Committee Debate: 3rd sitting: House of Commons
Tuesday 19th January 2021

(3 years, 11 months ago)

Public Bill Committees
Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Amendment Paper: Public Bill Committee Amendments as at 26 January 2021 - (26 Jan 2021)
Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

Q I see that William wants to come in. I just want to say that we have also been told that there was a major difference between fixed and mobile architecture when it came to security issues. You seem to be saying that there may be differences, but there are security issues within fixed networks as well as within our mobile networks.

Emily Taylor: Generally, our standard of security across the board is not as high as it should be.

Professor Webb: I realise that Chi had also asked me how the UK can strengthen its ability to provide diversified supply chains, and I did not address that.

I want to pick up on something Emily said as well. I think she is absolutely right—the UK has a great number of really excellent engineers, both in universities and in leading consultancy-type organisations. Here in Cambridge there is a plethora of wonderful consultancies and start-up companies. In my experience, the biggest problem is actually finance. To try to raise the finance to get a start-up company off the ground, particularly one that sells to operators who have huge purchasing power and tend to squeeze all their vendors—quite naturally—is very difficult in the UK. It is much easier in the US. Addressing the ability to provide finance for those kinds of entities and, to Emily’s point, allowing them to exist for many years rather than to be bought as part of that financial process would help more than anything else, for the UK to grow its own major players in this space.

Matt Warman Portrait The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
- Hansard - - - Excerpts

Q Thank you for your comments so far. You will have seen in the diversification strategy that we completely agree with the points you have made around standards and the importance of international co-operation, so I will not go further into that. But it is interesting that a lot of what you have talked about is the diversification strategy rather than the Bill itself. In terms of where we have put increased duties on Ofcom, for instance, where do you feel that there should be more in legislation, rather than in the diversification strategy itself? It seems that tying our hands is not what you are asking us to do, but there is obviously a balance there, isn’t there?

Professor Webb: Yes, I think there is a balance. I do not have strong views on that. The legislation appears to be sufficient and flexible in this space. I think the issue is the way it is implemented, and particularly the downstream actions of the Government and of Ofcom might need a bit more care.

Emily Taylor: The legislation is creating a framework, and a lot of that will be filled out through statutory instrument and the codes of practice that are envisioned. I imagine the codes of practice will reflect the TSRs to a large degree. Thinking particularly about how the legislation might impact on the wish and the essential need to diversify, it imposes very high levels of liability for providers, and almost unlimited duties on everybody for the smallest infractions. That is William Webb’s point about proportionality.

As the measures come to life through secondary legislation, codes of practice and the actions of Ofcom, it is going to be very important that there are checks and balances. I am not sure whether the Committee is hearing from any civil society groups, but I am sure they would be worried about the very wide discretion for the Secretary of State. There is a lot of concentration of power in the Secretary of State and, perhaps, insufficient safeguards, as things are currently drafted.

Also, on the provisions that relate to the identity of the supplier—the nationality—rather than the qualities of security, which I think are the more relevant points, of course identity and nationality can be relevant, but there may need to be more of a look there to ensure that we are on the right side of potential risks of discrimination.

Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

Q In response to that, it is worth saying that there will never be such a one-dimensional approach as the one you have described, and I do not think you are suggesting that there is. However, I think we agree that there is a balance to be struck, and, inevitably, that comes in a whole series of advice from agencies and other entities. I was interested in something that Professor Webb said about the carrot and the stick. How would you propose that Governments or, I suspect, Ofcom incentivise operators to provide the greater security that you have been talking about?

None Portrait The Chair
- Hansard -

Emily Taylor?

Emily Taylor: I think that was a question to Professor Webb.

Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

It was to both of you, to be fair, but I did mention Professor Webb.

None Portrait The Chair
- Hansard -

You will both get a chance. We will go to Professor Webb.

Professor Webb: I am certainly all in favour of placing the requirements on those best placed to deliver them. For diversification, that is certainly the operators. I talked a bit about how you could, for example, offer them some financial incentive to have a more diversified supplier base. That would make some kind of sense, given that this would add costs to their management of the network.

In terms of security, I think it is a bit more difficult to see how that one might follow. I can imagine that there might be certain security issues where, for example, the decision might be made that a replacement is needed for a certain component in the network, or that they need to purchase some additional elements, and then you might imagine that it might help to have some sort of financial incentive to do that. But I think that would be on more of a case-by-case basis—I cannot see a clear, catch-all type of approach that would enable that.

Emily Taylor: I very much agree with what Professor Webb has said. Indeed, one of my reflections on the draft Bill is that it is very much at the stick end rather than the carrot end. Maybe we will start to see a bit more of the incentives coming through as the detail is filled out. But I think that thinking about incentives would very much reflect the close working relationship that there has historically been between the industry and Government. That is not the case in every country; it is actually a benefit in this case.

Security is expensive, and it is also long term. The telecoms supply chain review last year put it very accurately: the market does not reward investment in security—quite the opposite—so I would hope that there would be some recognition from Government about what is needed. I do not think that the investment in the diversification strategy is nearly going to match the investment that is required by the mobile providers who—yes, they are very successful large companies—have not had the great decade that, say, the Googles of the world have had in terms of their margins. So you are asking an already squeezed sector to make substantial investments, and I think that is the place where you could be looking at incentives.

--- Later in debate ---
Sara Britcliffe Portrait Sara Britcliffe
- Hansard - - - Excerpts

Q Can I just quickly follow up on that? I think you have answered it. Were the Government right not to quantify the impact of any delay in roll-out of 5G and full-fibre networks in their impact assessment?

Dr Drew: I believe they were. I have seen a lot of attempts to quantify the damage or impact of limiting our vendor net, as it were. With the removal of Huawei, I have seen multiple attempts to put a value to that—of the slowdown and having to go to different vendors. I am uncertain as to the accuracy of any of those, and I think that it would be very difficult to put a number on that in any useful sense.

My impression is that there is nothing that should stop us from being able to enact the goals of this Bill and the incentives to diversify the market, while also being able to develop and invest in the next stage of 5G use, which is its actual application, and to marry those two up together in a manner that provides us with both security and financial and economic benefit from putting these systems in place.

Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

Q Thank you for what you have said thus far. Some of it has touched on the National Security and Investment Bill, which I think is a complementary part of this. A lot of what you talked about regarding any reservations you might have was around, essentially, the resources for Ofcom—something that I think we will be talking about quite a lot in Committee. I am looking forward to saying that Ofcom will have all of the resources that it needs. I wonder how you think the Government could best demonstrate, beyond that short statement, that Ofcom is getting the resources that it needs.

Dr Drew: I think what needs to be considered in that question is the type of resources that will be the hardest for Ofcom to acquire. I frankly believe it is not necessarily technology; I believe it is actually personnel. The edge that is given to companies that have already been mentioned in your hearings today—Google, Microsoft, Facebook et al—is not necessarily in the technology, but in those who design the technology. Those people are hard to come by at the level that we require them at. They are also very hard to keep, because once they reach that level of acumen and they have Google, Facebook or Amazon on their CV, they can pretty much choose where they go and, often, how much they ask for in the process.

I think the biggest issue that Government face—not only in Ofcom, but in regards to future technology policy—is attracting and keeping those individuals who can provide the services and understanding, as well as develop the tools, that a future Government will need. If you can demonstrate a way to capture that talent and retain it, I think that would go a long way to soothing any potential questions about whether Ofcom will be capable of meeting the requirements of this and other Bills. This goes across all Departments, I feel.

Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

Q Although is it fair to say that the best way that we demonstrate that capability currently is in the capabilities that we see clearly demonstrated at NCSC and GCHQ?

Dr Drew: Yes. I believe that this is potentially one thing where, as much as possible, greater co-operation between these Departments should be encouraged, to the extent that it is possible to do, given how the security dynamics of the different Departments work. Quite frankly, Government do not have enough of this kind of personnel and expertise. What you do have, you must ensure is used as effectively as possible. That means that you cannot let them languish in one silo or Department, when their expertise would be highly useful in another where suddenly they find themselves dealing with types of issues that are far beyond their normal remit.

Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

I am, of course, talking about co-operation between NCSC and Ofcom.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

Q Can I just come back on that? I agree with you that GCHQ has difficulty in retaining staff, as you quite rightly say, Dr Drew, when they get to a certain senior level. I think it is about more than that; it is about culture, as well. Ofcom has a wide number of responsibilities in this sector. Would it not be better, for the security element of this, to give that to the National Cyber Security Centre and GCHQ, rather than leaving it to an organisation, which—we have been told—even if it got the culture right, would take a long time to get there?

I think the Minister is relying on good co-operation between the two organisations, but it is clear from the 2013 ISC report on critical national infrastructure and Huawei that civil servants with a bent for looking at economic development did not have their eye on the ball in terms of security, and they did not even tell Ministers about security concerns that were clear then.

Dr Drew: That is a fantastic question. The best way for me to phrase this is that I believe there is an imbalance that is natural to those who have a particular role within Government or the civil service. Those with responsibility for economic advancement will have a different take on the same issue from those of their colleagues with a security bent to their work.

I find this is a complex topic that needs to be balanced across those different interests. That is why I would generally lean towards co-operation between these groups as opposed to others. I also suspect—although, due to the nature of their work, I cannot be certain—that GCHQ and the NCSC have significant work already, which is only likely to increase. Although they might have the technical capability that Ofcom lacks, I am not sure they have the capacity to take on the sheer volume of work that this is likely to create. I would argue that, actually, more resourcing in general is required for whatever co-operative body is created to carry out the actions of this Bill and other Bills attached to it. That is needed.

--- Later in debate ---
James Sunderland Portrait James Sunderland
- Hansard - - - Excerpts

Q The Bill provides powers to fine vendors up to 10% of their annual turnover or up to £100,000 per day for failing to meet standards. Could I ask for your view, please, on how that compares internationally, and whether you feel that that is appropriate?

Lindsey Fussell: It is probably worth saying that, from an international perspective, although there are some other countries—notably Germany and Australia—that have started to explore strengthening their telecoms security framework, I am not aware of another country that is quite as forward leaning in terms of the framework that is being put forward in this legislation.

In terms of the fines, this is an important point—those fines match the level that we are currently able to levy in relation to our other telecoms requirements, such as breaches of our general conditions. Previously, under our past responsibilities, our fines were limited to £2 million, so really quite a small amount compared with the wealth of the largest operators. I think it is appropriate that the telecoms security fines match what we are able to do elsewhere.

The final point I would make is that fining is an incredibly useful power to have because it acts as a significant deterrent and a strong incentive for companies to comply. It is actually not the first lever that we reach for, certainly not maximum fines; it is there and we are ready to use it if we need to, but our starting point would be to work with operators on this journey as they move towards compliance as they respond to new and emerging threats.

Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

Q Thank you for all the work you have done on this matter so far. I wonder if you could just say a little bit more about the responsibilities that Ofcom has had, as you put it, since 2011 on telecoms security. I think that perhaps the extent of that is not as well understood as it could be.

Lindsey Fussell: Yes, of course, I am very happy to do that. As you say, we have responsibility now to monitor and enforce compliance on security. The difference, which is why I think this legislation is so welcome, is that at present we do not have any obligations set out as to how operators need to meet those security requirements. It has been basically up to them to decide what is necessary. While many companies have invested very heavily in their security—I would not want to suggest otherwise—clearly there is a journey to go on and improvements that need to be made. It is very welcome that we now have this much clearer framework, so that operators know what they need to do and we can enforce against it.

The other point that is worth bringing out is that, at present, operators are under a requirement to report incidents to us, but the nature of that reporting tends to be around incidents that cause outages. We do get a lot of those—caused not just by cyber-security but by wind, weather and other issues. Quite a lot of cyber-security incidents are, frankly, precisely designed not to cause outages, because it is in the interests of the malicious actor to allow the network to keep operating while they do whatever they are up to. The new requirements on operators are to tell us not just if there is an outage but if there is an incident where they believe their system may have been compromised. They are wider ranging and welcome powers.

Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

Q I think you are also aware that this legislation is backed up by a number of statutory instruments to give further powers.

Lindsey Fussell: Absolutely.

Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

Q Would you like to give an assessment of whether you think that is sufficient to address the concerns around, for instance, asset registers, which we have talked about before?

Lindsey Fussell: Yes, so the way the legislation works, as you say, is that there is a primary duty on operators to promote security of their networks, and on us to enforce and monitor compliance against that. My understanding is that the secondary legislation will set out around 40 to 50 sub-duties on operators, which they will all need to meet—that is all operators and providers of electronic communications services.

Underpinning that, each of those sub-duties will be reflected in the code of practice, setting out the details of what the operators need to do to meet each of those sub-duties. As I explained earlier in relation to the questions we discussed on national security, we are entitled, as the regulator, to place quite a lot of weight on the national security judgments that the NCSC and the Government have made in drawing up both those sub-duties in the code of practice, in responding to the threats identified.

None Portrait The Chair
- Hansard -

Any other questions from Members?