(3 years, 10 months ago)
Public Bill Committees
I agree. The issue with both Ericsson and Nokia is that they will have Chinese components in their hardware. This is an incredibly complex situation, as my hon. Friend said: we are talking about not just one piece of kit that most of us have in our pockets, but hundreds of thousands of components, pieces of software and other things. What I am trying to put on the record, and what I want the Minister to respond to, is the question of how we get an understanding of any risks that are involved in that, and how the regulator and the Government are going to look at ways in which national security could be compromised, not by the main company being owned by a Chinese state entity, a Russian state entity or any actor that we feel is a threat to us, but by a key component.
I have not yet really understood how the regulator will look at that issue further down the supply chain, and whether it will ask a supplier of kit to the telecoms network, “What is the level of threshold or security that you need?” That is hard enough with hardware, but with open RAN and software—we are talking about bits of code—it is going to be incredibly difficult. One of the issues is around vulnerabilities, and various things have been said about the vulnerability that Huawei poses to our telecoms network. However, I suggest people read the Huawei assessment centre’s annual reports—I am rather sad, because I read such documents. One thing sticks out every single year, and it is not that the Chinese are doing anything nefarious. The reports are highly critical of Huawei for its shoddy workmanship and engineering, but that type of shoddy engineering and a lack of attention to security will lead to security concerns in our telecoms network.
Amendment 7 is designed to tease out from the Government their thinking about the supply chain. We do not want to be over-burdensome on it, because we want to get innovation in the supply chain. We do not want to suddenly give researchers and other people in the supply chain huge regulatory hurdles to jump over, because that would stifle the development that we are looking for. It is about how individual components and the overview of the supply chain will be regulated. I have tabled a later amendment about Ofcom, but again it comes back to the point I made yesterday about the National Security and Infrastructure Bill. What has to be at the heart of it all, every single time, is not to stifle innovation and prosperity, but what has to come first every time is national security.
As I say, amendment 7 is a probing amendment, and I want to understand where the Government are at in terms of the supply chain, the security they feel they need over the supply chain and, more importantly, the visibility of the supply chain.
It is a pleasure to serve under your chairmanship, Mr Hollobone. I echo the thanks of the hon. Member for Newcastle upon Tyne Central to you and the House staff for facilitating this Public Bill Committee. I also echo her praise for the temperature of the room and especially her commitment to crack on and not fill it with further hot air. That is to be welcomed.
Like the hon. Lady, I will briefly talk about the broader context of the Bill before I directly address this group of amendments. As we all know, security should be the first priority for any Government, and the Bill demonstrates this Government’s commitment to securing the UK’s telecoms networks.
Clauses 1 to 14 raise the bar for security across the whole telecoms sector, and the subsequent clauses—15 to 23—provide the mechanism for the Secretary of State to manage the role of high-risk vendors. The part that telecoms plays in our security is undeniable and has become even more evident in the midst of this global pandemic. At present, the internet provides absolutely everything for workplaces, schools, families and friends, and the Government are committed to improving that through our gigabit programme. New technologies have the potential to be transformative, but they have the opportunity to reach their full potential only if they are secure, and the Bill will ensure that.
Before I explain the Government’s response to amendments 7 and 8, it is necessary to explain briefly how they would interact with clause 1. New section 105A in clause 1 places a duty on providers to take “appropriate and proportionate” measures. Those measures oblige providers to identify and reduce the risks of security compromises and require them to prepare appropriately for those risks. New section 105A also addresses the interaction between the duty and the national security and law enforcement activity, such that these activities are appropriately excluded from the definition of a security compromise. I will return to new section 105A later—I know that will excite the Committee.
Alongside the overarching security duty in new section 105A, new section 105B gives the Secretary of State the powers to make regulations that impose duties to take specific security measures. Clause 1 creates a duty for providers to take “appropriate and proportionate” measures to protect their networks and services from security compromises. “Security compromise” is then defined in new section 105A.
I would, and this is really a probing amendment to get an understanding of what the Government think, but may I ask the Minister a direct question about the national security bodies—GCHQ and others? If they came across a component or something that a supplier was producing that raised concerns, how would their concerns be translated into saying that a red warning should be put on a certain component in a supply chain?
I simply say that, as the right hon. Gentleman knows, the NCSC and others already work very closely with the networks. What he seems to be talking about, in some ways, is a very day-to-day way of talking about security concerns. That happens a lot already, and what the codes of practice and other documents will do is set up the framework by which that is formalised. As he knows, that process of very quick action being taken as soon as something is spotted, both by the networks themselves and by our agencies, is already well established, and the Bill gives considerably greater force to it.
As the right hon. Gentleman knows, the Bill is aimed at ensuring that providers take responsibility for the security of their networks and services in a way that has not happened, in legislative terms, in the past, and it then provides the Government with the powers that we need to enforce that. In so far as any supply chain components give rise to risks to the security of a network or service, new section 105A already requires providers to take appropriate action and proportionate measures to identify those risks. I appreciate that this is a probing amendment, but in a sense what the right hon. Gentleman is seeking to do through it is already there, and it will be enforced in the documents, such as the code of practice, that I have mentioned.
Furthermore, the addition of the presence of a supply chain component as a security compromise would not be consistent with the security framework’s definition of a security compromise, but I do not think that we need to get into too much detail about that in the context of a probing amendment. The concept of a security compromise is used in other provisions in the Bill, and it is important that we are consistent.
More fundamentally, the right hon. Gentleman’s amendment would put the onus on providers, rather than the Government, to determine a national security risk, but, as he implied, it is absolutely down to the NCSC and, ultimately, the Government and agencies to make that definition. Placing the responsibility for determining what does and does not constitute a threat to national security on the shoulders of all individual providers is not the right thing to do, and I think, to be fair, the right hon. Gentleman is not really suggesting that it is, either.
I thank the Minister for the way in which he is addressing these important proposals. I think that his concern is that this amendment would put the responsibility on the providers rather than the National Cyber Security Centre, and I understand that, but can he say a little about the following matter, because it is the providers that know their networks? The National Cyber Security Centre is excellent, and we have huge admiration for it, but in terms of the supply chains, changes to the supply chain and new components evolving, how does he envisage that, day to day, working effectively without an amendment of this kind to put this requirement on the providers?
As I have said, new section 105A partly provides the legal basis that the right hon. Gentleman seeks, but in practice no one is suggesting—the Secretary of State talked about this on the Floor of the House—that it is solely the name on the box of a piece of kit that defines international security status. We are not naive to the possibility of the supply chain being another vector of attack. That would be reflected in codes of practice and elsewhere around the legislation.
Public telecoms providers can and should consider the security of the resilience of their networks and services throughout the supply chain in a sensible and proportionate way. National security considerations are inevitably much broader than the issues that can be addressed solely by private companies. I think that is reflected in the distinction drawn up in this Bill.
The amendment would have implications for Ofcom’s monitoring and enforcement of providers’ compliance. The Bill includes provisions for Ofcom to collect information on behalf of the Secretary of State in narrow and specific areas related to national security, but this amendment would require Ofcom more actively to take some of the compliance judgments. In the evidence session the right hon. Gentleman was keen to see that it was not asked to make those judgments.
Clearly NCSC does a tremendous job in terms of education of members of the public and companies—as the Minister outlined, that is a key part of its role. Does he see, therefore, a role for Ofcom as part of that, in terms of ensuring that the supply chain and operators are aware of their responsibility not only under the Bill, but to ask the right questions about supply chains from what might be deemed as high-risk vendors?
In so far as codes of practice will be published by Ofcom, the answer to the right hon. Gentleman’s question is yes. The more nuanced answer is that it is a co-production between Ofcom, the Government, NCSC and others.
To conclude, the Government are immensely sympathetic to the issues that the right hon. Gentleman and the hon. Lady seek to probe, but we take the view that this amendment would do something that is, ultimately, already covered in the Bill. I hope that, in that spirit, she will withdraw the amendment.
I thank the Minister for his response. I am concerned that there is not greater clarity on the role of the supply chain components and the supply chain more generally. We will come to that in further amendments. Given where we are and how we got here, we must take a forward-looking approach to future risks and vectors for risks. This amendment is important in probing that, but I do not seek to put it to a vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I will not detain the Committee long, given that my right hon. Friend the Member for North Durham made such excellent points. I will add one point of consideration, which again, his modesty may have forbidden him from making.
The amendment goes to the heart of our concerns about the scrutiny of the provisions in the Bill. I say again for the record that we support the wide-ranging powers that the Bill gives the Secretary of State, but those powers must come with appropriate scrutiny, not because scrutiny is a “nice to have” or, as my right hon. Friend said, because the ISC needs further work, but because scrutiny of the provisions is essential to the good working of the legislation in practice.
Considering specifically the impact of the requirement to remove Huawei at this stage in our 5G roll-out—the economic impact, the cost to the providers and the cost to our economy—we recognise that it is the right thing to do, but we must also recognise the cost of doing it. Back in 2013, the ISC was one of the first parliamentary organisations to raise the issues around Huawei. I truly urge the Minister to accept this constructive amendment to support the appropriate provision of scrutiny.
My other point is more about the working of the clause, which gives the Secretary of State the power to make regulations that require providers to take specified security measures. As we know, the telecoms security framework and telecoms security requirement, to which all providers must adhere, will be set out in delegated legislation. In his response, will the Minister give us some idea of why the Secretary of State might need to set out additional specified requirements that are not in the draft of the TSR that he has published? Is the intention of the clause to enable him to set out additional specified requirements, or is it to enable him to highlight particular specified requirements that he does not think the providers are meeting quickly enough? In either case, does that not suggest that there are particular security concerns, either about providers or about the circumstances, that require these specific security measures? To come back to my first point, does that not highlight for those concerns to receive parliamentary scrutiny, with the appropriate clearance, which is to say that of the Intelligence and Security Committee?
I start by acknowledging the incredibly important work that the ISC does. Its role in overseeing the work of the UK intelligence community is vital to maintaining public trust, as the right hon. Member for North Durham described, and its members make important contributions to public debates on national security matters of all kinds. The right hon. Gentleman has done that for a number of years. Because he is a member of the ISC, he will know that I have proactively engaged with it on the substance of the Bill. I did so enthusiastically—if any Minister can ever regard a Select Committee appearance enthusiastically—and in recognition of the interest that I knew that Committee would have in the Bill. I will be writing again to the ISC on a number of matters raised in the Bill, and I have instructed officials from my Department to continue to engage with the ISC as the Bill proceeds through Parliament, building on the work that it has already done and on the transparency that we have already demonstrated by publishing the draft of the security framework regulations on 13 January, copies of which have been provided to the members of the ISC and a number of other interested Committees. I hope that all that demonstrates the Department’s commitment to working constructively with the ISC, despite the fact that, as the right hon. Gentleman said, DDCMS does not normally fall within the ISC’s formal remit.
It is none the less important to acknowledge that the ISC is not the only legitimate avenue to scrutinise this framework. We fully intend to make use of all the appropriate parliamentary procedures.
The regulations and the explanatory memorandum accompanying them will all be there for the ISC to scrutinise. There is also further guidance to providers in connection with the measures specified in the regulations that can be provided in the code of practice, which must be published, with a copy laid before Parliament. Also, beyond the usual arrangements for secondary legislation, new section 105Z of the Communications Act 2003 provides for Ofcom to produce security reports. Clause 11 of the Bill enables those reports to be published by the Secretary of State, and clause 13 provides for a review of the effectiveness of the framework, including any regulations, after five years.
It is in that context that I point to the enthusiasm with which we have engaged with the ISC. We will continue to do so and ultimately—this is perhaps the reason why the right hon. Gentleman described this process as an ongoing campaign, rather than something that we should address piecemeal—the ISC is clearly defined in the Justice and Security Act 2013. I do not think it would be right to address the memorandum of understanding that he referred to during our consideration of the Bill. We should not go at it in piecemeal fashion. The role of the ISC as set out in that MOU is to oversee the work of the security agencies, to provide oversight of certain intelligence or security matters within Government. Ultimately, if the right hon. Gentleman wants to change the MOU, that is a broader issue for him to take up. I note that he is not the only Member of this House to have made that point, but it is not my place to take a view on the role of the ISC; that should be for the ISC itself.
I am confident that we will continue to engage with the ISC; I personally will certainly do so. I know that the DCMS Committee will continue to take an interest, and I will simply say that we will co-operate as fully as possible. I will set out more in the letter I mentioned, and I look forward to the future salvos in the right hon. Gentleman’s campaign.
I make no criticism of the Minister, because he has been very proactive, as has his Secretary of State. The problem is this: we have two pieces of legislation going through Parliament. We do not have security Bills very often in this place, and now we have two in a very short period of time. Both make eminent sense and I support them, but this is not something that comes up regularly.
In terms of the Minister’s co-operation, I have no complaints about the way he has operated, but he is not going to be there forever and neither is his Secretary of State, so we need to put in place something that will weather the passage of time, and create an arrangement whereby it will be seen that Parliament is scrutinising these measures. I do not know why the Government—I am sure it is not the Minister, or even his Secretary of State—are resisting this. Frankly, I am not really bothered whether it goes on the face of the Bill or in the MOU, but the Justice and Security Act 2013 is very clear that as a Committee, the ISC has the ability to look at this.
I accept that it would be wrong to get into issues around this Bill that are quite rightly, as the Minister said, for the relevant Select Committee—the Committee on Digital, Culture, Media and Sport—to deal with. We would never do that, so I will withdraw this probing amendment, but we will come back to this issue. I am not usually a betting man, but I suspect that by the time this Bill and the other Bill go through, we will have got to where both I and the Minister—I think, privately—think we should be. I therefore ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.