more detail ahead of Committee.
As my right honourable friend the Secretary of State said at Second Reading in the other place, the Bill raises the security bar across the board and protects us against a whole range of threats. Although there may be disagreement on some points in the Bill, I welcome the fact that it clearly has strong support in this House and, as we saw, the other place. We are all committed to putting the UK’s national security interests first.
Before I go into the detail of the Bill, the noble Baroness, Lady Merron, rightly asked how it fits with wider regulation of critical national infrastructure. This is indeed one of a number of measures that the Government are taking to protect the security and integrity of that infrastructure. So, while this Bill focuses on telecoms security, there is already a range of regulations governing the security of other critical sectors, each tailored to different risks. The Bill will complement those pre-existing regulations by ensuring the security and resilience of the public telecoms networks on which our critical sectors rely.
The recently enacted National Security and Investment Act, to which the noble Baroness referred, empowers the Government to scrutinise, impose conditions on or, as a last resort, block foreign investment wherever there is an unacceptable risk to Britain’s national security. Rather than addressing investment, the Bill would enable the Government to protect our networks from risks posed by vendors who supply, provide or make available goods, services or facilities to public telecommunications providers. Once it is passed, the Bill will work alongside the National Security and Investment Act to protect our networks from threats, both now and in the future. My noble friend Lord Young of Cookham also asked how different government departments were co-ordinating their policy responses in this area. I will take up his kind invitation to write to him, and will of course copy other noble Lords into my response.
A number of your Lordships, including the noble Lord, Lord Clement-Jones, my noble friends Lord Vaizey and Lady Stroud, the noble Lord, Lord Alton, and the noble Baroness, Lady Merron, all asked how we were managing the risk posed by Huawei in the interim, ahead of the Bill becoming law. The Government have always considered Huawei to pose a relatively high risk to the UK’s telecom networks compared with other vendors. There has been a risk mitigation strategy in place since Huawei first began to supply equipment to the UK’s public telecoms providers.
The Government have announced extensive advice to manage the security risk posed by Huawei, based on the analysis of our world-leading experts at the National Cyber Security Centre. The Secretary of State has announced advice that providers should remove all Huawei equipment from 5G networks by the end of 2027 and, in order to clearly set out the pathway to zero, he also announced advice that providers should stop procuring new 5G equipment from Huawei after 31 December 2020 and stop installing Huawei equipment in 5G networks after September 2021. Together, all this advice will protect our networks from the risks posed by Huawei. Once passed, and subject to the relevant consultation requirements, the Bill will enable the Government to give legal effect to all this advice.
My noble friend Lady Stroud asked about other high-risk vendors. The Bill responds to the threats and risks that we outlined in the telecoms supply chain review. It gives us the ability to manage any high-risk vendor, both now and in future. We have named Huawei and ZTE as high-risk vendors, but we will continue to keep the presence of high-risk vendors under review.
A number of your Lordships, including the noble Baroness, Lady Merron, my noble friends Lord Vaizey and Lord Young of Cookham, and the noble Lord, Lord Fox, talked about the role, resources and capacity of Ofcom. We are confident that Ofcom will have the capability and resources to undertake its expanded role, although we recognise the competitive market for recruitment in this area. As I mentioned in my opening remarks, the Bill places a new, general duty on Ofcom to ensure that providers comply with their new security duties. We are working closely with Ofcom to ensure that it has the required resources to meet its new responsibilities, and we will keep that under review.
I shall now cover the issues relating to scrutiny in the Bill. The first of these relates to the Secretary of State’s ability to issue designation notices and designated vendor directions. This issue was discussed at length in the other place throughout the passage of the Bill, and more recently was referred to by the Constitution Committee, and I will address the remarks of both that committee and the Intelligence and Security Committee.
The noble Lord, Lord Clement-Jones, raised the recommendation from the Constitution Committee to increase oversight of the Bill’s powers by making them fall within the remit of the Investigatory Powers Commissioner. I can reassure noble Lords that the Secretary of State will use the power to issue designation notices and designated vendor directions only when it is necessary to do so in the interests of national security and where the requirements to be imposed are proportionate. The Bill already contains effective mechanisms for oversight of the Secretary of State’s use of the powers to give a designated vendor direction or designation notice.
The Bill requires the Secretary of State to lay copies of designation notices and designated vendor directions before Parliament. This will provide Parliament with the opportunity to scrutinise the use of these powers. On very rare occasions, the Secretary of State may choose not to lay a designation notice or direction before Parliament, because to do so would be contrary to the interests of national security. Where this is the case, the DCMS Select Committee will be able to view such directions and notices.
The Investigatory Powers Commissioner has responsibility for reviewing the use by public authorities, such as intelligence agencies, police and local authorities, of the powers in the Investigatory Powers Act. However, the Investigatory Powers Act regime is not directly comparable with the new powers and framework set out by the Bill. Oversight of the Investigatory Powers Act regime by the Investigatory Powers Commissioner is considered appropriate because of the potential intrusion into the private lives of individuals as a result of the use of covert powers. The national security powers in this Bill are very different from those in the Investigatory Powers Act: they are focused on protecting public telecoms networks and services from the threats posed by high-risk vendors.
The noble Lord, Lord West, the noble Baronesses, Lady Merron and Lady Northover, the noble Earl, Lord Erroll, and others raised the issue of scrutiny by the Intelligence and Security Committee. I pay tribute to the noble Lord, Lord West, and all other members of the Intelligence and Security Committee for the important work they do. We recognise the importance of effective scrutiny of the use of the Bill’s powers, and I am happy to correct the impression that the noble Lord, Lord West, suggested—that the Government want to avoid scrutiny in the Bill. That is why, as I said, the Bill requires the Secretary of State to lay copies of designation notices and designated vendor directions before Parliament, unless doing so would be contrary to the interests of national security. I referred to circumstances where this might be possible in my remarks on the advice of the Constitution Committee.
As noble Lords are aware, the activities of DCMS are not within the remit of the Intelligence and Security Committee. That committee’s remit extends to the intelligence agencies and other government activities related to intelligence or security matters, as set out in its memorandum of understanding. But the advice of the intelligence agencies will not be the only factor that the Secretary of State will take into account when deciding what is proportionate to include in a designated vendor direction. As well as the advice of the National Cyber Security Centre, the Secretary of State will consider, among others, the economic impact, cost to industry and impact on connectivity of the requirements in any designated vendor direction.
The ISC does not have a remit to consider non-security issues, such as the economic and connectivity implications of the requirements in designated vendor directions, but the DCMS Select Committee can consider those wider impacts. That is why, despite my noble friend Lord Balfe’s caution in this regard, we believe the DCMS Select Committee is the correct and appropriate body to see copies of designation notices and designated vendor directions that are not laid before Parliament.
My noble friend Lord Young of Cookham asked whether a designation notice or designated vendor direction is justiciable. Designated vendor directions and designation notices are subject to ordinary judicial review principles. However, the Secretary of State will issue designation notices and designated vendor directions only where they are necessary in the interests of national security and where the requirements in the direction are proportionate. As I mentioned, there are exceptions, which we expect to be rare, where it could be harmful to national security to lay a direction before Parliament, for example where doing so would expose particular security vulnerabilities.
The noble Lord, Lord Clement-Jones, asked about the delegated powers in the Bill and the recommendations of the Delegated Powers and Regulatory Reform Committee, as did my noble friend Lord Young of Cookham. The committee has made one recommendation relating to the power to issue codes of practice about security measures. I am sure that the House will appreciate that we need some time to consider the recommendation. We will respond once we have done that.
A number of noble Lords, including the noble Earl, Lord Erroll, the noble Lord, Lord Fox, and my noble friends Lady Morgan and Lord Vaizey, raised issues about the Government’s work on diversification. Although this is not a matter that the Bill speaks to directly, as your Lordships pointed out, I am delighted to address it. The Government recognise the importance of a diverse supply chain for creating a resilient national telecoms network, which is why we published the 5G diversification strategy alongside this Bill. That takes forward the Government’s commitment in the telecoms supply chain review to respond to the lack of diversity in the supply chain. We are leading the way in solving this through our ambitious diversification strategy.
The diversification task force, led by my noble friend Lord Livingston of Parkhead, has now concluded its initial work. Its findings and recommendations were published on 20 April. As my noble friend Lord Young pointed out, they raise the opportunity for our businesses in this area to win new markets through the creation of shared standards. The Government will respond to the task force’s findings and set out our next steps in this ambitious programme this summer. My noble friend Lord Holmes asked for an update on our UK telecoms lab. We will be able to say more on that later this year, but we plan to respond to all of the priorities raised in the very helpful report from the diversification task force.
The noble Lord, Lord Fox, asked for a definition of “incumbent suppliers”. The diversification strategy defines them as those present in the network that are not high-risk vendors, which therefore would include non-UK businesses such as Nokia and Ericsson.
The noble Baroness, Lady Northover, and the noble Lord, Lord Clement-Jones, asked about our engagement with business. We continue to engage regularly and closely with public telecom providers, including the largest companies, such as BT, and the trade bodies representing small businesses. Their feedback has been invaluable in our policy development. We will consult with them further on the draft code of practice after Royal Assent to ensure that all those affected can make their voices heard.
The noble Lord, Lord Maxton, asked about our international engagement. We have engaged with partner countries throughout the drafting of this Bill and will continue to do so once it has passed. As he rightly pointed out, our networks face similar challenges to those of networks in other countries. It therefore makes absolute sense to find international solutions to them.
The noble Lord, Lord Vaux of Harrowden, obviously has a similar social life to mine. I definitely get more fraudulent calls than I do any other type of communication. As I wrote to him, this Bill is not intended to address the extremely important issues that he raised. The Government are exploring a range of different measures aimed at tackling criminal abuse of the telecommunications network, including fraud. This work is led by the Home Office. I am happy to meet with him to discuss it further if that is helpful or co-ordinates him being in touch with the right colleagues at the Home Office.
Turning to the issues of human rights, the noble Lord, Lord Alton, asked about the compliance of the ministerial statement on the face of the Bill with the Human Rights Act. As printed, I made a statement under Section 19 of that Act that:
“In my view the provisions of the Telecommunications (Security) Bill are compatible with the Convention rights”
as defined by Section 1 of the Act. I stand by my statement. I do not think there are any provisions in this Bill that are incompatible with the convention rights. The statement is about the content of the Bill. The noble Lord has implied that actions of another country might bring the Bill’s compatibility into question, but I think that is a misunderstanding of the purpose of the statement.
Many of your Lordships rightly raised issues of human rights in China, including the noble Baronesses, Lady Northover and Lady Merron, the noble Lord, Lord Fox, and my noble friends Lady Stroud and Lord Balfe. I start by paying tribute to the noble Lord, Lord Alton, for his ongoing commitment to standing up for human rights around the world, including in Xinjiang. The Government stand in complete solidarity with him and the eight others who were sanctioned by China. This House has debated these issues at length and rightly so, as they are important. The Government share the noble Lord’s serious concern about the human rights situation in Xinjiang. Indeed, he recently secured a Question for Short Debate on this topic, to which my noble friend the Minister of State for South Asia and the Commonwealth responded.
It is because this issue is so important that we have, as a Government, taken a wide range of actions this year and I cannot accept his suggestion of complacency on the part of the Government. The UK Government have led international efforts to hold China to account for its human rights violations in Xinjiang. We led the first two statements on Xinjiang at the UN and have utilised our diplomatic network to raise the issue up the international agenda. Most recently, on 22 June, the UK joined 43 other countries at the UN Human Rights Council to condemn China’s human rights violations in Xinjiang and Tibet, as well as the deterioration of fundamental freedoms in Hong Kong referred to by the noble Baroness, Lady Bennett, and others. On 13 June, the G7 leaders’ communiqué called on China to
“respect human rights and fundamental freedoms, especially in relation to Xinjiang”.
Noble Lords will be aware that in January the Foreign Secretary announced a package of measures to help ensure UK businesses and the public sector are not complicit in human rights violations or abuses in Xinjiang. Those measures include robust and detailed new guidance to businesses, a review of export controls as they apply to China, a commitment to introduce financial penalties under the Modern Slavery Act and increasing support for UK government bodies to exclude suppliers complicit in violations.
I know the noble Lord is particularly interested in hearing more about the review of export controls. He will be aware that export controls are already applied to a range of goods which may be used for internal repression or to breach human rights, as set out in the Export Control Act 2002 and accompanying secondary legislation. The review announced by the Foreign Secretary in January will ensure that we have captured the full range of goods as applicable to the current situation in Xinjiang and will determine which additional specific products will in future be subject to export controls. The Government will report back to Parliament on the outcome of the review in due course.
I also note the Private Member’s Bill introduced by the noble Lord, Lord Alton, regarding the duty on businesses to produce modern slavery statements. The Government have already committed to strengthening Section 54 of the Modern Slavery Act 2015 and I know that the noble Lord engages regularly with the Home Office on this matter. I can reassure all your Lordships that tackling modern slavery continues to be a priority for this Government. This is why the Government announced a review of our modern slavery strategy earlier this year.
A new strategy will cover our cross-government response, including how business and government can effect change through their supply chains. In September 2020, the Government committed to take forward an ambitious package of measures to strengthen the Act. As I have mentioned, this was followed in January 2021 by a commitment to introduce financial penalties for organisations that fail to meet their statutory obligations to publish modern slavery statements under the Act. Legislation to take these reforms forward will be introduced when parliamentary time allows.
The amendment tabled and adopted during the passage of the Trade Act further highlights that the Government take these issues seriously. The amendment ensures that a debate and vote in Parliament can happen in response to credible reports, expressed by a responsible Committee, about genocide in a country with which we are proposing a new free trade agreement. I can now confirm that the Foreign Affairs Select Committee in the other place has agreed to be charged with this role, subject to agreement by the House. Discussions are still ongoing in the other place and will begin in this House when there is a willing Committee.
This Bill, however, is focused on the security of the UK public telecoms network and services. It is not the right legislative vehicle to address concerns about human rights and modern slavery. Clause 16 makes it clear that designation notices can be issued to vendors only where the Secretary of State considers that it is necessary to do so in the interests of national security. The Government consider that the Secretary of State should be required to assess national security as strictly about the security of our nations.
I apologise to noble Lords: I know that I have overrun but it was a rich debate. I hope noble Lords will accept that it was worth addressing some of the important points raised. I look forward very much to working with your Lordships across the House to pass this important legislation. As I have said, the Bill will create one of the toughest regimes for telecoms security in the world. It will enable us to protect our critical national infrastructure and shield our networks for years to come. The noble and gallant Lord, Lord Stirrup, gave the Government a helpful and powerful challenge: to be forward-looking as we think through this legislation; to recognise the need for a balance between cost, resilience and risk; and to adopt an approach that combines agility and adaptability. Again, I invite noble Lords who wish to talk about any particular issues related to the Bill to contact me or my officials, and I look forward to debating this further in Committee.
(3 years, 3 months ago)
Grand CommitteeThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
I thank all noble Lords for these amendments, which seek to strengthen the resilience of our telecoms networks by putting a new monitoring requirement on providers in relation to vendors in other jurisdictions, adding to the list of matters to which a requirement in a designated vendor direction may refer, and requiring the Secretary of State to review decisions taken by Five Eyes partners to ban vendors on security grounds.
We recognise the aim of having a comprehensive approach to telecoms security that includes the provider and government. The Bill follows this approach. A number of your Lordships said that I could be advised that the amendments are not unnecessary, but one issue the amendments raise is that of clarity of responsibility in the Bill. We believe genuinely that these amendments would blur some of that clarity.
The Bill as drafted is clear that it is the responsibility of government, not public communications providers, to set security duties and to designate vendors who pose a national security risk. In doing so, the Government, via the National Cyber Security Centre and other agencies, will monitor companies globally, including, of course, in the Five Eyes countries. It is then up to the providers to implement the security duties placed upon them and to comply with any designated vendor directions issued to them.
Amendment 1 in particular risks blurring these lines of responsibility and requiring telecoms providers to spend disproportionate resources on monitoring vendors internationally. This amendment seeks to place a new duty on public telecoms providers to review vendors of goods or services to those providers which are prohibited from other jurisdictions on security grounds, and to review the reasons for the prohibition. This would require public telecoms providers to monitor the policies and regulations of all other jurisdictions to understand whether those jurisdictions had banned certain companies from operating. This would be an onerous, disproportionate duty to place on industry.
Furthermore, in some cases, it may be impossible for telecoms providers to comply with the duty. The amendment states that telecoms providers must review the reasons for a vendor’s prohibition from a jurisdiction. As noble Lords will be aware, many jurisdictions have opaque decision-making processes, where it may be difficult, if not impossible, for telecoms providers to review the reasons for the prohibition of certain companies. Moreover, new Section 105A, which is inserted by Clause 1, places a strengthened overarching security duty on public telecoms providers. This duty is centred on an appropriately future-proofed definition of security compromises. Clause 1 therefore already ensures that telecoms providers undertake appropriate risk management to guard against any relevant threats to network security. In the light of this, I do not consider that this amendment is either proportionate or necessary, given the burden that it would place on telecoms providers and the duties already contained in the Bill.
Amendment 20 seeks to clarify that a requirement in a designated vendor direction may make provision by reference to the sourcing of goods, services and equipment from a specified country, or from sources connected with a specified country. While it is important that we protect our networks from the threats posed by hostile state actors, I do not consider this amendment to be necessary. As currently drafted, the Bill already allows for requirements to be included with provisions relating to the “source” of goods, services and facilities supplied by a designated vendor. I would consider that countries, and sources connected to countries, would already be captured by this wording.
Further, the list of matters that the noble Lord seeks to amend is explicitly non-exhaustive. The Bill is clear that the provisions of a requirement may refer to matters other than those listed in the Bill. It is therefore already possible for a requirement in a direction to refer to the country from which goods, services and facilities are sourced, if the Secretary of State considers that such a requirement is necessary in the interests of national security and proportionate to the aim that is sought to be achieved. As such, this amendment would not achieve anything that is not already possible under the provisions of the Bill as drafted.
Amendment 27 seeks to add a new section to the Communications Act 2003. This amendment would require the Secretary of State to review decisions taken by Five Eyes partners to ban telecoms vendors on security grounds and consider whether similar action is required in the UK.
A number of Members of the Committee, including the noble Lords, Lord Alton and Lord Coaker, and the noble Baroness, Lady Northover, stressed the importance of co-operation. She asked whether this was happening anyway. The short answer is that it is. The UK is already committed to a close partnership, and engages regularly with the Five Eyes. The UK’s telecom networks face similar challenges to networks in other countries.
The Government have engaged with partner countries on the approaches to high-risk vendors throughout the drafting of the Bill and will continue to do so once it is passed. I reassure the Committee that we are in regular contact not only with the Five Eyes nations but with other key partner nations—for example, Japan, France and Germany, to name but a few. Therefore, a requirement to review their decisions to ban a high-risk vendor and consider whether to issue a designated vendor direction in the UK would be unnecessary.
The noble Baroness, Lady Northover, asked more broadly how we worked with other countries in relation to national security. We have always maintained that each country needs to implement the mitigations that are right for their national circumstances. Of course in practice, Governments are adopting similar measures to address the risks, and adapting them to meet their own national circumstances. For example, the Netherlands, Germany and Australia have all either adopted or are planning to adopt security measures comparable to those set out in the UK’s draft secondary legislation, which the Bill would allow us to implement.
In July 2020, following advice from the National Cyber Security Centre, the National Security Council considered the impact of US sanctions in relation to Huawei. It considered that further action was needed, as the new US restrictions made oversight of Huawei products significantly more challenging and potentially impossible. That is another example of how the UK already regularly reviews security advice and requirements in response to international considerations.
Some of the issues raised were closely linked to the Bill, while others were slightly less so. The noble Lord, Lord Fox, asked how Ofcom and the NCSC would work together in practice. To formalise the relationship between the two organisations, they are in the process of developing a memorandum of understanding and have published a statement, available on the Ofcom website, that sets out the three key principles that they will follow. They are: first, that the National Cyber Security Centre will provide expert technical cybersecurity advice to Ofcom to support the implementation of the new telecoms security framework; secondly, that they will exchange information where necessary and permitted by law; and, thirdly, that the National Cyber Security Centre will continue to provide incident management support during serious cybersecurity incidents, both to telecoms operators and to Ofcom as needed.
The noble Earl, Lord Erroll, suggested that our broadband rollout programme had stalled—forgive me if I misheard—but I do not accept that. We as a Government remain committed to delivering nationwide gigabit and mobile connectivity as soon as possible. We have put in place £5 billion of funding to roll out next-generation gigabit broadband and have already connected more than 1 million hard-to-reach homes and businesses. Despite the pandemic, the expansion has been extraordinary, with 40% of premises now having access to gigabit-capable broadband, which will rise to 60% by the end of this year.
I congratulate the Minister on introducing the Barran scale of nuance, which will no doubt become a classic in future. She did not address the issue of componentry, if you follow my drift. It seems to me, in analysis, that what tipped the balance in the sense of Huawei was the absence of American-made chips. Were that not to have happened, the NCSC would not have recommended the widescale removal that we have seen. That appears to be the implication. There seems to be an element of component monitoring going on, although in this case the monitoring appears to have been done more by the Americans than by the United Kingdom. It comes back to that fundamental point: at what level is the Bill going to be applied? Will it be applied on the overall capability of the system? In other words, is it a systems capability issue? Is it a subsystem operational outcome view, the individual pieces that go to make those subsystems, or the software that drives the overall system? How will the Bill actually be put into process?
I may need to write to the noble Lord about the technical details he has set out. I think for the approach to be effective it needs to incorporate all elements of that. An overall system cannot be a capable system if the subsystem is not. There needs to be coherence across the equipment that is supplied and our understanding of how it operates in practice and the component parts to inform the judgment about its security or not. I am happy to follow up in writing if he is agreeable.
I thank all noble Lords who have participated in the debate and the Minister for her replies. I thought that the intervention just now by the noble Lord, Lord Fox, was important. It drives at one of the issues that we have debated today in the context of Nexperia and what is happening to a British company that has been acquired by a Chinese company through its Dutch affiliate. It is about computer chips. It is about semiconductors. It is about our ability to be able to control what goes into the technology that the Bill is very much about. That is not an on-the-side question; it is a very important central question and I look forward to seeing the response that the Minister gives to the noble Lord, Lord Fox, when she looks at it further.
I turn now to some of the contributions made today. The noble Baroness, Lady Northover, in a typically powerful and thoughtful intervention, invited us to delve more deeply. That is what we have been doing during this afternoon’s proceedings. She emphasised the importance of countries working together. She regretted, with sadness, that we have been forced to make some of these decisions about our own individual ability to acquire intelligence as a result of our decision to leave the European Union.
I thought it was interesting that, earlier today, the European Commission issued new guidance to combat forced labour in supply chains. It rather puts our laggardly and perfunctory efforts to shame. The guidance provides concrete, practical advice on how to identify, mitigate and address the risks. This issue has been referred to and the noble Baroness has said that she is going to write to us further on modern-day slavery and supply chains. High Representative/Vice-President Josep Borell says that the guidance
“will help EU companies to ensure their activities do not contribute to forced labour practices in any sector, region or country.”
It paves the way for future legislation which will have enforcement mechanisms and should introduce a mandatory due diligence duty, requiring European Union companies to identify, prevent, mitigate and account for sustainability impacts in their operations and supply chains.
Our amendments today would gather that kind of information. I simply do not accept that it is impossible for companies, in partnership with government—a point made by the noble Baroness in opposition to these amendments was that this would place too much responsibility on companies—or countries such as our own to collect this information. Like other noble Lords around the table, I have no staff. The information I gave to the Committee today is publicly available and, with a little bit of research, it can be obtained without too much difficulty. It is absurd to suggest that it is beyond the ability of companies or countries to collect information and share knowledge. The example from the European Union underlines what the noble Baroness said to us today.
The noble Lord, Lord Naseby, was, as always, asking all the right questions. From our many years together in another place, as well as here, I am always happy to stand with the noble Lord, not least because of his experience in many parts of the world. It is important to ensure that our people who are in post in many of our embassies are given the ability to ask these searching questions and to ensure that the information comes back to us, to prevent many of the expensive mistakes that have been made around Huawei, and which have been referred to during the debate, happening all over again.
My noble friend Lord Erroll was right to say that there are human rights abuses in many countries. Like him, I become indignant about some of those abuses; I do not argue, though, that we should no longer trade with those countries. I always prefer that we trade with countries that are on a trajectory to reform, that are law-abiding and that believe in human rights and democracy, but I accept that it would be impossible to take out of supply chains any country that carries out any kind of human rights violation.
However, there are certain markers that we can look to. One of them is our legal duty under the 1948 convention on the crime of genocide. This is not a word to be used lightly. The word “genocide” came into our vocabulary thanks to a Polish Jewish lawyer, Raphael Lemkin, who had seen over 40 of his own family murdered in the Holocaust. During the proceedings on the telecoms infrastructure Bill last year, I gave examples from that period of how companies such as Philips had their own forced labour in the camps where people were dying. I gave the example of Corrie ten Boom, a Dutch woman who had given refuge to escaping Jewish people trying to flee the Holocaust. She and her sister were arrested and sent to work in that factory; her sister died there. Corrie ten Boom wrote a deeply moving book called The Hiding Place. That is the comparison I seek to draw.
It is not just me. In April this year, the House of Commons said that what is taking place in Xinjiang is genocide—it is only the second time that it has ever made such a declaration, so this is of a different order. Where there is genocide, we, as signatories to an international treaty—the 1948 convention on the crime of genocide—have a legal obligation to predict the signs of genocide, prevent it from happening, protect those affected and prosecute those responsible. I accept my noble friend’s argument—we are not going to stop trading tomorrow with Gulf states or whomever it may be who is doing fairly odious things—but the crime of genocide is surely in a different league.
This is a really important discussion. I do not want to speak for too long but the noble Earl, Lord Erroll, was right to say that the Bill is about security and not just “anything”. None of us on the Committee wants to compromise the nation’s security or compromise the ability of our military personnel to conduct necessary operations. However, sometimes in legislation words really matter—they are the law of the land. That is why scrutiny of legislation in Committee like this is so important, word by word and line by line, otherwise—and I will have a series of questions for the Minister on this—down the line in one, two, three or five years, something will happen and everybody will go, “How was the word ‘anything’ included?” The unintended consequence of legislation is something that we need to consider, or people will ask how something happened—how that word was allowed.
With that in mind, it is important that the Minister explains to the Committee how this definition is arrived at. The starting point would be to ask her to explain the differences between having the word “anything” and having the phrase “security issue”. Can she give examples of how the Bill would be weakened by having that term rather than “anything”, and what “anything” means—apart from saying that it means “anything”? What does it actually mean, given that the Bill is supposed to be about security issues, as the noble Earl said?
The Government argue that the duty on providers is appropriate and proportionate to ensure that the effects of compromise are limited and to act to remedy the impacts. I understand why Ministers are keen to keep the definition wide, but on its own it is not good enough. For example, can the Minister explain whether there are any thresholds to what amounts to a security compromise, or is it “anything”, and what does that mean to an individual who might stray into territory that they are not sure about? How was the Bill’s definition arrived at? Who came up with it and what advice did they receive? Were alternatives suggested to it, what did security experts say to the Minister was necessary, and were there dissenting voices?
In seeking clarification, I wonder whether the Minister can explain why the definition does not include, as I understand it, the presence of supply chain components, as the noble Lord, Lord Fox, mentioned on the earlier group of amendments, if they represent a security threat. Maybe it does—but could the Minister clarify that? We need to know that to understand the diversification of the supply chain and how effectively or not it is proceeding. It is important to consider the components of the supply chain, particularly when identifying where they are a threat to our national security. As I see it, that is not included in Clause 1, but perhaps the Minister can tell me that it is and that I have not read the clause correctly. If so, where is it?
I go back to where I started. These amendments are important in testing how the Government have arrived at this use of “anything”. I know it sounds like semantics —what does “anything” mean?—but the point made by the noble Earl, Lord Erroll, is crucial. The Bill is a security Bill. That being so, why does “anything” appear and why is “security issue” not the appropriate way to describe this? Why is it not included in the Bill? It is necessary for the Committee to understand the Government’s thinking on this for us to consider whether we need to bring back this matter on Report.
My Lords, the Committee will recall that the UK Telecoms Supply Chain Review Report in July 2019 found that telecoms providers lack incentives to apply security best practice. This Bill is our response to its recommendations and takes forward the Government’s commitment in the report to introduce a new security framework, including new legal duties and requirements, to ensure that telecoms providers operate secure and resilient networks and services.
I thank the noble Lords, Lord Fox and Lord Clement-Jones, for tabling these amendments to Clause 1. Before I address them directly, I hope that it will be helpful if I set out some brief context for the clause as it appears in the Bill and try to address the challenges posed by the noble Lord, Lord Coaker.
Clause 1 inserts a new Section 105A into the Communications Act 2003. New Section 105A places a duty on public telecoms providers, first, to identify the risks of security compromises; secondly, to reduce the risks of compromises occurring; and, thirdly, to prepare for the occurrence of security compromises. To support the duty, new Section 105A creates a new definition of “security compromise”. The definition is purposefully broad and includes anything that compromises the availability, performance or functionality of a network or service, or that compromises the confidentiality of the signals conveyed by it. I thank my noble friend Lord Naseby for his support for this approach.
I am genuinely slightly puzzled by the remarks of the noble Lord, Lord Coaker, about what is included and excluded, because Clause 1 goes into great detail—which I shall not read out now, but I know the noble Lord has looked at it. Not only do we define what is included in “compromise” but we are explicit about what is excluded. This comprehensive approach will help ensure that telecoms providers protect their networks and services properly in the future. It creates a new duty on providers to take steps to reduce the risk of incidents and attacks seen globally in recent years.
As we have heard, the amendments tabled by the noble Lords, Lord Fox and Lord Clement-Jones, would narrow the definition of a security compromise. As both noble Lords noted, this was also a matter that the Constitution Committee recommended the House consider in its recent report. As I have said, the definition is designed to support a long-term approach to security. It aims to be focused enough to address risks that are specific to telecoms networks. At the same time, it is broad enough to ensure the Bill is future-proof and has flexibility to enable us to address new and evolving threats.
I appreciate that the noble Lords are seeking to ensure that legal obligations on telecoms providers are targeted and appropriate to specific risks, but it is important to remember that the framework within the Bill is designed to do exactly that. Certainly, we are not aiming, in the words of the noble Earl, to bash suppliers over the head. Rather, the broad definition in the Bill helps future-proof the legislation, whereas the specific security measures which narrow that focus will be set out in secondary legislation. I tried to get my head around the thought experiment from the noble Lord, Lord Fox, but I got stuck at the idea of trying to fit inside a petri dish, which would definitely be impossible.
The Minister brought up the review, which was very clear that there are huge potential market failures within the security and resilience telecoms market, the reason being that security is not valued by the networks. It is other things, such as network connectivity and price, which are of maximum importance to those networks—things that might come under the word “anything”, for example.
Let us be clear about the four reasons given by the review that security is undervalued by networks: insufficient clarity on cyber standards and practices; insufficient incentives to internalise the costs and benefits of security; lack of commercial drivers, because consumers of telecoms services do not tend to place a high value on security; and the complexity of delivering, monitoring and enforcing contractual arrangements in relation to security. All four of those issues, which I think are driving the purpose of this Bill, involve the word “security”. Far from these amendments watering down the intent of the Bill, the Minister is watering it down herself by including the word “anything” and ignoring the word “security”. I do not expect her to accept these amendments now, but I would like the department to go away and think about this very carefully, because a catch-all Bill catches nothing.
I hear the noble Lord’s concerns. We will of course take back his comments and reflect on them again. However, I know that officials working on this Bill have considered these points in enormous detail and would be happy to meet the noble Lord and discuss them, if that would be helpful. We believe that our framework does not water down but balances future-proofing with the precision and specificity that the noble Lord seeks. I hope we can follow up on that in a separate meeting.
My Lords, I see a slight chink of light, perhaps, that may be opened by opened by a meeting with the Minister on this subject—because she will appreciate that none of the amendments tabled to the Bill, which we think is important, has been put down lightly, and definition is crucial.
I was somewhat baffled by the noble Lord, Lord Naseby, flying in his jet—I was thinking of perhaps pressing the ejector button, but I thought better of it. The idea that there is an analogy between flying a jet and what we are talking about here was a bit baffling. The only way that I could think of the analogy for a planned outage, which is exactly what the providers are worried about being subject to under this definition of “security compromise”, is where a jet does a planned manoeuvre and everyone scrambles and treats it as an incident—so I cannot see that his analogy holds at all.
I much prefer and give thanks for the contributions of the noble Earl, Lord Erroll, the noble Lord, Lord Coaker, and my noble friend Lord Fox, who, in doubling down on the points raised about the purposes of the Bill, illustrated exactly why we seek to have a much more precise definition. The big problem is that the flexibility demanded by the Government is effectively at businesses’ cost and causes uncertainty. That is the worry about the way that the Bill is currently drafted.
The Minister talked about future-proofing and doing it more precisely, in a sense, by setting out the duties by secondary legislation—but, of course, there are great concerns about the way that the secondary legislation is to be agreed and the codes of practice. So I suppose that, if I were going to ask for a quid pro quo, if there is to be a loose definition of “security compromise”, there must be a very tight way of agreeing the codes of practice and the secondary legislation—but I wonder whether the Minister will actually agree to that trade-off, as we go through the afternoon. I would like to have all of the amendments that we have tabled for today.
I really think that, when the Minister said that this would “undermine the whole approach”, it is good to have it in her script, but that is absolutely not the case. The last thing that we are doing by trying to tighten this definition is to undermine the whole approach; we are trying to create certainty for the providers so that, when they plan outages and there are other planned events, they are not caught by a sidewind when trying to comply with the terms of the Bill. This is a practical issue.
I understand what the Minister says about resilience and, to some degree, that is the case, but there is clearly a great deal of uncertainty surrounding the providers’ interpretation of the Bill, as it currently stands—and they are the ones that will be subject to this. As I said—without wishing to repeat myself too much—the Government’s impact assessment itself makes it very clear that the costs of this exercise, of having to comply with the Bill, are extremely uncertain at this point, and there is quite a lot of concern about that.
I am sure that, if we have a meeting with the Minister in due course, we will be able to persuade her to accept these amendments, and I look forward to it. In the meantime, I beg leave to withdraw Amendment 2.
My Lords, I speak to Amendment 11 in my name and welcome Amendments 7 and 12 in the names of the noble Lords, Lord Fox and Lord Clement-Jones. I was interested that the noble Lord, Lord Fox, referred to a chorus of agreement, which I certainly heard ringing out, expressing concerns about the role that Parliament should have in scrutinising on codes of practice that this Bill currently does not provide for. To me, the codes remind us that the Bill can provide us only with something of a framework, and for many areas there is a wait for the details to be filled in later. As the noble Earl, Lord Erroll, said, the devil, as always, is in the detail.
Clause 3 allows the Secretary of State to issue new telecom security codes of practice that will set out to providers the details of specific security measures that they should take. As we have heard referred to, the impact assessment states that these codes are the way in which the DCMS seeks to demonstrate what good security practices look like. However, I note that Ministers are proposing only to demonstrate but not actually to secure good practice, which I am sure is the real intent—and it would be very helpful if, through this debate, we could get to that place.
I am interested also to note and draw the Minister’s attention to the fact that the Government have said that these codes will be based on National Cyber Security Centre best practice security guidance. The Government have said that they will consult publicly, including with Ofcom and the industry, as we read in the Minister’s letter following Second Reading. That public consultation will be on implementation and revision. However, it strikes me as very strange that the National Cyber Security Centre is not a statutory consultee; can the Minister say why it is not?
I particularly make the point that, as the codes of practice will be admissible in legal proceedings, they have to be drafted accurately and we have to ensure that security input and expertise is fed into them. The National Cyber Security Centre, which is described as a bridge between industry and government and is, indeed, an organisation of the Government, would seem to be a body that should be, in a statutory sense, invited to make the input and offer its expertise, along with other departments and agencies. After all, we can see, when reading about the centre, that its whole reason for being is that it provides widespread support for the most critical organisations in the United Kingdom as well as the general public, and they are absolutely key when incidents, regrettably, occur. We are trying to address those incidents in respect of this Bill.
As we have heard from all noble Lords who spoke in this section of the debate today, the input needs to come from Parliament, which is why I tabled Amendment 11. As the Bill is drafted, the current reading is that a code of practice must be published and laid before Parliament, but there is no scrutiny procedure. I put it to the Minister that if codes have legal weight, why is Parliament being denied the chance to scrutinise them? We seem to have a complete mismatch there. I was taken by the words in the Delegated Powers Committee report, mentioned by the noble Lord, Lord Clement-Jones, in his introduction, which stated that this way of being was “unacceptable” and called for the negative procedure for codes. That is what Amendment 11 does. Can the Minister address specifically the words of that committee report? I refer her to paragraph 27, which says:
“In our view, the Department’s reasons are unconvincing … the fact that codes of practice would be produced after consultation with interested parties cannot be a reason for denying Parliament any scrutiny role; and … the Department appears not to have recognised the significance of the statutory effects of the codes of practice”,
as has been highlighted today. I therefore hope that the Minister will both comment on the report and seek to make what is a very important and significant change in this regard.
I will pick up on one additional point. The impact assessment also says that the codes of practice will have a tiering system for different-sized operators. The initial code will apply to tier 1, which serves the majority of businesses of critical importance to the United Kingdom. This will also apply to tier 2 medium-sized operators but with lighter oversight by Ofcom and longer timetables. Can the Minister offer a draft list of the operators in tiers 1 and 2, and can it be shared with noble Lords? I would also be interested to know whether the Minister has any concerns that tier 2 operators will somehow be worse at compliance. If she has those concerns, what support will be provided to small and medium-sized enterprises? I look forward to her reply.
My Lords, I have heard with interest the contributions of your Lordships regarding the parliamentary oversight of the secondary legislation and codes of practice associated with the Bill. I will try not to disrupt the harmony that broke out so agreeably.
Amendment 7 tabled by the noble Lord, Lord Fox, would apply the affirmative procedure to regulations made under new Section 105B in Clause 1. It would require secondary legislation to be laid in Parliament in draft and to be subject to a debate and a vote in both Houses. Both Amendment 11 tabled by the noble Baroness, Lady Merron, and Amendment 12 tabled by the noble Lord, Lord Fox, would require a statutory instrument to be laid in Parliament for the Secretary of State to issue or revise the codes of practice, under the negative or affirmative procedure respectively.
I will first address Amendment 7 and the procedure for the regulations. The Bill currently provides for the statutory instrument containing the regulations to be laid using the negative procedure. This is the standard procedure for instruments under Section 402 of the Communications Act. The only delegated powers in the Bill currently subject to the affirmative procedure are Henry VIII powers to retrospectively amend penalty amounts set out in the primary legislation.
Sorry, I have not quite finished.
I would call Amendment 15 a “good manners” amendment. If Ofcom possesses information that the network provider does not, it simply calls for that network to be brought into the loop before the rest of us are. That seems good manners to me—you do not necessarily have to legislate for that, but these days it always helps. I have now finished.
My Lords, I thank the noble Baroness, Lady Merron, and the noble Lords, Lord Clement-Jones and Lord Fox, for tabling these amendments to Clause 4 and for their considered remarks. As we have heard, these amendments speak to reporting requirements placed on industry in the event of a significant risk of a security compromise and the powers bestowed on Ofcom in the event of a compromise or the risk thereof.
Amendments 13 and 14 amend new Section 105J. As the noble Baroness, Lady Merron, summarised, new Section 105J is designed to give users of telecoms networks and services relevant information when there is a significant risk of a security compromise, including the steps that they should take to prevent such a compromise adversely affecting them. Giving users this information will help ensure that, where possible, they can take swift action to protect themselves. It will also contribute to greater awareness of security issues, supporting users to make more informed choices about their telecoms provider.
My Lords, I am sorry, as ever, to disappoint the noble Lord, Lord Clement-Jones. With regard to his first point, of course the relationship with providers is important, which is why we have worked so closely with industry throughout the preparation of the Bill. However, as the noble Baroness, Lady Merron, said so eloquently, the relationship with users is also very important; it is that balance that we are seeking to strike. I am sorry if the noble Lord found my remarks grudging or negative; there was a lot of thought behind them.
My Lords, this has been a healthy debate. I thank all noble Lords who have contributed on the various amendments. I certainly noted from her response to Amendment 13 in my name that the Minister shares my understanding of the issues for consumers. The debate has shone a light on the fact that it is not possible to simply put one set of interests above another. I felt in the course of the debate that it has been understood that, while fixed time periods may create an unintended consequence, as the noble Earl, Lord Erroll, said, they do ensure that things are not swept under the carpet. That is really where the amendment was seeking to probe.
I appreciate the point made that, while timescale is at the discretion of telecoms providers, there are certain requirements on them. I still have a sense of nervousness; I hope that, as we proceed with this legislation, the telecoms providers will understand the importance of acknowledging and responding to the very real concerns, interests and threats to consumers when they consider what the words “reasonable and proportionate”, as well as the words “timely manner”, mean. With that, I beg leave to withdraw my amendment.
My Lords, I have been very interested to hear the arguments put forward by the noble Lords, Lord Clement-Jones and Lord Fox, and the noble Earl, Lord Erroll. As we heard from the noble Lord, Lord Clement-Jones, in his opening remarks, concern about oversight is driving this section of the debate. As we know, Clause 13 ensures that when deciding an appeal against certain security-related decisions made by Ofcom, the tribunal is to apply judicial review principles without taking any special account of the merits of the case.
I understand that this does not apply to appeals against Ofcom’s enforcement decisions and that the Government have said that this ensures that it is clear that the tribunal is able to adapt its approach as necessary to ensure compatibility with Article 6, the right to a fair trial. My questions to the Minister are about the legal advice that the Government have received on this clause. What legal advice has been received? Is this external legal advice as well as internal legal advice?
The clause states that
“the Tribunal is to apply those principles without taking any special account of the merits of the case.”
Can the Minister explain what “special account” is expected to mean?
I thank the noble Lords, Lord Clement-Jones and Lord Fox, for tabling this amendment to Clause 13. I am aware that the noble Lord, Lord Clement-Jones, has spoken extensively on the standards of appeal in this House. As the noble Lord remarked, this matter was also raised in the Constitution Committee’s recent report, where it asked for further clarification about the reasoning for the changes made by this clause. I will attempt to address this point today and answer the questions from the noble Lord, Lord Fox, about what we are worried about.
(3 years, 3 months ago)
Grand CommitteeThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, I thank the noble Lord, Lord Coaker, for tabling these amendments and for his very generous opening remarks. He reminds us that we must remain vigilant about current and emerging threats to our telecoms networks. Rightly, he also urged the Government to communicate how we will do that in a way that makes sense to the public. Today, we are focusing on this Bill and how it is designed to protect our networks now and into the future.
As we heard, Amendment 18 calls for a body to be set up for the purposes of monitoring current and emerging threats to our telecoms sector. The amendment lists a number of committees, departments, organisations and agencies that should be represented on this body.
The noble and gallant Lord, Lord Stirrup, asked: if not here, where? I will try to answer that question in my remarks.
I assure noble Lords that we already have established procedures to monitor current and emerging threats to the telecoms sector. The National Cyber Security Centre undertakes regular risk assessments of such threats, and those assessments are used to inform government policy. For example, the code of practice the Bill will allow us to issue will be informed by the National Cyber Security Centre’s assessments.
In addition, the Government already have forums in which emerging threats and new technological developments are discussed with industry. The noble Lord, Lord Coaker, asked me to give examples of a particular domestic focus. This is one of them. For example, the National Cyber Security Centre’s network security information exchange is a trusted community of security professionals from across the telecoms sector who come together on a quarterly basis to discuss openly and share information on security issues and concerns. There are also established channels for the kind of cross-government and interagency working that the noble Lord’s amendment seeks to formalise. The Government do not see that it would be necessary to establish a new body corporate, which would simply risk duplicating the work of existing forums.
The noble Lord’s amendment would also make provision for Parliament to receive annual reports on current and emerging threats from this new body. The National Cyber Security Centre already publishes guidance as and when threats develop. Furthermore, as noble Lords are aware, the Intelligence and Security Committee is able to see and scrutinise the National Cyber Security Centre’s assessments of current and emerging threats. Given that there is already this provision for parliamentary oversight, I do not consider that laying a report before Parliament annually would be necessary.
Amendment 25 would require the Government to publish a long-term telecoms security and resilience strategy, covering various topics set out in the amendment, within six months of the Bill’s Royal Assent, and would require this strategy to be laid before Parliament. The Government share the noble Lord’s desire to ensure that this country is fully prepared to overcome future challenges to the security of our telecoms networks. However, the publication of such a strategy is, we feel, unnecessary because recent government reports and announcements, publicly available, already address these topics. The noble Lord will be aware that the Bill is the result of the recommendations put forward in the UK Telecoms Supply Chain Review Report, published in July 2019. That report, along with the Government’s announcements last year, has already set out our strategy for addressing telecoms security risks, particularly relating to supply chains.
In addition, we published our 5G Supply Chain Diversification Strategy last November. This includes our strategy for collaborating with allies on future network research and development, and influencing global telecoms standards. As I will touch on when we debate Amendments 24 and 28, this work is progressing well and the Government’s response to the recent diversification taskforce report, published earlier this month, sets out the steps we are taking to deliver on our goals.
More broadly, the Government’s approach to telecoms security and resilience is informed by cross-government priorities. These include the integrated review, published in March, which committed to launching a new comprehensive cyber strategy this year. The strategy will set out how we will build up the UK’s cyber resilience, deter our adversaries and influence tomorrow’s technologies so that they are safe, secure and open.
Alongside this, a national resilience strategy will ensure that our suite of systems, infrastructure and capabilities for managing the full range of resilience risks becomes more proactive, adaptable and responsive to future threats and challenges. Work is well under way to develop these cross-cutting strategies, and we will ensure that our approach to telecoms security and resilience continues to take them into account.
I think the noble Lord, Lord Coaker, and the noble and gallant Lord, Lord Stirrup, know very well that there is a tension between having a greater degree of focus in a strategy and a wider scope. We believe that we have struck the right balance in this area.
The noble Lord, Lord Coaker, asked about cyber deterrence. He may be aware that the Government will shortly bring forward legislation to counter state threats of the type he described. It will create new offences, tools and powers to detect, deter and disrupt hostile state activity by states targeted at the UK. He also referred, in the context of future-proofing, to the National Security Council. Among its responsibilities is examining forward-looking strategies.
The noble Baroness, Lady Northover, mentioned the role of the FCDO. Of course, she will know that the First Secretary of State provides leadership across departments to ensure that the Government’s response to cyberthreats and our ambition as a cyberpower are fulfilled.
My noble friend Lady Stroud talked about the Government being asleep at the wheel in relation to Huawei. I think that is a little harsh. The Government have always considered Huawei to pose a relatively high risk to the UK’s telecoms networks compared with other vendors. A risk mitigation strategy has been in place since Huawei began to supply equipment to UK public telecoms providers. Obviously, the Government have announced extensive advice to manage those security risks based on the work of the experts at the National Cyber Security Centre. Most recently, the Secretary of State announced advice that providers should remove all equipment made by Huawei from 5G networks by the end of 2027.
The noble Lord, Lord Coaker, asked about the presence of security experts on the recently announced diversification council. I can confirm that a senior official from the National Cyber Security Centre will attend to provide that expertise.
The noble Earl, Lord Erroll, asked what parliamentary scrutiny there was of Ofcom. The chief executive and other senior officials from Ofcom give regular evidence to parliamentary Select Committees, including an annual scrutiny session with the DCMS Select Committee, and it also lay its annual report and accounts before Parliament.
I hope I have managed to address most of the points raised and to reassure your Lordships that, while we recognise the very valid questions that have been asked, we believe that we have the balance right in terms of co-ordination and strategy. With that, I ask the noble Lord to withdraw his amendment.
I thank the Minister and other speakers for this debate, which is really important. The Minister was basically saying in her response, “Don’t worry, we’ve got this covered.” If the Government did indeed have it covered, I suggest that ripping out 40% of the 5G network at the cost of several billion pounds to the industry is a pretty poor cover. The point made by the noble Baroness, Lady Stroud, that it took Back- Benchers to highlight this rather than the Government was particularly apposite.
The Minister portrayed the decision to remove Huawei almost as if it was a success of the process. Will she acknowledge that these billions of pounds are growth that we will not get, that they are investment in this country that has been wasted, and that it has put the country in danger in the process? Will she further acknowledge that there might be others who are able to help in the process of avoiding a repeat of what is a huge debacle?
I tried to present the breadth and depth of approaches that the Government are taking to address this incredibly serious and complex problem. If I may borrow the word used by the noble and gallant Lord, Lord Stirrup, we have tried to show some agility in responding to changing circumstances. The noble Lord will be aware that there were changes to the US foreign-produced direct product rules in May 2020 which changed the risk profile of our engagement with Huawei, and we acted on that, so I do not feel that I have to apologise at this point.
I thank the Minister for her reply and for again seeking to answer the questions. We may well have to come back to some of this, but I take the point that the Government are seeking to address current and emerging threats; I just think that this needs to be more clearly stated in the Bill. The Minister gave examples of cross-government working. We all know that there are examples of cross-government working, but the Committee is saying—I think that there was agreement across the Committee—that sometimes there is a need for a mechanism to ensure that it happens. It may be that another body will do that more effectively in the face of the threats that we face now or may face in the future—it may be that we seek to replace rather than add a body. The Government may want to consider that.
My Lords, I commend the noble Lord, Lord Coaker, and my noble friend Lady Northover for this amendment, which I would have signed had she not done so already. We heard at Second Reading an excellent speech from the noble Lord, Lord West, explaining not only why this amendment is important but why certain figures who would normally speak in this debate are not doing so. He explained that the ISC is seeking to change its MoU. As such, he and others would not speak in this particular debate.
However, we have an analogous debate to refer to, which has already been mentioned. Those of us who are veterans of the National Security and Investment Bill have been through this already. I think the noble and gallant Lord, Lord Stirrup, is the only other person in this Room who was involved in it. I certainly spent some of my life on that Bill.
We sent back to the Commons an amended version of that Bill. Your Lordships adopted an amendment not dissimilar from the one in front of the Committee today. That decision was made, as we heard from the noble Lord, Lord Coaker, because the BEIS Select Committee is not enabled to deal with the level of security information it needs to properly scrutinise the operation of BEIS for the National Security and Investment Act. There is exactly the same situation here. I gather, anecdotally, that the BEIS Committee is already hitting issues with getting the information it needs under that Act.
We also heard anecdotally on Tuesday of the debacle over the Newport Wafer Fab, where the BEIS Secretary of State has failed to use the power given to him by the National Security and Investment Act to do something around national security. The noble Baroness, Lady Stroud, is no longer in her place, but once again the ministry was forced by Back-Bench action to reconsider what it was doing. This should not be how things work. It is beginning to look like these are rhetorical points, rather than actually being usable. I hope the same fate does not befall this legislation and that it actually gets used rather than shelved. But in the same way as BEIS, DCMS will have a Select Committee that cannot access the information it needs to scrutinise the activities covered in this Bill.
The noble Lord, Lord Coaker, notwithstanding the stifling atmosphere of this Committee Room, managed to do a very close approximation of complete incredulity over why the Government should not listen to this fantastic advice. I can say that, having gone through the last Bill and seen how resistant the Government are to advice of this sort, this is neither an accident nor a sin of omission. This is a sin of commission. The Government are very clear that they do not want proper scrutiny of what they are doing, and if this Bill remains as it is, there will not be the scrutiny that is needed. Neutering of that scrutiny is not an accident but a deliberate act of the Government.
My Lords, I thank the noble Baroness, Lady Merron, for tabling this amendment, and the noble Lord, Lord Coaker, for moving it. The role and remit of the Intelligence and Security Committee, as noble Lords have remarked, have been raised a number of times in the other place and at Second Reading of this Bill, so I welcome the opportunity to clarify how appropriate oversight of the Bill’s national security powers will be provided for in the Bill and through existing mechanisms.
Amendment 22 would require the Secretary of State to provide the Intelligence and Security Committee with copies of designation notices and designated vendor directions when such notices, or parts of them, are withheld under Section 105Z11(2) or (3) in the interests of national security. It would also require the Secretary of State to provide copies of notifications of contraventions, confirmation decisions, the reasons for giving urgent enforcement directions when withheld under Section 105Z22(5), and the reasons for confirming or modifying such directions when withheld under Section 105Z23(6).
I will try to correct the suggestion made by the noble Baroness, Lady Northover, and the noble Lord, Lord Fox, that the Government are trying to avoid parliamentary scrutiny on this particular point. That simply is not borne out by the way that the Bill is drafted. We are very clear about where parliamentary scrutiny should take place. I recognise the desire of your Lordships for the Intelligence and Security Committee to play a greater role in the oversight of national security decision-making across government, including in relation to this Bill. As I mentioned earlier, through the oversight of the National Cyber Security Centre, the Intelligence and Security Committee can request information around NCSC advice on, and activities relating to, high-risk vendors.
However, this amendment would extend the role of the Intelligence and Security Committee in an unprecedented way. As noble Lords are aware, the activities of the Department for Digital, Culture, Media and Sport are not within the ISC’s remit. That committee’s remit extends to the intelligence agencies and other activities of the Government in relation to intelligence or security matters, as they are set out in its memorandum of understanding.
The noble Lord, Lord Coaker, asked what he called the “central question” of how this will work in practice in terms of security access. My understanding is that according to the Osmotherly rules detailing how the Government may share information with Select Committees, members of the Digital, Culture, Media and Sport Committee are able to view and handle classified and other sensitive material, subject to agreement between the department and the chair of the committee on appropriate handling. Documents may also be shared with the chair of the DCMS Committee on Privy Council terms, subject to agreement between the committee chair and the department.
The advice of the intelligence agencies will not be the only factor that the Secretary of State will take into account when deciding what is proportionate to include in a designated vendor direction. As well as the advice of the National Cyber Security Centre, the Secretary of State will consider, among other things, the economic impact, the cost to industry and the impact on connectivity caused by the requirements in any designated vendor direction. The ISC does not have the remit to consider non-security issues such as the economic and connectivity implications of the requirements in designated vendor directions. The Digital, Culture Media and Sport Select Committee can consider those wider aspects and that is why it is the correct and appropriate body to see copies of designation notices and designated vendor directions that are not laid before Parliament. Any future changes to the ISC’s remit would be best managed through consideration of the Justice and Security Act 2013 and the associated memorandum of understanding.
For the reasons that I have set out, I am unable to accept the amendment and I hope that the noble Lord, Lord Coaker, will therefore withdraw it.
I thank the Minister for her reply. The Government are going to have to reconsider this matter. The explanation of what can or cannot be looked at is very unclear. The purpose of the amendment is to make it clear through the legislation that the Intelligence and Security Committee would have an automatic right to look at some of the threats, rather than it being the judgment of someone, who has to consult someone else to make a decision. That is the whole point. It should not be a question of someone deciding after discussion whether the matter should go forward; there should be a requirement in the Bill that that be done.
The point that I keep making is that at security clearance level 3, hardly anyone in the country could look at this matter, but there may well be aspects of a threat to telecommunications from a state that are at that level. All that any of us is saying is that of course Parliament should not be openly told about it, but that does not mean that there should be no scrutiny by the committee set up with that express purpose, so that we have oversight and scrutiny of even the most highly classified information. It would be a great credit to our democracy if the even highest level of security threat were subject to a check, set up by Parliament.
I and the Committee are saying to the Minister that this matter needs to be reconsidered. Even the Government, in response to the debate in the other place, have said that they are going to look at the next annual report of the Intelligence and Security Committee to see whether its remit should be extended to include the DCMS Committee. The Government are therefore aware that there is a problem here and say that they will look at this issue. We are trying to horizon-scan here and are saying that this will be a problem if this proposal is not included in the Bill.
I honestly believe that the Government really are going to have to look at this. I am going to repeat that because it is so important. The Minister herself, even the Secretary of State, will not know of some of this. The noble and gallant Lord, Lord Stirrup, knows how many people know, but it is very few. Yet the Intelligence and Security Committee was set up to consider this issue and we are saying that there should be measures in the Bill to deal with it.
The reason why the noble Lord, Lord Fox, and I are incredulous is that this just does not logically hold together. This is not an opinion but a fact: if the Bill goes through unamended, we in Parliament will not be able to look at the security threats that people are making decisions about. It is accepted that not everybody should be told about such things—of course not—but I doubt whether Parliament thinks that this situation is acceptable. I ask the Minister to reconsider that.
I thank the various noble Lords for their contributions. I will speak to Amendment 24, which bears my name, but I recommend that the noble Baroness, Lady Stroud, reads the Chancellor’s Mansion House speech, in which he calls for a nuanced relationship with China. Failing that, she could read my speech on the first group of amendments, in which I challenged how nuanced a relationship can be with a country threatening both our security and that of its own people. At the heart of the Government’s challenge is to be all things to everyone in this argument. They are doomed to fail if they try to do that.
I turn to the amendment I am supposed to be speaking to. As we discussed at Second Reading, there are essentially three strands to the diversity strategy. The first leg is supporting incumbent suppliers. I was corrected by the Minister: this refers not to domestic suppliers but suppliers we already have, presumably— although it is not explicit—with the ones we do not want having been weeded out. The second is attracting new suppliers into the UK market, and the third is accelerating open interface solutions, which I assume helps the second of those strands in particular.
There is not a strand about growing a domestic industry; some of us—I am one of them—were confused about this. It mostly seems to be about taking advantage of other countries’ businesses that we can trust—or think we can at the moment; I refer the Committee to earlier comments by the noble Earl, Lord Erroll, about today’s allies not always being tomorrow’s allies—rather than massively growing our own national capability. Bearing in mind those three legs, it would be helpful to hear from the Minister how the improvement in the domestic share of this market is planned.
In her letter to many of us on the subject of diversification, the Minister made the point that Vodafone has already attracted six new suppliers, two of which were Samsung and NEC, into the market through the open RAN deployment. I think I asked her at Second Reading when open RAN would become a significant player in telecoms delivery in this country. If she gave an answer then I am afraid I mislaid it, so can she tell us when open RAN will become a significant player or whether it is something of a sideshow? I do not mean that in a bad way; it is a recognition of where it really is in the market at the moment.
The biggest challenge I have with this is that the Government have launched a lot of strategies. They usually come with a glossy document and a picture of a smiling Secretary of State. I can confirm that this strategy is no exception. We have a very nice picture of the Secretary of State, Oliver Dowden, on page 3, but it does not come with a timeline and a delivery plan. The Government would not issue a strategy if they did not have a delivery plan, so I am sure there must be one. I think it would help us all if we understood what the delivery plan is. Perhaps the Minister could share with the Committee the timeline for the delivery of this strategy, otherwise many of us might suspect that it is something that gets only launched, not delivered. I understand that money has been put into it but, again, that does not guarantee that outcomes will be forthcoming.
This amendment has been tabled to reveal how that timeline is going and how the outcomes are being delivered. That is what it is for. It would enable the Government’s spending of taxpayers’ money on delivering this strategy to be tracked by Parliament. That seems a perfectly reasonable function for Parliament to have.
The Minister might come back and say that DCMS is being asked to lay all sorts of things before Parliament. If that is the case, I think that all of us, including me, the noble Baroness, Lady Merron, who spoke very capably on this, the noble Earl, Lord Erroll, the noble Baroness, Lady Stroud, and others are quite capable of coming up with a composite annual report that covers not just the items in Amendment 24, but those in Amendment 25 on strategy, Amendment 23 on Ofcom’s performance, and Amendment 26 on skills. Taken together, I am sure we could put together a composite annual report in the next round of discussions that would save DCMS having to make several different annual reports. I suspect that that might be a way forward and look forward to the Minister embracing this idea, because of course DCMS wants to demonstrate how it is delivering its diversification strategy.
I am grateful to all noble Lords for their contributions to this short debate and consideration of the Government’s ambitious diversification strategy. The amendment tabled by the noble Baroness, Lady Merron, raises the important issue of diversification, which I know is of great interest to your Lordships, as it was to Members in the other place. Diversification is a key part of the Government’s broader approach to ensuring that our critical networks are healthy and resilient. That is why the Government set out their 5G diversification strategy last autumn, and we are fully committed to ensuring that this strategy comes to fruition.
Our long-term vision for the telecoms supply market is one where, first, network supply chains are disaggregated, providing network operators more choice and flexibility; secondly, open interfaces that promote interoperability are the default; thirdly, the global supply chain for components is distributed across regions, creating resilience and flexibility; fourthly, standards are set transparently and independently, promoting quality, innovation, security and interoperability; and finally, security and resilience is a priority and a key consideration in network design and operation. However, the Bill focuses on setting clear security standards for our public networks and services. As the noble Baroness, Lady Merron, pointed out, although diversification is designed to enhance security and resilience, not all diversification activity is relevant to the security and resilience of our networks. That is why we believe the amendment would not be appropriate.
The Government have already made progress since the publication of our strategy, including the creation of the Telecoms Diversification Taskforce, which set out its recommendations in the spring. Work is already under way to implement several of those recommendations. Research and development was highlighted by the task force as a key area of focus in order to promote open-interface technologies that will establish flexibility and interchangeability in the market. As raised by the noble Baroness, Lady Merron, and the noble Lord, Lord Fox, it will also allow a range of new smaller suppliers to compete in a more diverse marketplace.
That is why the Department for Digital, Culture, Media and Sport was delighted to announce the launch of the future radio access network competition on Friday 2 July. Through this, we will invest up to £30 million in open radio access network research and development projects across the UK to address barriers to high-performance open deployments. This competition is part of a wider programme of government initiatives, which includes the SmartRAN Open Network Inter- operability Centre—more friendlily known as SONIC Labs—a facility for testing interoperability and integration of open networking solutions, which opened on 24 June. A number of leading telecoms suppliers are already working together through this facility.
We welcome recent announcements from operators including Airspan, Mavenir, NEC and Vodafone to introduce open radio access networks into their infrastructure. This demonstrates that industry is working alongside us, here in the UK, to drive forward the change needed in the sector. We continue to work with mobile operators, suppliers and users on a number of other important enablers for diversification; for example, we are developing a road map for the long-term use and provision of legacy network services, including 2G and 3G. Alongside this, the Government have led efforts to engage with some of our closest international partners, including the Five Eyes, to build international consensus on this important issue.
We are also working to deliver on UK issues in standard- setting bodies, and working with industry, academia and international partners to ensure that standards are set in a way that aligns with our overall objectives. Ensuring that standards are truly open and interoperable will drive market growth and diversification. Through the UK’s G7 presidency, we took the first step in discussing the importance of secure and diverse supply chains among like-minded partners and the foundational role that telecommunications infrastructure, such as 5G, plays.
The noble Baroness, Lady Merron, asked how we were planning to spend the initial £250 million, which we announced to kick off work to deliver our key priorities. These priorities have been informed by the recommendations of the Telecoms Diversification Taskforce and include: establishing a state-of-the-art UK telecoms lab; exploring commercial incentives for new suppliers; launching test beds and trials for new technologies such as open RAN; investing in an R&D ecosystem; and seeking to lead a global coalition of like-minded partners on an international approach to diversification. In response to questions from the noble Baroness and the noble Lord, Lord Fox, about the growth of UK businesses, we have been clear that we are focused on investing in the UK and in UK businesses, but do not think that a UK-only solution is a wise or realistic option.
We are working closely with operators and suppliers to develop targeted measures that address the needs of industry to deliver our long-term vision for the market. We responded to the task force’s findings in July and outlined our next steps and the use of that initial investment. If the noble Earl, Lord Erroll, has not seen the government response, I am sure he would find it interesting. It also sets out our plans to create a diversification advisory council, which will meet quarterly. I hope that responds to his question.
Before I comment on that excellent speech from the noble Baroness, Lady Merron, I want to return to the answer that the Minister gave on the Newport Wafer Fab issue, which proves the point that we were making on the need for the ISC to be involved. Regarding the ISC issue, the Government furnished themselves with the National Security and Investment Act, which was supposed to deal with issues such as this. However, the Prime Minister has chosen to refer it back not to the people running that unit but to the National Security Adviser, which proves the point that someone with access to national security information is needed to make decisions of this nature, rather than an organisation that does not have access to the information. It absolutely proves the point that our amendment on the ISC is completely appropriate, just as it was appropriate for the BEIS analogue of what is happening here.
The noble Baroness, Lady Merron, made an excellent speech and I am not going to attempt to adorn it either with my normal flippancy or with detail. There is just one issue that I wish to raise regarding Simon Blagden. Are there any outstanding legal liabilities from his time at Fujitsu? In other words, has his activity been fully exonerated or is there potential legal recourse? Other than that, I echo the point that perception of these issues is as important as reality. If the Government continue to operate in a black-box way, everybody will assume that things are going on that they cannot see and that should not be happening. It is therefore in the Government’s interests to be transparent about how that person in particular was appointed and how the advisory council will operate.
My Lords, I thank the noble Baroness, Lady Merron, for tabling the amendment and for giving me an opportunity to provide an update on the work of the Diversification Taskforce and the new diversification advisory council.
The Government recently announced the council, building on the work of the Diversification Taskforce, chaired by my noble friend Lord Livingston of Parkhead. I should like to take this opportunity to offer my thanks to him and the taskforce members for volunteering their valuable time and knowledge to their excellent review. Their recommendations and expertise will remain crucial to helping us bring greater resilience and competition to our future networks as the taskforce now transitions to the new diversification advisory council.
The Government recognise that diversification is a broad and complex issue relating to matters of security and resilience, technology and geopolitics. It is for this reason that we sought the advice of the experts appointed to the diversification task force. Many of the task force members will continue to provide advice as part of the new advisory council. In appointing the membership of the advisory council, the Government have followed all standard processes. The Government have ensured that the council comprises experts from both industry and academia across a wide range of subject matters, including security, of course.
My Lords, I thank the noble Lords, Lord Fox, Lord Clement-Jones and Lord Alton, for tabling this amendment. The noble Lord, Lord Fox, has set out why they believe this definition of a public electronic communications network is needed. I also appreciated his reference to the importance of consumers, who, after all, are core in all our discussions.
It is important to hear from the Minister whether she believes that this definition is limiting for security purposes and what impact it would have. Perhaps she can advise on whether she feels that anything is missing which should be in there. Would this definition inhibit the future-proofing ability of the Bill? I look forward to hearing from the Minister.
This amendment seeks to clarify the definition of a public electronic communications network contained within Section 151 of the Communications Act 2003. I thank the noble Lord, Lord Fox, for moving it. It aims to do this by including specific examples of networks and systems covered by that definition.
In response to the noble Lord’s first question, three of the suggested examples in the amendment are already covered by the current definition of public electronic communications network, to the extent that they are electronic communications networks
“provided wholly or mainly for the purpose of making electronic communications services available to members of the public”.
These three examples are: landline communication systems; mobile data, audio and video networks; and satellite-delivered networks.
However, as the noble Lord explained, the amendment also refers to “digital surveillance networks”. I understand that the noble Lord is referring principally to CCTV and other similar technologies of the kind used by law enforcement and local authorities for specific surveillance purposes. These types of technologies have been raised by a number of noble Lords in previous debates, including the noble Lords, Lord Alton and Lord Fox. Such closed networks do not fall within the definition of a public electronic communications network as set out in Section 151 of the Communications Act. That definition refers to an electronic communications network that is provided
“wholly or mainly for the purpose of making electronic communications services available to members of the public”.
I emphasise “wholly or mainly”, because the noble Lord gave examples of where services might be provided which could reach a member of the public, but not “wholly or mainly”.
The powers in the Bill are intended to create a stronger regulatory and legislative framework to protect against the security threats to our public electronic communications networks and services, such as those provided by companies such as BT and Vodafone. Public networks are those most widely used by businesses and the public and it is right that the Bill should focus on the protection of those networks. Furthermore, any change to the definition of public electronic communications networks to include CCTV and other similar networks to which the noble Lord referred would affect other sections of the Communications Act beyond those relating to security. That is because the current definition of a public electronic communications network is used across Chapter 1 of Part 2 of the Act, and not only in Sections 105A to 105D, which this Bill replaces.
The consequences of such a change would be wide-ranging. For example, Section 127 creates a criminal offence of improper use of public electronic communications networks, as defined by Section 151. If the definition changed, the scope of those caught by that offence would also change. It would also affect other legislation that makes reference to the Act’s definition, such as the Privacy and Electronic Communications (EC Directive) Regulations 2003 or the Insolvency Act 1986. Any such change to the definition would therefore have substantial unintended impacts for providers of digital surveillance networks and for many other entities, including Ofcom, of course.
The noble Lord also asked how the security of digital surveillance networks could be assured. There is of course already legislation and extensive guidance in place to assure security and prevent the abuse of information gathered by CCTV and surveillance camera networks. As noble Lords will be aware, the Information Commissioner’s Office is the UK’s independent regulator for data protection and is responsible for providing advice and guidance on compliance with the UK’s data protection laws. All organisations in the UK that process personal information must comply with the requirements of the UK General Data Protection Regulation and the Data Protection Act 2018. The Information Commissioner’s Office has issued a specific data protection code that provides recommendations on the use of CCTV systems to help organisations comply with the Data Protection Act.
The Information Commissioner’s Office’s code and the Data Protection Act ensure that any personal data gathered via CCTV and similar networks is kept confidential and subject to the highest protections, including secure encryption of data. Where closed networks, such as CCTV and other similar surveillance technology, are used by public bodies or within critical national infrastructure, there are specific arrangements in place. Lead government departments, advisory partners —including the National Cyber Security Centre—and regulators work with infrastructure owners and operators to manage and mitigate the risk of security issues. There are, therefore, already adequate measures in place regarding safe deployment of CCTV and other similar surveillance technologies within the UK. Indeed, we are strengthening the actions we can take in this area.
(3 years ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, as we start Report, I welcome the noble Lord, Lord Parkinson, to his new ministerial role. I am sure we all look forward to working with him.
I remind the House that national security must be the first duty of any Government, which is why we welcome the intention behind the Bill. As we have said repeatedly throughout the passage of the Bill, we believe that there are a number of issues with the Bill that need to be addressed, including parliamentary oversight of the new powers, which this group focuses on. As Comms Council UK said, the Bill represents an
“unprecedented shift of power from Parliament to the Minister in relation to how telecoms networks operate”
and that
“the Minister will be able to unilaterally make decisions that impact the technical operation and direction of technology companies, with little or no oversight or accountability.”
With reference to Amendment 1, I shall not repeat the arguments made by the noble Lord, Lord Fox. Suffice it to say that we on these Benches appreciate and wish to stress the importance of parliamentary scrutiny, which we have stressed throughout the passage of the Bill.
I thank the Minister for tabling Amendments 3, 4 and 5. They are very similar to our Front-Bench amendments in Committee and reflect a key recommendation from the Delegated Powers Committee. I thank the former Minister, the noble Baroness, Lady Barran, for her work on these amendments. As noble Lords will remember, the Delegated Powers Committee called the powers in Clause 3 unacceptable and called for the negative procedure for the new telecoms security codes of practice. This important change from the Government ensures adequate parliamentary scrutiny, which is a welcome step forward.
My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Fox, for the amendment standing in their names, and I thank the noble Baroness for welcoming me to the Dispatch Box in my new role.
The question underlying this group is whether the new telecoms security framework will have proper scrutiny. Noble Lords have proposed ways to strengthen that scrutiny throughout the passage of the Bill and your Lordships’ Constitution Committee and Delegated Powers and Regulatory Reform Committee have made their own recommendations, and I thank those committees for their work.
In Committee, the noble Lord, Lord Clement-Jones, invited the Government to make a trade-off, a choice, in his words, between
“a loose definition of ‘security compromise’”
and
“a very tight way of agreeing the codes of practice.”—[Official Report, 13/7/21; col. GC 487.]
With that in mind, I turn first to Amendments 3, 4 and 5 in my name—although I should stress, as the noble Baroness, Lady Merron, kindly did, that they also represent the work of my predecessor, my noble friend Lady Barran. We both listened to the arguments put forward in Committee and these amendments represent her views as well as mine.
We have carefully considered the concerns raised and, as the noble Lord, Lord Clement-Jones, invited us to do, we have proposed how to make that trade-off. The government amendments we have brought forward today affect Clause 3. It provides the Secretary of State with the power to issue and revise codes of practice. The code of practice is a fundamental building block of the new telecoms security framework as it will contain specific information on how telecoms providers can meet their legal duties under any regulations made by the Secretary of State.
In its report on the Bill, the DPRRC noted the centrality of codes of practice to the new telecoms security framework. The committee drew attention to the statutory effects of codes of practice and their role in Ofcom’s regulatory oversight, and because of those factors, the committee recommended that the negative procedure should be applied to the issuing of codes of practice. The noble Baroness, Lady Merron, tabled amendments in Committee to implement that recommendation. We are happy to do that. Our amendments today require the Government to lay a draft of any code of practice before Parliament for 40 days. Your Lordships’ House and the other place will then have that period of time to scrutinise a code of practice before it is issued.
We think that these changes strike the balance that noble Lords have called for today and in previous stages. I hope these government amendments demonstrate that we have listened and are committed to appropriate parliamentary scrutiny across all aspects of the framework.
Amendment 1, tabled by the noble Lords, Lord Fox and Lord Clement-Jones, would apply the affirmative procedure to regulations made under new Section 105B in Clause 1. It would require the regulations to be laid in Parliament in draft and subject to a debate and vote in both Houses.
I share the noble Lords’ desire, echoed by the noble Lord, Lord Alton of Liverpool, to ensure that Parliament has a full and effective scrutiny role in this Bill, but I fear we disagree on the best way to achieve it. The only powers in the Bill that are subject to the affirmative procedure are delegated, or Henry VIII, powers that enable the amendment of penalty amounts set out in primary legislation. The Bill currently provides for the negative procedure to be used when laying the statutory instrument containing the regulations.
In the context of these new powers, the use of the negative procedure is appropriate for three reasons. First, Parliament will have had to approve the clauses in the Bill that determine the scope of regulations—Clauses 1 and 2—and the regulations will not amend primary legislation. Secondly, evolving technology and threat landscapes mean that the technical detail in regulations will need to be updated in a timely fashion to protect our networks. Thirdly and finally, as I noted in Committee, the negative procedure is the standard procedure for instruments under Section 402 of the Communications Act. The negative procedure delivers the right balance between a nimble parliamentary procedure and putting appropriate and proportionate measures in place effectively and efficiently to secure our networks.
The two noble Lords will also be aware that the changes they propose in their amendment are not ones that the Delegated Powers and Regulatory Reform Committee made. I accept that they are keen to explore avenues for scrutiny of this framework, but that committee made its recommendation for increasing the scrutiny of this regime, and the Government have brought forward our amendments to accept it. For these reasons, we are not able to accept the noble Lords’ Amendment 1. I hope that they will be content with what we have proposed in our amendment, and may be minded to withdraw theirs.
In conclusion, the Government were asked to make a trade-off. Through the passage of this Bill, we have been invited to provide greater opportunities for Parliament to scrutinise this regime. We have listened to those concerns and we have brought forward an answer. We feel that our amendments maintain our flexibility to adapt to an ever-changing technology environment and give your Lordships’ House and the other place a greater say in its operation, so I invite the noble Lord to withdraw the amendment.
My Lords, it was remiss of me not to welcome the Minister formally; I have welcomed him personally, but not formally. Also, it was helpful that he was the Whip during the process thus far, and I should also welcome the new Whip to his seat. I thank the noble Lord, Lord Alton, and the noble Baroness, Lady Merron, for their contributions. The fact that this has been a short debate does not mean to say that it is not an important one. The reason it is short is because we have had the same debate so many times on so many different Bills, with not just this department but others. That is why it is an important issue and why, when the Minister says that we should strike a balance, we agree, but we think the balance is in the wrong place. That is why I am unable to withdraw this amendment and I should like to test the will of the House.
My Lords, I thank the noble Lord, Lord Clement-Jones, for tabling Amendments 2 and 7 again on Report. I will not take up much time discussing them, not least because the Labour Front Bench tabled similar amendments in Committee better to understand what advice the Secretary of State will receive and where it will come from when making regulations under Clause 2. As the noble Lord said, we must ensure that the Secretary of State receives advice from the best experts, not just those who support the Government.
As the former Minister, the noble Baroness, Lady Barran, focused only on the incompatibility of a similar board set up by the Investigatory Powers Act, can the Minister today simply answer this question: without such a board, where will the Secretary of State receive advice, and from whom?
I thank the noble Lord, Lord Clement-Jones, for his welcome, and both him and the noble Lord, Lord Fox, for retabling these amendments. We share the noble Lords’ ambition in this area. We also want to ensure that the telecoms security framework is informed by world-leading expertise, and that all those affected by the framework have appropriate mechanisms to shape it. The noble Lords’ amendments seek to establish a technical advisory board to advise the Secretary of State on matters of telecoms security. They also state that the Secretary of State should give due consideration to this new board’s advice, and that of a judicial commissioner, before making regulations or codes of practice.
I agree with the noble Lords on the importance of the Secretary of State having access to expert advice in the exercising of these new powers. I hope I can reassure them that she can already call upon sufficient advice through existing structures, and that I can demonstrate why, as we have explained previously, these amendments are not necessary, while giving the greater detail that the noble Lord asked for.
It is worth emphasising the level of expertise that DCMS itself retains, both on the telecoms sector and on security policy. DCMS is the lead Government department for the telecoms sector and has telecoms experts embedded in it. The department has established security and resilience teams with suitably cleared individuals, including people with substantial experience in national security. More widely, the department has established procedures through which it can draw upon further expertise across government and industry. Inside government, for example, the National Cyber Security Centre undertakes regular risk assessments of current and emerging threats, and those assessments are used to inform government policy. Regulations and the code of practice made through this Bill will be informed by the NCSC’s assessments. The Government also have fora in which they discuss emerging threats and new technological developments with the industry. The NCSC’s information exchange is one example. This is a trusted community of security professionals from across the telecoms sector who come together on a quarterly basis to discuss and share information on security issues and concerns.
The noble Lord’s amendment also calls for the new board and the judicial commissioner to be consulted before the establishment of new regulations and codes of practice. We share the noble Lord’s view on the importance of consultation. That is why the Bill is clear that any code of practice must be consulted on before it is introduced. However, we still differ in our opinions on who should be consulted. The consultation requirement in the Bill will enable those directly affected by the code of practice, as well as those with an interest in it, to comment and raise concerns without the need for a technical advisory board to be established. Of course, if your Lordships’ House supports the government amendments today, the code of practice itself will be subject to scrutiny both in your Lordships’ House and in another place. Furthermore, we published an illustrative draft of the regulations in January for the purpose of early engagement with the industry, and the feedback it has provided has been invaluable in our development of the policy. We continue to engage regularly and closely with public telecoms providers and trade bodies, ensuring that any concerns are effectively communicated to us. I remind noble Lords that the Secretary of State can make these regulations and measures in a code of practice only where she actively considers that the measures are appropriate and proportionate under the wording of new subsections 105D(2) and 105D(4).
To conclude, I thank the noble Lords for bringing their amendment back. As I have said, I share their ambition to create a robust, well-informed and evidence-led framework for telecoms security. We believe that we already undertake extensive engagement with the affected groups and bodies. The Bill sets out consultation requirements but even if it did not, the Government have strong relationships with those in the sector and would continue to seek their input. That is where the advice referred to by the noble Baroness, Lady Merron, would come from, as well as from across government, the NCSC and others I have mentioned. For the reasons I have set out, we are not able to accept this amendment and I hope the noble Lord will therefore withdraw it.
My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Fox, for tabling this amendment and the noble Lord, Lord Clement-Jones, for his remarks. It certainly is key that Ofcom is able to do the job that it has been entrusted to do. On the matter of providers, I would say that their primary duty has to be to ensure that the networks are secure. We should expect no less from them. I will be very interested to hear how the Minister responds to the points that have been made in respect of this amendment.
I thank the noble Lords, Lord Clement-Jones and Lord Fox, for tabling this amendment to Clause 13. I know the noble Lord, Lord Clement-Jones, in particular, has taken a keen interest in this area, not just in this Bill but in previous ones as well. I am grateful for the way that he set out the debate again today.
Clause 13 makes provision to ensure that the Competition Appeal Tribunal applies ordinary judicial review principles to appeals against certain security decisions made by Ofcom. Under such principles, those decisions can be successfully challenged only where they are unlawful, irrational or procedurally unfair. In setting the standard of appeal in this legislation, we must find a balance between giving telecoms providers a way to challenge Ofcom’s decisions should they be unfair and ensuring that the regulatory regime is effective and efficient.
Ofcom, as an experienced telecoms regulator, believes that changing the standard of appeal to judicial review principles for certain security decisions has the potential to make the regulatory process quicker and more efficient. The Government agree. We want to avoid either Ofcom or telecoms providers spending months in court.
It was never the intention of Parliament to set the standard of appeal, as it is now, to
“duly take into account the merits of the case”,
as this was dictated by EU law. In 2017 the Government changed the standard of appeal for reviewing decisions by Ofcom from a full merits approach to ordinary judicial review principles via Section 87 of the Digital Economy Act, as the noble Lord, Lord Clement-Jones, will well remember.
However, as EU law continued to apply, the Competition Appeal Tribunal subsequently decided that it had to apply a modified approach to
“duly take into account the merits of the case”.
In essence, this has prevented the provision in the Digital Economy Act, which had been approved by Parliament, taking effect. That rather unhappy outcome would continue to be the case for certain security decisions under the Bill should this clause not stand.
To be clear, Clause 13 applies the judicial review standard only to decisions such as those relating to the issuing of an assessment notice, which should be routine and quickly handled rather than being continuously delayed. It is not being applied to decisions about penalties such as those under Section 105T. Public telecoms providers will still be able to appeal those decisions as they do now, and the tribunal will
“duly take into account the merits of the case”.
Ultimately, we want public telecoms providers to spend their time addressing the security of the network. We do not want them to attempt indefinitely to delay an Ofcom decision by bringing cases against the regulator that do not stack up. We are not breaking new ground by changing to this standard of appeal. Judicial review principles are the normal standard by which most decisions of government and public bodies are legally reviewed.
Parliament has already decided that the standard of appeal for similar decisions under the Network and Information Systems Regulations 2018 should be ordinary judicial review principles. That is consistent with our policy approach in this Bill. Therefore, the Government feel that Clause 13 should stand part of this Bill as it will contribute to the efficiency of the regime and ensure that regulatory decisions are not unduly delayed. It will also ensure legislative consistency. I hope that reassures the noble Lord and that he will be content to withdraw his objection to this clause.
My Lords, I thank the Minister for his response. I am afraid it does not particularly reassure but there will be many other occasions on which we can raise the nature of judicial review, its continual erosion, the Government’s approach to judicial review and their dislike of being challenged. This is fairly thin territory on which to be debating a very large issue in terms of the future of judicial review. I am sure that my other legal colleagues will be more than able to dispute some of those issues. There are many other fish to fry of even greater importance on this Bill so I will withdraw my amendment.
I thank the noble Baroness and the noble Lords, Lord Alton of Liverpool and Lord Fox, for tabling and signing this amendment relating to telecoms diversification. I hope that, during my remarks, I can convince them and other noble Lords that the Bill is not the right place for this amendment for two reasons: first, diversification extends well beyond the security focus of the Bill; and, secondly, legislating for a reporting requirement would be limiting and inflexible as our diversification work evolves. I will also outline the progress made against the diversification strategy, in both government policy and industry outcomes, to seek to reassure noble Lords that progress is being made in this important area.
The Bill will create one of the toughest telecoms security regimes in the world. It will protect our networks even as technologies evolve, future-proofing our critical national infrastructure. Throughout the passage of the Bill, there has been a great deal of debate about how diversification can help to support more secure and resilient telecoms infrastructure. While our work on diversification is intended to support our security and resilience ambitions, not all diversification is necessarily relevant to security and resilience.
The telecoms diversification work that the Government are undertaking moves the market forward by broadening the supplier base in many ways which fall beyond pure security measures; these include boosting quality, innovation, competition and choice within our critical networks. It is for this reason that we have consistently argued that it would be limiting for our 5G diversification strategy to appear on the face of this Bill. Legislating for a reporting element within the Bill, by the same token, would also be restrictive.
Furthermore, as the market and technology evolve, our desired outcomes and areas of focus will evolve too. For example, in the short term, a successful outcome could be a third major vendor in the mobile market. However, once open radio access networks are ready for deployment at scale in urban areas, our measure of success might be the level of interoperability within our networks.
At the moment, we are focusing efforts on diversifying the radio access network, which is where the most critical security and resilience risks are found. In future, a focus on other elements of telecoms infrastructure, including fixed networks, will be necessary to ensure all risks to the ways in which we communicate are tackled. Committing to reporting on specific criteria would limit us to reporting against the risks as we find them today; it would not afford us the flexibility that diversification requires.
While the Government cannot accept this amendment, I hope to reassure noble Lords that our work on diversification progresses—and at pace. The Government’s plans to diversify the market were set out in the 5G Supply Chain Diversification Strategy, which was published in November last year. We also established a diversification taskforce, chaired by my noble friend Lord Livingston of Parkhead, who of course has a wealth of experience in this field having served as the chief executive for BT Group. The taskforce’s role is to provide expert advice to the Government on this important agenda.
The taskforce set out its recommendations in the spring and many of its members have agreed to continue providing expertise as part of the Telecoms Supply Chain Diversification Advisory Council, which had its first meeting last month. Work is already underway to implement many of the taskforce’s recommendations and good progress has been made on the priorities set out in the strategy. For example, research and development was highlighted as a key area of focus, in order to promote open interface technologies that will establish flexibility in the market and allow a range of new, smaller suppliers to compete in a diverse marketplace.
That is why DCMS was delighted to announce the launch of the future radio access network competition on 2 July. Through this competition, up to £30 million will be invested in open RAN R&D projects across the UK to address barriers to high-performance open deployments. This competition is part of a wider programme of government initiatives to foster an open, disaggregated network ecosystem in the UK. This includes the Smart Radio Access Network Open Network Interoperability Centre—or SONIC Labs—a facility for testing interoperability and integration of open networking solutions, which opened in June. A number of leading telecoms suppliers are already working together through this facility.
The Government also continue to work with mobile operators, suppliers and users on a number of other important enablers for diversification, for example by developing a road map for the long-term use and provision of legacy network services, expected to be announced later this year. Alongside this, the Government have led efforts to engage with some of our closest international partners, through both multilateral and bilateral mechanisms, to build international consensus on this important issue. Through the UK’s G7 presidency, the Government made the first step in discussing the importance of secure and diverse supply chains among like-minded partners, and the foundational role that telecommunications infrastructure such as 5G plays in underpinning wider digital and technology infrastructure.
We have also seen movement in the market towards diversification objectives. The industry has taken steps to adopt open radio access networks, such as the European memorandum of understanding, co-signed by Telefónica and Vodafone. Furthermore, organisations such as Airspan, Mavenir, NEC and Vodafone have now announced UK-based open radio access network facilities. This demonstrates that the industry is working alongside the Government here in the UK to drive forward the change needed in the sector. That was further evidenced in Vodafone’s commitment to deploy 2,500 open radio access network sites using equipment provided by leading suppliers, including Samsung and NEC. This is the largest deployment of its kind anywhere in Europe and an important first step in delivering the goal of more open networks.
These commitments show a genuine and significant change in the diversification of our mobile networks. I hope they also demonstrate why placing strict legislative reporting requirements on this area of work would be premature. We are at a point of rapid exploration and experimentation in this work, and I hope that noble Lords would not want to inhibit that work before it has had time to mature.
The noble Lord, Lord Alton of Liverpool, asked about the committee report. It will not fall to me to respond to that report, as I perhaps would have done in my previous role as a Whip covering the Foreign Office, among other departments. We will, of course, reply to it in full in due course. He also asked about Newport Wafer Fab. As I am sure noble Lords will appreciate, I am not able to comment on the detail of commercial transactions or of any national security assessments on a particular case. We will continue to monitor the situation closely and, as part of this, the Prime Minister has asked the National Security Adviser to review this case. Separately, work is under way to review the wider semiconductor landscape in the United Kingdom. The National Security Adviser’s review is ongoing, drawing on expertise from across government as necessary. We will continue to monitor the situation closely and will not hesitate to take further action if needed. The Government are, of course, committed to the semiconductor sector and the vital role it plays in the UK’s economy.
For the reasons that I have set out, therefore, I am not able to accept this amendment. I hope noble Lords have been reassured by what I said, and that the noble Baroness will withdraw her amendment.
My Lords, I thank the Minister for his reply. I am, of course, disappointed that the Minister cannot see that this amendment seeks to strengthen the Bill. It gives the Government an opportunity to showcase all the things of which the Minister has apprised the House. It is important to look at this proposed new clause. It would require the Secretary of State to report on the impact of the diversification strategy, something of which the Government are proud, and it allows for a parliamentary debate, something I would have hoped the Government would welcome, but this is clearly not the case.
As the noble Lords, Lord Fox and Lord Alton, have indicated, the absence so far of an effective plan to diversify the supply chain is what makes us concerned about security in this country. The Bill is the opportunity to put that right. Therefore, I feel it is only right and proper, in the interests of the security of the country, that we press this matter to a vote and test the opinion of the House.
My Lords, veterans of the National Security and Investment Bill—I am not sure there are any—will recognise this amendment: it is exactly the same argument that was put forward then. The response from BEIS was to set up a unit, within BEIS, that the relevant Minister said would have the necessary clearance to review potential national security information. It was quite clear to those in your Lordships’ Chamber at that time that that group of people would not get to see the sort of information that the ISC is cleared to see. We are in the same situation now. The Minister will say that there are people in his department who, if necessary, will be able to see the relevant information. That will not be the case and to some extent, those in the Minister’s department making decisions that refer to national security issues will be flying a little bit blind. If this is not recognised, that is regrettable. This is a really important area of security, and decisions should be made on the best available information, with the best available people reviewing that information. The clue is in the name: this is the Telecommunications (Security) Bill, and it is the Intelligence and Security Committee that is best able to review that information. That is why I support the noble Lord’s Amendment 9.
My Lords, I thank the noble Lord, Lord Coaker, for his kind words of welcome and for tabling this amendment. The important matter of parliamentary oversight has been raised a number of times in both your Lordships’ House and another place. I welcome the opportunity to clarify further how appropriate oversight of the Bill’s national security powers will be provided for both in this Bill and through existing mechanisms. The noble Lord’s amendment would require the Secretary of State to provide the Intelligence and Security Committee with copies of a directional notice when such documents, or parts of them, are withheld under Section 105Z11(2) or (3) in the interests of national security.
As regards enforcement, this amendment would also require the Secretary of State to provide the committee with copies of notifications of contraventions and confirmation decisions. Further, it would require the provision of reasons for giving urgent enforcement directions when withheld under Section 105Z22(5), as well as the reasons for confirming or modifying such directions when withheld under Section 105Z23(6).
We thoroughly agree with the need for effective scrutiny of the use of the Bill’s national security powers—that is why we have included measures to facilitate parliamentary oversight of the use of those powers. The Bill requires the Secretary of State to lay before Parliament copies of designation notices, designated vendor directions, and variations or revocations of either, unless doing so would be contrary to the interests of national security. We would expect in the vast majority of cases to lay copies of the directions and notices before Parliament. However, on very rare occasions there may be instances where the Secretary of State chooses not to do so because laying the documents would be contrary to the interests of national security. This would only be done in extremis.
We have already demonstrated our commitment to transparency with the publication of the illustrative draft designated vendor direction and designation notice last November. Indeed, it is in the Government’s interest to publish such documents as it sends a clear message to industry of our intent to use the powers in the Bill where necessary. However, while the presumption is to publish the directions and notices, it is right that we have the option to protect the UK if our national security could be put at risk through their publication.
It is worth noting that, under Section 390 of the Communications Act 2003, the Secretary of State is required to prepare and lay before Parliament annual reports on their functions under that Act. Those reports will show when the Bill’s national security powers have been exercised, whether or not copies of directions or notices are laid before Parliament. This will ensure that Parliament will always be made aware of the Secretary of State’s use of the national security powers to issue designated vendor directions and designation notices.
Having thus been made aware, the Intelligence and Security Committee will be able to request relevant information from the vital organisations it already oversees, such as the National Cyber Security Centre. Moreover, the ISC will be able to request such information at any time from the NCSC in relation to its assessment of high-risk vendors. The noble Lord is right to point to the importance of the committee. Given the cross-party support he enjoys, he knows better than most, as a former Security Minister, the important work it undertakes. The ISC will be able to do the work I have just outlined in line with its remit, as set out in the provisions of the Justice and Security Act 2013 and accompanying memorandum of understanding.
At Second Reading, the Noble Lord, Lord West, noted that the ISC had made a request for its memorandum to be formally reviewed. I understand that the chairman of the ISC has written to the Cabinet Office on these matters and that they are under consideration. Discussions and decisions regarding any changes to the ISC’s remit are of course for the Cabinet Office and the ISC to agree. That is the appropriate route for the ISC’s remit to be considered, not this Bill.
As I am sure noble Lords will appreciate, however, the advice of the security services will not be the only factor that the Secretary of State will take into account when deciding what is proportionate to include in a designated vendor direction. As well as the NCSC’s advice, the Secretary of State will consider, among other things, the economic impact, the cost to industry and the impact on connectivity of the requirements in any designated vendor direction. Those go beyond security matters and indeed fall under the work of DCMS; therefore, the Digital, Culture, Media and Sport Committee is best placed to consider those wider impacts. Hence, that is the appropriate body to oversee the Government’s use of the powers to issue designation notices and designated vendor directions, including where those directions and notices are not laid before Parliament. The Government will work with the committee to ensure that it has access to all the information it needs to carry out that oversight.
Those are the reasons why the Government cannot accept the amendment. I hope that the noble Lord will be content to withdraw it on that basis.
I thank the Minister for a generally helpful reply and for his engagement with the amendment itself, my remarks and those of the noble Lord, Lord Fox. It is helpful when a Minister engages with a debate, rather than just reading the words in front of him. The Minister did that, and that is to be welcomed.
The Minister offered reassurance on many of the issues that I raised—and they are issues. The debate has in some ways gone beyond the Bill itself and will help the debate within government about how to resolve the issue of national security and parliamentary scrutiny. Of particular importance was the Minister saying that the memorandum of understanding between the Government and the ISC is being reviewed. That MoU is crucial, and the debate we have had on this Bill and, indeed, this amendment, should inform the Government of the view of many in this House and beyond that the memorandum of understanding needs to be clarified and perhaps reviewed and changed. I ask the Minister to ensure that that review happens in the discussions that take place within government.
With those remarks, I beg leave to withdraw the amendment.
My Lords, I thank the noble Lords, Lord Coaker, Lord Alton of Liverpool and Lord Fox, and my noble friend Lord Blencathra, for tabling these amendments, which relate to our national security strategy and engagement with our Five Eyes partners.
The Government’s first and overriding priority is to protect and promote the interests of the British people through our actions at home and overseas. That is a message central to our integrated review of security, defence, development and foreign policy, and one that Ministers in the other place have repeated during the passage of this Bill. What I have heard very clearly in this short but powerful debate is that, regardless of party or affiliation, noble Lords across the House agree that we must do what we can to protect our national security interests.
That is precisely why we have introduced this Bill. It is why we have published the integrated review and why we have such close working relationships with our allies—not only in the Five Eyes but also among our European neighbours and beyond. So I welcome the spirit in which Amendments 10 and 11 have been put forward. I say that so that noble Lords will know that we share their instincts and ambitions in this crucial area, even though we cannot support these amendments today, as I will explain.
I start by addressing Amendment 10, tabled by the noble Lord, Lord Coaker. This amendment would require the Government to publish a long-term telecoms security and resilience strategy, covering various topics, within six months of the Bill’s Royal Assent. It would require this strategy to be laid before Parliament. This amendment is similar to the one tabled by the noble Lord in Committee, except that here he has made additional reference to reporting on Ofcom resources.
As I have said, the Government take their responsibility to protect the British public very seriously. We welcome and share the noble Lord’s desire to ensure that this country is prepared to overcome future challenges to the security of our telecommunications. However, we have—as the noble Lord noted—already published and are implementing a number of strategies that will ensure that our national security in general, and the security of our telecoms networks and services in particular, are safeguarded.
I mentioned the integrated review. That overarching review sets out our commitment to security and resilience, so that that the British people are protected against threats. This starts at home, by defending our people, territory, critical national infrastructure, democratic institutions and way of life, and by reducing our vulnerability to the threat from other states, terrorism and serious and organised crime.
The noble Lord asked where the hierarchy lies. While the integrated review sets out our overall approach across government, the UK telecoms supply chain review guides our work on security and resilience in the telecoms sector specifically. The Government continue to implement the recommendations of the UK Telecoms Supply Chain Review Report, published in 2019. Alongside that, we continue our crucial work on supply chain resilience via implementation of the 5G Supply Chain Diversification Strategy, published last year, which we have debated during the passage of this Bill.
More broadly, the Government’s approach to telecoms security is informed by other cross-government priorities. In March we announced our intention to develop a comprehensive national cyber strategy as part of the integrated review. The cyber strategy will set out the UK’s approach to deterring our adversaries and ensuring that the technologies of the future are safe and secure. Furthermore, the Government intend to engage more widely with partners on the details of that strategy and publish it later this year, ensuring that our plans are aligned with funding decisions in the forthcoming spending review.
As set out in Committee, the Government are also in the process of developing a national resilience strategy that will provide a single, coherent approach to the way the UK approaches national resilience. That will be published in early 2022 and will provide a foundation on which to build a clear and co-ordinated approach to the whole range of resilience challenges.
Through his proposed Amendment 10 I think the noble Lord is seeking reassurance that the UK is working with our international partners to achieve shared objectives, and I am very happy to set out how we are doing that. The Government engage regularly with partner countries, including those mentioned in the noble Lord’s amendment: NATO and the Five Eyes allies. We are committed to a strong and deep relationship with our allies. We have held detailed and productive talks with partner Governments throughout the development of the Bill and will continue to do so as and when it is passed.
Similarly, the Government recognise that co-operation on international standards is vital to our joint efforts as we look to the future. We are working closely with the industry, the National Cyber Security Centre, Ofcom and a wide range of international partners to increase the UK’s influence and presence at major standards development organisations, such as ETSI and 3GPP.
Through his amendment the noble Lord is also, I think, seeking reassurance about the adequacy of Ofcom’s funding for its security arrangements. As the telecoms regulator, Ofcom will have a vital role to play in the compliance and enforcement arrangements for the new security framework. We are working with Ofcom to ensure that it has the required resources to meet its new responsibilities. Ofcom’s budget for telecoms security this financial year has been increased by £4.6 million to reflect that enhanced security role.
As I have explained, we will continue to ensure that our approach to telecoms security is kept up to date in response to the changes in threats and technology. For those reasons, I do not believe that Amendment 10 is necessary, and I hope that, when we come to it, the noble Lord will be content to withdraw it and to see that we are indeed working with our allies on this important area, as he rightly asked.
Amendment 11, tabled by the noble Lords, Lord Alton, Lord Fox and Lord Coaker, and my noble friend Lord Blencathra, seeks to ensure that we take account of the actions of our Five Eyes partners. It would require the Secretary of State to review decisions taken by Five Eyes partners to ban telecoms vendors on security grounds. In particular, it would require the Secretary of State to review the UK’s security arrangements with that vendor and to consider whether to issue a designated vendor direction or to take similar action in the UK.
We certainly agree that the UK Government should engage with international partners, including our important allies in the Five Eyes alliance. That is what we have been doing throughout the drafting of the Bill and what we will continue to do once it has passed. Our Five Eyes relationship is robust, and the UK is committed to a close and enduring partnership. The Five Eyes intelligence and security agencies maintain very close co-operation, including regular and routine dialogue between the NCSC and its international partners. This dialogue includes the sharing of our respective technical expertise on the security of telecoms networks and the question of managing the risks from high-risk vendors. There are mechanisms already in place for the NCSC to share this and wider information with DCMS.
We also agree with noble Lords that the Government should consider the policies of our Five Eyes partners when developing our own security policies, and we do that. However, although we take the position of our Five Eyes partners into consideration, our international interests are not limited to the Five Eyes. That is why the approach we have taken in the Bill provides the flexibility for the Secretary of State to take into consideration a variety of relevant information, which includes but is not limited to assessments of our international partners’ policies. I reassure noble Lords that the Bill enables the Secretary of State to consider a decision by a Five Eyes partner—or, indeed, by any other international partner—to ban a vendor on security grounds.
Clause 16 of the Bill sets out a non-exhaustive list of factors the Secretary of State might take into account when she is considering issuing a designation notice. This illustrates the kinds of factors that the Government will proactively be considering on an ongoing basis as part of our work. The Government’s approach to national security needs to remain flexible and adaptable to future challenges. Every country’s approach to national security will be different; security measures taken in one particular country might not always be appropriate in another, for example due to differences in the composition of their telecoms networks or services.
The Government’s consideration of specific countries’ policies when developing their own national security policy should not therefore be mandated or set out in such a restrictive way in primary legislation.
Yes, we are of course on Report; it has been a while since we were in Committee. Yes, the noble Lord is right: we do not feel that this amendment is necessary. I hope that I am setting out how the Bill provides for the Secretary of State to do what I think noble Lords want to do, not least, as I was just explaining, in Clause 16 and the non-exhaustive list of factors referred to there. Our objection is to setting out the Five Eyes partnership specifically and restrictively when there may be other countries and allies we speak to where she will also rightly want to take that into account. It is important that the Government have the freedom to determine their own national security policies so that they remain flexible and can respond rapidly to changing threats and challenges to our telecoms networks. The Government also need to be able to determine exactly how and when they engage with their Five Eyes partners and consider their actions when developing our policies.
Noble Lords are absolutely right to speak of the importance of the Five Eyes alliance; for more than 60 years it has been doing extremely valuable work for the people of this country and, indeed, for the other partner nations in it. But the Five Eyes alliance was not created through legislation and its importance has not relied on it being set out in statute either. In fact, it would be highly unusual to refer to such an alliance in legislation and we feel that this Bill is not the right place to create such an important national security precedent. That is why we are resisting it.
The noble Lord, Lord Alton, suggested that if we had had such a provision it might have saved some time and effort in the past, in particular with reference to Huawei. The Government have always considered Huawei to pose a relatively high risk to the UK’s telecoms networks compared with other vendors. There has been a risk mitigation strategy in place since Huawei first began to supply equipment to the UK’s public telecoms providers. As he knows, in July last year, following advice from the NCSC, the National Security Council considered the impact of US sanctions in relation to Huawei and considered that further action was needed in relation to Huawei as the new US restrictions made oversight of Huawei products significantly more challenging and potentially impossible. That is an illustration of how the UK already regularly reviews security advice and requirements in response to international considerations and what other Governments are doing.
The noble Lord, Lord Alton, also asked about Hikvision. The UK is aware of reporting that has suggested links between Hikvision and human rights violations in Xinjiang. As he knows, the Government have spoken up at international organisations to condemn the ongoing situation in Xinjiang. In January, my right honourable friend the former Foreign Secretary announced a number of measures to help ensure that UK businesses and the public sector are not complicit in human rights violations or abuses there. Decisions on excluding suppliers would be made on a case-by-case basis by central government contracting authorities when undertaking procurements in line with the relevant regulations.
My noble friend Lord Blencathra raised China more broadly, and indeed the UK wants a mature, positive relationship with China based on mutual respect and trust. There is considerable scope for constructive engagement and co-operation but, as we strive for that positive relationship, we will not sacrifice either our values or our security. China is now a leading member of the world community; its size, economic power and global influence make it a vital partner in tackling the biggest global challenges, but it has always been the case that where we have concerns, we raise them, and where we need to intervene, we will.
In conclusion, I want to return to where I started these remarks. The Government view national security as their number one priority, as any responsible Government would. This debate has highlighted that there is broad agreement on the need for robust, strategic consideration of those issues. So, although I am afraid that we cannot accept the amendments in this group, I warmly welcome the intent behind them. I hope that I have reassured noble Lords sufficiently that we understand their concerns, and that they will be content not to press these amendments.
(3 years ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, I thank noble Lords from all sides of the House who have contributed to our debates during the passage of this Bill so far. Although that journey is not complete, their work has certainly helped us to interrogate the Bill and improve it. In particular, I would like to use this opportunity to thank my noble friend Lady Barran, who so expertly guided the Bill up to Committee; I was pleased to hear the tributes and thanks to her on Report a few days ago.
Throughout the passage of the Bill, the noble Baroness, Lady Merron, and the noble Lord, Lord Coaker, have helpfully challenged the Government’s approach from the Opposition Front Bench. I thank them for the constructive way they have done so and for their diligent approach, along with the noble Lords, Lord Fox and Lord Clement-Jones, from the Liberal Democrat Benches, who have also applied keen-eyed scrutiny throughout the Bill’s passage so far. Although we have not always agreed on the fine detail, it is clear that we all share the same ambition: to keep our telecoms networks secure.
I also thank my noble friends on these Benches, particularly my noble friends Lady Morgan of Coates, Lord Vaizey of Didcot, Lord Holmes of Richmond, Lord Young of Cookham, Lady Stroud, Lord Balfe and Lord Naseby for their contributions. The scrutiny that has been applied has already resulted in legislation that will allow the UK to protect our telecoms networks for years to come. It would be remiss of me not to extend my thanks also to parliamentary counsel for their usual brilliance in drafting the Bill, and to the House authorities for ensuring that the parliamentary stages could take place so seamlessly, including during the challenging circumstances of recent months.
I close by thanking the officials within my department, most of whom have been working on this Bill for well over a year now. Their knowledge, organisation and patience has allowed me, and I hope all noble Lords, to understand and scrutinise with relative ease what is a technical but very important Bill. It is a large Bill team and I make no apology for listing their names; it illustrates the breadth of work that has gone into what is quite a technical Bill. I thank Kathryn Roe, John Peart, Byron Grant, Thea Macdonald, Euan Onslow, Alex Walford, Malcolm Campbell, Dan Tor, Rosemary Buckland, Chris Frampton, Charlotte Carew, Will Jones, Yohance Drayton, and our lawyers, Sean Murray, Martha Hartridge, Simon Gomes, Luke Emmons, Richard Lancaster, May Wong, Harriet Preedy, Julia Clayson, Sean Wilson and Matthew Smith. All of them have supported the passage of this Bill excellently.
As my predecessor said at Second Reading:
“The Bill will … protect our telecoms networks even as technologies grow and evolve, shielding our critical national infrastructure both now and for the future.”—[Official Report, 29/6/21; col. 707.]
I am encouraged that your Lordships’ House agrees that the Bill will achieve this, and I beg to move.
My Lords, this has been my first Bill since I joined your Lordships’ House a little over six months ago. Some would say that I was thrown in at the deep end but in my view, I was simply given the opportunity to swim in rather warm and pleasant parliamentary waters. It has been fascinating and enjoyable and I am very glad that my first Bill has been such an important one for the security of the nation.
The Minister has of course been a constant throughout consideration of this Bill, and we saw his worth recognised as he was promoted from the important role of Whip to the Minister tasked with bringing the Bill home. I thank him for the courteous and professional manner in which he has conducted himself throughout, and I also express my thanks to the former Minister, the noble Baroness, Lady Barran. From these Benches, we also express our gratitude to the Bill team, the clerks, the staff of the House—indeed, all those who have worked front of house as well as behind the scenes to make this Bill possible.
Throughout, it has been my pleasure to work with my noble friend Lord Coaker, who has brought his valuable experience and knowledge to proceedings. We have been blessed to have the highly professional support of Dan Harris, our excellent adviser who has guided and advised us throughout, to whom we express our thanks. Her Majesty’s Opposition strongly believe that our nation’s security is above party politics, and I thank all noble Peers who have worked cross party on this Bill.
New technologies have long transformed how we work, live and, of course, travel. Our experiences during the pandemic have upped the ante on the degree to which we rely on telecommunications networks. At the same time, it has reinforced how intertwined these networks are with issues of national security, including the top priority of any Government: to protect its citizens from risk. This Bill is a necessary step to protect us.
I am very glad to welcome the Government’s acceptance of our arguments that codes of practice, to be issued by the Secretary of State to telecoms providers, must first come before Parliament. However, the Bill raised key questions and concerns, especially given the absence of an effective plan to diversify the supply chain and in respect of our telecom security depending on strengthening our international bonds, in particular through the Five Eyes, involving the UK, the United States, Australia, Canada and New Zealand. I thank the noble Lord, Lord Alton, for his work on that issue.
I hope that the other place will give sympathetic consideration to the changes we have made on both those matters, and that the Minister will recognise that the amendments passed by your Lordships’ House make serious and important improvements to the Bill and have widespread support across the Chamber. My concluding wish for this Bill is that the Government will reflect and feel able to support these improvements to the Bill and the security they provide.
My Lords, before we pass this Bill, may I add to a comment to what the noble Lord, Lord Fox, and the noble Baroness, Lady Merron, said? I express my thanks as well to everyone who was on the long list that the noble Lord, Lord Parkinson, gave us, but also to his predecessor, the noble Baroness, Lady Barran. As Ministers, I do not think they could have been more helpful and more responsive to the points we made both in Committee and on Report.
My noble friend also mentioned the all-party amendment moved last week by myself and the noble Lord, Lord Blencathra, which we also raised in Committee. It raises the need for reviews to take place when another jurisdiction—specifically, in this case, many of us cited the United States of America—had banned a particular company which was not banned in the United Kingdom but working within the telecommunications sector.
One example the noble Lord, Lord Coaker, and I gave in our debates was Hikvision, which is banned in the United States. It makes the surveillance cameras that are used punitively against the Uighur people in Xinjiang but are also used in our own high streets and public buildings. That amendment called for a review: that when any such company is banned in another Five Eyes jurisdiction, it is to be reviewed in the United Kingdom. It is a very reasonable all-party amendment, but it was opposed by the Government. Before the Minister completes his remarks today, could he tell us what has happened to that amendment and how the Government intend to respond to it?
I was remiss in not adding to the long list of names I read out those of the noble Lord, Lord Alton, and my noble friend Lord Blencathra, who signed that cross-party amendment to which the noble Lord just referred. Of course, the amendment goes to the other place, which will look at it, the official record and the debate we had on it. I am sorry I was not able to persuade the noble Lord and my noble friend of it, but I will work with my colleagues in DCMS to make sure that they take into account the views of your Lordships’ House as expressed in the vote. I will not pre-empt the debates that will be had in another place, but I look forward to seeing what it sends us back in continuing that debate.
In the spirit which all noble Lords have mentioned today of wanting to see this important Bill on the statute book swiftly but with the proper scrutiny that both places want to give it, I beg to move.
(2 years, 12 months ago)
Commons ChamberThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
I beg to move, That this House disagrees with Lords amendment 4.
With this it will be convenient to discuss the following:
Lords amendment 5, and Government motion to disagree.
Lords amendments 1 to 3.
I am pleased that the Bill has returned to the House from the other place and for the chance to speak to it. I thank my hon. Friend the Member for Boston and Skegness (Matt Warman) for his tremendous work in bringing it through the House earlier in this Session and in the last.
The Bill will create one of the toughest telecoms security regimes in the world. It will protect networks, even as technologies grow and evolve, shielding our telecoms critical national infrastructure both now and for the future. As the House will be aware, the Bill introduces a stronger telecoms security framework, which places new security duties on public telecoms providers and introduces new national security powers to address the risks posed by high-risk vendors.
I will briefly summarise the changes that have been made to the Bill. Lords amendments 1 to 3 were tabled by my colleague in the other place, Lord Parkinson. Lords amendment 4 relates to reporting on supply chain diversification and Lords amendment 5 relates to reviewing actions taken by Five Eyes nations regarding high-risk vendors. I will speak first to Lords amendments 1 to 3.
The important role of parliamentary scrutiny has been raised in debate throughout the passage of the Bill. In the other place, particular attention has been paid to scrutiny of our strengthened telecoms security framework. In its report on the Bill, the Delegated Powers and Regulatory Reform Committee noted that the new codes of practice were central to this framework, as they will contain specific technical information for telecoms providers. The Committee recommended that the negative procedure should be applied to the issuing of codes of practice. We carefully considered the Committee’s recommendation over the summer, and tabled amendments 1 to 3 in the other place to accept them.
The amendments will require the Government to lay a draft of any code of practice before Parliament for 40 days. Both this House and the other place will then have a period of time to scrutinise the code of practice before it is issued. These amendments demonstrate that we have listened and that we are committed to every aspect of the framework receiving appropriate parliamentary scrutiny. I commend these amendments to the House.
I will now speak to Lords amendment 4, regarding diversification. This amendment would place an annual requirement on the Government to report on the impacts of their 5G telecoms diversification strategy on the security of public telecommunications networks and services. It would also require a debate in the House on that report. The Government cannot support the amendment for two reasons. The first objection relates to the flexibility necessary for diversification. A reporting requirement of this nature is restrictive and premature. This is an evolving market that is rapidly changing, and we need the flexibility to focus our attention where it will have the greatest impact. While our focus is currently on diversifying radio access networks, once that part of the mobile network has been diversified we will move on to focus on other areas. Committing to reporting on specific criteria would limit us to reporting against the risks as we find them today and would not afford us the flexibility that diversification requires.
I am very interested in what the Minister says, because one of the major themes, and one of the big failures of the 5G debacle over Huawei, is the fact that we do not have diversification in the network. How will the Government be able to do a stocktake every year so that we as parliamentarians, and others, will be able to judge that what is being said about a commitment to diversification, which is in a lot of policy papers, is actually happening in practice?
I thank the right hon. Gentleman for his comment. Hon. Members will be able to raise in the normal way, through parliamentary questions, scrutiny at oral questions and Committee work, what we are doing in this area. We are reporting regularly on some of our diversification efforts and some of the money that we are spending from the spending review.
I accept that, although the current Government’s response to parliamentary questions these days is sometimes lacking. What benchmark, then, will the Government use for ensuring diversification? I accept that the Minister is the Minister today, but there will possibly be a future Minister—she will not be there for ever—so how are we to judge that we are actually going to get that diversification? Without that, we will end up as we have done now, with a network that is market-led and diversification is not in the market.
I appreciate the right hon. Gentleman’s concerns. We are committed to reporting to the House on a regular basis, but we do not want to limit ourselves on specifically what we will be reporting on in technological terms, because this is a rapidly evolving marketplace and we need to make sure that we have the flexibility to deal with particular infrastructure challenges as and when they come along.
My sense is that this amendment is intended to hold the Government’s feet to the fire on delivering their diversification strategy. If that is the case, a reporting requirement of this nature is unnecessary. This House and the other place already have mechanisms to hold the Government to account through parliamentary questions, as I said, and through the various Select Committees that can ably scrutinise this work. That is the appropriate way for scrutiny to take place.
Our second objection relates to focus. This is, first and foremost, a national security Bill. It is intended to strengthen the security and resilience of all our public telecoms networks, be they fixed line or mobile—2G, 3G, 4G, 5G and beyond. While the Government’s 5G telecoms diversification strategy has been developed to support that objective, it is not the sole objective of the strategy. This is market-making work. It is not a panacea to raise the security of our public networks. Moreover, the current scope of the strategy is not to address the entire telecoms market but to diversify a specific subset of it. The amendment extends the Bill beyond its intended national security focus and creates an inflexible reporting requirement on a strategy that will need to continue to evolve. We have been insistent on this position, and that is why I ask that this House disagrees with Lords amendment 4.
Lords amendment 5 would require the Secretary of State to review decisions taken by Five Eyes partners to ban telecommunications vendors on security grounds. In particular, it would require the Secretary of State to review the UK’s security arrangements with the vendor and consider whether to issue a designated vendor direction, or take a similar action, in the UK. I welcome the intention behind the amendment, which demonstrates that those in all parts of this House and the other place take the security of this country and its people incredibly seriously.
However, while we support the spirit of the amendment, we cannot accept it for four reasons. First, the House will recall that the Bill will provide the Secretary of State with the power to designate specific vendors in the interests of national security for the purpose of issuing a designated vendor direction. In clause 16 there is a non-exhaustive list of factors that the Secretary of State may take into consideration when issuing these designation notices. That list illustrates the kinds of factors we proactively consider on an ongoing basis as part of our national security work. A decision by a Five Eyes partner, or any other international partner, to ban a vendor on security grounds could be considered as part of that process, so this amendment would require us to do something that has been part of the Bill from the outset.
The key remark that the Minister made there was that it “could be” considered. We have seen the Government’s failures previously in relation to Huawei, so why should we have confidence moving forward that this will be any different?
I appreciate the hon. Member’s comments. When the Secretary of State is looking to designate a vendor, she will put that to the House to be scrutinised, and we will be scrutinised on this issue through the usual procedures that I have outlined in my previous comments.
I welcome the Minister to her place. If we look back over the past few months, even the past year or so, we see very much that the resistance early on by the UK Government with Huawei, when other Five Eyes countries were banning it, has led to a remarkable back-cost for replacing all this stuff because we failed to take an early decision. While the amendment may not be perfect, it indicates clearly a big weakness in the Government’s position, even in this very good Bill. If Five Eyes countries, which are our main allies in intelligence, spot there is a problem, we should pause, investigate the reasons why, and then come back to the House with the reasons why we disagree or agree. The amendment aims at doing that, so perhaps the Government should think about amending the Bill in such a way.
I appreciate my right hon. Friend’s comments, but it is important that we do not put in primary legislation the specific partners that we should have to listen to on these specific issues. It would create a hierarchy of diplomatic networks.
With respect, these are not specific partners; these are our closest allies when it comes to intelligence sharing. They do not get any closer than this. Working with them, as we do in sharing intelligence, means that using systems for sharing that intelligence would corrupt our own ability. I wonder whether the Minister could just slightly reset: these are not just partners.
I appreciate my right hon. Friend’s comments. The amendment would require us to do something that has been part of the legislation from the outset. We believe that our existing approach is the right way to continually consider the decisions of our international allies and partners, whether or not they are part of Five Eyes. That brings me to the second objection to the amendment, which is that it is unnecessary because we regularly engage with our Five Eyes partners and are committed to a close and enduring partnership with them. We agree with the other place that where possible, the UK Government should consider the actions of other countries when developing our own policies, and that is exactly what we do already. It is what we have been doing before and during the passage of this legislation.
The intelligence and security agencies across Five Eyes retain close co-operation, which includes frequent dialogue between the National Cyber Security Centre and its international partners. This dialogue includes the sharing of technical expertise on the security of telecoms networks and managing the risks posed by high-risk vendors. There are mechanisms in place for the NCSC to share this and wider information with the Department for Digital, Culture, Media and Sport.
Collaboration with our Five Eyes partners forms an intrinsic part of our national security work. The alliance was not created through legislation and it has not required legislation for us to develop and strengthen that relationship, and the amendment would set an unhelpful precedent. We do not need the amendment to compel us to work with our Five Eyes partners.
That takes me to our third reason for resisting the amendment, which is that the UK needs to have the flexibility to develop and encourage international relationships in addition to Five Eyes. Naming individual countries in this way would set an unhelpful precedent for national security legislation in future. As I have acknowledged, it is important that we consider the policies of our Five Eyes partners, namely New Zealand, Canada, Australia and the US, when developing our own policies, but we also need to consider the policies of a wide range of other countries, including those of our European neighbours, such as France and Germany, and those of other nations, such as Japan, South Korea and India. Stipulating in primary legislation the countries whose policies the UK Government should consider when developing our own national security policies, whether Five Eyes or other countries, would be unhelpful, given the wide-ranging nature of our international collaboration. It would be highly unusual to refer to specific countries in legislation in this way, and this Bill is not the right place to create such a precedent.
The fourth reason for resisting the amendment is that it is impractical because of the many different ways in which other countries operate their national security decision making. The amendment would require us to act whenever a ban takes place in another Five Eyes country, but it may not be immediately clear when a country has taken a decision to ban a vendor, particularly if they have relied on sensitive intelligence to make that decision.
It may not always be apparent why a particular country has banned a particular vendor. There could be any number of reasons why a foreign Government would choose to restrict a company’s ability to operate within that country. Those reasons may not be based purely on national security grounds. I welcome the intention behind the amendment, but we cannot accept it because we feel that it is duplicative, impractical, restrictive and, ultimately, unnecessary.
In summary, the House is presented with a strengthened Bill as Lords amendments 1, 2 and 3 will increase the chances of parliamentary scrutiny of the telecoms security framework. As I have set out, however, it would be inappropriate to agree to Lords amendments 4 and 5. I thank the other place for its scrutiny of the Bill. I commend Lords amendments 1, 2 and 3 to the House and ask that the House disagrees with Lords amendments 4 and 5.
I thank colleagues in the other place who have worked hard to improve the Bill. National security is the first duty of any Government and Labour will always put our country’s security first.
The pandemic has shown how important telecommunications networks are. I declare an interest as a former telecoms engineer, but I am sure I speak for the whole House in thanking all those who have kept our networks going during the pandemic. We have been dependent on them to work from home or to keep in touch with family and friends. This House could continue its important work thanks to telecommunications networks, as well as the hard work of House staff and the Speaker’s support.
A secure network is of the utmost importance. Labour welcomes the Bill’s intention while recognising its limitations. I am pleased that the Lords amendments that we are discussing reflect issues that Labour has been raising.
Lords amendment 1 seeks to improve transparency in the use of the Secretary of State’s powers to issue codes of practice to communications providers through the negative procedure. It reflects amendments that we tabled in Committee in response to the sweeping powers that the Bill gives to the Secretary of State and Ofcom. As the Comms Council UK said,
“the Minister will be able to unilaterally make decisions that impact the technical operation and direction of technology companies, with little or no oversight or accountability.”
The House has a duty to ensure that those powers are proportionate and accountable, so we are happy that the Government have bowed to pressure from Labour to strengthen parliamentary scrutiny, even if, in our view, it does not go far enough. Two consequential amendments to Lords amendment 1 set out the conditions for the 40-day scrutiny period and ensure that that time cannot be disrupted by recess or Prorogation so that this House and the other place have sufficient time to scrutinise the code.
Lords amendment 5 is cross party and designed to ensure that the Government review a vendor that is banned in a Five Eyes country. We support the amendment and find the Government’s opposition concerning, as we believe it could threaten our national security.
I find the Minister’s arguments against the amendment somewhat confused. She claims that the amendment is unnecessary because we already monitor Five Eyes countries and would always respond to the actions of our closest intelligence partners, but if that is true, why not formalise it? We are stronger together, specifically with our Five Eyes allies. Instead of putting forward further arguments, I turn to the eloquent explanation of Conservative peer Lord Blencathra:
“All it asks the Government to do…is to review the security arrangements with a telecoms provider if one of our vital, strategic Five Eyes partners bans its equipment. We are not calling for a similar immediate ban, or an eventual ban, we are just saying let us review it and come to a conclusion.”—[Official Report, House of Lords, 19 October 2021; Vol. 815, c. 99.]
We will support the amendment.
Lords amendment 4 requires the Secretary of State to report on the diversification strategy’s impact on the security of telecommunications networks. It would also allow for a debate in this House on the report to further strengthen parliamentary scrutiny. Labour supports the removal of high-risk vendors from our telecoms networks, and given the grave situation into which successive Conservative Governments have allowed our networks to fall, it is essential that the Government have the powers to remove Huawei at speed. However, we are left with only two providers, and as we heard repeatedly at every stage of this Bill’s progression, two providers is not diverse, is not resilient and is not secure.
We cannot ensure national security without a diverse supply chain, but I fear that the Government still just do not get it. Let me just take two of the Minister’s arguments. The first argument seems to be, as far as I could comprehend it, that requiring reporting would be “restrictive and premature”, but surely if the Government’s intention is to diversify the supply chain—and we have heard that we cannot have a secure network without a diversified supply chain—the only way a reporting requirement would be limiting is if the Government have no actual intention of doing anything about diversifying it.
The Minister’s second argument seems to be that this is too technologically specific. Lords amendment 4 says:
“The Secretary of State must publish an annual report on the impact of progress of the diversification of the telecommunications supply chain on the security of public electronic communication networks and services.”
Would the Minister tell me what in that is specific as to the technology? Indeed, the only specific aspect of technology is a requirement to include future technologies that may be used as a platform, such as cloud computing. I find the Minister’s reasons for not supporting this amendment concerning. I fear that the Government are just not serious about diversifying our supply chain, and that they do not really have a plan for it.
The Minister mentioned asking parliamentary questions. Just last week, I asked her what funding was available for 5G diversification, and she talked about
“a Future RAN Competition (FRANC) and opening the doors of the SmartRAN Open Network Interoperability Centre (SONIC Labs).”
I want to know how diversification is being achieved and how local sovereign UK capability is being built, not an acronym soup that is ad hoc, hard to digest and dangerously complacent.
I rise to speak in favour of Lords amendment 5, which was championed in the other place by my Friend, Lord Alton and which focuses on the Five Eyes partnership. The Minister said that the amendment was unnecessary, but I would argue that if she were to accept it, it would provide a safety net. Last year, the Government were forced into committing to removing Huawei equipment from the UK’s 5G network, which followed on from a ban by the US and Australian Governments. We had even found ourselves in a situation in which one of our closest allies publicly threatened to stop intelligence sharing with us for the first time in our 75-year partnership. I would argue that this amendment would ensure that we did not find ourselves in a similar place again.
Let me give the House an example. Despite being blacklisted by our closest ally for its ongoing links to the ongoing genocide in the Xinjiang, and a Chinese intelligence law which means that the company can not only harvest data but provide data back to the Chinese state, the surveillance company Hikvision continues to be embedded in councils, hospitals and city infrastructure up and down this country. Earlier this year, I led a Business, Energy and Industrial Strategy Committee report, “Uyghur forced labour in Xinjiang and UK value chains”, which also looked at data harvesting. I was deeply unimpressed with Hikvision’s response, and I want to put on record that I thoroughly support the Foreign Affairs Committee’s recent recommendation that the Government should forbid Hikvision from operating in the UK. My Select Committee continues its work on Xinjiang, and I look forward to meeting TikTok in the near future.
The amendment would provide a fantastic safety net to ensure that we do not find ourselves in a difficult relationship with our Five Eyes partners again. Why would we want to risk that? I urge the Minister to recognise the motivation behind the amendment, which would enable trust and deepen our intelligence sharing alliances with our closest partners as well as ensuring security at home. I also urge the Minister, if she has the time, to read the “Uyghur forced labour in Xinjiang and UK value chains” report, and in particular to focus on article 7 of China’s national intelligence law, which states that any company that is registered in China has to provide data to the Chinese Communist party on demand, and also to deny to any other state that it is doing so.
With the leave of the House, I close this debate by thanking hon. Members for their contributions to the debate and for making a number of extremely important points about national security. I am keen to address those not only now, in this legislation, but in the future, through horizon scanning for some of the challenges that are coming up.
I appreciate that some of the trust in the system has been undermined by the Huawei situation, and I am sympathetic to concerns raised about reporting, diversification and resilience. My hon. Friend the Member for Solihull (Julian Knight) is absolutely right that this legislation is just one part of a wider security framework. The development of 5G and full-fibre networks brings new security challenges, which we must be prepared for.
This legislation sets up a strong regime for handling and removing high-risk vendors from our public networks, but it is just the start. Specific security measures will be set out in secondary legislation; there will be a lot of work to do in the next stage as we draw up that legislation, and we will be publishing a code of practice explaining the technical guidance that providers can follow to comply with legal duties.
The final secondary legislation and code will be agreed through public consultation, which I hope will provide another opportunity for hon. Members who have concerns in this area to provide adequate scrutiny. I am alive to some of those concerns, but, as my hon. Friend the Member for Boston and Skegness (Matt Warman) has outlined, MPs and Peers have had multiple chances to scrutinise and feed back on our diversification strategy, and we will continue to report on developments.
I remind the Minister that the members of the ISC present tonight have written to the national security adviser on the revision of the memorandum of understanding from the Prime Minister to the ISC. We really do expect some changes to that, so that we can close the gap on supervision of things that other Select Committees cannot look at.
I thank my right hon. Friend for that point. This issue has been raised throughout the passage of the Bill; I am alive to those concerns from the ISC, which bring particular expertise and scrutiny on matters on which others cannot, by virtue of their security importance. I understand that the ISC’s Chair has written to the Cabinet Office on the matters raised, but I wish to engage with the Committee on its important work. I believe I may—
(2 years, 11 months ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Telecommunications (Security) Act 2021 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
That this House do not insist on its Amendment 4, to which the Commons have disagreed for their Reason 4A.
My Lords, noble Lords will recall that this Bill will create one of the toughest telecoms security regimes in the world and ensure the security and resilience of the UK’s telecommunications networks and infrastructure.
Amendment 4, which was tabled by the noble Baroness, Lady Merron, and the noble Lords, Lord Alton of Liverpool and Lord Fox, would insert a new clause into the Bill. The clause would require the Secretary of State to report on the impact of the Government’s diversification strategy on the security of telecommunication networks and services, and would allow for a debate in another place on the report.
I ask that this House do not insist on its amendment for two reasons. Our first objection to this amendment relates to the flexibility necessary for diversification. The reporting requirement, which is based on the risks as we find them today, is restrictive and premature for a market and technology that is evolving and rapidly changing. Policy work is at an early stage, and the criteria for how we measure its success is evolving in line with our policy. It would not be suitable to set out specific reporting criteria in legislation.
The diversification strategy and any reporting on its progress must be flexible so that we can focus on achieving the greatest impact. As we hope diversification to be a short-term problem, enshrining it in legislation—a long-term solution—would be counterintuitive and unnecessary. We are currently focused on diversifying radio access networks, for instance, but that may change in the future.
The Government take diversification seriously. I reassure noble Lords that mechanisms are already in place, through Parliamentary Questions and Select Committees, to thoroughly scrutinise the strategy and its progress now and in the future. This is the appropriate method of scrutiny for an evolving, time-limited strategy.
Secondly, this is principally a national security Bill intended to strengthen the security and resilience of all our telecoms networks. The Government’s 5G telecoms diversification strategy has been developed to support that objective but it is not the sole objective of the strategy. In addition, the strategy is focused on a specific subset of the telecoms supply market, not the security of public networks as a whole.
From debates in your Lordships’ House so far, it is clear that this amendment intends to hold the Government to account on the impact of the diversification strategy on the security of public networks. We will be happy to provide updates on the strategy’s progress through existing channels, and are encouraged by the developments that we have seen since the strategy’s launch. The amendment would extend the Bill beyond its intended national security focus and creates an inflexible reporting requirement on a strategy that, as I say, will evolve as it fulfils this important work. That is why I ask your Lordships’ House not to insist on Amendment 4.
I shall also speak to Motion B, which asks that this House do not insist on its Amendment 5, to which the Commons have disagreed for their Reason 5A. As noble Lords will recall, Amendment 5 was tabled by the noble Lords, Lord Alton of Liverpool, Lord Coaker and Lord Fox, and my noble friend Lord Blencathra. The amendment would require the Secretary of State to review decisions taken by Five Eyes partners to ban telecommunications vendors on security grounds. In particular, it would require the Secretary of State to review the UK’s security arrangements with that vendor and consider whether to issue a designated vendor direction or take similar action in the UK.
As I said on Report, I welcome the intention of the amendment. It demonstrates that noble Lords across the House take the security of this country and its people incredibly seriously. However, while we support the spirit of the amendment, we cannot accept it for four reasons.
First, this amendment is unnecessary as the Bill already allows the Secretary of State to consider the policies of Five Eyes countries. Clause 16 includes a non-exhaustive list of factors that the Secretary of State may take into consideration when issuing designation notices regarding high-risk vendors. That list illustrates the kinds of factors we will be considering proactively and on an ongoing basis as part of our national security work. A decision by a Five Eyes partner or indeed any other international partner to ban a vendor on security grounds could be considered as part of that process. The amendment asks the Government to do something that has been part of the Bill from the outset. We believe that our existing approach is the right way to continually consider the decisions of all our international allies and partners.
Secondly, the amendment is unnecessary because we are already committed to a close and enduring partnership with the Five Eyes countries. We engage with our partners regularly and, where relevant, consider their actions when developing our own policies. The Five Eyes intelligence and security agencies maintain close co-operation, which includes frequent dialogue between the National Cyber Security Centre and its international partners. This dialogue includes the sharing of technical expertise on the security of telecoms networks and managing the risks posed by high-risk vendors. Engaging with our partners in this way is at the very core of our national security work.
In another place, members of the Intelligence and Security Committee agreed that the amendment was not necessary as the existing intelligence relationship with the Five Eyes, and other international parties, is strong. The chairman of the Intelligence and Security Committee, Dr Julian Lewis, said:
“We looked at Lords amendment 5 and we understood the temptation to flag up the importance of the Five Eyes relationship. We agreed ... whenever a serious objection is raised on security grounds by one of the Five Eyes partners, we take that with the utmost seriousness.”—[Official Report, Commons, 8/11/21; col. 119.]
The chairman of the DCMS Select Committee, Julian Knight MP, agreed and said that
“any Government worth their salt would take very seriously the approach of our closest security partners.”—[Official Report, Commons, 8/11/21; col. 117.]
Our third reason is that naming individual countries in legislation would be restrictive to the development of wider international relations and set an unhelpful precedent on national security legislation. The Five Eyes alliance was not created through legislation and it has not required legislation for us to develop and strengthen that relationship in the past. Moreover, we need to consider the policies of a wide range of countries, including those of our European neighbours such as France and Germany, and those of other nations such as Japan, South Korea and India, to name but a few. It is highly unusual to refer to specific countries in legislation in this way, and the amendment would set an unhelpful precedent for future legislation.
Finally, the amendment is impractical because of the many different ways other countries operate their national security decision-making. It may not be immediately clear when a country has taken a decision to ban a vendor, particularly if it relied on sensitive intelligence. It also may not be clear why a country has taken this decision, and it may not always be based on national security grounds. So, while I welcome the intentions behind the amendment, we cannot accept it and that is why I ask that the House does not insist on Amendment 5 either. I beg to move.
My Lords, I hope my noble friend Lord Fox has given his apologies to the Minister for being unable to be here due to a Select Committee engagement. However, that does not mean that on these Benches we are any less disappointed—or indignant, as I think my noble friend Lord Fox would put it—about the Government having turned down both amendments, which my noble friend signed. The Minister is developing a fine turn of phrase in turning down amendments that appear perfectly sensible. On Report he talked about sharing the ambition and warmly welcoming the intent and then said that they did not quite fit the Bill and the Government could not accept these amendments. It is rather baffling since both are built very firmly on the Government’s expressed intentions —indeed, ambitions—set out in the integrated review. That was very clear in our debates on Report. It seems that the Government’s motives are much more firmly based on resistance to scrutiny and the idea that, somehow, they would be constrained in their work on diversification by having to report, in the case of Lords Amendment 4. However, the words he used were:
“legislating for a reporting requirement would be limiting and inflexible.”—[Official Report, 19/10/21; col. 86.]
Having reread the debate and heard again what the Minister had to say, I still cannot understand the Government’s rationale for this.
The rejection of Lords Amendment 5 is equally baffling because the Minister talks again about the limitation of the amendment to a particular set of countries. Surely, one of the reasons we are where we are, and the Government had to backtrack on their treatment of high-risk vendors, is precisely that they were not in step with their other Five Eyes allies. Therefore, the Government are not even learning from experience. We are where we are, however, and clearly we are not going to take this further, but I believe that the Government will regret not accepting both amendments.
My Lords, I certainly hear the disappointment and perhaps, as the noble Lord, Lord Clement-Jones, said, even the indignation of his noble friend Lord Fox, in his absence. I am sure that if the noble Lord, Lord Alton of Liverpool, who is not able to be with us today, were here he would have had something to say as well. However, I hope to be able to reassure all noble Lords that the Government certainly have listened to and taken on board the points which have been made. Where we respectfully disagree, I would point to the fact that another place has disagreed as well, but, as I said in my opening remarks, we are very conscious of the spirit of scrutiny in which these amendments have been put forward. Noble Lords have wanted to ensure that the Bill does what the Government intend: to set up a framework to protect the national security of our country. We simply disagree about the practicalities of some of the amendments which remain at this late stage.
It may be helpful to say a little more about the opportunities for parliamentary oversight of the diversification strategy which noble Lords and Members of another place will have been able to take advantage of. Since its publication, Members of another place and noble Lords have had the opportunity to scrutinise and provide feedback on the strategy. The Science and Technology Select Committee in another place held an inquiry earlier this year on 5G Market Diversification and Wider Lessons for Critical and Emerging Technologies. The Government responded to the committee’s report in April, agreeing with its assessment of the scale of the diversification challenge and that there is a need to work swiftly to make early progress and build momentum as we work towards our long-term ambitions. We have not yet committed to a specific way of reporting progress, as policy work is at an early stage and the criteria for how we measure its success is evolving in line with our policy, as I said in my opening remarks.
However, we have made and announced a lot of progress on our diversification strategy already: for example, on our programme of targeted R&D support, including the future RAN open competition, the winners of which will be announced soon. We will continue to update on progress and are planning to launch further policy commitments at the same time as announcing the winners of that competition later this year. I know that noble Lords, if they agree with us and do not insist on their amendments today, will certainly continue to watch this issue vigilantly and find every opportunity to pursue these important issues in your Lordships’ House and through Parliamentary Questions and Select Committees, and it is right that they do.
I end by thanking again the Bill team and all officials who have been involved in the development of this important Bill. I listed them in full last time, so I will not try the patience of the Hansard editors by repeating their names but I will add one final name: Daniel Wilson, who has been of great support to me and my noble friend Lady Barran in working on this issue in private office.
I commend the Bill to your Lordships’ House. It will create one of the toughest telecoms security regimes in the world and ensure the security and resilience of the UK’s telecommunications networks and infrastructure.
That this House do not insist on its Amendment 5, to which the Commons have disagreed for their Reason 5A.
My Lords, I have already spoken to Motion B, and I beg to move it formally.