Telecommunications (Security) Bill (Eighth sitting)
Tuesday 26th January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 26 January 2021 - (26 Jan 2021)
The Committee consisted of the following Members:
Chairs: Mr Philip Hollobone, † Steve McCabe
† Britcliffe, Sara (Hyndburn) (Con)
† Cates, Miriam (Penistone and Stocksbridge) (Con)
† Caulfield, Maria (Lewes) (Con)
Clark, Feryal (Enfield North) (Lab)
Crawley, Angela (Lanark and Hamilton East) (SNP)
† Johnston, David (Wantage) (Con)
† Jones, Mr Kevan (North Durham) (Lab)
† Lamont, John (Berwickshire, Roxburgh and Selkirk) (Con)
† Matheson, Christian (City of Chester) (Lab)
† Onwurah, Chi (Newcastle upon Tyne Central) (Lab)
† Richardson, Angela (Guildford) (Con)
† Russell, Dean (Watford) (Con)
† Sunderland, James (Bracknell) (Con)
Thomson, Richard (Gordon) (SNP)
† Warman, Matt (Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport)
West, Catherine (Hornsey and Wood Green) (Lab)
† Wild, James (North West Norfolk) (Con)
Sarah Thatcher, Huw Yardley, Committee Clerks
† attended the Committee
Public Bill Committee
Tuesday 26 January 2021
(Afternoon)
[Steve McCabe in the Chair]
Telecommunications (Security) Bill
The Chair
Before we begin, I know this is difficult and people forget, but Mr Speaker is clear: we should be wearing our masks if we are not speaking. I ask you to do your best to comply with that, because it is sensitive. The rules under which the House is allowed to operate have been agreed with health and safety, meaning that if we are not complying, not only are you putting everyone at risk, but unfortunately all the work that has been done could be invalidated. I urge people to do their best to remember.
Clause 17
Laying before Parliament
Amendment proposed (this day): 20, in clause 17, page 29, line 31, at end insert—
“(4) Where the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would, under subsection (2), be contrary to the interests of national security, a copy of the direction or notice must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.
(5) Any information excluded from what is laid before Parliament under the provision in subsection (3)(b) must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.”—(Christian Matheson.)
This amendment would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to a designated vendor direction or designation notice which on grounds of national security is not laid before Parliament, thereby enabling Parliamentary oversight of all directions and notices.
Question again proposed, That the amendment be made.
The Chair
I remind the Committee that with this we are discussing the following:
Amendment 22, in clause 20, page 35, line 30, at end insert—
“(9) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section which relates to a direction or notice that has not been laid before Parliament on grounds of national security.
Amendment 23, in clause 20, page 37, line 41, at end insert—
“(10) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision which relates to a direction or notice that has not been laid before Parliament on grounds of national security.
Amendment 24, in clause 21, page 39, line 9, at end insert—
“(6) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction which relates to a direction that has not been laid before Parliament on grounds of national security.
Amendment 25, in clause 21, page 40, line 6, at end insert—
“(8) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification which relates to a direction that has not been laid before Parliament on grounds of national security.
I need to understand, Mr Matheson, what your intention is.
Christian Matheson (City of Chester) (Lab)
As you correctly say, Mr McCabe, I need to announce my intention, but just as I was about to, the Committee was halted. I am reminded of the occasion involving that notorious football referee Clive Thomas. The 1978 World Cup blew up against Brazil because, as the ball was heading towards the goal, he disallowed the goal. That was rather how I felt this morning.
That said, I do not wish to press the matter further, despite the fact that I had devastating remarks that would have swayed the Minister. I will not put my amendments to the vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 17 ordered to stand part of the Bill.
Clause 18
Monitoring of designated vendor directions
Question proposed, That the clause stand part of the Bill.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
It is a pleasure to be back under your chairmanship, Mr McCabe.
I will try to rattle through these as quickly as I can. Clauses 18 to 23 cover monitoring and enforcement, and further provisions relating to non-disclosure and information requirements. Clause 18 gives the Secretary of State the power to give Ofcom a monitoring direction, requiring the regulator to obtain information relating to a public telecoms provider’s compliance with a designated vendor direction and to provide that information in a report to the Secretary of State.
The clause also includes requirements about the form of such reports and the procedures around their provision, but it does not create any new powers for Ofcom, which already has them under section 135 of the Communications Act 2003. The provisions in the clause are an integral part of the compliance regime. The power to give a monitoring direction to Ofcom is necessary to ensure that the Secretary of State has the ability to require it to provide the information needed to assess compliance with designated vendor directions.
Clause 19 provides Ofcom with the power to give inspection notices to public communications providers. The provisions will apply only where the Secretary of State has given Ofcom a monitoring direction. Inspection notices enable Ofcom to gather information from communications providers in relation to their compliance with a direction. The notices are a tool for Ofcom to give effect to its obligations under a monitoring direction.
Clause 19 also sets out the new duties that inspection notices can impose, the types of information that they can be used to obtain and how the duties in an inspection notice will be enforced. Ofcom may only give inspection notices in order to obtain information relating to whether a provider has complied or is complying with a direction. The notice power cannot be used to obtain information relating to whether a provider has complied or is complying with a direction. The notice power cannot be used to obtain information relating to how a provider is preparing to comply with a direction. Ofcom can instead use its other information-gathering powers under section 135 of the Communications Act 2003 to obtain such information.
Clause 20 provides the Secretary of State with the powers necessary to enforce compliance with designated vendor directions, as well as with any requirement for a public communications provider to prepare a plan setting out the steps it intends to take to comply. It is the Secretary of State’s responsibility to issue directions where necessary in the interest of national security. Clause 20 is essential to ensure that the Secretary of State can carry out this role effectively and enforce compliance with any directions issued. New sections 105Z18 to 105Z21 will be inserted into the Communications Act 2003 for this purpose. The provisions set out the process that the Secretary of State will follow in instances where an assessment is made that a public communications provider is not acting in compliance with the direction or with the requirement to provide a plan. The process encompasses giving a contravention notice, enforcing it and imposing penalties for non-compliance. The clause is essential in ensuring that the Secretary of State can carry out the role effectively and deters and penalises instances of non-compliance.
Clause 21 provides the Secretary of State with the power to give urgent enforcement directions. Provisions to enable urgent enforcement are needed in cases where the Secretary of State considers that urgent action is necessary to protect national security or to prevent significant harm to the security of a public electronic communications network, service or facility.
Clause 22 creates a power for the Secretary of State to impose a requirement on public communications providers or vendors not to disclose certain types of information without permission. The provisions are necessary to prevent the unauthorised disclosure of information, which would be contrary to the interest of national security.
Finally, clause 23 creates a power for the Secretary of State to require information from a public communications provider or any other person who may have information relevant to the exercise of the Secretary of State’s functions under new sections 105Z1 to 105Z26. For example, the Secretary of State can require information on a provider’s planned use of such goods or information relating to how a network is provided. It can also include information about the proposed supply of goods or services. The ability to gather such information would ensure that the Secretary of State is able to make well-informed decisions when considering whether to issue designation notices and designated vendor directions. Information obtained through the use of this power can also be used to support the monitoring of compliance, with directions supplementing information gathered by Ofcom through its information-gathering and inspection notice powers.
To summarise, new sections 105Z18 to 105Z21 together establish the power and processes that outline how the designated vendor regime will be monitored and enforced. The provisions in clause 22 are needed to manage the disclosure of information, the unauthorised disclosure of which may be contrary to national security, and clause 23 will ensure that the Secretary of State is able to obtain the information necessary to make assessments to determine whether to give a notice or direction and to assess compliance.
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
It is a pleasure to serve under your chairmanship once again, Mr McCabe. I will not detain the Committee long with a consideration of the clauses, and I thank the Minister for so ably setting out what the clauses aim to achieve. Indeed, we on this side recognise the importance and the necessity of clauses 18 to 23 in establishing the process and ensuring the powers to obtain information and enforce direction as part of that process.
We only reiterate a small number of important points to draw attention once again to the breadth of the powers, which enable the Secretary of State to require information to an almost unlimited extent. Given the breadth of the powers, the information and progress on the telecommunications diversification strategy is, once again, notable by its absence. Given the breadth of the requirements, it is notable that there is nothing on progress on the diversification strategy. Nor, if my memory serves me correctly, does the impact assessment reflect the potential costs to either the network operators or Ofcom in exercising these powers. The clauses do not set out the impact and they emphasise once again the importance of Ofcom having the appropriate resources to enable it to carry out the requirements effectively. I hope that the Minister will bear those limitations in mind in his ongoing review of the Bill.
Question put and agreed to.
Clause 18 accordingly ordered to stand part of the Bill.
Clauses 19 to 23 ordered to stand part of the Bill.
Clause 24
Further amendment concerning penalties
Question proposed, That the clause stand part of the Bill.
Matt Warman
Clause 24 enables higher penalties than those currently set out in the Communications Act 2003 to be issued by Ofcom, and clause 25 makes two necessary consequential amendments to that Act. The penalties under clause 24 can be imposed for contraventions of requirements to provide information to Ofcom for the purpose of its security-related functions. That includes when providers do not provide information requested by Ofcom for the purpose of providing a report to the Secretary of State.
Penalties can be set at a maximum of £10 million or, in the case of a continuing contravention, up to £50,000 a day. These maximum penalties are a marked increase on the existing ones, which are capped at £2 million, or £500 a day. This clause ensures that the maximum penalties are the same as those in clause 23. The size of these penalties is appropriate given the potential impact of the situation described. Proposed new section 139ZA(5) of the 2003 Act, inserted by this clause, gives the Secretary of State the power to change, by regulations subject to the affirmative procedure, the maximum amount of the fixed and daily penalties. That will help to future-proof the framework by ensuring that penalties can be adjusted over time—for example, because of inflation.
In summary, clause 24 enables Ofcom to issue the financial penalties necessary to ensure that providers supply it with the information that it needs. Clause 25 contains the consequential amendments to that, which are necessary because the Bill creates a number of powers to make regulations and some of those regulations will amend primary legislation.
Question put and agreed to.
Clause 24 accordingly ordered to stand part of the Bill.
Clause 25 ordered to stand part of the Bill.
Clause 26
Financial provision
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Clause 27 stand part.
Government amendments 1 to 4.
Clauses 28 and 29 stand part.
Matt Warman
I will be brief, but it is important to cover the Government amendments. The clause provides that any increase in expenditure attributable to the Bill is paid out by Parliament. Clause 27 covers the extent of the Bill and clause 28 provides for the commencement of the Bill’s provisions.
I turn to the small set of amendments that the Government deem necessary, given that the Bill will be carried over to the second Session. The Bill creates new national security powers for the Secretary of State to address the risks posed by high-risk vendors through the issuing and enforcement of designated vendor directions in clauses 15 to 23 and 24. Amendment 1 enables clauses 15 to 23 to come into force on the day on which the Bill receives Royal Assent. Amendment 2 ensures that the higher penalties also come into force. Amendment 3 removes the subsection of clause 28 providing for sections to come into force at the end of the two-month period. Finally, amendment 4 ensures that the provisions of clause 24 that are not commenced early come into force via commencement regulations on a day determined by the Secretary of State. Without the amendments, the provisions relating to those powers would come into force two months after the Bill receives Royal Assent, which could put at risk the timely implementation of this important policy.
Question put and agreed to.
Clause 26 accordingly ordered to stand part of the Bill.
Clause 27 ordered to stand part of the Bill.
Clause 28
Commencement
Amendments made: 1, in clause 28, page 46, line 19, leave out “section 14” and insert “sections 14 to 23”.
This amendment would cause clauses 15 to 23 to come into force on Royal Assent.
Amendment 2, in clause 28, page 46, line 19, at end insert—
“(ca) section24, so far as it relates to section18;”.
This amendment is consequential upon Amendment 1. Clause 24 provides for higher penalties to be available for certain contraventions of information requirements, including contraventions associated with section 105Z12 of the Communications Act 2003, which is inserted by clause 18.
Amendment 3, in clause 28, page 46, line 25, leave out subsection (2).
This amendment is consequential upon Amendments 1 and 2.
Amendment 4, in clause 28, page 46, line 30, at end insert—
“(ba) section 24 (so far as not already in force by virtue of subsection (1));”.—(Matt Warman.)
This amendment is consequential upon Amendments 1 and 2.
Clause 28, as amended, ordered to stand part of the Bill.
Clause 29 ordered to stand part of the Bill.
New Clause 3
Duty of Ofcom to report on its resources
‘(1) Ofcom must publish an annual report on the effect on its resources of fulfilling its duties under this Act.
(2) The report required by subsection (1) must include an assessment of—
(a) the adequacy of Ofcom’s budget and funding;
(b) the adequacy of staffing levels in Ofcom; and
(c) any skills shortages faced by Ofcom.’.—(Christian Matheson.)
This new clause introduces an obligation on Ofcom to report on the adequacy of their existing budget following the implementation of new responsibilities.
Brought up, and read the First time.
The Chair
With this it will be convenient to discuss new clause 7— Review of Ofcom’s capacity and capability to undertake duties (No.2)—
‘(1) The Communications Act 2003 is amended as follows.
(2) After section 105Z29 insert—
“105Z30 Review of Ofcom’s capacity and capability to undertake duties
The Secretary of State must, not later than 12 months after the day on which the Telecommunications (Security) Act 2021 is passed, lay before Parliament a report on Ofcom’s capacity and capability to undertake its duties under this Act in relation to the security of public electronic communications networks and services.”.’
This new clause would require the Secretary of State to report on Ofcom’s capacity and capability to undertake the duties provided for in the Telecommunications (Security) Bill which would be inserted into the Communications Act 2003 under the cross-heading “Security of public electronic communications networks and services” (which would encompass all the clause numbers which start with 105).
Christian Matheson
I do not want to detain the Committee all that long. The basis of the new clause is to ensure that Ofcom has the staffing and financial resources, as well as the capacity and technical capability, to undertake its new responsibilities under the Bill.
I remind the Committee that we heard in the evidence sessions that this is only one of several new areas of responsibility that Ofcom has received in recent years. For example, it now has responsibilities for regulating aspects of the work of the BBC. Parliament will be presenting Ofcom with responsibilities in relation to online harms, all of which is to be welcomed, but we have to recognise that there will be an overstretch for Ofcom.
In the area that the Committee is considering, there are technical complications that require specific sets of talents and capabilities which, we have heard previously, are not always in ready supply in the sector. We heard evidence that Ofcom, in common with other public sector bodies, does not pay as highly as some high-end consultancies, suppliers, developers or software houses, and therefore there will be churn. I do not want to stand in the way of anyone’s career development, but understandably there will be churn, in terms of Ofcom’s ability to maintain its responsibilities in what we know will be a continually evolving sector that throws up new technical challenges.
New clause 3 provides a duty on Ofcom to report on its resources, including the
“the adequacy of Ofcom’s budget and funding…the adequacy of staffing levels….and any skills shortages faced”.
In doing so, it will concentrate the minds of senior management at Ofcom, although I have no doubt that those minds will be focused on these matters already. Perhaps they will give this priority, particularly in terms of forward planning, and they will think, “We’re okay at the moment, but are we going to require extra and additional capability in area x, y or z in the next couple of years.” It will also focus and concentrate the minds of Ministers and Parliament, ensuring that Ofcom has the resources and capability to achieve the tasks that we have given it.
We heard many lines of evidence from the expert witnesses. My hon. Friend the Member for Newcastle upon Tyne Central may refer to some of them in her contribution, and I do not want to undermine that. Professor Webb said:
“I doubt Ofcom has that capability at the moment. In principle, it could acquire it and hire people who have that expertise, but the need for secrecy in many of these areas is always going to mean that we are better off with one centre of excellence”.
Emily Taylor of Oxford Information Labs said:
“Ofcom is going to need to upskill. In reality, as Professor Webb has said, they are going to be reliant on expert advice from NCSC, at least in the medium term,”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 79, Q95.]
The new clause is about assisting Ofcom to make an audit of what is available and ensuring that it is up to standard in terms of technological changes. It will also ensure that it is looking forward, in the midst of all the other responsibilities that Parliament is asking it to undertake, in order to maintain a level of skills and expertise that will enable it to undertake the snapshot reviews of current networks, as well as reviews of future provision and threats to the network. I hope that the new clause is self-explanatory and I am pleased to present it to the Committee.
Mr Kevan Jones (North Durham) (Lab)
I would like to speak to new clause 7, which stands in my name. It is related to new clause 3, in the name of my hon. Friend the Member for City of Chester. As he has just said, Ofcom has had an expansion of its duties in the last few years and become a little bit like a Christmas tree with added responsibilities, but none of them will be as important for the nation’s future as this. That is not to decry any of the expertise or other duties that Ofcom has, but national security and the security of our national telecoms infrastructure, is a vital new task. I have said before that my concern about Ofcom centres on national security. That is why I have tabled amendments to the Bill. My fear is that Ofcom will not have the necessary expertise, although I am not suggesting that it cannot develop into a good regulatory body looking at security and our national telecoms infrastructure.
I tabled parliamentary questions on Ofcom’s budgets and headcounts, and I am glad to see that its budget and personnel have increased as its tasks have grown. That was not the case in 2010, when its budgets were subject to some quite savage cuts. My concern—I will call this my Robin Day approach—is that we have to future-proof Ofcom to ensure that the organisation not only has the budget but also has the personnel it needs. I do not want to suggest that the Minister would want to cut Ofcom’s budget at present, as it does important work. However, it is a regulator and perhaps does not have the clout of a Government Department, so any future Chancellor or Treasury looking for cuts disguised as efficiencies could see it as easy, low-hanging fruit.
Ensuring that the Secretary of State undertakes duties highlighting Ofcom’s efficiency puts a spotlight on the basis of considerations by future Administrations of any political persuasion. That will be important, not just in the early stages but as we continue. It may take a while for Ofcom to get up to speed, but I want to ensure that that continues. The obligation for the Secretary of State to report on Ofcom would at least give me comfort that first, it is being looked at and, secondly, that civil servants cannot in future just assume that an easy cut can be made but which might then impact on our national security.
I raised another subject with the head of Ofcom when she appeared before the Committee. I do not really want to rehearse the discussions again, but as the Bill progresses the Minister will have to give assurances on security, and try to demonstrate the close working relationship between Ofcom and the security services. That will be important, as it will give credibility to the expectation that Ofcom can actually do the job that we have set out. If the Minister does that, it will reassure people who may not be convinced that Ofcom has the necessary expertise, and ensure that that close working relationship continues, not just now but in future, so that national security is at the centre of this.
There will always be a balance—as I said, we saw it in the National Security and Investment Bill—between wanting, quite rightly, to promote telecoms as a sector, and national security. I fall very much on the side of national security being the important consideration, and we need to ensure that that is always the case. It is important that national security and intelligence agencies are able to influence these decisions, not just in respect of Ofcom but also in respect of Ministers in future.
Chi Onwurah
I support and second the comments and contributions of my hon. Friend the Member for the City of Chester (Christian Matheson) and of my right hon. Friend the Member for North Durham (Mr Kevan Jones), who tabled new clauses 3 and 7. I would also like to congratulate the Committee on having made it through, as it were, the thickets of the Bill as it stands to the sunlit uplands of our new clauses, which are designed to improve it in a constructive and supportive way.
New clauses 3 and 7 both address the challenge of Ofcom’s resources. As Members of the Committee know, I joined Ofcom in 2004. I know that we are not allowed to use props in debates in the Chamber, but the Communications Act 2003, which I am holding in my hand, is the Act with which the Bill is concerned. The changes that the Bill makes are mainly adding to that Act.
When I joined Ofcom in 2004, the Act was about half the size it is now. I am grateful to the Vote Office for printing and binding the enlarged Act which, as I said, is about double the size it was when I joined Ofcom. That is because—my hon. Friend the Member for City of Chester alluded to this—Ofcom has acquired responsibility for critical national infrastructure, the BBC, the Post Office. What is not yet reflected in the Act is Ofcom’s soon-to-be-acquired responsibility for the entirety of our online existence, as reflected in an online safety Bill, which has yet to make its appearance but has the absolute commitment of the Minister’s Department.
This latest expansion of Ofcom’s duties will necessarily add a strain not only to its budget—I shall come on to address that briefly—but, most importantly, to its resources, as was referred to by my right hon. and hon. Friends. In January this year, a colleague of the Minister stated that Ofcom will have the resources that it needs to do its job. If that is the case, may I ask what objection the Minister has to Ofcom reporting to Parliament on the state of its resources, particularly as those resources will be very hard to come by. My right hon. and hon. Friends emphasised the fact that Ofcom lacks experience in national security measures, and that expansion of duties will require the recruitment of people with the required level of security clearance and experience.
We heard in the evidence sessions that that might be a challenge. Dr Alexi Drew said:
“I think what needs to be considered in that question is the type of resources that will be the hardest for Ofcom to acquire. I frankly believe it is not necessarily technology; I believe it is actually personnel. The edge that is given to companies that have already been mentioned in your hearings today—Google, Microsoft, Facebook et al—is not necessarily in the technology, but in those who design the technology. Those people are hard to come by at the level that we require them at. They are also very hard to keep, because once they reach that level of acumen and they have Google, Facebook or Amazon on their CV, they can pretty much choose where they go and, often, how much they ask for in the process.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 84, Q82.]
I just want to reiterate that the Bill must be forward-looking on security challenges. While we the existing architecture of our telecoms networks requires skills in certain aspects of technology—radio frequencies and so on—as the architecture moves more and more into the cloud and the software domain, those skills and CVs are going to be all the more scarce and difficult to obtain.
We also heard from Dr Drew that he was not sure whether Ofcom had the capacity to take on the sheer volume of work that was likely to be created. Finally, we heard evidence from Lindsey Fussell, Ofcom’s group director for network and communications:
“In relation to Ofcom’s costs, Ofcom is funded in two ways: first, by a levy on the sectors and companies that it regulates and, secondly, through the collection of fees, primarily from our spectrum duties. Our overall funding is obviously agreed by our board but also subject to a cap agreed with Government…We are currently in discussion with the Treasury about the exact technicalities and which of those routes will be used to fund this, but it will be in line with Ofcom’s normal funding arrangements.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 97, Q131.]
Mr Jones
This is about resources for Ofcom as a whole, but there will also be debate within Ofcom about how its resources are spent. Without any ring-fenced moneys for security, is my hon. Friend concerned, like me, that not only the external control of the budget but that debate internally might compromise security?
Chi Onwurah
My right hon. Friend makes an excellent point. This debate is important for the Bill and important for our new clauses. It is also important that the Minister clarifies what the duties and priorities of Ofcom should be. Having worked for Ofcom at a different point in its history, I can tell hon. Members that when there is, say, a complaint about the behaviour of somebody in the “Big Brother” household that is hitting all the headlines in all the newspapers, that attracts the sudden concentration of resource—unnecessarily, one might argue. There needs to be a counterweight, if you like, to those headline-driven resourcing bottlenecks, which would be either ring-fencing or reporting on how resource is being used to support national security.
All Opposition Members are clear that national security must be the first priority of Government, and therefore the first priority of Ofcom. This is all the more relevant as I pick up the Communications Act 2003, in all its weightiness, where we find the general duties of Ofcom in section 3:
“It shall be the principal duty of OFCOM, in carrying out their functions—(a) to further the interests of citizens in relation to communications matters; and (b) to further the interests of consumers in relevant markets, where appropriate by promoting competition.”
Security is not mentioned—national security or telecommunications security. During the evidence sessions, the argument was made, although I forget by whom, that security was a necessary part of furthering the interests of citizens in relation to communication matters. That is possibly true, but I still think this important issue would be improved by clarity.
As we know, there is a significant pressure on Ofcom’s resources, which changes week by week and month by month depending on what the issues are in the many and increasing domains in which it operates. If these principal duties of Ofcom do not reflect our national security, the concern is that having no direct reporting mechanism to Parliament could mean these resources being used opaquely, with no direct requirement to prioritise national security. I hope the Minister will agree that new clauses 3 and 7 solve a problem the Bill will have in practice. I hope that if he will not agree to the clauses as they stand, he will agree to consider how Ofcom’s prioritisation of national security interests can be made clearer.
Mr Jones
As I have said before, I am not a great fan of arm’s length regulators, because it is a way of Government Departments and Ministers off-loading their responsibilities. Given how my hon. Friend has described the Bill, the way this is going means that Ofcom will be larger than DCMS in the future. Does she share my concern about accountability if things go wrong? It is a good get-out for the Government to be able to hide behind Ofcom, rather than Ministers taking direct responsibility.
Chi Onwurah
As always, my right hon. Friend raises a good point. Having worked for a quango, I had clear insight into the line between independence and dependence, and into the importance of the political will of the Government, regardless of supposed independence. Equally, I saw how any regulator or supposedly independent organisation can be used as a shield for Ministers who do not want to take responsibility.
My right hon. Friend also raises a good point about the hollowing out of capacity in Government Departments. A consequence of 10 years of austerity and cuts is that DCMS and other Departments do not have the capability, capacity or resources that they previously might have enjoyed. I will point out to the Minister the example of the Government’s misinformation unit. It has no full-time employees and is supposed to exist using resources already in the Department—for something as critical now, with the vaccine roll-out, as disinformation.
My right hon. Friend is right to emphasise that given the relationship between the Government and Ofcom, which is an independent regulator, and given the increase in responsibilities that the Bill represents at a time when other responsibilities are also being added to Ofcom, the Minister cannot have it both ways. He cannot have no visibility when it comes to Ofcom’s resources and capacity while giving it yet more responsibility. In fact, this seems to be responsibility without accountability. I hope the Minister will take on board the suggestions in new clauses 3 and 7.
Matt Warman
I thank the hon. Lady for her contributions. To address her central point, it would not be possible for Ofcom to meet the duties Government have tasked it with without addressing the foundational issue of security. It is important that we bear in mind that that is not an exhaustive list, but security will always be a foundational point.
The new clauses would require the Secretary of State to lay a report before Parliament within 12 months of Royal Assent. New clause 3 would require Ofcom to publish an annual report on the adequacy of its budget, resourcing and staffing levels in particular.
As the Committee is aware, the Bill gives Ofcom significant new responsibilities. Ofcom’s budget is approved by its independent board and must be within a limit set by the Government. Clearly, given the enhanced security role that Ofcom will undertake, it will need to increase its resources and skills to meet these new demands. As such, the budget limit set by the Government will be adjusted to allow Ofcom to carry out its new functions effectively. This is of a piece with the direction of travel we are going in. In 2012, Ofcom had 735 employees. Last year, it had 937 employees, so as its remit has expanded, so has its headcount. That will continue to be reflected in the level of resourcing that it will be given.
Christian Matheson
Budget allocations can go down as well as up and there might be a future Government who are not quite as generous as past Governments have been. What guarantee can the Minister offer us that without some kind of reporting, such as that we propose, Ofcom’s budget will not be frozen or, indeed, reduced?
Matt Warman
Ultimately, a mechanism already exists by which Parliament is able to scrutinise Ofcom’s resourcing. Ofcom is required under the Office of Communications Act 2002 to publish an annual report on its financial position and other relevant matters. That report, which is published every March—I am sure the hon. Gentleman is waiting with bated breath for the next one—includes detail on Ofcom’s strategic priorities as well as its finances, and details about issues such as its hiring policies.
Matt Warman
The right hon. Gentleman asks me a question that I may be able to answer in a moment, depending on a number of factors. As for the thrust of his question, Ofcom is ultimately a serious regulator that has the resourcing to do a serious job. The right hon. Gentleman would be criticising us if it had fewer people, so he cannot have his cake and eat it by criticising the fact it has enough to do the job—but I think he is going to have a go.
Mr Jones
Quite the opposite. This just reinforces my point about quangos. If we reach a situation where quangos are bigger than the sponsoring Department it is perhaps best to keep things in-house rather than having arm’s length quangos and the nonsense behind which we hide in this country about so-called independence.
Matt Warman
The reality is that the relationship between Government Departments and regulators is very often incredibly close, but independence is an important part of regulation. Although the right hon. Gentleman makes a reasonable point about the optimal size for in-house expertise versus external expertise, it is getting the balance right between Ofcom, the National Cyber Security Centre and DCMS that this Government and the reporting measures we already have are fundamentally committed to providing.
The right hon. Gentleman talked about Ofcom’s resourcing. Ofcom will not be making decisions on national security matters, as we have said repeatedly, but it will to be responsible for the regulation around these issues. As the right hon. Gentleman said, the Intelligence and Security Committee has shown great interest in how Ofcom is preparing for its new role.
As for the point about disclosure and resources, I would be happy to write to the ISC to provide further details in the appropriate forum about Ofcom resourcing and security arrangements. This could include information that cannot be provided publicly, including information about staffing, IT arrangements and security clearances of the sort that we have discussed. I hope that Opposition Members understand that that is the appropriate forum to provide reassurance and to satisfy the legitimate requirements of public scrutiny on this issue.
Chi Onwurah
I thank the Minister for giving way and for the tone of his response to the different points we made. I will leave the reassurance about writing to the ISC to my right hon. Friend the Member for North Durham. Does the Minister recognise that that does not address the issue of Ofcom’s resources and reporting more generally, particularly lower down the pipeline, when it comes to national security? We have emphasised again and again the breadth of powers. The Minister has said that Ofcom will have the discretion, for example, to require an audit of all operators’ equipment—an asset register audit. It will take significant resource to understand the audit when it comes back. There are significant resource requirements involved that do not necessarily require security clearance but are nevertheless essential to effective security, and the Minister does not really seem to be offering reassurance on those.
Matt Warman
I would say that there is a sensible place to put some of that information, which is the communication to the ISC that I have offered, and there is a sensible place to put other information, which is the annual reporting that already exists. Hopefully the hon. Lady can find some comfort in the fact that both the information that cannot be shared publicly and the information that can will be subject to an appropriate level of parliamentary and public scrutiny.
Christian Matheson
I simply want to welcome the Minister’s comments, and the fact that he has recognised that the Intelligence and Security Committee is the appropriate place to discuss these matters, which, of course, cuts across other clauses that the Committee has already considered. He might bear that in mind on Report.
Matt Warman
I thank the hon. Gentleman for that intervention. I hope that now that I have given those various reassurances, hon. Members are appropriately comforted.
Everyone is waiting for the headcount of DCMS; I am assured that it is 1,304 people, some 300 more than that of Ofcom. I do not know whether that makes the right hon. Member for North Durham happier or more sad.
Matt Warman
We can discuss the optimal sizes of quangos and Departments outside this room. However, the right hon. Gentleman is obviously right that Government Departments and regulators need the resources they require to do their job properly. I hope that by describing the various mechanisms I have provided hon. Members with the reassurances they need to withdraw the new clause.
Christian Matheson
First, I owe you an apology, Mr McCabe; so keen was I to crack on with the consideration of the Bill that I did not say how great a pleasure it was to serve yet again under your chairmanship. I should have done so at the outset and I apologise.
I am grateful to the Minister for his response. I am looking to the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, for a little guidance. It could well be that we might want to serve a little bit longer under your chairmanship, Mr McCabe, by testing the views of the Committee on new clause 3, if we may.
Question put, That the clause be read a Second time.
New Clause 5
Reporting to Parliament No.2
‘(1) The Communications Act 2003 is amended as follows.
(2) After section 105Z29 insert—
“105Z30 Reporting to Parliament
(1) The Secretary of State must produce an annual report for the Intelligence and Security Committee of Parliament concerning—
(a) designated vendor directions made under section 105Z1; and
(b) designation notices issued under section 105Z8.
(2) The report must contain an assessment of the national security risks underpinning the directions and notices made under those sections.
(3) Ofcom must produce an annual report for the Intelligence and Security Committee of Parliament—
(a) assessing the adequacy of existing security measures within UK public electronic communication networks and services; and
(b) assessing future threats to the security of those networks and services.”’—(Chi Onwurah.)
This new clause introduces a requirement for the Secretary of State to report to Parliament on the impact of vendor designation on national security risks. It also requires Ofcom to produce a forward looking report on future threats to network security and undertake an assessment of the adequacy of existing measures.
Brought up, and read the First time.
Chi Onwurah
I beg to move, That the clause be read a Second time.
New clause 5 is similar in its intent to amendment 19, which we discussed earlier. As with all our amendments and new clauses, it is designed to improve the Bill through ensuring greater scrutiny, focus, transparency and security for the diversification of our network. It would introduce a requirement for the Secretary of State to report to Parliament on the impact of vendor designation on national security risks. It would also require Ofcom to produce a forward-looking report on future threats to network security and undertake an assessment of the adequacy of existing measures.
At the centre of the new clause is a wish to reflect the importance of national security not as a snapshot in time but as something that needs to be continually monitored, considered and assessed for future impact. The new clause would require the Secretary of State to produce an annual report for the Intelligence and Security Committee of Parliament. That would ensure that the report can be comprehensive with regard to security issues that might not be appropriate to share with the public or the Digital, Culture, Media and Sport Committee. The new clause would require that the annual report should concern designated vendor directions made under new section 105Z1 and designation notices issued under new section 105Z8. The report must contain an assessment of the national security risks underpinning the directions and notices made under those sections. That is for the Secretary of State to report.
In addition, Ofcom would be required to produce an annual report for the Intelligence and Security Committee to assess the adequacy of existing security measures within the UK public electronic communication network and services. Critically, it should assess future threats to the security of the networks.
As we have discussed, the Bill gives major sweeping powers to the Secretary of State and Ofcom. We want to ensure that they are proportionate and accountable. Like amendments 5, 9, 10, 20 and 22 to 25, the new clause seeks to address issues of oversight, scrutiny and transparency. We have taken some heart from the Minister’s recognition in the previous debate of the unique role of the Intelligence and Security Committee in assessing security implications, in that case resourcing for Ofcom. The new clause would ensure a focused accountability to Parliament, via the Intelligence and Security Committee, of the notices, designated vendor directions and designation notices made under the provisions of the Bill, and the existing security measures and future threats.
As aspects of this have already been debated, I want to focus on assessing future threats to the security of the network and services. The Minister might say that that is part of the responsibility of the National Cyber Security Centre. What we see is a massive transformation of how the UK addresses security in telecommunication networks, for very good reasons, and a significant amount of the responsibility falls on Ofcom.
The Minister has written to us about how Ofcom and the NCSC will be expected to work effectively together, and we welcome that, but it is also important that Ofcom demonstrates that it has the resources and skills to assess forward-looking threats to the security of our networks. If the measures in the Bill are to be effective for the next five or 10 years, there must be adequate accountability and assessment of future threats, so that we do not find ourselves once more in the position that we are in now because there has been a wholesale change to the networks and Parliament has not been able to assess the implications.
To support the concerns that we have raised, it is worth remembering that Andrea Donà, UK head of networks at Vodafone, said:
“Reviewing the legislation at regular intervals to assess its efficacy in the face of new technological challenges, and also in the light of new strategic aims by Government and that constant review involving the industry, will be very welcome”.––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 8, Q3.]
Dr Alexi Drew of the Centre for Science and Security Studies, talked about making it as hard as possible for attackers to get access, saying:
“We should be making sure that there is as much oversight and understanding as is possible of where our supply chains go, the standards that they should meet, and whether those standards are being met…this Bill goes some way towards that. I would argue that it needs to be continually updated, checked and maintained. This is not a one-off: times change, and the internet changes faster. Those would pretty much be my recommendations.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 82, Q100.]
Dr Louise Bennett argued that it was incumbent on the Government to have funding in place if vendor designations affected particular suppliers, because it could have the opposite effect to the one intended as small suppliers might not have
“the resources of skills, time or money”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 52, Q67.]
to respond. Reporting to the Intelligence and Security Committee on the impact of vendor designation notices as well as on forward-looking threats would be provide an opportunity to take account of the impact on particular sectors and on small suppliers, for example. Furthermore, we have talked previously about issues of confidentiality in the sector and concerns about changes and evolution in network architecture or the performance and predominance of one particular supplier, and the increasing influence that a supplier might have, which might not be appropriate to be reported in a public domain but would very much gain from being reported in a secure measure.
I know that the Minister is reluctant to add to the duties of Ofcom. He will probably say that Ofcom could do this if it wanted to. I reiterate that Ofcom has a lot of things that it could or should do, and would do, but it does not have as a principal duty ensuring the forward-looking security of our networks. The new clause will ensure that that is regularly considered by Ofcom and that Parliament can exercise adequate and effective scrutiny. It would also contribute greatly to the ability of Ofcom and the National Cyber Security Centre to work together effectively, as they would to produce such a report. I hope the Minister will support the provisions of the new clause.
Matt Warman
As the hon. Lady said, we have addressed various issues relating to the new clause in previous debates. It is important to stress that Ofcom has the resources that it needs. She talked about its ability to face the future, but in our evidence sessions, we talked to Simon Saunders, the director of emerging technology. I know she does not wish to suggest that Ofcom does not do this already, but demonstrably it is already proactively engaged in horizon scanning.
Chi Onwurah
Speaking as someone who was head of technology at Ofcom, I am aware that it engages in horizon scanning. I am sure the Minister will come on to this, but while there might be horizon scanning to understand how markets evolve and what level of competition may be seen in new markets in the future, the new clause deals specifically with horizon scanning for security and security threats. I am sure the Minister will focus on that.
Matt Warman
It is important to say that we have amended section 3 of the Communications Act 2003, to which the hon. Lady alluded, so that Ofcom must have regard to the desirability of ensuring the security and availability of networks and services, so that should be incorporated into the horizon scanning work.
Chi Onwurah
This is an important point. I do not think the 2003 Act has been amended, since I had it reprinted a week ago. We were talking about the principal duties. Under section 3, Ofcom has about two and a half pages of duties that it needs to carry out, but only two principal duties. Those principal duties do not mention security.
Matt Warman
The hon. Lady is right, but as of 31 December 2020, section 3(4) states:
“OFCOM must also have regard, in performing those duties, to such of the following as appear to them to be relevant in the circumstances…the desirability of ensuring the security and availability of public electronic communications networks and public electronic communication services”.
It is absolutely there, but I fear we are getting into a somewhat semantic argument.
Chi Onwurah
The Minister is generous in supporting this back and forth in debate. I will close by pointing out that the duty to which he refers is one of 13 duties, so it can hardly be considered a priority. To put it more fairly, to ensure that it is a principal priority, it would need to be elevated.
Matt Warman
I think an organisation of 937 people can cope with 13 priorities. On one level, however the hon. Lady makes a reasonable point, and it is not one that we disagree with. Security has to be absolutely central to the work that Ofcom will do.
I will not restate the points I have made about how seriously we take the Intelligence and Security Committee and how seriously we will continue to take it. We will continue to write to the Committee on topics of interest as they arise and we are happy to continue to co-operate in the way that I have done; however, as I said in the debate on amendment 9, the primary focus of the ISC is to oversee the work of the security and intelligence agencies, and its remit is defined in the Justice and Security Act 2013. Amending the Bill to require regular reporting to the ISC, as proposed by the new clause, would risk the statutory basis of the ISC being set out across a range of different pieces of legislation.
Matt Warman
Earlier, the right hon. Gentleman was suggesting that it was the memorandum of understanding that he would like to see amended. Now he seems to be suggesting that we should insert the new clause, which will not change the memorandum of understanding.
Mr Jones
No, I said in an earlier contribution that if it were done by the memorandum of understanding, I would be quite happy. I know the Minister is limited in the number of civil servants he has beneath him compared with Ofcom, but will he go away and read the Justice and Security Act 2013? It talks about Departments, but it also talks about intelligence more broadly, which is covered by the memorandum of understanding. I do not know why he is pushing back on this issue; it may be because of the Cabinet Office, which has more civil servants than he has. I suggest that we will win this one eventually.
Matt Warman
That may well be the case, but the right hon. Gentleman is not going to win it here—that is the important point to make. It is right not to try to address this issue in the new clause, but the Government will continue to take very seriously the work of the ISC, as he would expect.
Additionally, the new clause is designed to require Ofcom to provide annual reports to the ISC, which would, as the right hon. Gentleman knows, be particularly unusual in the context of the work of the Committee, as Ofcom will not be making judgments about the interests of national security under the Bill, or as part of its wider function. Ofcom’s role as regulator seems not to be something that comes under the purview of the ISC, even if I understand the broader point. As I said earlier, however, the NCSC is very much under the purview of the ISC, and there are plenty of opportunities for the Committee to interrogate the work of that excellent agency. I am sure the Committee will continue to take up such opportunities with vigour, but as I have said before, it would not be right to seek to reframe the remit of the ISC through the new clause. I ask the Opposition to withdraw it.
Chi Onwurah
I thank the Minister for his comments and for engaging so readily in debate. I have to say that we feel very strongly about the new clause, both for parliamentary scrutiny and for ensuring that Ofcom is looking forward and assessing future threats. With bated breath, I wish to test the will of the Committee on the new clause.
Question put, That the clause be read a Second time.
New Clause 6
Network diversification (No. 2)
‘(1) The Communications Act 2003 is amended as follows.
(2) After section 105Z29 insert—
“105Z30 Network diversification
(1) The Secretary of State must lay before Parliament an annual report on the impact of progress of the diversification of the telecommunications supply chain on the security of public electronic communications networks and services.
(2) The report required by subsection (1) must include an assessment of the effect on the security of those networks and services of—
(a) progress in network diversification set against the most recent telecommunications diversification strategy presented to Parliament by the Secretary of State;
(b) likely changes in ownership or trading position of existing market players;
(c) new areas of market consolidation and diversification risk including the cloud computing sector;
(d) measures taken to implement the most recent telecommunications diversification strategy presented to Parliament by the Secretary of State;
(e) the public funding which is available for telecommunications diversification.
(3) A Minister of the Crown must, not later than two months after a report has been laid before Parliament under this section, make a motion in the House of Commons in relation to the report.’ —(Chi Onwurah.)
This new clause requires the Secretary of State to report on the impact of the Government’s diversification strategy as it relates to the security of telecommunications networks and services, and to allow for a debate in the House of Commons on the report.
Brought up, and read the First time.
Chi Onwurah
I beg to move, that the clause be read a Second time.
It is with some sadness that I come to the last new clause we have to present—[Interruption.]. I see that causes some hilarity in the Committee; I am sure that is just nervous laughter and everyone shares my dismay that the focus on telecommunications that the Committee has ably exhibited for the last few sittings will soon come to an end. Our consideration in some detail of the importance and implications of our telecoms network’s security must conclude, but I am pleased that we end on this new clause, which sums up one of the key themes we have focused on throughout our discussions: the importance of the diversification strategy.
Many amendments tabled by the Opposition reflect our concern that the Bill claims to seek the security of our telecommunications networks and yet does not mention once the diversification strategy. We are moving the new clause to put that right. We support the Bill and the Government’s aims in the Bill. We believe it is right to remove high-risk vendors from the UK’s networks and to take the measures in the Bill that will ensure that the Government will be able to designate vendors and require telecoms operators to comply with security requirements. However, those steps must go hand in hand with credible measures to diversify the supply chain, and that must be subject to parliamentary scrutiny.
As I said, the Bill as drafted fails to mention the Government’s diversification strategy and chooses to ignore the impact that the new powers afforded to the Secretary of State and Ofcom will have on supply chain diversity. The Minister recognises that they will reduce diversity, yet there is no reference to the steps that will be taken to diversify the supply chain. The new clause would require the Secretary of State to report on the Government’s diversification strategy’s impact as it relates to the security of telecommunications networks and services.
The Opposition have argued throughout our deliberations that the sweeping powers afforded to the Secretary of State and Ofcom by the Bill must be put under proportionate scrutiny, and the new clause would do that. It would bring about a debate in the House on the findings of the Secretary of State’s diversification strategy report and require a ministerial response no more than two months after the report’s publication. The new clause would therefore provide accountability for the diversification strategy’s progress and lead to real action, not just talk.
It has been said that
“it is essential that we create a more diverse and competitive supply base for telecoms networks”
because reliance on two providers creates “an intolerable resilience risk”. Those are not my words, but the words of the Secretary of State. Members from across the House agree that we cannot have a robust and secure network with only two service providers. That is something we were repeatedly told in the evidence sessions. The chief technology officer of BT Group, the director of emerging technology at Ofcom and the former head of cyber-security at GCHQ think so, and even the Secretary of State thinks so, yet the lack of link between the diversification strategy implementation and the security of our networks is ongoing cause for concern. Now we have the chance to take action, and I am glad to offer the Minister the opportunity to put this right.
This is not new information. The dependence of our telecoms networks on diversifying the supply chain was set out in the 2019 telecoms supply chain report. A leak from that report caused a Cabinet resignation, so important was it considered to be. Unfortunately, in the intervening year and a half, the Government have failed to act, refusing to take the necessary steps to ensure the diversification of our national supply chain, leaving us at real risk of being short-changed on national security. I emphasise, once again, that we place national security at the heart of everything that we do in this Committee.
The UK defence industry seeks to encourage, support and create markets for UK small and medium-sized enterprises, supporting the very best in innovation and helping innovative small and medium-sized enterprises to grow. We would like to see the UK’s telecommunications industry do likewise, to ensure a sovereign security capability. We want the Bill and the diversification strategy to create significant opportunities for UK businesses, linking them to global supply chains.
I welcome the Government’s diversification strategy. After all, I have been calling for a strategy to grow and diversify our telcoms sector for a long time—even before I came to this House. Although the Government have been talking about such a strategy for some time—there was an awful lot of talk about a diversification strategy and bigging it up before it was published—as is often the case with this Government, the strategy that was published was a bit of a disappointment. It lacked the clear commitment and funding that one would expect to find in any effective strategy.
The £250 million committed by the Government over five years came with little detail on how it would be spent. I have now had assurance that the funding is focused on integration and testing facilities, which are necessary, but there is no emphasis on supporting research and development, and particularly supporting our start-ups in the telecommunications sector. In the evidence sessions, Mike Fake of Lumenisity highlighted that the first year of the £250 million diversification funding was equivalent to only 10% of BT’s annual research and development budget. This is not the bold action of a Government committed to network diversification and our telecommunications security.
The diversification strategy declares itself
“a clear and ambitious plan to grow our telecoms supply chain while ensuring it is resilient to future trends and threats.”
That is a bold ambition. It says it will do that by focusing on three main areas:
“Supporting incumbent suppliers to ensure their resilience and ability to supply the market in the near term, while supporting their transition into the emerging market structure; attracting new suppliers into the UK market to build resilience and competition, prioritising deployments that are in line with our longer term vision; accelerating open-interface solutions and deployment so that we are not reliant on any single vendor and begin to realise our long term vision for a more open and innovative market.”
These are all highly laudable. They are not easy. I recognise the challenge that the Government face. As we discussed in the evidence sessions, this comes after decades of neglect of sovereign capability, not only in the UK but by other countries, which is why we find ourselves with only two vendors, both from Scandinavian countries, and no UK, US or other European capability.
We have heard just how difficult this challenge will be. Will the Minister tell me how we can possibly achieve that bold ambition if we fail to monitor the impact of the strategy? We need an annual report on the progress made by the diversification strategy, so that we can apply appropriate parliamentary scrutiny. After all, the strategy commits the Government to regular reports on progress, which is what the new clause asks for, while adding a focus on the diversification strategy’s impact on our national security. That is what it is all about. The Secretary of State tells us that the Government are implementing one of the toughest telecommunications security regimes in the world, but why is there to be no scrutiny applied to this key part of the regime?
When I asked the Minister in parliamentary questions why the diversification taskforce was not diverse in terms of geography—it includes no one from north of Watford—or discipline, having on it no equipment supply chain expertise, I was told that geography did not matter, and that the taskforce was focusing on cyber-security skills. To be fair, the Minister did say that Ian Livingston, the chair, was Scottish, but I think he will acknowledge that he has not lived in Scotland for some time. Geography does matter. We need to build up concentrations of skills and expertise—clusters. Cyber-security is very important, but focusing on it suggests that we are not serious about developing sovereign capability in other very important areas.
We are agreed that diversification is essential, and I hope that we are agreed that that should include UK capability. We also agree that it is challenging. How do we do it? In an evidence session, Professor Webb said:
“If I wanted to diversify, I would instruct the telecoms operators to diversify. I would not try and pull the levers one step removed. I would say to the telecoms operators, either with a carrot or a stick, ‘You must diversify. If you have x number of vendors in your network, I will give you £x million as a carrot.’ The stick might be some kind of licence condition that said, ‘In order to meet your licence, you have to have at least x number of vendors in your network.’”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 73, Q87.]
We also heard from Chris Jackson, who said:
“Incentives definitely play a part in this; to comment on Japan for a moment, I know the Japanese Government have incentivised companies to embrace open RAN, and that might well explain why companies such as Rakuten and NTT DOCOMO have been very successful in launching the technology. That proves it can be done and shows that where there is a willingness, there is a way, but if we can drive all those different parties coming together, that is how we will get traction.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 38, Q43.]
The Government have chosen not to do that. They have chosen to focus on big sticks for security, as set out in the Bill, such as designations, enforcements and fines of up to 10% of turnover, but they have left diversification very much to the market, providing it with a sweetener of £250 million over five years. Surely we have a right—indeed a duty—to monitor how and whether that is successful.
We heard in the evidence sessions that we have significant national promise in terms of capability. Dr Andy Sellars, the strategic development director for the Compound Semiconductor Applications Catapult, said:
“In the UK we have something like 5,000 companies that design and manufacture electronic systems. Something like 600 of them are involved in telecoms. I am not suggesting that all of those 600 become equal players. That would be a crazy scenario. But there are certainly some parts of the telecom network where the UK is pre-eminent. There are some backhaul and fibre technologies that we are very good at. As we deploy 5G into rural communities, that is likely to require low Earth orbit satellites; we are very good at satellite communications.”––[Official Report, Telecommunications (Security) Public Bill Committee, Tuesday 19 January 2021; c. 109, Q142.]
I will give the Minister a specific example of both the opportunity and the challenge, which I hope he will respond to equally specifically. I am very pleased to say that the example comes from my constituency of Newcastle upon Tyne Central: INEX, which is leading the UK’s drive for a sovereign radio frequency and communications gallium nitride semiconductor—an important semiconductor capability for telecommunications.
INEX is currently working with many of the organisations in the north-east communications cluster, including aXenic, Evince, VIPER RF, II-VI, Newcastle University and Durham University. Further afield, it works with companies and organisations in south Wales, Glasgow, Cambridge and Edinburgh, deploying compound semiconductors for RF and microwave applications, and working on the microfabrication of devices for quantum, medical and centres markets. Most recently, that has been expanded to include graphene-based devices.
Despite covid-19, in 2020 INEX grew by 50%, having recruited six highly qualified and experienced people. To address and grow the telecommunications market, those businesses in the north-east will have to extend their reach to partners in tier 1 telecommunications companies and their labs, and demonstrate that they have the skills and resources to scale the delivery of telecommunications hardware. The biggest challenge will be accessing the capital investment to buy the process and manufacturing equipment to deliver at-scale commercial products. That is a fundamental barrier to entry for many small and medium-sized enterprises in the sector. I ask the Minister what specifically he is doing to redress that. He will say that the diversification strategy suggests that there will be funding for testing and integration, but we are specifically looking at the challenge regarding capital investment.
If that group of companies is to be an intrinsic part of telecommunications deployment, we must ensure that it can reach into and benefit from the competitive pull of tier 1 labs and access the global telecommunications industry. I strongly believe that although direct procurement of critical subsystems, cyber-certification and sponsoring the UK’s attendance on standards bodies is beneficial —I will talk a bit about that—for truly secure telecommunications, the UK’s sovereign businesses, both hardware and software, need to be embedded in the global supply chain from which telecoms infrastructure is built.
The Bill needs to ensure that the UK is an embedded development partner, rather than simply a taker of technology. I am afraid that right now the Bill simply tries to ensure that we are a taker of technology. During the evidence sessions, we heard repeatedly of the importance of standards from numerous sources. Emily Taylor, the chief executive officer of Oxford Information Labs, heralded the exciting opportunities presented by inter-operable standards, and the impact that they could have on prevention of vendor blocking. The diversification strategy recognises that too, stating that standards
“play a critical role in determining the barriers to entry for new suppliers and establishing principles such as open interfaces and interoperability”,
but the Bill gives no requirement for reporting on the progress of standards, and no indication of how our involvement in standards, which is necessary for diversification, will be achieved.
Emily Taylor also said:
“The ITU is headed by a Chinese national, and of 11 working groups within the ITU’s Telecommunication Standardisation Sector …China has a chair or vice-chair in 10, and a total of 25 positions at chair or vice-chair”.––[Official Report, Telecommunications (Strategy) Public Bill Committee, Tuesday 19 January 2021; c. 71, Q82.]
Clearly there is a huge challenge in increasing UK participation in the standards necessary for telecommunications security, but how are we to see the progress that I am sure the Minister envisages if we do not have a report on the progress of the diversification strategy and its implications for security?
On standards, Professor William Webb told us:
“The UK Government themselves could not really have an influence, and nor could a university or any other organisation like that, not unless they spent inordinate amounts of money and hired a lot of people to write a lot of papers. There needs to be a concerted global or western European effort, or some kind of larger scale activity that can help the larger companies with the resources and expertise and the standards bodies to step up their efforts”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 72, Q83.]
yet we see no reflection of that in the Bill.
The impact that standards can have on vendor supply chain diversity is reflected in the diversification taskforce and the diversification strategy, which put a lot of emphasis on open RAN. We had much discussion in the evidence sessions about the maturity or otherwise of open RAN. The Government seem to have placed open RAN technology at the centre of their strategy to diversify 5G hardware, and aim to see live 5G open RAN in the UK this year. We support utilising open RAN, but evidence suggests that the technology may not be mature for another five to eight years, and Doug Brake stated that open RAN may not even be ready to be incorporated into 5G.
I acknowledge that through open RAN, the Government are thinking about how we will build the next generation of UK networks, but the UK currently has only two vendors. Our telecoms security is desperately in need of diversification and the development of a sovereign capability as soon as possible. We need an appropriate way of measuring that success.
We have also discussed the implications of changes in the architecture of telecommunications networks, and of moving control and services to the cloud. We have discussed the importance of forward-looking assessment, but I feel that a report to Parliament would ensure that those matters were kept very much at the forefront of the minds of Ofcom and the Department. It is worth mentioning that, on diversification and strategy, Dr Bennett suggested that a commissioner could help by
“keeping an eye on what is going on here, and in order to be able to help policy makers and the Secretary of State to make the right changes.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 49, Q61.]
I will make a couple more points before I bring my remarks to a close. First, we heard concerns from a number of operators that they might be left in a contractual limbo, with designated vendor notices rendering them unable to buy from a supplier but contractually obligated to. If the Government will not address that now, they should at least allow us visibility, through a report, of the impact. Secondly, as discussed, neither the Bill nor the diversification strategy include incentives to diversify, but the Government could put in place incentives to innovate, which might have the same effect—requiring improving rates of spectral efficiency, and network SIP funds, such as the rural one, for example. Is the Minister considering that?
Finally, I think we can all agree that this should involve working with our allies. We heard in evidence that the new Administration in the United States, for example—we all congratulate the new President, Joe Biden —would be inclined to do that. Doug Brake said:
“What we have seen over the last several years in the United States is a variety of different agencies doing what they can to mitigate the risks. It is less a co-ordinated whole of Government approach in the US and more a disjointed and fragmented policy response across different agencies, so I am hopeful that under a Biden Administration we will see a much more co-ordinated effort and one that is more co-operative with allies.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 123, Q163.]
We also heard from Emily Taylor about the idea of a D10, which the Defence Committee has talked about—a Five Eyes-type of collaboration among our allies. That idea has been kicking around for some time, yet we are yet to see it progress to anything concrete. Bringing together allies to work internationally and collaboratively on reinvigorating our telecoms sector is a laudable aim, but why is the Minister so afraid of monitoring its success?
A decade of neglect of our telecoms infrastructure has left us vulnerable and created the need for this Bill. We support the Bill, but it is clear that to protect our national security now and in future we must have an effective network supply chain diversification strategy, plan and implementation. New clause 6 would ensure that this vital aspect of our telecoms security is regularly reviewed and scrutinised, so that the UK is never again forced to choose between technological progress and national security.
Matt Warman
The hon. Lady raised an important issue. Fundamentally, however, the issue of diversification is twofold. The Government want to see greater diversification within our telecoms supply chain. The £250 million allocated for the first three years of that programme to support the diversification strategy is a hugely important part of it.
As we are already seeing in the increased use of open RAN, whether with Vodafone in Wales or the NeutrORAN project with the NEC, there is already significant progress. I think that demonstrates that the industry does regard this—whether the hon. Lady wants to call it as an incentive or a carrot—as something that is making things happen to a greater extent. The Government cannot legislate for the diversification of the market; that is something that we can incentivise and work with the market to do.
We can monitor the diversity of networks, as Ofcom has the powers to do. We can set requirements on what the minimum standards might look like. For instance, NCSC guidance already says that two vendors should be the minimum, rather than one, for a telecoms network. That gives you an indication of what we will be monitoring and looking at, potentially, in codes of practice in the future. The hon. Lady is right to focus on this important issue, but it is wrong to pretend, important though Secretaries of State are, that any Secretary of State could legislate in the way she describes for the greater diversification that we all seek.
The focus of the Bill is on setting clear and robust security standards for our networks that telecoms providers must adhere to, and they must be met regardless of the diversity within any of those networks. To be fair, the diversity within a provider’s supply chain, in and of itself, does not offer the guarantee of network security. A provider using a diverse supply chain needs to be held to the standards set out in this Bill, so that the provider is able to offer the security standards that we need, regardless of the number of suppliers that they have available.
It is important to reassure hon. Members that Ofcom will have the ability to collect information relating to the diversity of suppliers’ networks under section 135 of the Communications Act 2003, as we have discussed. I do not think it is necessary to specify the need to collect information relating to diversification, as that is just one set of information that Ofcom may collect; it is just as important as several others in monitoring and reporting the security and resilience of networks. It is also important to clarify that, although greater diversity is critical in ensuring that we reduce our national dependence on a small number of suppliers, it is part of a broader approach to building security and resilience across the global supply chain that sits outside the Bill, important though it is. Diversification is an issue broader than the make-up of supply chains for UK providers alone, as the hon. Lady knows.
At this stage, there is a limited number of suppliers in the global market—a smaller number that are capable of providing equipment suitable for the UK market. It is a global challenge that requires a global solution, which is why it is an integral part of the diversification strategy that the hon. Lady mentions. Our primary objective has to be to grow the supplier base and give operators more choice about the vendors that they use.
As we heard in evidence sessions, operators are equally committed to increasing diversity in UK networks. To achieve that, the Government will take forward the programme of works that the hon. Lady mentioned, with trials and testbeds for new suppliers and open RAN technology. We will ensure that telecoms standards are set in a way that promotes security and interoperability, and we will remove barriers to entry for new suppliers.
As the hon. Lady said, all that work is being informed by an independent taskforce looking at all options to drive increased market diversification. That includes incentives in forms other than those that I have already described, and the taskforce will be making recommendations in the coming months. It is also looking forward to identify areas where market consolidation might occur in the future, what can be done to offset those risks and where the UK can establish its sovereign capability.
The hon. Lady asks why there were not suppliers on the taskforce. If there had been suppliers directly on the taskforce, they would have been conflicted, but the taskforce has worked closely with suppliers because they are obviously very important. Indeed, Manevir, NEC and others who gave evidence are among those who we have spoken to and worked closely with, as we have with Nokia, Ericsson and Samsung.
As the Government deliver our strategy across all these areas, we will be making announcements and providing regular updates as required. That approach, rather than the one the hon. Lady seeks through the new clause, will enable us to provide up-to-date and timely information on progress. With that, I hope she will be content that there is plenty in the diversification strategy that will deliver what she wants, but it is not an issue for the new clause.
Chi Onwurah
I thank the Minister for his comments; having spoken for so long myself, I was reluctant to interrupt him. I am pleased that he has clarified that the £250 million is over three years, as opposed to being over five years—I had not seen that before. That is welcome, and I anticipate further funding.
However, the Minister says that the Government cannot legislate for the diversification of the network. Why not? The Government can legislate to break up consolidation in other markets, and they have legislated to do so—for example, competition law does exactly that. We heard in evidence sessions from some who felt that diversification could be achieved only through direct intervention. He implies that I am arguing that diversification delivers telecoms security on its own, but I am not arguing that. I am arguing that it is necessary though not sufficient—clearly, other methods are needed.
The Minister suggests that diversification is one of many things that Ofcom can report on, if it so chooses. That is equally important, but let us be clear that it was the diversification of a supply chain that was the critical report—a report so important that the current Secretary of State for Education was forced to resign because of its leaking, which is why we are here today. The diversification of the supply chain is absolutely critical.
The Minister says that we heard from operators that were committed to diversification, but we also heard that there were real challenges in their commitment to diversification. We would not be where we are today if they were so committed to diversification of their supply chain. That is why there is a need for incentives and intervention. On that basis, it is important to test the will of the Committee on the new clause.
Question put, That the clause be read a Second time.
The Chair
Mr Jones, new clause 7 has already been debated. Do you want to put it to a Division?
The Chair
I realise that this will come as a devastating blow to all of you, but the final question I must put is that—
Chi Onwurah
On a point of order, Mr McCabe. I put on the record my gratitude, and that of my right hon. Friend the Member for North Durham and my hon. Friend the Member for City of Chester, to you and your colleague, Mr Hollobone, for the way in which you have expertly chaired proceedings in the Committee. I also sincerely thank all House staff who have supported our work here, including those representing Hansard, and particularly the Clerks, who have been absolutely invaluable in setting out our desires to improve the Bill in clear and orderly amendments and new clauses.
I also thank all members of the Committee from both sides of the House. This detailed, technical Bill is critical for our national security, coming at a time of national crisis, when we are braving—all of us: staff and Members—a pandemic in order to be here. We have had an orderly and constructive debate.
Matt Warman
Further to that point of order, Mr McCabe. What fun we have had! It is a pleasure to come to this point in the Bill’s passage. I echo the hon. Lady’s thanks to the House staff and to yourself, Mr McCabe, and Mr Hollobone. I also reiterate her point that this is a crucial Bill—one that I am glad enjoys cross-party support. I look forward to debating its further stages in the House.
Bill, as amended, to be reported.
Committee rose.
Written evidence reported to the House
TSB 11 Stefano Cantarelli, Chief Marketing Officer, Mavenir.
Telecommunications (Security) Bill (Seventh sitting)
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Committee consisted of the following Members:
Chairs: † Mr Philip Hollobone, Steve McCabe
† Britcliffe, Sara (Hyndburn) (Con)
† Cates, Miriam (Penistone and Stocksbridge) (Con)
† Caulfield, Maria (Lewes) (Con)
Clark, Feryal (Enfield North) (Lab)
Crawley, Angela (Lanark and Hamilton East) (SNP)
† Johnston, David (Wantage) (Con)
† Jones, Mr Kevan (North Durham) (Lab)
† Lamont, John (Berwickshire, Roxburgh and Selkirk) (Con)
† Matheson, Christian (City of Chester) (Lab)
† Onwurah, Chi (Newcastle upon Tyne Central) (Lab)
† Richardson, Angela (Guildford) (Con)
† Russell, Dean (Watford) (Con)
† Sunderland, James (Bracknell) (Con)
Thomson, Richard (Gordon) (SNP)
† Warman, Matt (Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport)
West, Catherine (Hornsey and Wood Green) (Lab)
† Wild, James (North West Norfolk) (Con)
Sarah Thatcher, Huw Yardley, Committee Clerks
† attended the Committee
Public Bill Committee
Tuesday 26 January 2021
(Morning)
[Mr Philip Hollobone in the Chair]
Telecommunications (Security) Bill
The Chair
Before we begin, I have a few preliminary points. Please switch electronic devices to silent. Tea and coffee are not allowed during sittings. I remind Members about the importance of social distancing. Spaces for Members are clearly marked. I also remind Members that Mr Speaker has stated that masks should be worn in Committee. The Hansard reporters would be grateful if Members could email any electronic copies of their speaking notes to hansardnotes@parliament.uk.
Today we continue line-by-line consideration of the Bill. The selection list for today’s sitting is available in the room. It shows how the selected amendments have been grouped for debate. Amendments grouped together are generally on the same or a similar issue. Please note that decisions on amendments do not take place in the order they are debated, but in the order they appear on the amendment paper. The selection and grouping list shows the order of debates. Decisions on each amendment are taken when we come to the clause to which the amendment relates.
Clause 6
Powers of OFCOM to assess compliance with security duties
Question proposed, That the clause stand part of the Bill.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
It is a pleasure to be back under your chairmanship, Mr Hollobone. As we discussed during the debate on amendments to this clause in our previous sitting, clause 6 inserts proposed new sections 105N to R, providing Ofcom with strengthened powers to assess whether providers of public electronic communications networks and services are complying with their security duty. These powers are vital to enable Ofcom to fulfil its expanded and more active role, giving it the tools to monitor and assess providers’ compliance with the new telecoms security framework and providing the basis for commencing any enforcement action.
Proposed new section 105O provides the power to give assessment notices to a provider. Assessment notices may impose a duty on a provider to do a number of different things, which I will briefly summarise. First, providers can be required to carry out, or arrange for another person to carry out, technical testing in relation to their network or service. Secondly, they can be required to make staff available to be interviewed, enabling Ofcom to gain insights into how a provider’s security practices and policies are implemented.
Thirdly, providers can be required to allow an Ofcom employee or an assessor authorised by Ofcom to enter their premises to view documents or equipment. I recognise that that is a significant power, but it is necessary. It is subject to certain restrictions to protect legally privileged information and to limit entry to non-domestic premises only. To provide clarity for telecoms providers, Ofcom will also publish guidance setting out how and when it will use the power. Importantly, providers have a right of appeal.
The powers of assessment set out in the clause are key to enabling Ofcom to carry out the effective and extensive monitoring and assessment of providers’ security practices that is necessary.
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
It is a pleasure to serve under your chairmanship, Mr Hollobone, and to come back to this important Bill. I thank the Minister for writing to me and reassuring me on certain matters relevant to the clause. We accept the need for Ofcom to have powers to require information from vendors, but we would like a specific requirement whereby Ofcom can ask vendors for information on the diversity of their supply chains. I will leave further discussion on that for our new clauses. I will support this clause.
Question put and agreed to.
Clause 6 accordingly ordered to stand part of the Bill.
Clause 7
Powers of OFCOM to enforce compliance with security duties
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Clause 8 stand part.
Clause 9 stand part.
Clause 10 stand part.
Matt Warman
I will seek to move relatively rapidly through these four clauses.
Clause 7 provides Ofcom with enforcement powers in relation to providers’ security duties. The Bill gives Ofcom new powers to impose tough financial penalties on providers who breach their security duties. The penalties range to a maximum fine of 10% of a provider’s annual turnover, which is in line with the maximum fines available for breaching other regulatory requirements. For continuing contraventions, Ofcom can levy a daily penalty of up to £100,000. Penalties that are generally lower than that but still significant will also apply for contravening information requirements, which are subject to a maximum penalty of £10 million or, for a continuing contravention, a penalty of up to £50,000 per day. These penalties ensure that there will be a real financial deterrent to poor security practices. I should also say that, in the most serious cases, or in cases where a provider repeatedly contravenes its security duties, Ofcom would be able to use existing powers to suspend or restrict the provider’s entitlements to provide a network or service. Clearly, that is a step that we hope the regulator will never need to take.
The clause also gives Ofcom an important new power to take action where security is being compromised or is at imminent risk of being compromised. Proposed new sections 105U and 105V of the Communications Act 2003 would enable Ofcom to direct a provider to take interim steps to secure its network or service while Ofcom investigates or pursues further action. This power recognises that contravention of a security duty could result in a security compromise that causes real damage to users of that network or service. Where Ofcom uses that power, it will be required to commence and complete the enforcement process as soon as is reasonably practicable. The clause gives Ofcom the tools it needs to effectively enforce compliance with the new security framework.
Clause 8 sets out the position for bringing civil claims against providers who breach their security duties, which is a matter we touched on in earlier debates. It enables providers to be held accountable not just by Ofcom but by service users, such as members of the public, in cases where loss or damage is sustained by those users as the result of a breach of a duty. Providers owe a duty to any person who may be affected by a contravention of their security duties to take security measures, to comply with specific security duties in any regulations and to inform users of security compromises.
This clause allows any affected person to take legal action should providers breach those security duties. However, any affected person can bring legal proceedings against a provider only with the consent of Ofcom, which may be subject to conditions relating to the conduct of the legal action. This reflects the existing position in the Communications Act 2003 and ensures that providers face legal action only in appropriate circumstances. The clause also makes providers responsible to their users, providing another source of accountability. It allows users to bring legal claims for any losses they have suffered, which is only fair and reasonable.
Clause 9 addresses the interaction between provisions in the Bill and other legislation, specifically national security, law enforcement and prisons legislation. The security duties created by the Bill do not conflict with duties imposed on communications providers by other legislation via these clauses. Equally, we do not want the Bill to affect adversely the important work carried out by our law enforcement agencies, criminal justice authorities and intelligence agencies. The clause gives that clarity to providers about their responsibilities.
Finally, clause 10 requires that Ofcom publish a statement of policy about how it will fulfil its general duty and use specific powers to ensure that providers comply with their security duties. This will provide welcome clarity to industry about the expected use of important new powers. I beg to move that these clauses stand part of the Bill.
Chi Onwurah
I will not detain the Committee long, as we are cracking on through the clauses. I will only emphasise that these clauses give Ofcom broad powers—very broad powers—and measures of enforcement, as well as placing duties on the network operators to all users of their network services. We support these broad powers, but it is incumbent on the Minister and indeed on the Committee to consider whether those powers will receive sufficient scrutiny, and sufficient oversight and input from our security services. We anticipate debating those particular questions in more detail later today. In the meantime, we will not stand in the way of these clauses standing part of the Bill.
Question put and agreed to.
Clause 7 accordingly ordered to stand part of the Bill.
Clauses 8 to 10 ordered to stand part of the Bill.
Clause 11
Reporting on matters related to security
Chi Onwurah
I beg to move amendment 14, in clause 11, page18, line 26, at end insert—
“(aa) an assessment of the impact on security of changes to the diversity of the supply chain for network equipment;”
This amendment requires that network supply chain diversification is included in Ofcom reports on security.
The Chair
With this it will be convenient to discuss the following:
Clause stand part.
Clause 12 stand part.
Clause 13 stand part.
Chi Onwurah
We start this debate where we ended our sitting on Thursday, on the diversity of the supply chain. But this is not groundhog day; this is a very different aspect of the diversity of the supply chain. I hope the Minister has noticed that there are three themes to our amendment: national security, diversity of the supply chain and appropriate scrutiny. Those are our key concerns about the Bill as it stands.
We wish to see the Bill debated as speedily as possible. For the record, I reiterate my concern that, in the midst of a pandemic lockdown, where the advice is to stay at home, the Leader of the House requires that Members of Parliament should congregate in one room for several hours. With that in mind, we are cracking on as quickly as possible, and we have made significant progress only this morning. However, we feel strongly that, given the speed at which we are providing the appropriate scrutiny, more time should be devoted to debating the Bill on the Floor of the House. We are cracking on in order to protect, as far as we can, the public health of Members of Parliament, staff, House officials and Clerks, who are doing an amazing job in the midst of a pandemic.
Clause 11 makes provision for reporting by Ofcom on security matters. That includes a duty to provide an annual security report to the Secretary of State. Amendment 14, in my name and those of my right hon. and hon. Friends, requires that network supply chain diversification is included in Ofcom’s report on security. As I said, we anticipate having a broader debate this afternoon on the importance of the diversification of the supply chain to security, as part of the debates on our new clauses, so I will only summarise our key points and concerns now.
This amendment follows amendment 13, which sought to give Ofcom the power to request reports from operators on their supply and the progress of their supply chain diversification. We support steps to remove high-risk vendors from the UK networks, but they must go hand in hand with credible measures to diversify the supply chain. I am afraid it remains the fact that we have no reference to the diversification of the supply chain in the Bill, despite the fact that, as I will briefly outline, both the Secretary of State and experts during our evidence sessions emphasised that we could not have network security without effective diversification.
We cannot have a robust and secure network with only two service providers. Supply chain diversification is absolutely vital to protecting our national security. If a vulnerability exists in one vendor or service provider, that intrusion may be limited to that one vendor or service provider alone. A diversity of suppliers in the supply chain limits the exposure of vital information. This amendment ensures that network supply chain diversification is addressed in Ofcom’s report on security. My key question to the Minister is, how can Ofcom report on security if it is not reporting on supply chain diversification?
The Minister may well say that Ofcom has the power to report on supply chain diversification and to request information on supply chain diversification. As I have said on a number of occasions, the powers in the Bill are broad. That is why effective scrutiny requires some specification of what will be reported upon.
The security report to the Secretary of State should be made as
“soon as practicable after the end of each reporting period”
and
“must contain… information and advice… to assist the Secretary of State in the formulation of policy”.
It must also include the extent to which providers have complied with security duties. That is as an example of some of what may be included in the security report. Given that the Secretary of State has said on a number of occasions that supply chain diversification goes hand in hand with the security of the network, it is essential that supply chain diversification is specifically mentioned in the Bill, so that we can have accurate and detailed reports from Ofcom on key aspects of network security.
The amendment will help provide the Secretary of State with the information to update Parliament on the progress of the Government’s diversification strategy, depending on Ofcom’s findings. The Secretary of State has promised to give Parliament such updates, so this is an enabling amendment to ensure that the Secretary of State has the information he needs to provide the reporting that he has committed to.
In support of the amendment, I would like to cite one of the witnesses in our evidence sessions. Dr Alexi Drew, from Kings College, London, was asked whether it was possible to have a secure network without a diverse supply chain, and answered:
“That is a great question that comes with a very simple answer: no. The worst-case scenario for creating a risk in this sense is when monopoly meets supply chain—insecure supply chain in this case. Arguably, the reason why SolarWinds was so successful is that it provided the same service to so many different organisations and departments in the United States. Therefore, if you access one—SolarWinds—you access almost all. That is the risk.”—[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 87, Q110.]
That is a risk that, I am sorry to say, the Bill currently does not sufficiently address. I hope that, by accepting this amendment, the Minister will recognise that we are, as always, seeking to improve the Bill and to ensure that it provides a credible and effective means to secure our networks.
With regard to clauses 11, 12 and 13 stand part, we recognise the importance of providing Ofcom with the appropriate powers to request information, but also to share information related to security. In that respect, these provisions are ones that we can support.
Matt Warman
I welcome the spirit of the amendment. I think that the hon. Lady and I share the same ambition. I know that she wants to have the proper debate later, so we look forward to that.
Clause 11 inserts into the Communications Act 2003 proposed new section 105Z, which deals with Ofcom’s reports on security. It requires Ofcom to produce such reports within two years of the Bill receiving Royal Assent and every 12 months thereafter. As the hon. Lady said, amendment 14 is similar to the amendment to clause 6 that we discussed previously. Ultimately, when considering Ofcom’s role and specifically its reporting function, we should note that proposed new section 105Z(2) requires Ofcom security reports to include such information and advice as Ofcom considers may best assist the Secretary of State in the formulation of policy on telecoms security. That could go beyond the list in proposed new subsection (4) to include other relevant information, such as that related to diversification. The Secretary of State can also direct Ofcom to include information that goes beyond that list.
As the Committee and, indeed, Ofcom will be well aware, the Government have recently published a targeted diversification strategy, which will deliver lasting and meaningful change in the 5G supply chain and pave the way for a vibrant, innovative and dynamic supply market. We heard widespread support for the strategy from witnesses during the oral evidence sessions. The strategy demonstrates our commitment to building a healthy supply market and is backed by a £250 million initial investment.
We have publicly announced that the Government will be funding the creation of a UK telecoms lab to research and test new ways of increasing security and interoperability, and we are already partnering with Ofcom and Digital Catapult to fund the industry-facing test facility SONIC—the SmartRAN Open Network Interoperability Centre. Both of those will play a key part in our investment in diversification and demonstrate Ofcom’s existing part in it.
As already mentioned, amendment 14 would require Ofcom to include in its security reports
“an assessment of the impact on security of”
any
“changes to the diversity of the supply chain for network equipment”.
As that requirement is already essentially covered by Ofcom’s existing powers, the amendment is not necessary. The inclusion of any such information is already within Ofcom’s discretion, but I am sure that we will discuss it more later on, as the hon. Lady said.
Clause 12 expands Ofcom’s information-gathering powers for the purposes of its security functions and enhances its ability to share the information with the Government. It enables Ofcom to require a provider to produce, generate, collect or retain security information, and then to analyse that information. Any information sought using this power must always be proportionate to how Ofcom will use it.
Clause 13 makes provision in connection with the standard of review applied by the Competition Appeal Tribunal in appeals against certain of Ofcom’s security-related decisions. Ofcom’s regulatory decisions are subject to a right of appeal to the tribunal, and that will also be the case for most of Ofcom’s decisions relating to the exercise of its regulatory powers conferred by the Bill. This clause makes provision to ensure that the tribunal is not required to modify its approach in appeals against relevant security decisions, and should instead apply ordinary judicial review principles.
I hope that I have sufficiently explained to the Committee why amendment 14 is unnecessary and why clauses 11 to 13 as drafted should stand part of the Bill.
Chi Onwurah
I thank the Minister for his comments. Although we agree on many things in many areas, I think that in this case he is trying to have his cake and eat it, inasmuch as he is saying that amendment 14 is not necessary because Ofcom already has the powers, but he is reluctant or is refusing to specify that those powers will be used for the objective of reporting on the progress of diversification of the supply chain. It was good to hear the Minister reiterate the importance of diversification of the supply chain, but I remain confused about whether he agrees with the evidence and, indeed, with his own Secretary of State that diversification of the supply chain is a prerequisite of the security of our networks and, indeed, our national security—that is what we are discussing with regard to our telecoms networks. If diversification is a prerequisite, why is the Minister so reluctant to refer to it? If he is so confident in the plan to diversify our supply chains, why is he so reluctant to insert any requirements to report on the progress of that diversification?
I listened intently: the Minister said that Ofcom has the powers to report on whatever it considers to be relevant to security. During the evidence session, we heard from Ofcom itself, very clearly and repeatedly, that it is not for Ofcom to make decisions on national security. It will not make national security decisions. That is not within its remit and responsibilities; the witnesses from Ofcom stated that repeatedly and clearly. I would be happy to read from Hansard if that point is in question. Given that Ofcom will not make security decisions and that the diversification of the supply chain is essential for security, I am at a loss to understand why the Minister will not accept a reference to reporting on the progress of diversification. Although, unfortunately, the pandemic means that we are not at full strength on the Opposition side of the Committee, I wish to test the will of the Committee on the amendment.
Question put, That the amendment be made.
Clause 11 ordered to stand part of the Bill.
Clauses 12 and 13 ordered to stand part of the Bill.
Clause 14
Reviews of sections 1 to 13
Chi Onwurah
I beg to move amendment 15, in clause 14, page 21, line 28, leave out from beginning to end of line 30 and insert—
“(3) The reports must be published not more than 12 months apart for the first 5 years, then not more than 5 years apart.
(4) The first report must be published within the period of 12 months beginning with the day on which this Act is passed.”.
This amendment requires the Secretary of State to report on the impact and effectiveness of clauses 1 to 13 every year for the first five years after the Act is passed, and then every five years following.
The amendment reflects another of our key concerns about the Bill, which is the level and extent of appropriate scrutiny for such broad and sweeping powers. It seeks to ensure appropriate scrutiny. Clause 14 requires the Secretary of State to review the impact and effectiveness of clauses 1 to 13 at least every five years. Our amendment would require the report to be published every year for the first five years after the legislation is passed, and then up to every five years after that.
As we have said, the Bill gives the Secretary of State and Ofcom sweeping powers. We want to ensure both that they are proportionate and that there is accountability. As we have previously emphasised, we are sure that the Minister and the Secretary of State are inclined to exercise the powers in a proportionate and accountable way, but they will not be in their posts forever, and perhaps not for the entire first five years of the legislation’s operation, so it is important that the Bill requires that Parliament be able to scrutinise its effectiveness, as that is so important to our national security. In that sense, this amendment follows amendments 5, 9 and 10 with respect to the requirement for appropriate oversight and accountability.
I emphasise—I am sure that you will understand, Mr Hollobone—that in some ways we are here because of a lack of effective parliamentary scrutiny of the presence and growth of high-risk vendors in our networks. It was only when Parliament became aware of and was able to give its full-throated input on concerns about the dominance of high-risk vendors in our telecommunications market that the Government took action. We do not want to be in the position of finding again that there has been a dramatic change in the security of our networks without appropriate scrutiny.
Clause 14 states that the Secretary of State must
“carry out reviews of…impact and effectiveness”
and that the report must be laid before Parliament for parliamentary scrutiny. However, we are to wait up to five years before it will be made possible to give parliamentary scrutiny to a Bill that is so important to national security, as both the Minister and the Secretary of State, and indeed the security services, have emphasised. We are not to review its effectiveness for five years.
Sara Britcliffe (Hyndburn) (Con)
Does not the clause state that the period is up to five years? The review could be done during that period; it would not have to be at the five-year mark every time.
Chi Onwurah
The hon. Lady is absolutely right. The clause enables the Minister or Secretary of State to choose to lay a report more frequently. Again, I do not want to impute anything against the Minister or the Secretary of State, but given the importance of the subject and of parliamentary review, why not ensure that it is more frequent?
I am sure that the hon. Lady will agree that Parliament has many things to consider, and so does the Secretary of State. There is competition for parliamentary time, particularly in a pandemic and in view of the challenges that we shall face in the next few years. How can I put this? We have concerns that the priority may slip in the face of, for example, economic challenges, investment challenges and recovery challenges. We want to be sure what is happening. We are the party of national security and we want to ensure that, in this context, national security is brought to Parliament to be debated, discussed and reviewed at least every year.
I have outlined the importance of parliamentary scrutiny as part of our wish to do that, but we should also consider what might happen in the next five years, before the first review mandated by the Bill. We have seen vast technical, technological and geopolitical shifts in the last five years. We face security challenges from China and Russia, and terrorist threats in a complex security environment. I am sure the Minister does not anticipate that those hostile actors against whom the measures in the Bill securing our networks are primarily directed will not respond; they will do so. We cannot imagine that we will take these measures to secure our networks against those who seek to attack or undermine our telecommunications capability in their own interests and they will not respond in some way. As it stands, the first review of that response could be five years after it has happened.
In addition, specifically with regard to the hope on which the Government might be placing an unjustified amount of assurance in diversifying our supply chains using open radio access network technology, we heard from witnesses that the next five years are key. The next five years will be the period in which we will see—or not see—the maturity of open RAN technology. There was a discussion about whether open RAN will be a viable and credible alternative in the next year, two years, three years or four years. While there are technological changes and the maturity of open RAN is in question, spending the next five years without having a review of its effectiveness seems to me to lack appropriate oversight.
There is support for increased review measures. We heard from Derek McManus, the chief operating officer of O2, about the evolution of open RAN. He said:
“There are trials in the UK…it will be at least a couple of years before you have a viable technical and commercial product, focused initially on rural.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 11, Q5.]
As things stand, that period could pass without any review or report. We also heard from Emily Taylor, the chief executive of Oxford Information Labs, who said:
“Imagine if we were sitting here, in five or 10 years’ time, lamenting the fact that the equipment market is now dominated by Microsoft and Google. I am just making that up as a hypothetical example—I have no knowledge to back that up—but those are the companies that have the sufficient scale and skills, and as Chi Onwurah said in her question we are moving to a more hybrid network, where skills in cloud computing and software are going to define the success of the player.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 77, Q92.]
I am quoting someone quoting me, who says that
“skills in cloud computing and software are going to define…success”
but we are going to wait five years to review, when, as I am sure the Minister is well aware, given his background, five years could be five technological generations in this area.
The next five years will be key to the maturation of the technologies about which the Minister has so many hopes to help with the diversification of our supply chain and in terms of the global security and geopolitical environment and landscape, yet we have no requirement for reporting or accountability during that time. That is what the amendment is designed to change.
Matt Warman
I listen with interest to the points that the hon. Lady makes, and to the assertion that she is a member of the party of national security. I welcome her to this side of the House, if that is the case. [Interruption.] Thank you, but no.
As the hon. Lady says, clause 14 is a review clause requiring the impact and effectiveness of clauses 1 to 13 to be reviewed at least every five years by the Secretary of State. The review report must be published and laid before Parliament, but it is by no means the only source of parliament scrutiny, as she knows. Her amendment would increase the frequency of these reports to every year for the first five years after the Bill is passed and then every five years thereafter.
Increasing the frequency of the reports would bring its own challenges for a number of reasons. First, the framework is considerably different from the previous security regime in the Communications Act 2003. It seems to me that we will not be able fully to assess the impact and effectiveness of the new security regime instituted by clauses 1 to 13 until all parts of the framework, including secondary legislation, codes of practice and other things, have been in place for a reasonable period of time. The code of practice that will provide guidance on the detailed security measures that telecoms could take is intended to set clear implementation timelines. Some measures may require significant operational change, as we heard in the evidence sessions for telecoms providers, and we are aware that that may be costly. For that reason, we cannot reasonably expect all changes to be implemented instantly or, indeed, all necessarily at the same time.
There is a further practical difficulty with the amendment. If the first report is to be produced 12 months after Royal Assent, it will require the review to be undertaken well in advance of that deadline. That means that the report will represent an incomplete picture of the Bill’s impact, even at its very first production. Some measures will not even have been implemented by telecoms providers.
My hon. Friend the Member for Hyndburn was exactly right that the current requirement for publishing reports is at least—rather than at most—every five years. We have been deliberate in our choice of this timeframe because five years is the reasonable point by which we expect the majority of telecoms providers to have implemented most, if not all, changes. It is therefore considered appropriate to require a report on the impact and effectiveness of the framework by that time. I recognise that five years is a long time. That does not mean that the framework will be free from scrutiny in the intervening period. As clause 11(3) sets out, the Bill amends section 134B of the Communications Act so that Ofcom’s regular infrastructure reports will include information on public telecoms providers’ compliance with the new security framework. Ofcom publishes the reports annually, rendering the amendment unnecessary.
Chi Onwurah
On a point of clarification, I have the impression that the Minister anticipates that the first report under the Bill would only happen once all the requirements had been implemented. I think that that implies that it would only happen once a high-risk vendor, specifically Huawei, had been removed from the network.
Matt Warman
No is the short answer, because while this is a progress report, five years from 2021 is 2026—the deadline is 2027, even at the most extreme end, which is not where we anticipate it will end up—and it would be before the point that she identifies.
The infrastructure reports from Ofcom will help to provide Parliament and the public with a view on how telecoms providers are progressing with compliance with the new framework. As I alluded to earlier, they are not the only means of parliamentary scrutiny. We have the Intelligence and Security Committee and we have Select Committees. I suspect that there might be one or two debates on this matter over the next five years as well. To pretend that this is the only method of parliamentary scrutiny is not accurate.
Chi Onwurah
If the Minister will give way briefly, he may find it saves time. To clarify: for the first report we will not necessarily have to wait until all the provisions of delegated legislation associated with the Bill are in place. As for the infrastructure reports that Ofcom publishes, to which he refers as a form of alternative scrutiny, will they, might they or will they not reflect progress in the diversification of the supply chain?
Matt Warman
The hon. Lady asks me to predict what is in a report that has not been written yet by an organisation that is not a Government Department. I agree with the principle of what she is saying. This is an important aspect and one would reasonably expect it to be reflected in the reports that we have talked about. It is, however, important overall to say that Ofcom’s own regular infrastructure reports will, as I have said, include information on public telecoms providers’ compliance with the new security framework, which is the broadest interpretation and gives a huge amount of latitude for the sorts of information that she seeks. I hope that those infrastructure reports will help to provide Parliament with the kind of scrutiny that she seeks, and the public with the kind of scrutiny that we all seek. [Interruption.] For those reasons I hope that she will withdraw the amendment.
Chi Onwurah
I thank my right hon. Friend the Member for North Durham for an exciting intervention from his phone, and I thank the Minister for his comments. As I think I have said, I spent six years working for Ofcom with the Communications Act 2003 on my desk. I know the importance that our independent regulator places on the words of the Minister during such debates as this. As he has indicated that the reports would do well to include reference to everything that appertains to security, including the diversification of supply chain, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 14 ordered to stand part of the Bill.
Clause 15
Designated vendor directions
Mr Kevan Jones (North Durham) (Lab)
I beg to move amendment 16, in clause 15, page 22, line 12, at end insert—
“(2A) When considering whether a designated vendor direction is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
This amendment would require the Secretary of State to give due priority to advice provided by the Intelligence Services (including the National Cyber Security Centre as part of GCHQ) when considering when to issue a designated vendor direction.
The Chair
With this it will be convenient to discuss the following:
Amendment 17, in clause 16, page 27, line 8, at end insert—
“(3A) When considering whether a designation notice is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
This amendment would require the Secretary of State to give due priority to advice provided by the Intelligence Services (including the National Cyber Security Centre as part of GCHQ) when considering whether to issue a designation notice.
Amendment 18, in clause 16, page 28, line 3, at end insert—
“(m) the person’s control of data flows.”
This amendment requires the Secretary of State to consider a person’s potential control of data flows when issuing a designation notice.
Clause 16 stand part.
Amendment 19, in clause 17, page 29, line 19, at end insert
“, together with an assessment of the impact the designation notice will have on supply chain diversity;”.
This amendment requires the Secretary of State to lay before Parliament a report on the impact a designation notice will have on telecoms market supply chain diversity, enabling parliamentary scrutiny.
Mr Jones
I thought I would bring some light relief to the Committee’s proceedings. Amendments 16 and 17 are both probing amendments. I might sound like a broken record, but they are really just to ensure that we get a situation where the necessary advice is taken. Amendment 16 states:
“When considering whether a designated vendor direction is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
I accept that the entire purpose of the Bill is to have national security at its heart, but I still have a nagging doubt about whether Ofcom will be able to put national security at the heart of its considerations.
Amendment 17 states:
“When considering whether a designation notice is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
This is an attempt to future-proof the Bill. As I mentioned the other day, when we pass legislation in this place it is important that it outlives present Ministers, and us all. Unfortunately, there is form on this—look at the Intelligence and Security Committee’s 2013 report on critical national infrastructure. I accept it was then the Cabinet Office, not Ofcom, that dealt with this, but when BT negotiated its contract with Huawei, the Cabinet Office was told about it but did not feel it necessary to tell Ministers for another three years, until 2006. I am concerned that national security will not be at the forefront when people look at such matters. The amendment is really just to ensure that that takes place, and codifies it into law.
I do not wish to criticise civil servants in any way, but having been a Minister myself, I know they sometimes have a tendency not to put forward things that might have a political dimension that they do not recognise. That is why it is important for national security that the Secretary of State has first-hand knowledge and information directly from the security services. We have very effective security services in this country—I pay tribute to them—but we also have the Cabinet Office. I know the Minister might think I am a bit obsessive, but I am sure he has come up against the buffer of the Cabinet Office, which seems to want to intervene in everything and anything that does not really concern it.
The Secretary of State should have access directly to the security information and should not have to go through the filter of the Cabinet Office or Ofcom. I accept the assurances that the Minister gave about Ofcom’s ability to give advice and work closely with the security services, and these are probing amendments. I am interested in what he says about how we can ensure that when the Secretary of State takes a decision, national security is at its heart, and that he or she got it straight from the horse’s mouth—in other words, from the security services—rather than its being filtered through the membrane that sometimes exists in Whitehall.
Matt Warman
I thank the right hon. Gentleman for his contribution to the debate. He has talked so much about my impermanence that I felt lucky to come back today, never mind any time in the future. He makes a reasonable point, with which I broadly sympathise. As this is a broad grouping that covers clauses 15 and 16 and the amendments to clauses 15, 16 and 17, I will discuss the policy intention behind the clauses in sequence, and address the amendments.
As the right hon. Gentleman said, it is obviously an opportune moment to pay tribute to the heroic work of our national security services. The Bill emphasises the importance of their advice, and it empowers the Government to manage the presence of high-risk vendors in our networks. The report to which he refers is important, but it is also important to say that it was published, as he said, in 2013. It related almost entirely to events that took place under Labour, and it predates the existence of the National Cyber Security Centre, so we are dealing to some extent with a different world. I will go into a bit of detail on that.
As the right hon. Gentleman knows, the Government announced in January last year that new restrictions should be placed on the use of high-risk vendors in the UK’s 5G and full-fibre networks. In July 2010, the Government worked with the NCSC to update the guidance following action taken by the US Government in relation to Huawei. Clauses 15 to 17 provide the principal powers that the Government need to manage the risks posed by high-risk vendors. Without such powers, the guidance issued to industry will remain unenforceable and therefore present a risk to national security.
Mr Jones
I accept what the Minister says about the report, but its key point was that civil servants basically decided not to tell Ministers. On his explanation and the way forward, or what has changed since, how can we avoid a situation whereby Cabinet Office civil servants take the decision not to tell Ministers? How can we ensure that that will not happen again?
Matt Warman
In short, the right hon. Gentleman is challenging the fundamental effectiveness of Government and the judgments that were made by officials at the time. I simply say that it is the duty of Government to ensure that such errors are not made in future. That cannot be done solely by legislative means; it must be done by custom and practice. The right hon. Gentleman understands, through his work on the ISC, that the role of those close working relationships is in some ways far more important in the day-to-day security issues that we are dealing with. Perhaps we can return to that point later.
The Bill will allow the Secretary of State to issue designated vendor directions, imposing controls on the use of goods, services or facilities that are supplied, provided or made available by designated vendors. The Secretary of State may issue such directions only where it is necessary to do so in the interests of national security and proportionate to the aims sought to be achieved.
Amendment 16, which would amend clause 15, seeks to place a statutory requirement on the Secretary of State to take into account advice from our intelligence services when considering whether to issue a designated vendor direction. Amendment 17, which would amend clause 16, seeks to place a similar requirement when considering a designation notice.
I should reassure hon. Members that the Secretary of State, as the right hon. Member for North Durham knows, has every intention of seeking the advice of our security and intelligence services, as would any Secretary of State, in particular the NCSC, when considering whether to issue a designated vendor direction or designation notice.
It is also worth saying, from a scrutiny point of view, that the Department for Digital, Culture, Media and Sport maintains an excellent relationship with the NCSC. We are scrutinised by the Select Committee on Digital, Culture, Media and Sport and I have appeared before the Intelligence and Security Committee, as the right hon. Gentleman knows. There are many examples in the Bill where the NCSC’s expert advice has been taken into account.
The UK telecoms supply chain review, on which the Bill is based, was the product of the close working relationship between the Department for Digital, Culture, Media and Sport and the NCSC. In a sense, that close working relationship demonstrates that matters have moved on substantively since 2013.
I draw hon. Members’ attention to the illustrative notices that we published in November last year. The NCSC was closely involved in the drafting of those illustrative notices. It will also be involved in the drafting of direction and designation notices once the Bill has been enacted . Given the demonstrable success of our collaboration with the NCSC thus far, I hope that the right hon. Gentleman will be satisfied with that explanation, although I appreciate that he introduced a probing amendment.
Clause 15 would create the new power for the Secretary of State to issue designated vendor directions to public communications providers, in the interests of national security. Although clauses 15 and 16 are distinct, they are complementary. Directions cannot be issued without identification of a designated vendor and designations have no effect unless directions are given to public communications providers. Clause 15 inserts new sections 105Z1 to 105Z7 into the Communications Act 2003 and amends section 151 for that purpose.
The clause will enable the Government’s announcements in 2020 on the use of high-risk vendors to be given legal effect. Those announcements include advice that require a public telecoms provider to exclude Huawei from their 5G networks by 2027, and stop installing new Huawei goods, services or facilities in 5G networks from September 2021. It will also enable the Government to address risks that might be posed by future high-risk vendors, helping to ensure our telecoms networks are safe and secure.
Proposed new section 105Z1 sets out the direction power. It would allow the Secretary of State to give a designated vendor direction to a provider, imposing requirements on their use of goods, services or facilities supplied by a specified designated vendor. Proposed new section 105Z2 provides further details on the types of requirements that may be imposed in a designated vendor direction. Proposed new section 105Z3 sets out the consultation requirements and expectations for public communications providers. Proposed new section 105Z4 sets out a requirement for the Secretary of State to provide a copy of a direction to the designated vendor or vendors, specified in a direction and, hence, affected by it. Proposed new sections 105Z5 and 105Z6 set out when and how the Secretary of State may vary or revoke a direction. Lastly, 105Z7 enables the Secretary of State to require a public communications provider to provide a plan setting out the steps that it intends to take to comply with any requirements set out in a direction and the timings of those steps.
Although the Government have made specific announcements on Huawei, the high-risk vendor policy has not been designed around one company, country or threat. The designated vendor direction power, as set out in these provisions, is intended to be an enduring and flexible power, enabling the Government to manage the risks posed to telecoms networks both now and in the future.
Clause 16 includes a non-exhaustive list of matters to which the Secretary of State may have regard when considering whether to issue a designation notice. Amendment 18 seeks to amend that clause by adding a person’s control of data flows to the list of matters to which the Secretary of State may have regard. However, nothing in the clause prevents the Secretary of State from considering control of data flows before issuing a designation notice already, if the matter were deemed relevant to the assessment of national security. It is already covered and so is not required as a stand-alone measure.
The clause creates a power for the Secretary of State to issue a designation notice, which designates a vendor for the purposes of issuing a designated vendor direction. Proposed new section 105Z8 is the principal measure of the clause, and sets out the power for the Secretary of State to designate specific vendors where necessary in the interests of national security. A designation notice must specify the reasons for designation unless the Secretary of State considers that doing so would be contrary to the interests of national security. The proposed new section also lists the primary factors that may be taken into account by the Secretary of State when considering whether to designate a vendor on national security grounds.
Finally in this group, amendment 19 would require the Secretary of State, when laying a designation noticed before Parliament, also to lay before Parliament a report detailing the impact that the designation notice might have on the diversity of the UK’s telecoms supply chain. The effect of the amendment would be to require the Secretary of State to lay a report purely on the impact of the designation notice, but a designation notice simply notifies vendors that the Government consider them a risk to national security.
Only when the designation notice is issued alongside a designated vendor direction are controls placed on the use of a designated vendor’s goods, services and facilities by public communication providers, so it is those controls that might have an impact on the diversity of the supply chain. I can reassure the Committee that the Government will consider the diversity of the supply chain before issuing designation notices and designated vendor directions. A lack of diversity is in itself a risk to the security of a network. I hope that answers the question that the hon. Member for Newcastle upon Tyne Central asked in regard to an earlier amendment. It is right that the Government consider that risk before deciding whether to issue designation notices and designated vendor directions.
To conclude, clauses 15 and 16 provide us with the ability to improve the security of our telecommunications networks and to manage the risks relating to high-risk vendors, both now and in the future.
Chi Onwurah
I will speak to amendments 18 and 19, standing in my name and those of my hon. Friends, and to clauses 15 to 17. As the Minister set out, the clauses are about key powers in the Bill that seek to secure our networks and to regularise requirements already in place, albeit informally or not legally, to remove Huawei as a specific high-risk vendor from our networks. The clauses give Government the powers to do what they have said they will do.
On the clauses, I will not repeat what the Minister said, and I congratulate him on clearly setting out their powers, which the Opposition believe are necessary. I also join the Minister and my right hon. Friend the Member for North Durham in paying tribute to our security services, which do such great work to keep us secure across a wide range of threats and challenges—both present and evolving—and on whose continued work and effectiveness the Bill is highly dependent. As my right hon. Friend set out, we want to ensure that national security is absolutely at the heart of the Bill.
As the Minister set out, the clauses are rightly not specific to Huawei or any vendor or country of origin. It is also important, as the Minister clarified to me in a letter, that they sit in addition to the current process for identifying and designating high-risk vendors and then issuing designated vendor directions, which set out how a designated vendor is to be treated and are critical to ensuring that we do not again find ourselves in a position where we have a high-risk vendor dominant in our telecommunications networks.
Although I accept that the clauses were not designed for Huawei, as is right, the Minister and the Committee must recognise that their impact will be different for Huawei and for future vendors. Parliament and the sector have spent some years considering the level of risk posed by Huawei specifically, and we have spent some time in this Committee discussing the impact of removing Huawei on the diversity of our supply chain. We have agreement from the Secretary of State, the sector and experts that that leaves us in a position where we have only two vendors, effectively, which is not, as the Minister set out, an acceptable position.
Any further designated vendor notices after the one to deal with Huawei will have a considerable impact and will require considerable consultation. We are in a position now where our telecommunications networks supply chains are not diverse or resilient; that is the general consensus. A further designated vendor notice will therefore have a significant impact on the progress of the diversification of our supply chains, which I do not feel is adequately reflected in the Bill or the debate around it. That is partially what our amendments seek to probe.
We are quite focused on Huawei and the process that got us into the mess that we are in at the moment, having to rip a vendor out of our existing networks. I am not sure that we are sufficiently focused on what will happen in the future should there be a need to designate another vendor, perhaps from a hostile state or perhaps not, because of the impact on security. Our amendments probe whether there is sufficient understanding there.
Amendment 18 amends the list of concerns in clause 16 to which the Secretary of State must pay attention when issuing a designation notice, by adding,
“the person’s control of data flows.”
The list is already quite long, at about 40 lines, and includes,
“the nature of the goods… the reliability of the supply of those goods… the extent to which and the manner in which goods, services or facilities supplied, provided or made available by the person are or might be used in the United Kingdom”.
Our concern, which we are highlighting, is whether those are sufficiently forward-looking, whether we are—as was suggested in evidence sessions—fixated on Huawei, the current architecture and current major security threats, and whether we are looking forward to the evolving security threats. That is because—as we have said and I will repeat—the Labour party puts national security at the heart of our scrutiny of this Bill, as the party of national security, a priority which is above the economic considerations that have too often been prioritised above our national security.
Our concern is that failings in the Bill show that the Government may take risks with the security critical network infrastructure and, as part of that, with our long-term economic security. Data is absolutely central to the information economy, which is the economy. Almost all digital services gather personal data and use it for commercial purposes. Data is often described as the new oil. I prefer to call it the engine of our economy. The international and national flows of data are critical to our security, as well as to our economy. We would like the Minister to explain that the protection for UK data flows is recognised as a threat, which is taken into account by the Secretary of State when considering designation notices.
One reason behind the amendment is what we heard from the Committee’s expert witnesses. In response to my question about different aspects of network security that might not be fully addressed by the Bill as it stands, Dr Louise Bennett, the director of the Digital Policy Alliance, said:
“I think most people would agree that the diversity of end points, of interfaces and of applications running over complex networks all pose security problem areas. The more of those you have, the more resilient your network might be on the one hand, because there are multiple parts, but on the other hand, the harder it is to maintain them adequately.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 52, Q68.]
Dr Bennett suggested that control of data flows was a threat that needed to be specifically addressed by the Bill. Howard Watson, the chief technology officer of BT Group, also said:
“We also faced logical threats, such as malware implants, DDoS attacks and what are called advanced persistent threats, which is an actor embedding themself into parts of the environment, staying hidden for a while and potentially collecting credentials—think of the SolarWinds hack that is in the news at the moment.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 17, Q16.]
Emily Taylor, chief executive of Oxford Information Labs, said
“It is also the case that consolidation of infrastructure providers, like the cloud providers, is a security risk, because they become too big to fail. There was a brief outage of Google just before Christmas, and people just cannot work. When Cloudflare or Dyn go down, they introduce massive outages, particularly at a point where we are all so reliant on technology to do our work. These are security risks, and that highlights the need for a flexible approach. You have to be looking across all sectors.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 74, Q88.]
The witness evidence testimonies show that this is not only about the ability to control our signalling systems and protocols in the 5G network as it stands, but as the network evolves more and more of the network control will be both in the centre and on different infrastructure, such as Amazon Web Services in the cloud.
What I particularly want the Minister to respond to the question of how he anticipates the threat from consolidation as the network evolves—this consolidation at cloud level—will be addressed by designation notices? He said that the amendment talks about having regard to designation notices rather than the directions, which would specify the steps that operators have to take. When it comes to making decisions when issuing a designation notice, this requirement fits in with paragraphs (a) to (l), which are already included.
Amendment 19 to clause 17 requires the Secretary of State to lay before Parliament a report on the impact a designation notice will have on telecoms market supply chain diversity to enable parliamentary scrutiny. The amendment seeks to provide greater scrutiny of the diversification of the telecoms market supply chain, which, as we have all agreed, is a prerequisite for the Bill to be effective. It follows amendments 13 and 14, which we have already discussed, in addressing supply chain diversity.
I have mentioned a number of times that the Bill does not refer to the diversification strategy. We heard during the evidence sessions that it was a strategy and not yet a plan. The security of our networks depends on an effective plan to diversify the supply chain, which should also include support for UK capability. The amendment would require that a report be laid before Parliament to set out the impact that the designation notice will have on supply chain diversity. The Minister commented on whether it should be the designation notice or the direction. The objective of the amendment is to ensure discussion and understanding of the impact on the diversification strategy. It is particularly important because, as I have said, any future designation notice will be in the context of a telecoms supply chain that has been significantly reduced as a consequence of Huawei’s removal. It is important that the further impact be understood.
To be clear, we recognise that a designation notice is an appropriate response where there are risks to our national security and to the security of our telecommunication networks, regardless of the impact on diversification. However, we feel strongly that it is important to understand the impact, because of the reduced state of diversification in our supply chain. We cannot have a robust and secure network with only two vendors, and the Government’s emphasis on open RAN technology is yet to be shown to be sufficient to ensure the diversification of our networks in a reasonable timeframe.
I want us to imagine that the Government chose, for whatever reason, to issue a designation notice against one of the remaining vendors—Ericsson or Nokia. It would be critical for the impact on the progress of the diversification strategy to be set out, as well as for discussions to be had with industry and so on. A designated vendor notice could remove a vendor from the supply chain, further reducing resilience and security. I am sure the Minister will agree that it would be important to fully understand the implications, even as we put in place a designation notice. I think we all agree that we are aiming to have a rich diversity of suppliers, but it is also essential to understand the impact of designation notices on that.
We want to encourage the network operators to diversify their supply chains, as we discussed in the evidence sessions. The Bill contains a lot of stick and not very much carrot. A designation notice is absolutely a stick. A requirement to report on the impact on supply chain diversity would encourage the Government to put in place appropriate carrots to increase the incentives for diversification with one hand, as they take away potential vendor diversity in the supply chain with the other.
I support the clauses standing part of the Bill.
The Chair
Order. The hon. Lady has done really well, but we are not debating clause 17 stand part. She can refer to the other clause if she wishes.
Chi Onwurah
Thank you for the clarification, Mr Hollobone. I see that we are discussing whether clauses 15 and 16 stand part. I support those clauses and look forward to the Minister’s response to the amendment.
Matt Warman
I pre-emptively covered a lot of the hon. Lady’s questions, but I will say two brief things. She talked about consolidation in the cloud sector. While the Bill is very much a national security Bill, the National Security and Investment Bill would cover consolidation in that sort of sector, rather than this one. Obviously they do work together.
Chi Onwurah
The point I am making—clearly, I did not make it effectively—is that that sector is becoming this sector. The cloud sector is becoming the telecoms sector. The reason we need this Bill in addition to the National Security and Investment Bill is to address the security concerns of the telecoms sector specifically. The cloud sector is becoming part of the telecoms sector, yet the Bill does not address those concerns.
Matt Warman
The hon. Lady is not wrong, obviously, in the sense that there is a potential conversation to be had about when a cloud provider is a telecoms provider and vice versa, if I can put it like that, although it is not the most elegant way of doing so. However, the point is that the reason we have comprehensive coverage of the landscape is because we have both the National Security and Investment Bill, which she debated recently, and this Bill. The broad powers that she described are intended to provide precisely that sort of coverage.
Similarly, the hon. Lady referred to the length of the list in clause 16 of matters that can be taken into consideration. That relates to the point I made previously, namely that the sorts of issues that she is talking about, such as data flows, are already covered in the long list. The list is as long as it is because it is intended to look to the future. Therefore, being prescriptive in the way that she describes is fundamentally unnecessary. We are not excluding what she wants to be on the list. A matter is already very much there if it is pertinent to national security. For that reason, I do not think there is a compelling case to add that single topic to the list, both because it is already there and because if we start going down that route, we could make the case for adding a host of other things that are already covered but that people might want to be mentioned specifically.
As I said earlier on the convergence of the two sectors, the point is that we have comprehensive coverage through both Bills. It will be for the NCSC, Ofcom and the Government to make a judgment as to whether any consolidation in a sector poses a national security risk.
The Chair
We now come to amendment 20 to clause 17. This is Christian Matheson’s big moment. I call him to move the amendment.
Christian Matheson (City of Chester) (Lab)
I beg to move amendment 20, in clause 17, page 29, line 31, at end insert—
“(4) Where the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would, under subsection (2), be contrary to the interests of national security, a copy of the direction or notice must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.
(5) Any information excluded from what is laid before Parliament under the provision in subsection (3)(b) must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.”
This amendment would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to a designated vendor direction or designation notice which on grounds of national security is not laid before Parliament, thereby enabling Parliamentary oversight of all directions and notices.
The Chair
With this, it will be convenient to discuss the following: amendment 22, in clause 20, page 35, line 30, at end insert—
“(9) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section which relates to a direction or notice that has not been laid before Parliament on grounds of national security.
Amendment 23, in clause 20, page 37, line 41, at end insert—
“(10) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision which relates to a direction or notice that has not been laid before Parliament on grounds of national security.
Amendment 24, in clause 21, page 39, line 9, at end insert—
“(6) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction which relates to a direction that has not been laid before Parliament on grounds of national security.
Amendment 25, in clause 21, page 40, line 6, at end insert—
“(8) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification which relates to a direction that has not been laid before Parliament on grounds of national security.
Christian Matheson
I am sure the Committee has been waiting with bated breath for my big moment all morning, Mr Hollobone. May I say what a great pleasure it is to serve under your chairmanship?
I had prepared some notes to help me present the amendments, but I need not have bothered; I could simply have taken the Hansard report from last week and quoted my right hon. Friend the Member for North Durham. He talked about being a stuck record, but he is not; he is being consistent. I like to think that Labour has been consistent throughout the detailed consideration of the Bill. My hon. Friend the Member for Newcastle upon Tyne Central talked about the three areas that we consistently think would improve the Bill, and the amendment falls into one of those areas: scrutiny and the role of the Intelligence and Security Committee.
I refer to my right hon. Friend’s speech last week on amendment 9, when he talked about the desire to help the Bill. He also laid down a challenge. He commented on the fact that I thought that some parts of his speech were inspirational. They were, because they made me think quite a lot. There was one lightbulb moment when he used his experience of, I believe, 20 years in the House this year—on which I congratulate him—and said that the chances are that a similar amendment will be proposed in their lordships’ House and the Government may well agree to it.
My right hon. Friend also said that it is not necessarily a good thing for the Minister—not in this case, mind you—to be a tough guy who wants to get through the Bill without any amendments, when there is a genuine desire among the Opposition to get the Bill through. I remind the Minister and Government Members that we support the Bill. There have been occasions when an Opposition have tried to scupper, delay or make mischief with a Bill. I assure Government Members—I hope it is obvious to them—that there is no such skulduggery on this side of the House, not with this Bill and not ever, and certainly not when my hon. Friend the Member for Newcastle upon Tyne Central, my right hon. Friend the Member for North Durham and I on the Bill Committee. We are genuinely keen to improve the Bill during its passage.
The amendment again falls into one of the three areas my hon. Friend the Member for Newcastle upon Tyne Central has identified as necessary. As the Minister may have guessed, the chances are that we will not put it to the vote, but we do ask that he gives it careful consideration. I refer the Committee to the speech by my right hon. Friend the Member for North Durham last week about the role of the Intelligence and Security Committee. Amendments 20 to 25 relate to different clauses, but have the common aim of ensuring that there is correct parliamentary oversight of the process outlined in the Bill, specifically by referring all orders made under proposed new section 105Z11 of the Communications Act 2003 to the Intelligence and Security Committee.
It would normally be the Digital, Culture, Media and Sport Committee that would take on telecommunications matters. Additionally, the Secretary of State may lay orders before Parliament for general consideration and scrutiny. However, the Bill has our national security at its heart, and as a proud former member of the Culture, Media and Sport Committee, I am the first to admit that it would not be at all an appropriate forum for the consideration of such reporting to take place, nor would it be the normal procedure for laying orders before this House or the other place, either in general or on the specifics of the order.
As we touched on last week, the temptation is therefore the default position that no reporting at all would take place, which is clearly not desirable. I hope the Minister will confirm that that is not the Government’s intention. To be fair, I think he touched on that point last week, but it would be helpful if he could touch on it again.
The use of the ISC is therefore an elegant and obvious solution. The Committee, of which my right hon. Friend the Member for North Durham is such a distinguished member, has worked well and has the confidence of the House. It provides a secure and trusted forum for decisions of the Secretary of State that may have far-reaching commercial and technical implications, as well as security implications, to be scrutinised and considered by hon. Members who are able to receive the full facts and make a judgement based on them, while giving nothing away to those who wish us ill and would exploit our open democracy in doing so. I see no reason why our determination to protect our communications infrastructure should be used against us by our adversaries, but nor should that determination be traded off with a reduction in parliamentary scrutiny of the Executive and agencies that act on behalf of us all.
The ISC is there for a reason: it is precisely to cover situations such as this. If the Minister can propose an alternative solution that balances security with scrutiny, we would be pleased to hear it. I suspect this solution would also make commercial UK businesses more open to scrutiny themselves by offering a level of confidentiality, although I accept that that is not the primary role of the ISC.
It should also not be option for the Secretary of State to report. Such a chaotic patchwork would undermine the integrity of the Bill and the processes that we are setting up. Failing any alternative being proposed, we believe that these amendments, which involve the ISC acting on behalf of the whole House—indeed, the whole of Parliament—would fill a glaring hole and enhance the Bill. I commend them to the Committee.
Mr Jones
My hon. Friend the Member for City of Chester said that we were going over old ground, and to a certain extent we are because some of the amendments reflect those that I moved last week.
May I say at the outset, Mr Hollobone, that the Minister has been an exemplar in engaging with and briefing the ISC? He has set something of a precedent; usually we have only Cabinet Ministers or Prime Ministers before us to give evidence. He is one of the few junior Ministers to have appeared before us, so I congratulate him. He did it because he wanted to engage with the issues. He must therefore be commended on his commitment to ensure that there is scrutiny. However—this is not to wish his demise, but to argue for his promotion—he will not be there forever. I think he does not quite understand why the Government are not at least moving on this.
The ISC’s remit is defined in the Justice and Security Act 2013. It sets out which Departments we cover, and the Department for Digital, Culture, Media and Sport is not one of them. However, as I said last week, security is increasingly being covered by other Departments, and this Bill is a good example. The National Security and Investment Bill is another one, where security decisions will be taken by the Secretary of State for Business, Energy and Industrial Strategy. Parliament must be able to scrutinise that.
If a high-risk vendor is designated as banned from the network by the Secretary of State for Digital, Culture, Media and Sport, there are perfectly good reasons why the intelligence behind that cannot be put into the public domain. The methods by which such information is acquired are of a highly sensitive nature, so it would not only expose our security services’ techniques, but in some cases would make vulnerable the individuals who have been the source of that information. I think most people would accept that that is a very good reason.
This sort of thing is happening increasingly. We have the two Bills that I have referred to, but we also have the Covert Human Intelligence Sources (Criminal Conduct) Bill, which will come back to the House tomorrow. Covert human intelligence and the ability to collect intelligence on behalf of our security services is very important. Most of that is covered by the Home Office, and covert human intelligence sources are covered by the ISC’s remit and can be scrutinised. However, there is a long list of other organisations that will be covered by tomorrow’s Bill, including—we never quite got to the bottom of this—the Food Standards Agency, for example. Again, how do we ensure that there is scrutiny of the decisions?
We also have—this has come out of the pandemic—the new biosecurity unit in the Department of Health. Again, there is no parliamentary scrutiny, because the Health and Social Care Committee will not be able to look at the intelligence that supports so much of that. An easy way out of this is in the Justice and Security Act 2013: the memorandum of understanding, which just means that, were our remit extended to look at this and other matters, the ISC could oversee and ask for the intelligence.
Having spoken to the Business Secretary and the Minister, who sympathises with us, I am not sure where the logjam is in Government. The point is that an amendment will be tabled in the Lords. Whether the provision is in the Bill or just in the memorandum of understanding between the Prime Minister and the ISC, it is easily done and would give confidence that the process at least had parliamentary oversight.
On many of these decisions, frankly, the oversight would not be onerous; we are asking only that we are informed of them. On some occasions, we might not even want to look at the intelligence. It might be so straightforward that, frankly, it is not necessary, so I do not think that it is an administrative burden. I cannot understand what the problem is. To reiterate what I said last week in Committee, it is not about the ISC wanting to have a veto or block over such things. It is, rightly, for the Government and the Secretary of State to make and defend those decisions.
It is also not about the ISC embarrassing the Government, because we cannot talk in public about a lot of the information that we receive. It is not as though we would publish a publicly available report, because of the highly classified nature of the information. However, the ISC can scrutinise decisions and, if it has concerns, write to the Prime Minister or produce a report for the Prime Minister raising them. That gives parliamentary scrutiny of the Executive’s decisions.
As I say, the report might not be made public. People might ask, “Would that be a new thing?” No—it happens all the time. For example, on the well-publicised Russia report this year, there was a public report with redactions in it and quite an extensive annex, which raised some issues that we were concerned about. That annex was seen only by individuals in Government, including the Prime Minister.
There is already a mechanism, so I fail to understand why the Government want to oppose this. From talking to Ministers privately, I think that there is a lot of sympathy with the position and I think that we will get there eventually. How we get there and in what format, I am not sure—whether the method is to put it in the Bill or to do it through the mechanism in the 2013 Act. That might be a way forward.
Chi Onwurah
I rise to support the excellent comments made by my hon. Friend the Member for City of Chester and my right hon. Friend the Member for North Durham. I did well to delay my remarks till after my right hon. Friend had spoken, because he has set out very effectively, based on his considerable experience as a long-standing member of the Intelligence and Security Committee, both why it is important that that Committee should be consulted and receive the reports, and why it is hard to understand the Minister’s reluctance both in this Bill and in the National Security and Investment Bill to involve a source of such credible security expertise and, importantly, security clearance in key issues of national security.
I want to add two points to those made by my right hon. and hon. Friends. The first is to reiterate a point made previously: our security threats are changing, evolving and, unfortunately, diversifying. We see that in changes to our defence spending, in changes in the national review of our defence capabilities, and in changes in the evolution of the geopolitical landscape—the potential source of threats. However, the Minister does not seem able to support reflecting that by ensuring that, rather than keeping to our existing modes of parliamentary scrutiny, we enable parliamentary scrutiny of issues of national security by those who are best placed to carry out such scrutiny—undoubtedly members of the Intelligence and Security Committee.
I want to point briefly to a discussion in the evidence sessions. Ofcom made it clear that it does not consider itself in a position to make national security decisions, which is understandable, and that some of the decisions and considerations about national security with regards to telecommunications networks would require people who have STRAP clearance. Ofcom’s group director for networks and communications pointed to the fact that she had had STRAP clearance previously, and she said that if the NCSC
“feels that that is needed for the type of information that we may need to handle, we would make sure that happened.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 90, Q115.]
To my knowledge, Digital, Culture, Media and Sport Committee members do not have STRAP clearance. I would like the Minister to comment specifically on the level of security clearance required for members of the Committee that he has identified as being the location for scrutiny of important issues of national security. What level of security clearance do its members have? Would that enable the scrutiny that we all agree is in the best interests of the Bill?
I would like the Minister to respond to a specific example. Amendments 20, 22, 23, 24 and 25 are designed to require that the Intelligence and Security Committee has access to the appropriate information. There is a requirement for the Secretary of State to lay before Parliament a copy of a designated vendor direction, as set out in clause 15, which inserts new section 105Z11 into the Communications Act 2003. The new section states:
“The Secretary of State must lay before Parliament a copy of—
(a) a designated vendor direction;
(b) a designation notice;
(c) a notice of a variation or revocation of a designated vendor direction; and
(d) a notice of a variation or revocation of a designation notice.”
So far, so good—we have that scrutiny. However, the new section also says:
“The requirement in subsection (1) does not apply if the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would be contrary to the interests of national security.”
My right hon. Friend the Member for North Durham alluded to occasions when, we can see, that would be the case. I should like the Minister to respond specifically. Imagine, for example, that through the work of our excellent security services we became aware that a telecoms start-up in this country or abroad was under the undue influence of someone hostile to our national interest, and its integrity was compromised, and that those who had come by the information did not want to share with the wider world how they had done so. Indeed, as my right hon. Friend said, sharing that information might compromise the means by which it was acquired. It might also have a significant impact on the stock market price of the company, and perhaps of other companies or British institutions that were invested in it. That information could not be shared publicly. Yet there could not be an understanding of the reason for the designation notice or effective scrutiny of it by Parliament unless the information was shared in some secure way. Surely that secure way would be sharing it with the ISC.
To take another example, what would happen if the security services became aware that the billionaire owner of one of our major suppliers for, say, cloud services was compromised in some way or that it was going to be bought by a hostile actor? I have previously suggested that I want to understand how the Bill would address the potential for, say, Amazon Web Services to be bought by a hostile actor, and the influence that that would have on our security.
That information would be incredibly security-sensitive, but it would also be market-sensitive. My hon. Friend the Member for City of Chester said that market sensitivity is not the primary reason for the amendments. We prioritise national security. However, let us recognise that questions of national security have a huge impact on our markets as well, and our markets are influential on national security.
Under the clause the Secretary of State would not need to lay a copy of the direction or notice before Parliament if it would be contrary to the interests of national security. Revealing the way we obtain security information through our excellent security services would clearly be contrary to the interests of national security. How would the Minister ensure that there would be an appropriate level of scrutiny for a notice of that kind, which would not be laid before Parliament for reasons of national security? How would scrutiny be maintained?
I look forward to the Minister’s response. I emphasise that we support clause 18—[Interruption.] I am sorry. We are discussing clause 17.
Chi Onwurah
We support clause 17 and our amendments are intended to make it more accountable to Parliament and therefore more successful and effective in securing our national security.
The Chair
Order. I misled the hon. Lady. We are now discussing amendments 20 and 22 to 25. When we finish the debate on those amendments, we will debate clause 17 stand part. The hon. Lady may want to save this part of her remarks until the next debate.
Chi Onwurah
Thank you, Mr Hollobone. It is sometimes confusing to know exactly what is being discussed at what point. With that, I ask the Minister to respond to our concerns about the scrutiny of the powers in the clause.
Matt Warman
I welcome the second salvo in the campaign to address this matter by the right hon. Member for North Durham. He said it would be an ongoing campaign.
This group of amendments would require the Secretary of State to provide information relating to a designated vendor direction or designation notice to the ISC. The amendments would require the Secretary of State to do this only where directions and designation notices had not been laid before Parliament, whether in full or in part, as a result of the national security exemptions in clause 17. It will not surprise the right hon. Member for North Durham or other Opposition Members that some of these short remarks will overlap with the conversation that we had earlier on a similar matter.
Amendment 20 would require designated vendor directions or designation notices to be provided to the ISC. Amendments 22 to 25 would require the Secretary of State also to provide the ISC with copies of any notifications of contraventions, confirmation decisions and so on. Although I recognise some Members’ desire for the ISC to play a greater role in the oversight of national security decision making across government, including in relation to this Bill, the amendments would, as the right hon. Member for North Durham knows, extend the ISC’s role in an unprecedented way. None the less, I thank his welcome for my unprecedented appearance.
As I said in the debate on amendment 9, the ISC’s primary focus is to oversee the work of the security and intelligence agencies. Its remit is clearly defined in the Justice and Security Act 2013, and the accompanying statutory memorandum of understanding, to which the right hon. Gentleman referred. I do not think he thinks it is my place to take a view on that role, and I do not think this Bill is the place to have that debate.
Mr Jones
Yes, but I would ask the Minister’s civil servants to read the Act before they write this stuff for him. The Act refers to “intelligence”. Our remit is not fixed by a Department. I know the Minister sympathises with this and that we will get there eventually, but I say to his civil servants, please read the Act.
Matt Warman
I will come on to that. Accepting any of these unilateral amendments to this Bill is not the appropriate place to achieve an overall enhanced role for the ISC—
Mr Jones
I am sorry to say to the Minister that it is not looking for an enhanced role at all. It is actually doing what it says in the Justice and Security Act 2013. It is about scrutinising intelligence. A lot of the information, which will be used by him and others in these orders, will be derived from the same decisions that we oversee .
Matt Warman
Absolutely. Members of the Committee should note that in exercising the powers created by this Bill, the Secretary of State will be advised by the NCSC on relevant technical and national security matters. The NCSC’s work already falls within the Intelligence and Security Committee’s remit, so the right hon. Gentleman has found his own salvation.
In that context, the amendment seems to duplicate that existing power, while also seeking to do something that is better done in reform of a different Act, if that is what the right hon. Gentleman seeks. I am sorry to disappoint him again. I think he knew already that I would do that, but I look forward to his third, fourth and fifth salvos in his ongoing campaign.
Christian Matheson
I hear the Minister’s explanation, which we have been over before when considering other amendments. He talks about other salvos by my right hon. Friend the Member for North Durham. I go back to the statement that my right hon. Friend made last week, which is that he expects that at some point something will happen and we will move forward.
The Chair
Order. If the hon. Gentleman would like to chair this afternoon’s sitting, I am sure we could arrange for him to do that. I know Members will be disappointed, but I am instructed to say that as it is 11.25 am, the Committee is now adjourned.
The Chair adjourned the Committee without Question put (Standing Order No. 88).
Adjourned till this day at Two o’clock.
Telecommunications (Security) Bill (Seventh sitting)
Tuesday 26th January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 26 January 2021 - (26 Jan 2021)
The Committee divided: - Ayes: 3 / Noes: 10 - Question accordingly negatived.
The Chair
Before we begin, I have a few preliminary points. Please switch electronic devices to silent. Tea and coffee are not allowed during sittings. I remind Members about the importance of social distancing. Spaces for Members are clearly marked. I also remind Members that Mr Speaker has stated that masks should be worn in Committee. The Hansard reporters would be grateful if Members could email any electronic copies of their speaking notes to hansardnotes@parliament.uk.
Today we continue line-by-line consideration of the Bill. The selection list for today’s sitting is available in the room. It shows how the selected amendments have been grouped for debate. Amendments grouped together are generally on the same or a similar issue. Please note that decisions on amendments do not take place in the order they are debated, but in the order they appear on the amendment paper. The selection and grouping list shows the order of debates. Decisions on each amendment are taken when we come to the clause to which the amendment relates.
Clause 6
Powers of OFCOM to assess compliance with security duties
Question proposed, That the clause stand part of the Bill.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
It is a pleasure to be back under your chairmanship, Mr Hollobone. As we discussed during the debate on amendments to this clause in our previous sitting, clause 6 inserts proposed new sections 105N to R, providing Ofcom with strengthened powers to assess whether providers of public electronic communications networks and services are complying with their security duty. These powers are vital to enable Ofcom to fulfil its expanded and more active role, giving it the tools to monitor and assess providers’ compliance with the new telecoms security framework and providing the basis for commencing any enforcement action.
Proposed new section 105O provides the power to give assessment notices to a provider. Assessment notices may impose a duty on a provider to do a number of different things, which I will briefly summarise. First, providers can be required to carry out, or arrange for another person to carry out, technical testing in relation to their network or service. Secondly, they can be required to make staff available to be interviewed, enabling Ofcom to gain insights into how a provider’s security practices and policies are implemented.
Thirdly, providers can be required to allow an Ofcom employee or an assessor authorised by Ofcom to enter their premises to view documents or equipment. I recognise that that is a significant power, but it is necessary. It is subject to certain restrictions to protect legally privileged information and to limit entry to non-domestic premises only. To provide clarity for telecoms providers, Ofcom will also publish guidance setting out how and when it will use the power. Importantly, providers have a right of appeal.
The powers of assessment set out in the clause are key to enabling Ofcom to carry out the effective and extensive monitoring and assessment of providers’ security practices that is necessary.
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
It is a pleasure to serve under your chairmanship, Mr Hollobone, and to come back to this important Bill. I thank the Minister for writing to me and reassuring me on certain matters relevant to the clause. We accept the need for Ofcom to have powers to require information from vendors, but we would like a specific requirement whereby Ofcom can ask vendors for information on the diversity of their supply chains. I will leave further discussion on that for our new clauses. I will support this clause.
Question put and agreed to.
Clause 6 accordingly ordered to stand part of the Bill.
Clause 7
Powers of OFCOM to enforce compliance with security duties
Question proposed, That the clause stand part of the Bill.
The Chair
With this it will be convenient to discuss the following:
Clause 8 stand part.
Clause 9 stand part.
Clause 10 stand part.
Matt Warman
I will seek to move relatively rapidly through these four clauses.
Clause 7 provides Ofcom with enforcement powers in relation to providers’ security duties. The Bill gives Ofcom new powers to impose tough financial penalties on providers who breach their security duties. The penalties range to a maximum fine of 10% of a provider’s annual turnover, which is in line with the maximum fines available for breaching other regulatory requirements. For continuing contraventions, Ofcom can levy a daily penalty of up to £100,000. Penalties that are generally lower than that but still significant will also apply for contravening information requirements, which are subject to a maximum penalty of £10 million or, for a continuing contravention, a penalty of up to £50,000 per day. These penalties ensure that there will be a real financial deterrent to poor security practices. I should also say that, in the most serious cases, or in cases where a provider repeatedly contravenes its security duties, Ofcom would be able to use existing powers to suspend or restrict the provider’s entitlements to provide a network or service. Clearly, that is a step that we hope the regulator will never need to take.
The clause also gives Ofcom an important new power to take action where security is being compromised or is at imminent risk of being compromised. Proposed new sections 105U and 105V of the Communications Act 2003 would enable Ofcom to direct a provider to take interim steps to secure its network or service while Ofcom investigates or pursues further action. This power recognises that contravention of a security duty could result in a security compromise that causes real damage to users of that network or service. Where Ofcom uses that power, it will be required to commence and complete the enforcement process as soon as is reasonably practicable. The clause gives Ofcom the tools it needs to effectively enforce compliance with the new security framework.
Clause 8 sets out the position for bringing civil claims against providers who breach their security duties, which is a matter we touched on in earlier debates. It enables providers to be held accountable not just by Ofcom but by service users, such as members of the public, in cases where loss or damage is sustained by those users as the result of a breach of a duty. Providers owe a duty to any person who may be affected by a contravention of their security duties to take security measures, to comply with specific security duties in any regulations and to inform users of security compromises.
This clause allows any affected person to take legal action should providers breach those security duties. However, any affected person can bring legal proceedings against a provider only with the consent of Ofcom, which may be subject to conditions relating to the conduct of the legal action. This reflects the existing position in the Communications Act 2003 and ensures that providers face legal action only in appropriate circumstances. The clause also makes providers responsible to their users, providing another source of accountability. It allows users to bring legal claims for any losses they have suffered, which is only fair and reasonable.
Clause 9 addresses the interaction between provisions in the Bill and other legislation, specifically national security, law enforcement and prisons legislation. The security duties created by the Bill do not conflict with duties imposed on communications providers by other legislation via these clauses. Equally, we do not want the Bill to affect adversely the important work carried out by our law enforcement agencies, criminal justice authorities and intelligence agencies. The clause gives that clarity to providers about their responsibilities.
Finally, clause 10 requires that Ofcom publish a statement of policy about how it will fulfil its general duty and use specific powers to ensure that providers comply with their security duties. This will provide welcome clarity to industry about the expected use of important new powers. I beg to move that these clauses stand part of the Bill.
Chi Onwurah
I will not detain the Committee long, as we are cracking on through the clauses. I will only emphasise that these clauses give Ofcom broad powers—very broad powers—and measures of enforcement, as well as placing duties on the network operators to all users of their network services. We support these broad powers, but it is incumbent on the Minister and indeed on the Committee to consider whether those powers will receive sufficient scrutiny, and sufficient oversight and input from our security services. We anticipate debating those particular questions in more detail later today. In the meantime, we will not stand in the way of these clauses standing part of the Bill.
Question put and agreed to.
Clause 7 accordingly ordered to stand part of the Bill.
Clauses 8 to 10 ordered to stand part of the Bill.
Clause 11
Reporting on matters related to security
Chi Onwurah
I beg to move amendment 14, in clause 11, page18, line 26, at end insert—
“(aa) an assessment of the impact on security of changes to the diversity of the supply chain for network equipment;”
This amendment requires that network supply chain diversification is included in Ofcom reports on security.
The Chair
With this it will be convenient to discuss the following:
Clause stand part.
Clause 12 stand part.
Clause 13 stand part.
Chi Onwurah
We start this debate where we ended our sitting on Thursday, on the diversity of the supply chain. But this is not groundhog day; this is a very different aspect of the diversity of the supply chain. I hope the Minister has noticed that there are three themes to our amendment: national security, diversity of the supply chain and appropriate scrutiny. Those are our key concerns about the Bill as it stands.
We wish to see the Bill debated as speedily as possible. For the record, I reiterate my concern that, in the midst of a pandemic lockdown, where the advice is to stay at home, the Leader of the House requires that Members of Parliament should congregate in one room for several hours. With that in mind, we are cracking on as quickly as possible, and we have made significant progress only this morning. However, we feel strongly that, given the speed at which we are providing the appropriate scrutiny, more time should be devoted to debating the Bill on the Floor of the House. We are cracking on in order to protect, as far as we can, the public health of Members of Parliament, staff, House officials and Clerks, who are doing an amazing job in the midst of a pandemic.
Clause 11 makes provision for reporting by Ofcom on security matters. That includes a duty to provide an annual security report to the Secretary of State. Amendment 14, in my name and those of my right hon. and hon. Friends, requires that network supply chain diversification is included in Ofcom’s report on security. As I said, we anticipate having a broader debate this afternoon on the importance of the diversification of the supply chain to security, as part of the debates on our new clauses, so I will only summarise our key points and concerns now.
This amendment follows amendment 13, which sought to give Ofcom the power to request reports from operators on their supply and the progress of their supply chain diversification. We support steps to remove high-risk vendors from the UK networks, but they must go hand in hand with credible measures to diversify the supply chain. I am afraid it remains the fact that we have no reference to the diversification of the supply chain in the Bill, despite the fact that, as I will briefly outline, both the Secretary of State and experts during our evidence sessions emphasised that we could not have network security without effective diversification.
We cannot have a robust and secure network with only two service providers. Supply chain diversification is absolutely vital to protecting our national security. If a vulnerability exists in one vendor or service provider, that intrusion may be limited to that one vendor or service provider alone. A diversity of suppliers in the supply chain limits the exposure of vital information. This amendment ensures that network supply chain diversification is addressed in Ofcom’s report on security. My key question to the Minister is, how can Ofcom report on security if it is not reporting on supply chain diversification?
The Minister may well say that Ofcom has the power to report on supply chain diversification and to request information on supply chain diversification. As I have said on a number of occasions, the powers in the Bill are broad. That is why effective scrutiny requires some specification of what will be reported upon.
The security report to the Secretary of State should be made as
“soon as practicable after the end of each reporting period”
and
“must contain… information and advice… to assist the Secretary of State in the formulation of policy”.
It must also include the extent to which providers have complied with security duties. That is as an example of some of what may be included in the security report. Given that the Secretary of State has said on a number of occasions that supply chain diversification goes hand in hand with the security of the network, it is essential that supply chain diversification is specifically mentioned in the Bill, so that we can have accurate and detailed reports from Ofcom on key aspects of network security.
The amendment will help provide the Secretary of State with the information to update Parliament on the progress of the Government’s diversification strategy, depending on Ofcom’s findings. The Secretary of State has promised to give Parliament such updates, so this is an enabling amendment to ensure that the Secretary of State has the information he needs to provide the reporting that he has committed to.
In support of the amendment, I would like to cite one of the witnesses in our evidence sessions. Dr Alexi Drew, from Kings College, London, was asked whether it was possible to have a secure network without a diverse supply chain, and answered:
“That is a great question that comes with a very simple answer: no. The worst-case scenario for creating a risk in this sense is when monopoly meets supply chain—insecure supply chain in this case. Arguably, the reason why SolarWinds was so successful is that it provided the same service to so many different organisations and departments in the United States. Therefore, if you access one—SolarWinds—you access almost all. That is the risk.”—[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 87, Q110.]
That is a risk that, I am sorry to say, the Bill currently does not sufficiently address. I hope that, by accepting this amendment, the Minister will recognise that we are, as always, seeking to improve the Bill and to ensure that it provides a credible and effective means to secure our networks.
With regard to clauses 11, 12 and 13 stand part, we recognise the importance of providing Ofcom with the appropriate powers to request information, but also to share information related to security. In that respect, these provisions are ones that we can support.
Matt Warman
I welcome the spirit of the amendment. I think that the hon. Lady and I share the same ambition. I know that she wants to have the proper debate later, so we look forward to that.
Clause 11 inserts into the Communications Act 2003 proposed new section 105Z, which deals with Ofcom’s reports on security. It requires Ofcom to produce such reports within two years of the Bill receiving Royal Assent and every 12 months thereafter. As the hon. Lady said, amendment 14 is similar to the amendment to clause 6 that we discussed previously. Ultimately, when considering Ofcom’s role and specifically its reporting function, we should note that proposed new section 105Z(2) requires Ofcom security reports to include such information and advice as Ofcom considers may best assist the Secretary of State in the formulation of policy on telecoms security. That could go beyond the list in proposed new subsection (4) to include other relevant information, such as that related to diversification. The Secretary of State can also direct Ofcom to include information that goes beyond that list.
As the Committee and, indeed, Ofcom will be well aware, the Government have recently published a targeted diversification strategy, which will deliver lasting and meaningful change in the 5G supply chain and pave the way for a vibrant, innovative and dynamic supply market. We heard widespread support for the strategy from witnesses during the oral evidence sessions. The strategy demonstrates our commitment to building a healthy supply market and is backed by a £250 million initial investment.
We have publicly announced that the Government will be funding the creation of a UK telecoms lab to research and test new ways of increasing security and interoperability, and we are already partnering with Ofcom and Digital Catapult to fund the industry-facing test facility SONIC—the SmartRAN Open Network Interoperability Centre. Both of those will play a key part in our investment in diversification and demonstrate Ofcom’s existing part in it.
As already mentioned, amendment 14 would require Ofcom to include in its security reports
“an assessment of the impact on security of”
any
“changes to the diversity of the supply chain for network equipment”.
As that requirement is already essentially covered by Ofcom’s existing powers, the amendment is not necessary. The inclusion of any such information is already within Ofcom’s discretion, but I am sure that we will discuss it more later on, as the hon. Lady said.
Clause 12 expands Ofcom’s information-gathering powers for the purposes of its security functions and enhances its ability to share the information with the Government. It enables Ofcom to require a provider to produce, generate, collect or retain security information, and then to analyse that information. Any information sought using this power must always be proportionate to how Ofcom will use it.
Clause 13 makes provision in connection with the standard of review applied by the Competition Appeal Tribunal in appeals against certain of Ofcom’s security-related decisions. Ofcom’s regulatory decisions are subject to a right of appeal to the tribunal, and that will also be the case for most of Ofcom’s decisions relating to the exercise of its regulatory powers conferred by the Bill. This clause makes provision to ensure that the tribunal is not required to modify its approach in appeals against relevant security decisions, and should instead apply ordinary judicial review principles.
I hope that I have sufficiently explained to the Committee why amendment 14 is unnecessary and why clauses 11 to 13 as drafted should stand part of the Bill.
Chi Onwurah
I thank the Minister for his comments. Although we agree on many things in many areas, I think that in this case he is trying to have his cake and eat it, inasmuch as he is saying that amendment 14 is not necessary because Ofcom already has the powers, but he is reluctant or is refusing to specify that those powers will be used for the objective of reporting on the progress of diversification of the supply chain. It was good to hear the Minister reiterate the importance of diversification of the supply chain, but I remain confused about whether he agrees with the evidence and, indeed, with his own Secretary of State that diversification of the supply chain is a prerequisite of the security of our networks and, indeed, our national security—that is what we are discussing with regard to our telecoms networks. If diversification is a prerequisite, why is the Minister so reluctant to refer to it? If he is so confident in the plan to diversify our supply chains, why is he so reluctant to insert any requirements to report on the progress of that diversification?
I listened intently: the Minister said that Ofcom has the powers to report on whatever it considers to be relevant to security. During the evidence session, we heard from Ofcom itself, very clearly and repeatedly, that it is not for Ofcom to make decisions on national security. It will not make national security decisions. That is not within its remit and responsibilities; the witnesses from Ofcom stated that repeatedly and clearly. I would be happy to read from Hansard if that point is in question. Given that Ofcom will not make security decisions and that the diversification of the supply chain is essential for security, I am at a loss to understand why the Minister will not accept a reference to reporting on the progress of diversification. Although, unfortunately, the pandemic means that we are not at full strength on the Opposition side of the Committee, I wish to test the will of the Committee on the amendment.
Question put, That the amendment be made.
Chi Onwurah
I beg to move amendment 15, in clause 14, page 21, line 28, leave out from beginning to end of line 30 and insert—
“(3) The reports must be published not more than 12 months apart for the first 5 years, then not more than 5 years apart.
(4) The first report must be published within the period of 12 months beginning with the day on which this Act is passed.”.
This amendment requires the Secretary of State to report on the impact and effectiveness of clauses 1 to 13 every year for the first five years after the Act is passed, and then every five years following.
The amendment reflects another of our key concerns about the Bill, which is the level and extent of appropriate scrutiny for such broad and sweeping powers. It seeks to ensure appropriate scrutiny. Clause 14 requires the Secretary of State to review the impact and effectiveness of clauses 1 to 13 at least every five years. Our amendment would require the report to be published every year for the first five years after the legislation is passed, and then up to every five years after that.
As we have said, the Bill gives the Secretary of State and Ofcom sweeping powers. We want to ensure both that they are proportionate and that there is accountability. As we have previously emphasised, we are sure that the Minister and the Secretary of State are inclined to exercise the powers in a proportionate and accountable way, but they will not be in their posts forever, and perhaps not for the entire first five years of the legislation’s operation, so it is important that the Bill requires that Parliament be able to scrutinise its effectiveness, as that is so important to our national security. In that sense, this amendment follows amendments 5, 9 and 10 with respect to the requirement for appropriate oversight and accountability.
I emphasise—I am sure that you will understand, Mr Hollobone—that in some ways we are here because of a lack of effective parliamentary scrutiny of the presence and growth of high-risk vendors in our networks. It was only when Parliament became aware of and was able to give its full-throated input on concerns about the dominance of high-risk vendors in our telecommunications market that the Government took action. We do not want to be in the position of finding again that there has been a dramatic change in the security of our networks without appropriate scrutiny.
Clause 14 states that the Secretary of State must
“carry out reviews of…impact and effectiveness”
and that the report must be laid before Parliament for parliamentary scrutiny. However, we are to wait up to five years before it will be made possible to give parliamentary scrutiny to a Bill that is so important to national security, as both the Minister and the Secretary of State, and indeed the security services, have emphasised. We are not to review its effectiveness for five years.
Sara Britcliffe (Hyndburn) (Con)
Does not the clause state that the period is up to five years? The review could be done during that period; it would not have to be at the five-year mark every time.
Chi Onwurah
The hon. Lady is absolutely right. The clause enables the Minister or Secretary of State to choose to lay a report more frequently. Again, I do not want to impute anything against the Minister or the Secretary of State, but given the importance of the subject and of parliamentary review, why not ensure that it is more frequent?
I am sure that the hon. Lady will agree that Parliament has many things to consider, and so does the Secretary of State. There is competition for parliamentary time, particularly in a pandemic and in view of the challenges that we shall face in the next few years. How can I put this? We have concerns that the priority may slip in the face of, for example, economic challenges, investment challenges and recovery challenges. We want to be sure what is happening. We are the party of national security and we want to ensure that, in this context, national security is brought to Parliament to be debated, discussed and reviewed at least every year.
Matt Warman
I listen with interest to the points that the hon. Lady makes, and to the assertion that she is a member of the party of national security. I welcome her to this side of the House, if that is the case. [Interruption.] Thank you, but no.
As the hon. Lady says, clause 14 is a review clause requiring the impact and effectiveness of clauses 1 to 13 to be reviewed at least every five years by the Secretary of State. The review report must be published and laid before Parliament, but it is by no means the only source of parliament scrutiny, as she knows. Her amendment would increase the frequency of these reports to every year for the first five years after the Bill is passed and then every five years thereafter.
Increasing the frequency of the reports would bring its own challenges for a number of reasons. First, the framework is considerably different from the previous security regime in the Communications Act 2003. It seems to me that we will not be able fully to assess the impact and effectiveness of the new security regime instituted by clauses 1 to 13 until all parts of the framework, including secondary legislation, codes of practice and other things, have been in place for a reasonable period of time. The code of practice that will provide guidance on the detailed security measures that telecoms could take is intended to set clear implementation timelines. Some measures may require significant operational change, as we heard in the evidence sessions for telecoms providers, and we are aware that that may be costly. For that reason, we cannot reasonably expect all changes to be implemented instantly or, indeed, all necessarily at the same time.
There is a further practical difficulty with the amendment. If the first report is to be produced 12 months after Royal Assent, it will require the review to be undertaken well in advance of that deadline. That means that the report will represent an incomplete picture of the Bill’s impact, even at its very first production. Some measures will not even have been implemented by telecoms providers.
My hon. Friend the Member for Hyndburn was exactly right that the current requirement for publishing reports is at least—rather than at most—every five years. We have been deliberate in our choice of this timeframe because five years is the reasonable point by which we expect the majority of telecoms providers to have implemented most, if not all, changes. It is therefore considered appropriate to require a report on the impact and effectiveness of the framework by that time. I recognise that five years is a long time. That does not mean that the framework will be free from scrutiny in the intervening period. As clause 11(3) sets out, the Bill amends section 134B of the Communications Act so that Ofcom’s regular infrastructure reports will include information on public telecoms providers’ compliance with the new security framework. Ofcom publishes the reports annually, rendering the amendment unnecessary.
Chi Onwurah
On a point of clarification, I have the impression that the Minister anticipates that the first report under the Bill would only happen once all the requirements had been implemented. I think that that implies that it would only happen once a high-risk vendor, specifically Huawei, had been removed from the network.
Matt Warman
No is the short answer, because while this is a progress report, five years from 2021 is 2026—the deadline is 2027, even at the most extreme end, which is not where we anticipate it will end up—and it would be before the point that she identifies.
The infrastructure reports from Ofcom will help to provide Parliament and the public with a view on how telecoms providers are progressing with compliance with the new framework. As I alluded to earlier, they are not the only means of parliamentary scrutiny. We have the Intelligence and Security Committee and we have Select Committees. I suspect that there might be one or two debates on this matter over the next five years as well. To pretend that this is the only method of parliamentary scrutiny is not accurate.
Chi Onwurah
If the Minister will give way briefly, he may find it saves time. To clarify: for the first report we will not necessarily have to wait until all the provisions of delegated legislation associated with the Bill are in place. As for the infrastructure reports that Ofcom publishes, to which he refers as a form of alternative scrutiny, will they, might they or will they not reflect progress in the diversification of the supply chain?
Matt Warman
The hon. Lady asks me to predict what is in a report that has not been written yet by an organisation that is not a Government Department. I agree with the principle of what she is saying. This is an important aspect and one would reasonably expect it to be reflected in the reports that we have talked about. It is, however, important overall to say that Ofcom’s own regular infrastructure reports will, as I have said, include information on public telecoms providers’ compliance with the new security framework, which is the broadest interpretation and gives a huge amount of latitude for the sorts of information that she seeks. I hope that those infrastructure reports will help to provide Parliament with the kind of scrutiny that she seeks, and the public with the kind of scrutiny that we all seek. [Interruption.] For those reasons I hope that she will withdraw the amendment.
Chi Onwurah
I thank my right hon. Friend the Member for North Durham for an exciting intervention from his phone, and I thank the Minister for his comments. As I think I have said, I spent six years working for Ofcom with the Communications Act 2003 on my desk. I know the importance that our independent regulator places on the words of the Minister during such debates as this. As he has indicated that the reports would do well to include reference to everything that appertains to security, including the diversification of supply chain, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 14 ordered to stand part of the Bill.
Clause 15
Designated vendor directions
Mr Kevan Jones (North Durham) (Lab)
I beg to move amendment 16, in clause 15, page 22, line 12, at end insert—
“(2A) When considering whether a designated vendor direction is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
This amendment would require the Secretary of State to give due priority to advice provided by the Intelligence Services (including the National Cyber Security Centre as part of GCHQ) when considering when to issue a designated vendor direction.
The Chair
With this it will be convenient to discuss the following:
Amendment 17, in clause 16, page 27, line 8, at end insert—
“(3A) When considering whether a designation notice is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
This amendment would require the Secretary of State to give due priority to advice provided by the Intelligence Services (including the National Cyber Security Centre as part of GCHQ) when considering whether to issue a designation notice.
Amendment 18, in clause 16, page 28, line 3, at end insert—
“(m) the person’s control of data flows.”
This amendment requires the Secretary of State to consider a person’s potential control of data flows when issuing a designation notice.
Clause 16 stand part.
Amendment 19, in clause 17, page 29, line 19, at end insert
“, together with an assessment of the impact the designation notice will have on supply chain diversity;”.
This amendment requires the Secretary of State to lay before Parliament a report on the impact a designation notice will have on telecoms market supply chain diversity, enabling parliamentary scrutiny.
Mr Jones
I thought I would bring some light relief to the Committee’s proceedings. Amendments 16 and 17 are both probing amendments. I might sound like a broken record, but they are really just to ensure that we get a situation where the necessary advice is taken. Amendment 16 states:
“When considering whether a designated vendor direction is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
I accept that the entire purpose of the Bill is to have national security at its heart, but I still have a nagging doubt about whether Ofcom will be able to put national security at the heart of its considerations.
Amendment 17 states:
“When considering whether a designation notice is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
This is an attempt to future-proof the Bill. As I mentioned the other day, when we pass legislation in this place it is important that it outlives present Ministers, and us all. Unfortunately, there is form on this—look at the Intelligence and Security Committee’s 2013 report on critical national infrastructure. I accept it was then the Cabinet Office, not Ofcom, that dealt with this, but when BT negotiated its contract with Huawei, the Cabinet Office was told about it but did not feel it necessary to tell Ministers for another three years, until 2006. I am concerned that national security will not be at the forefront when people look at such matters. The amendment is really just to ensure that that takes place, and codifies it into law.
I do not wish to criticise civil servants in any way, but having been a Minister myself, I know they sometimes have a tendency not to put forward things that might have a political dimension that they do not recognise. That is why it is important for national security that the Secretary of State has first-hand knowledge and information directly from the security services. We have very effective security services in this country—I pay tribute to them—but we also have the Cabinet Office. I know the Minister might think I am a bit obsessive, but I am sure he has come up against the buffer of the Cabinet Office, which seems to want to intervene in everything and anything that does not really concern it.
Matt Warman
I thank the right hon. Gentleman for his contribution to the debate. He has talked so much about my impermanence that I felt lucky to come back today, never mind any time in the future. He makes a reasonable point, with which I broadly sympathise. As this is a broad grouping that covers clauses 15 and 16 and the amendments to clauses 15, 16 and 17, I will discuss the policy intention behind the clauses in sequence, and address the amendments.
As the right hon. Gentleman said, it is obviously an opportune moment to pay tribute to the heroic work of our national security services. The Bill emphasises the importance of their advice, and it empowers the Government to manage the presence of high-risk vendors in our networks. The report to which he refers is important, but it is also important to say that it was published, as he said, in 2013. It related almost entirely to events that took place under Labour, and it predates the existence of the National Cyber Security Centre, so we are dealing to some extent with a different world. I will go into a bit of detail on that.
As the right hon. Gentleman knows, the Government announced in January last year that new restrictions should be placed on the use of high-risk vendors in the UK’s 5G and full-fibre networks. In July 2020, the Government worked with the NCSC to update the guidance following action taken by the US Government in relation to Huawei. Clauses 15 to 17 provide the principal powers that the Government need to manage the risks posed by high-risk vendors. Without such powers, the guidance issued to industry will remain unenforceable and therefore present a risk to national security.
Mr Jones
I accept what the Minister says about the report, but its key point was that civil servants basically decided not to tell Ministers. On his explanation and the way forward, or what has changed since, how can we avoid a situation whereby Cabinet Office civil servants take the decision not to tell Ministers? How can we ensure that that will not happen again?
Matt Warman
In short, the right hon. Gentleman is challenging the fundamental effectiveness of Government and the judgments that were made by officials at the time. I simply say that it is the duty of Government to ensure that such errors are not made in future. That cannot be done solely by legislative means; it must be done by custom and practice. The right hon. Gentleman understands, through his work on the ISC, that the role of those close working relationships is in some ways far more important in the day-to-day security issues that we are dealing with. Perhaps we can return to that point later.
The Bill will allow the Secretary of State to issue designated vendor directions, imposing controls on the use of goods, services or facilities that are supplied, provided or made available by designated vendors. The Secretary of State may issue such directions only where it is necessary to do so in the interests of national security and proportionate to the aims sought to be achieved.
Amendment 16, which would amend clause 15, seeks to place a statutory requirement on the Secretary of State to take into account advice from our intelligence services when considering whether to issue a designated vendor direction. Amendment 17, which would amend clause 16, seeks to place a similar requirement when considering a designation notice.
I should reassure hon. Members that the Secretary of State, as the right hon. Member for North Durham knows, has every intention of seeking the advice of our security and intelligence services, as would any Secretary of State, in particular the NCSC, when considering whether to issue a designated vendor direction or designation notice.
It is also worth saying, from a scrutiny point of view, that the Department for Digital, Culture, Media and Sport maintains an excellent relationship with the NCSC. We are scrutinised by the Select Committee on Digital, Culture, Media and Sport and I have appeared before the Intelligence and Security Committee, as the right hon. Gentleman knows. There are many examples in the Bill where the NCSC’s expert advice has been taken into account.
The UK telecoms supply chain review, on which the Bill is based, was the product of the close working relationship between the Department for Digital, Culture, Media and Sport and the NCSC. In a sense, that close working relationship demonstrates that matters have moved on substantively since 2013.
I draw hon. Members’ attention to the illustrative notices that we published in November last year. The NCSC was closely involved in the drafting of those illustrative notices. It will also be involved in the drafting of direction and designation notices once the Bill has been enacted . Given the demonstrable success of our collaboration with the NCSC thus far, I hope that the right hon. Gentleman will be satisfied with that explanation, although I appreciate that he introduced a probing amendment.
Clause 15 would create the new power for the Secretary of State to issue designated vendor directions to public communications providers, in the interests of national security. Although clauses 15 and 16 are distinct, they are complementary. Directions cannot be issued without identification of a designated vendor and designations have no effect unless directions are given to public communications providers. Clause 15 inserts new sections 105Z1 to 105Z7 into the Communications Act 2003 and amends section 151 for that purpose.
The clause will enable the Government’s announcements in 2020 on the use of high-risk vendors to be given legal effect. Those announcements include advice that require a public telecoms provider to exclude Huawei from their 5G networks by 2027, and stop installing new Huawei goods, services or facilities in 5G networks from September 2021. It will also enable the Government to address risks that might be posed by future high-risk vendors, helping to ensure our telecoms networks are safe and secure.
Proposed new section 105Z1 sets out the direction power. It would allow the Secretary of State to give a designated vendor direction to a provider, imposing requirements on their use of goods, services or facilities supplied by a specified designated vendor. Proposed new section 105Z2 provides further details on the types of requirements that may be imposed in a designated vendor direction. Proposed new section 105Z3 sets out the consultation requirements and expectations for public communications providers. Proposed new section 105Z4 sets out a requirement for the Secretary of State to provide a copy of a direction to the designated vendor or vendors, specified in a direction and, hence, affected by it. Proposed new sections 105Z5 and 105Z6 set out when and how the Secretary of State may vary or revoke a direction. Lastly, 105Z7 enables the Secretary of State to require a public communications provider to provide a plan setting out the steps that it intends to take to comply with any requirements set out in a direction and the timings of those steps.
Although the Government have made specific announcements on Huawei, the high-risk vendor policy has not been designed around one company, country or threat. The designated vendor direction power, as set out in these provisions, is intended to be an enduring and flexible power, enabling the Government to manage the risks posed to telecoms networks both now and in the future.
Clause 16 includes a non-exhaustive list of matters to which the Secretary of State may have regard when considering whether to issue a designation notice. Amendment 18 seeks to amend that clause by adding a person’s control of data flows to the list of matters to which the Secretary of State may have regard. However, nothing in the clause prevents the Secretary of State from considering control of data flows before issuing a designation notice already, if the matter were deemed relevant to the assessment of national security. It is already covered and so is not required as a stand-alone measure.
The clause creates a power for the Secretary of State to issue a designation notice, which designates a vendor for the purposes of issuing a designated vendor direction. Proposed new section 105Z8 is the principal measure of the clause, and sets out the power for the Secretary of State to designate specific vendors where necessary in the interests of national security. A designation notice must specify the reasons for designation unless the Secretary of State considers that doing so would be contrary to the interests of national security. The proposed new section also lists the primary factors that may be taken into account by the Secretary of State when considering whether to designate a vendor on national security grounds.
Finally in this group, amendment 19 would require the Secretary of State, when laying a designation noticed before Parliament, also to lay before Parliament a report detailing the impact that the designation notice might have on the diversity of the UK’s telecoms supply chain. The effect of the amendment would be to require the Secretary of State to lay a report purely on the impact of the designation notice, but a designation notice simply notifies vendors that the Government consider them a risk to national security.
Only when the designation notice is issued alongside a designated vendor direction are controls placed on the use of a designated vendor’s goods, services and facilities by public communication providers, so it is those controls that might have an impact on the diversity of the supply chain. I can reassure the Committee that the Government will consider the diversity of the supply chain before issuing designation notices and designated vendor directions. A lack of diversity is in itself a risk to the security of a network. I hope that answers the question that the hon. Member for Newcastle upon Tyne Central asked in regard to an earlier amendment. It is right that the Government consider that risk before deciding whether to issue designation notices and designated vendor directions.
To conclude, clauses 15 and 16 provide us with the ability to improve the security of our telecommunications networks and to manage the risks relating to high-risk vendors, both now and in the future.
Chi Onwurah
I will speak to amendments 18 and 19, standing in my name and those of my hon. Friends, and to clauses 15 to 17. As the Minister set out, the clauses are about key powers in the Bill that seek to secure our networks and to regularise requirements already in place, albeit informally or not legally, to remove Huawei as a specific high-risk vendor from our networks. The clauses give Government the powers to do what they have said they will do.
On the clauses, I will not repeat what the Minister said, and I congratulate him on clearly setting out their powers, which the Opposition believe are necessary. I also join the Minister and my right hon. Friend the Member for North Durham in paying tribute to our security services, which do such great work to keep us secure across a wide range of threats and challenges—both present and evolving—and on whose continued work and effectiveness the Bill is highly dependent. As my right hon. Friend set out, we want to ensure that national security is absolutely at the heart of the Bill.
The Chair
Order. The hon. Lady has done really well, but we are not debating clause 17 stand part. She can refer to the other clause if she wishes.
Chi Onwurah
Thank you for the clarification, Mr Hollobone. I see that we are discussing whether clauses 15 and 16 stand part. I support those clauses and look forward to the Minister’s response to the amendment.
Matt Warman
I pre-emptively covered a lot of the hon. Lady’s questions, but I will say two brief things. She talked about consolidation in the cloud sector. While the Bill is very much a national security Bill, the National Security and Investment Bill would cover consolidation in that sort of sector, rather than this one. Obviously they do work together.
Chi Onwurah
The point I am making—clearly, I did not make it effectively—is that that sector is becoming this sector. The cloud sector is becoming the telecoms sector. The reason we need this Bill in addition to the National Security and Investment Bill is to address the security concerns of the telecoms sector specifically. The cloud sector is becoming part of the telecoms sector, yet the Bill does not address those concerns.
Matt Warman
The hon. Lady is not wrong, obviously, in the sense that there is a potential conversation to be had about when a cloud provider is a telecoms provider and vice versa, if I can put it like that, although it is not the most elegant way of doing so. However, the point is that the reason we have comprehensive coverage of the landscape is because we have both the National Security and Investment Bill, which she debated recently, and this Bill. The broad powers that she described are intended to provide precisely that sort of coverage.
Similarly, the hon. Lady referred to the length of the list in clause 16 of matters that can be taken into consideration. That relates to the point I made previously, namely that the sorts of issues that she is talking about, such as data flows, are already covered in the long list. The list is as long as it is because it is intended to look to the future. Therefore, being prescriptive in the way that she describes is fundamentally unnecessary. We are not excluding what she wants to be on the list. A matter is already very much there if it is pertinent to national security. For that reason, I do not think there is a compelling case to add that single topic to the list, both because it is already there and because if we start going down that route, we could make the case for adding a host of other things that are already covered but that people might want to be mentioned specifically.
As I said earlier on the convergence of the two sectors, the point is that we have comprehensive coverage through both Bills. It will be for the NCSC, Ofcom and the Government to make a judgment as to whether any consolidation in a sector poses a national security risk.
The Chair
We now come to amendment 20 to clause 17. This is Christian Matheson’s big moment. I call him to move the amendment.
Christian Matheson (City of Chester) (Lab)
I beg to move amendment 20, in clause 17, page 29, line 31, at end insert—
“(4) Where the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would, under subsection (2), be contrary to the interests of national security, a copy of the direction or notice must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.
(5) Any information excluded from what is laid before Parliament under the provision in subsection (3)(b) must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.”
This amendment would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to a designated vendor direction or designation notice which on grounds of national security is not laid before Parliament, thereby enabling Parliamentary oversight of all directions and notices.
The Chair
With this, it will be convenient to discuss the following: amendment 22, in clause 20, page 35, line 30, at end insert—
“(9) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section which relates to a direction or notice that has not been laid before Parliament on grounds of national security.
Amendment 23, in clause 20, page 37, line 41, at end insert—
“(10) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision which relates to a direction or notice that has not been laid before Parliament on grounds of national security.
Amendment 24, in clause 21, page 39, line 9, at end insert—
“(6) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction which relates to a direction that has not been laid before Parliament on grounds of national security.
Amendment 25, in clause 21, page 40, line 6, at end insert—
“(8) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification which relates to a direction that has not been laid before Parliament on grounds of national security.
Christian Matheson
I am sure the Committee has been waiting with bated breath for my big moment all morning, Mr Hollobone. May I say what a great pleasure it is to serve under your chairmanship?
I had prepared some notes to help me present the amendments, but I need not have bothered; I could simply have taken the Hansard report from last week and quoted my right hon. Friend the Member for North Durham. He talked about being a stuck record, but he is not; he is being consistent. I like to think that Labour has been consistent throughout the detailed consideration of the Bill. My hon. Friend the Member for Newcastle upon Tyne Central talked about the three areas that we consistently think would improve the Bill, and the amendment falls into one of those areas: scrutiny and the role of the Intelligence and Security Committee.
I refer to my right hon. Friend’s speech last week on amendment 9, when he talked about the desire to help the Bill. He also laid down a challenge. He commented on the fact that I thought that some parts of his speech were inspirational. They were, because they made me think quite a lot. There was one lightbulb moment when he used his experience of, I believe, 20 years in the House this year—on which I congratulate him—and said that the chances are that a similar amendment will be proposed in their lordships’ House and the Government may well agree to it.
My right hon. Friend also said that it is not necessarily a good thing for the Minister—not in this case, mind you—to be a tough guy who wants to get through the Bill without any amendments, when there is a genuine desire among the Opposition to get the Bill through. I remind the Minister and Government Members that we support the Bill. There have been occasions when an Opposition have tried to scupper, delay or make mischief with a Bill. I assure Government Members—I hope it is obvious to them—that there is no such skulduggery on this side of the House, not with this Bill and not ever, and certainly not when my hon. Friend the Member for Newcastle upon Tyne Central, my right hon. Friend the Member for North Durham and I on the Bill Committee. We are genuinely keen to improve the Bill during its passage.
The amendment again falls into one of the three areas my hon. Friend the Member for Newcastle upon Tyne Central has identified as necessary. As the Minister may have guessed, the chances are that we will not put it to the vote, but we do ask that he gives it careful consideration. I refer the Committee to the speech by my right hon. Friend the Member for North Durham last week about the role of the Intelligence and Security Committee. Amendments 20 to 25 relate to different clauses, but have the common aim of ensuring that there is correct parliamentary oversight of the process outlined in the Bill, specifically by referring all orders made under proposed new section 105Z11 of the Communications Act 2003 to the Intelligence and Security Committee.
It would normally be the Digital, Culture, Media and Sport Committee that would take on telecommunications matters. Additionally, the Secretary of State may lay orders before Parliament for general consideration and scrutiny. However, the Bill has our national security at its heart, and as a proud former member of the Culture, Media and Sport Committee, I am the first to admit that it would not be at all an appropriate forum for the consideration of such reporting to take place, nor would it be the normal procedure for laying orders before this House or the other place, either in general or on the specifics of the order.
As we touched on last week, the temptation is therefore the default position that no reporting at all would take place, which is clearly not desirable. I hope the Minister will confirm that that is not the Government’s intention. To be fair, I think he touched on that point last week, but it would be helpful if he could touch on it again.
The use of the ISC is therefore an elegant and obvious solution. The Committee, of which my right hon. Friend the Member for North Durham is such a distinguished member, has worked well and has the confidence of the House. It provides a secure and trusted forum for decisions of the Secretary of State that may have far-reaching commercial and technical implications, as well as security implications, to be scrutinised and considered by hon. Members who are able to receive the full facts and make a judgement based on them, while giving nothing away to those who wish us ill and would exploit our open democracy in doing so. I see no reason why our determination to protect our communications infrastructure should be used against us by our adversaries, but nor should that determination be traded off with a reduction in parliamentary scrutiny of the Executive and agencies that act on behalf of us all.
The ISC is there for a reason: it is precisely to cover situations such as this. If the Minister can propose an alternative solution that balances security with scrutiny, we would be pleased to hear it. I suspect this solution would also make commercial UK businesses more open to scrutiny themselves by offering a level of confidentiality, although I accept that that is not the primary role of the ISC.
It should also not be option for the Secretary of State to report. Such a chaotic patchwork would undermine the integrity of the Bill and the processes that we are setting up. Failing any alternative being proposed, we believe that these amendments, which involve the ISC acting on behalf of the whole House—indeed, the whole of Parliament—would fill a glaring hole and enhance the Bill. I commend them to the Committee.
Mr Jones
My hon. Friend the Member for City of Chester said that we were going over old ground, and to a certain extent we are because some of the amendments reflect those that I moved last week.
May I say at the outset, Mr Hollobone, that the Minister has been an exemplar in engaging with and briefing the ISC? He has set something of a precedent; usually we have only Cabinet Ministers or Prime Ministers before us to give evidence. He is one of the few junior Ministers to have appeared before us, so I congratulate him. He did it because he wanted to engage with the issues. He must therefore be commended on his commitment to ensure that there is scrutiny. However—this is not to wish his demise, but to argue for his promotion—he will not be there forever. I think he does not quite understand why the Government are not at least moving on this.
The ISC’s remit is defined in the Justice and Security Act 2013. It sets out which Departments we cover, and the Department for Digital, Culture, Media and Sport is not one of them. However, as I said last week, security is increasingly being covered by other Departments, and this Bill is a good example. The National Security and Investment Bill is another one, where security decisions will be taken by the Secretary of State for Business, Energy and Industrial Strategy. Parliament must be able to scrutinise that.
If a high-risk vendor is designated as banned from the network by the Secretary of State for Digital, Culture, Media and Sport, there are perfectly good reasons why the intelligence behind that cannot be put into the public domain. The methods by which such information is acquired are of a highly sensitive nature, so it would not only expose our security services’ techniques, but in some cases would make vulnerable the individuals who have been the source of that information. I think most people would accept that that is a very good reason.
This sort of thing is happening increasingly. We have the two Bills that I have referred to, but we also have the Covert Human Intelligence Sources (Criminal Conduct) Bill, which will come back to the House tomorrow. Covert human intelligence and the ability to collect intelligence on behalf of our security services is very important. Most of that is covered by the Home Office, and covert human intelligence sources are covered by the ISC’s remit and can be scrutinised. However, there is a long list of other organisations that will be covered by tomorrow’s Bill, including—we never quite got to the bottom of this—the Food Standards Agency, for example. Again, how do we ensure that there is scrutiny of the decisions?
We also have—this has come out of the pandemic—the new biosecurity unit in the Department of Health. Again, there is no parliamentary scrutiny, because the Health and Social Care Committee will not be able to look at the intelligence that supports so much of that. An easy way out of this is in the Justice and Security Act 2013: the memorandum of understanding, which just means that, were our remit extended to look at this and other matters, the ISC could oversee and ask for the intelligence.
Having spoken to the Business Secretary and the Minister, who sympathises with us, I am not sure where the logjam is in Government. The point is that an amendment will be tabled in the Lords. Whether the provision is in the Bill or just in the memorandum of understanding between the Prime Minister and the ISC, it is easily done and would give confidence that the process at least had parliamentary oversight.
On many of these decisions, frankly, the oversight would not be onerous; we are asking only that we are informed of them. On some occasions, we might not even want to look at the intelligence. It might be so straightforward that, frankly, it is not necessary, so I do not think that it is an administrative burden. I cannot understand what the problem is. To reiterate what I said last week in Committee, it is not about the ISC wanting to have a veto or block over such things. It is, rightly, for the Government and the Secretary of State to make and defend those decisions.
It is also not about the ISC embarrassing the Government, because we cannot talk in public about a lot of the information that we receive. It is not as though we would publish a publicly available report, because of the highly classified nature of the information. However, the ISC can scrutinise decisions and, if it has concerns, write to the Prime Minister or produce a report for the Prime Minister raising them. That gives parliamentary scrutiny of the Executive’s decisions.
As I say, the report might not be made public. People might ask, “Would that be a new thing?” No—it happens all the time. For example, on the well-publicised Russia report this year, there was a public report with redactions in it and quite an extensive annex, which raised some issues that we were concerned about. That annex was seen only by individuals in Government, including the Prime Minister.
There is already a mechanism, so I fail to understand why the Government want to oppose this. From talking to Ministers privately, I think that there is a lot of sympathy with the position and I think that we will get there eventually. How we get there and in what format, I am not sure—whether the method is to put it in the Bill or to do it through the mechanism in the 2013 Act. That might be a way forward.
Chi Onwurah
I rise to support the excellent comments made by my hon. Friend the Member for City of Chester and my right hon. Friend the Member for North Durham. I did well to delay my remarks till after my right hon. Friend had spoken, because he has set out very effectively, based on his considerable experience as a long-standing member of the Intelligence and Security Committee, both why it is important that that Committee should be consulted and receive the reports, and why it is hard to understand the Minister’s reluctance both in this Bill and in the National Security and Investment Bill to involve a source of such credible security expertise and, importantly, security clearance in key issues of national security.
I want to add two points to those made by my right hon. and hon. Friends. The first is to reiterate a point made previously: our security threats are changing, evolving and, unfortunately, diversifying. We see that in changes to our defence spending, in changes in the national review of our defence capabilities, and in changes in the evolution of the geopolitical landscape—the potential source of threats. However, the Minister does not seem able to support reflecting that by ensuring that, rather than keeping to our existing modes of parliamentary scrutiny, we enable parliamentary scrutiny of issues of national security by those who are best placed to carry out such scrutiny—undoubtedly members of the Intelligence and Security Committee.
I want to point briefly to a discussion in the evidence sessions. Ofcom made it clear that it does not consider itself in a position to make national security decisions, which is understandable, and that some of the decisions and considerations about national security with regards to telecommunications networks would require people who have STRAP clearance. Ofcom’s group director for networks and communications pointed to the fact that she had had STRAP clearance previously, and she said that if the NCSC
“feels that that is needed for the type of information that we may need to handle, we would make sure that happened.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 90, Q115.]
To my knowledge, Digital, Culture, Media and Sport Committee members do not have STRAP clearance. I would like the Minister to comment specifically on the level of security clearance required for members of the Committee that he has identified as being the location for scrutiny of important issues of national security. What level of security clearance do its members have? Would that enable the scrutiny that we all agree is in the best interests of the Bill?
I would like the Minister to respond to a specific example. Amendments 20, 22, 23, 24 and 25 are designed to require that the Intelligence and Security Committee has access to the appropriate information. There is a requirement for the Secretary of State to lay before Parliament a copy of a designated vendor direction, as set out in clause 15, which inserts new section 105Z11 into the Communications Act 2003. The new section states:
“The Secretary of State must lay before Parliament a copy of—
(a) a designated vendor direction;
(b) a designation notice;
(c) a notice of a variation or revocation of a designated vendor direction; and
(d) a notice of a variation or revocation of a designation notice.”
So far, so good—we have that scrutiny. However, the new section also says:
“The requirement in subsection (1) does not apply if the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would be contrary to the interests of national security.”
Chi Onwurah
We support clause 17 and our amendments are intended to make it more accountable to Parliament and therefore more successful and effective in securing our national security.
The Chair
Order. I misled the hon. Lady. We are now discussing amendments 20 and 22 to 25. When we finish the debate on those amendments, we will debate clause 17 stand part. The hon. Lady may want to save this part of her remarks until the next debate.
Chi Onwurah
Thank you, Mr Hollobone. It is sometimes confusing to know exactly what is being discussed at what point. With that, I ask the Minister to respond to our concerns about the scrutiny of the powers in the clause.
Matt Warman
I welcome the second salvo in the campaign to address this matter by the right hon. Member for North Durham. He said it would be an ongoing campaign.
This group of amendments would require the Secretary of State to provide information relating to a designated vendor direction or designation notice to the ISC. The amendments would require the Secretary of State to do this only where directions and designation notices had not been laid before Parliament, whether in full or in part, as a result of the national security exemptions in clause 17. It will not surprise the right hon. Member for North Durham or other Opposition Members that some of these short remarks will overlap with the conversation that we had earlier on a similar matter.
Amendment 20 would require designated vendor directions or designation notices to be provided to the ISC. Amendments 22 to 25 would require the Secretary of State also to provide the ISC with copies of any notifications of contraventions, confirmation decisions and so on. Although I recognise some Members’ desire for the ISC to play a greater role in the oversight of national security decision making across government, including in relation to this Bill, the amendments would, as the right hon. Member for North Durham knows, extend the ISC’s role in an unprecedented way. None the less, I thank his welcome for my unprecedented appearance.
As I said in the debate on amendment 9, the ISC’s primary focus is to oversee the work of the security and intelligence agencies. Its remit is clearly defined in the Justice and Security Act 2013, and the accompanying statutory memorandum of understanding, to which the right hon. Gentleman referred. I do not think he thinks it is my place to take a view on that role, and I do not think this Bill is the place to have that debate.
Mr Jones
Yes, but I would ask the Minister’s civil servants to read the Act before they write this stuff for him. The Act refers to “intelligence”. Our remit is not fixed by a Department. I know the Minister sympathises with this and that we will get there eventually, but I say to his civil servants, please read the Act.
Matt Warman
I will come on to that. Accepting any of these unilateral amendments to this Bill is not the appropriate place to achieve an overall enhanced role for the ISC—
Mr Jones
I am sorry to say to the Minister that it is not looking for an enhanced role at all. It is actually doing what it says in the Justice and Security Act 2013. It is about scrutinising intelligence. A lot of the information, which will be used by him and others in these orders, will be derived from the same decisions that we oversee .
Matt Warman
Absolutely. Members of the Committee should note that in exercising the powers created by this Bill, the Secretary of State will be advised by the NCSC on relevant technical and national security matters. The NCSC’s work already falls within the Intelligence and Security Committee’s remit, so the right hon. Gentleman has found his own salvation.
In that context, the amendment seems to duplicate that existing power, while also seeking to do something that is better done in reform of a different Act, if that is what the right hon. Gentleman seeks. I am sorry to disappoint him again. I think he knew already that I would do that, but I look forward to his third, fourth and fifth salvos in his ongoing campaign.
Christian Matheson
I hear the Minister’s explanation, which we have been over before when considering other amendments. He talks about other salvos by my right hon. Friend the Member for North Durham. I go back to the statement that my right hon. Friend made last week, which is that he expects that at some point something will happen and we will move forward.
The Chair
Order. If the hon. Gentleman would like to chair this afternoon’s sitting, I am sure we could arrange for him to do that. I know Members will be disappointed, but I am instructed to say that as it is 11.25 am, the Committee is now adjourned.
Telecommunications (Security) Bill (Eighth sitting)
Tuesday 26th January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 26 January 2021 - (26 Jan 2021)
The Committee divided: - Ayes: 3 / Noes: 10 - Question accordingly negatived.
The Committee divided: - Ayes: 3 / Noes: 10 - Question accordingly negatived.
The Committee divided: - Ayes: 3 / Noes: 10 - Question accordingly negatived.
The Chair
Before we begin, I know this is difficult and people forget, but Mr Speaker is clear: we should be wearing our masks if we are not speaking. I ask you to do your best to comply with that, because it is sensitive. The rules under which the House is allowed to operate have been agreed with health and safety, meaning that if we are not complying, not only are you putting everyone at risk, but unfortunately all the work that has been done could be invalidated. I urge people to do their best to remember.
Clause 17
Laying before Parliament
Amendment proposed (this day): 20, in clause 17, page 29, line 31, at end insert—
“(4) Where the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would, under subsection (2), be contrary to the interests of national security, a copy of the direction or notice must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.
(5) Any information excluded from what is laid before Parliament under the provision in subsection (3)(b) must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.”—(Christian Matheson.)
This amendment would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to a designated vendor direction or designation notice which on grounds of national security is not laid before Parliament, thereby enabling Parliamentary oversight of all directions and notices.
Question again proposed, That the amendment be made.
The Chair
I remind the Committee that with this we are discussing the following:
Amendment 22, in clause 20, page 35, line 30, at end insert—
“(9) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section which relates to a direction or notice that has not been laid before Parliament on grounds of national security.
Amendment 23, in clause 20, page 37, line 41, at end insert—
“(10) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision which relates to a direction or notice that has not been laid before Parliament on grounds of national security.
Amendment 24, in clause 21, page 39, line 9, at end insert—
“(6) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction which relates to a direction that has not been laid before Parliament on grounds of national security.
Amendment 25, in clause 21, page 40, line 6, at end insert—
“(8) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”
This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification which relates to a direction that has not been laid before Parliament on grounds of national security.
I need to understand, Mr Matheson, what your intention is.
Christian Matheson (City of Chester) (Lab)
As you correctly say, Mr McCabe, I need to announce my intention, but just as I was about to, the Committee was halted. I am reminded of the occasion involving that notorious football referee Clive Thomas. The 1978 World Cup blew up against Brazil because, as the ball was heading towards the goal, he disallowed the goal. That was rather how I felt this morning.
That said, I do not wish to press the matter further, despite the fact that I had devastating remarks that would have swayed the Minister. I will not put my amendments to the vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 17 ordered to stand part of the Bill.
Clause 18
Monitoring of designated vendor directions
Question proposed, That the clause stand part of the Bill.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
It is a pleasure to be back under your chairmanship, Mr McCabe.
I will try to rattle through these as quickly as I can. Clauses 18 to 23 cover monitoring and enforcement, and further provisions relating to non-disclosure and information requirements. Clause 18 gives the Secretary of State the power to give Ofcom a monitoring direction, requiring the regulator to obtain information relating to a public telecoms provider’s compliance with a designated vendor direction and to provide that information in a report to the Secretary of State.
The clause also includes requirements about the form of such reports and the procedures around their provision, but it does not create any new powers for Ofcom, which already has them under section 135 of the Communications Act 2003. The provisions in the clause are an integral part of the compliance regime. The power to give a monitoring direction to Ofcom is necessary to ensure that the Secretary of State has the ability to require it to provide the information needed to assess compliance with designated vendor directions.
Clause 19 provides Ofcom with the power to give inspection notices to public communications providers. The provisions will apply only where the Secretary of State has given Ofcom a monitoring direction. Inspection notices enable Ofcom to gather information from communications providers in relation to their compliance with a direction. The notices are a tool for Ofcom to give effect to its obligations under a monitoring direction.
Clause 19 also sets out the new duties that inspection notices can impose, the types of information that they can be used to obtain and how the duties in an inspection notice will be enforced. Ofcom may only give inspection notices in order to obtain information relating to whether a provider has complied or is complying with a direction. The notice power cannot be used to obtain information relating to whether a provider has complied or is complying with a direction. The notice power cannot be used to obtain information relating to how a provider is preparing to comply with a direction. Ofcom can instead use its other information-gathering powers under section 135 of the Communications Act 2003 to obtain such information.
Clause 20 provides the Secretary of State with the powers necessary to enforce compliance with designated vendor directions, as well as with any requirement for a public communications provider to prepare a plan setting out the steps it intends to take to comply. It is the Secretary of State’s responsibility to issue directions where necessary in the interest of national security. Clause 20 is essential to ensure that the Secretary of State can carry out this role effectively and enforce compliance with any directions issued. New sections 105Z18 to 105Z21 will be inserted into the Communications Act 2003 for this purpose. The provisions set out the process that the Secretary of State will follow in instances where an assessment is made that a public communications provider is not acting in compliance with the direction or with the requirement to provide a plan. The process encompasses giving a contravention notice, enforcing it and imposing penalties for non-compliance. The clause is essential in ensuring that the Secretary of State can carry out the role effectively and deters and penalises instances of non-compliance.
Clause 21 provides the Secretary of State with the power to give urgent enforcement directions. Provisions to enable urgent enforcement are needed in cases where the Secretary of State considers that urgent action is necessary to protect national security or to prevent significant harm to the security of a public electronic communications network, service or facility.
Clause 22 creates a power for the Secretary of State to impose a requirement on public communications providers or vendors not to disclose certain types of information without permission. The provisions are necessary to prevent the unauthorised disclosure of information, which would be contrary to the interest of national security.
Finally, clause 23 creates a power for the Secretary of State to require information from a public communications provider or any other person who may have information relevant to the exercise of the Secretary of State’s functions under clauses 18 to 21. For example, the Secretary of State can require information on a provider’s planned use of such goods or information relating to how a network is provided. It can also include information about the proposed supply of goods or services. The ability to gather such information would ensure that the Secretary of State is able to make well-informed decisions when considering whether to issue designation notices and designated vendor directions. Information obtained through the use of this power can also be used to support the monitoring of compliance, with directions supplementing information gathered by Ofcom through its information-gathering and inspection notice powers.
To summarise, new sections 105Z18 to 105Z21 together establish the power and processes that outline how the designated vendor regime will be monitored and enforced. The provisions in clause 22 are needed to manage the disclosure of information, the unauthorised disclosure of which may be contrary to national security, and clause 23 will ensure that the Secretary of State is able to obtain the information necessary to make assessments to determine whether to give a notice or direction and to assess compliance.
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
It is a pleasure to serve under your chairmanship once again, Mr McCabe. I will not detain the Committee long with a consideration of the clauses, and I thank the Minister for so ably setting out what the clauses aim to achieve. Indeed, we on this side recognise the importance and the necessity of clauses 18 to 23 in establishing the process and ensuring the powers to obtain information and enforce direction as part of that process.
We only reiterate a small number of important points to draw attention once again to the breadth of the powers, which enable the Secretary of State to require information to an almost unlimited extent. Given the breadth of the powers, the information and progress on the telecommunications diversification strategy is, once again, notable by its absence. Given the breadth of the requirements, it is notable that there is nothing on progress on the diversification strategy. Nor, if my memory serves me correctly, does the impact assessment reflect the potential costs to either the network operators or Ofcom in exercising these powers. The clauses do not set out the impact and they emphasise once again the importance of Ofcom having the appropriate resources to enable it to carry out the requirements effectively. I hope that the Minister will bear those limitations in mind in his ongoing review of the Bill.
Question put and agreed to.
Clause 18 accordingly ordered to stand part of the Bill.
Clauses 19 to 23 ordered to stand part of the Bill.
Clause 24
Further amendment concerning penalties
Question proposed, That the clause stand part of the Bill.
Matt Warman
Clause 24 enables higher penalties than those currently set out in the Communications Act 2003 to be issued by Ofcom, and clause 25 makes two necessary consequential amendments to that Act. The penalties under clause 24 can be imposed for contraventions of requirements to provide information to Ofcom for the purpose of its security-related functions. That includes when providers do not provide information requested by Ofcom for the purpose of providing a report to the Secretary of State.
Penalties can be set at a maximum of £10 million or, in the case of a continuing contravention, up to £50,000 a day. These maximum penalties are a marked increase on the existing ones, which are capped at £2 million, or £500 a day. This clause ensures that the maximum penalties are the same as those in clause 23. The size of these penalties is appropriate given the potential impact of the situation described. Proposed new section 139ZA(5) of the 2003 Act, inserted by this clause, gives the Secretary of State the power to change, by regulations subject to the affirmative procedure, the maximum amount of the fixed and daily penalties. That will help to future-proof the framework by ensuring that penalties can be adjusted over time—for example, because of inflation.
In summary, clause 24 enables Ofcom to issue the financial penalties necessary to ensure that providers supply it with the information that it needs. Clause 25 contains the consequential amendments to that, which are necessary because the Bill creates a number of powers to make regulations and some of those regulations will amend primary legislation.
The Chair
With this it will be convenient to discuss the following:
Clause 27 stand part.
Government amendments 1 to 4.
Clauses 28 and 29 stand part.
Matt Warman
I will be brief, but it is important to cover the Government amendments. The clause provides that any increase in expenditure attributable to the Bill is paid out by Parliament. Clause 27 covers the extent of the Bill and clause 28 provides for the commencement of the Bill’s provisions.
I turn to the small set of amendments that the Government deem necessary, given that the Bill will be carried over to the second Session. The Bill creates new national security powers for the Secretary of State to address the risks posed by high-risk vendors through the issuing and enforcement of designated vendor directions in clauses 15 to 23 and 24. Amendment 1 enables clauses 15 to 23 to come into force on the day on which the Bill receives Royal Assent. Amendment 2 ensures that the higher penalties also come into force. Amendment 3 removes the subsection of clause 28 providing for sections to come into force at the end of the two-month period. Finally, amendment 4 ensures that the provisions of clause 24 that are not commenced early come into force via commencement regulations on a day determined by the Secretary of State. Without the amendments, the provisions relating to those powers would come into force two months after the Bill receives Royal Assent, which could put at risk the timely implementation of this important policy.
Question put and agreed to.
Clause 26 accordingly ordered to stand part of the Bill.
Clause 27 ordered to stand part of the Bill.
Clause 28
Commencement
Amendments made: 1, in clause 28, page 46, line 19, leave out “section 14” and insert “sections 14 to 23”.
This amendment would cause clauses 15 to 23 to come into force on Royal Assent.
Amendment 2, in clause 28, page 46, line 19, at end insert—
“(ca) section24, so far as it relates to section18;”.
This amendment is consequential upon Amendment 1. Clause 24 provides for higher penalties to be available for certain contraventions of information requirements, including contraventions associated with section 105Z12 of the Communications Act 2003, which is inserted by clause 18.
Amendment 3, in clause 28, page 46, line 25, leave out subsection (2).
This amendment is consequential upon Amendments 1 and 2.
Amendment 4, in clause 28, page 46, line 30, at end insert—
“(ba) section 24 (so far as not already in force by virtue of subsection (1));”.—(Matt Warman.)
This amendment is consequential upon Amendments 1 and 2.
Clause 28, as amended, ordered to stand part of the Bill.
Clause 29 ordered to stand part of the Bill.
New Clause 3
Duty of Ofcom to report on its resources
‘(1) Ofcom must publish an annual report on the effect on its resources of fulfilling its duties under this Act.
(2) The report required by subsection (1) must include an assessment of—
(a) the adequacy of Ofcom’s budget and funding;
(b) the adequacy of staffing levels in Ofcom; and
(c) any skills shortages faced by Ofcom.’.—(Christian Matheson.)
This new clause introduces an obligation on Ofcom to report on the adequacy of their existing budget following the implementation of new responsibilities.
Brought up, and read the First time.
The Chair
With this it will be convenient to discuss new clause 7— Review of Ofcom’s capacity and capability to undertake duties (No.2)—
‘(1) The Communications Act 2003 is amended as follows.
(2) After section 105Z29 insert—
“105Z30 Review of Ofcom’s capacity and capability to undertake duties
The Secretary of State must, not later than 12 months after the day on which the Telecommunications (Security) Act 2021 is passed, lay before Parliament a report on Ofcom’s capacity and capability to undertake its duties under this Act in relation to the security of public electronic communications networks and services.”.’
This new clause would require the Secretary of State to report on Ofcom’s capacity and capability to undertake the duties provided for in the Telecommunications (Security) Bill which would be inserted into the Communications Act 2003 under the cross-heading “Security of public electronic communications networks and services” (which would encompass all the clause numbers which start with 105).
Christian Matheson
I do not want to detain the Committee all that long. The basis of the new clause is to ensure that Ofcom has the staffing and financial resources, as well as the capacity and technical capability, to undertake its new responsibilities under the Bill.
I remind the Committee that we heard in the evidence sessions that this is only one of several new areas of responsibility that Ofcom has received in recent years. For example, it now has responsibilities for regulating aspects of the work of the BBC. Parliament will be presenting Ofcom with responsibilities in relation to online harms, all of which is to be welcomed, but we have to recognise that there will be an overstretch for Ofcom.
In the area that the Committee is considering, there are technical complications that require specific sets of talents and capabilities which, we have heard previously, are not always in ready supply in the sector. We heard evidence that Ofcom, in common with other public sector bodies, does not pay as highly as some high-end consultancies, suppliers, developers or software houses, and therefore there will be churn. I do not want to stand in the way of anyone’s career development, but understandably there will be churn, in terms of Ofcom’s ability to maintain its responsibilities in what we know will be a continually evolving sector that throws up new technical challenges.
New clause 3 provides a duty on Ofcom to report on its resources, including the
“the adequacy of Ofcom’s budget and funding…the adequacy of staffing levels….and any skills shortages faced”.
In doing so, it will concentrate the minds of senior management at Ofcom, although I have no doubt that those minds will be focused on these matters already. Perhaps they will give this priority, particularly in terms of forward planning, and they will think, “We’re okay at the moment, but are we going to require extra and additional capability in area x, y or z in the next couple of years.” It will also focus and concentrate the minds of Ministers and Parliament, ensuring that Ofcom has the resources and capability to achieve the tasks that we have given it.
We heard many lines of evidence from the expert witnesses. My hon. Friend the Member for Newcastle upon Tyne Central may refer to some of them in her contribution, and I do not want to undermine that. Professor Webb said:
“I doubt Ofcom has that capability at the moment. In principle, it could acquire it and hire people who have that expertise, but the need for secrecy in many of these areas is always going to mean that we are better off with one centre of excellence”.
Emily Taylor of Oxford Information Labs said:
“Ofcom is going to need to upskill. In reality, as Professor Webb has said, they are going to be reliant on expert advice from NCSC, at least in the medium term,”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 79, Q95.]
The new clause is about assisting Ofcom to make an audit of what is available and ensuring that it is up to standard in terms of technological changes. It will also ensure that it is looking forward, in the midst of all the other responsibilities that Parliament is asking it to undertake, in order to maintain a level of skills and expertise that will enable it to undertake the snapshot reviews of current networks, as well as reviews of future provision and threats to the network. I hope that the new clause is self-explanatory and I am pleased to present it to the Committee.
Mr Kevan Jones (North Durham) (Lab)
I would like to speak to new clause 7, which stands in my name. It is related to new clause 3, in the name of my hon. Friend the Member for City of Chester. As he has just said, Ofcom has had an expansion of its duties in the last few years and become a little bit like a Christmas tree with added responsibilities, but none of them will be as important for the nation’s future as this. That is not to decry any of the expertise or other duties that Ofcom has, but national security and the security of our national telecoms infrastructure, is a vital new task. I have said before that my concern about Ofcom centres on national security. That is why I have tabled amendments to the Bill. My fear is that Ofcom will not have the necessary expertise, although I am not suggesting that it cannot develop into a good regulatory body looking at security and our national telecoms infrastructure.
I tabled parliamentary questions on Ofcom’s budgets and headcounts, and I am glad to see that its budget and personnel have increased as its tasks have grown. That was not the case in 2010, when its budgets were subject to some quite savage cuts. My concern—I will call this my Robin Day approach—is that we have to future-proof Ofcom to ensure that the organisation not only has the budget but also has the personnel it needs. I do not want to suggest that the Minister would want to cut Ofcom’s budget at present, as it does important work. However, it is a regulator and perhaps does not have the clout of a Government Department, so any future Chancellor or Treasury looking for cuts disguised as efficiencies could see it as easy, low-hanging fruit.
Ensuring that the Secretary of State undertakes duties highlighting Ofcom’s efficiency puts a spotlight on the basis of considerations by future Administrations of any political persuasion. That will be important, not just in the early stages but as we continue. It may take a while for Ofcom to get up to speed, but I want to ensure that that continues. The obligation for the Secretary of State to report on Ofcom would at least give me comfort that first, it is being looked at and, secondly, that civil servants cannot in future just assume that an easy cut can be made but which might then impact on our national security.
I raised another subject with the head of Ofcom when she appeared before the Committee. I do not really want to rehearse the discussions again, but as the Bill progresses the Minister will have to give assurances on security, and try to demonstrate the close working relationship between Ofcom and the security services. That will be important, as it will give credibility to the expectation that Ofcom can actually do the job that we have set out. If the Minister does that, it will reassure people who may not be convinced that Ofcom has the necessary expertise, and ensure that that close working relationship continues, not just now but in future, so that national security is at the centre of this.
There will always be a balance—as I said, we saw it in the National Security and Investment Bill—between wanting, quite rightly, to promote telecoms as a sector, and national security. I fall very much on the side of national security being the important consideration, and we need to ensure that that is always the case. It is important that national security and intelligence agencies are able to influence these decisions, not just in respect of Ofcom but also in respect of Ministers in future.
Chi Onwurah
I support and second the comments and contributions of my hon. Friend the Member for the City of Chester (Christian Matheson) and of my right hon. Friend the Member for North Durham (Mr Kevan Jones), who tabled new clauses 3 and 7. I would also like to congratulate the Committee on having made it through, as it were, the thickets of the Bill as it stands to the sunlit uplands of our new clauses, which are designed to improve it in a constructive and supportive way.
New clauses 3 and 7 both address the challenge of Ofcom’s resources. As Members of the Committee know, I joined Ofcom in 2004. I know that we are not allowed to use props in debates in the Chamber, but the Communications Act 2003, which I am holding in my hand, is the Act with which the Bill is concerned. The changes that the Bill makes are mainly adding to that Act.
Mr Jones
This is about resources for Ofcom as a whole, but there will also be debate within Ofcom about how its resources are spent. Without any ring-fenced moneys for security, is my hon. Friend concerned, like me, that not only the external control of the budget but that debate internally might compromise security?
Chi Onwurah
My right hon. Friend makes an excellent point. This debate is important for the Bill and important for our new clauses. It is also important that the Minister clarifies what the duties and priorities of Ofcom should be. Having worked for Ofcom at a different point in its history, I can tell hon. Members that when there is, say, a complaint about the behaviour of somebody in the “Big Brother” household that is hitting all the headlines in all the newspapers, that attracts the sudden concentration of resource—unnecessarily, one might argue. There needs to be a counterweight, if you like, to those headline-driven resourcing bottlenecks, which would be either ring-fencing or reporting on how resource is being used to support national security.
All Opposition Members are clear that national security must be the first priority of Government, and therefore the first priority of Ofcom. This is all the more relevant as I pick up the Communications Act 2003, in all its weightiness, where we find the general duties of Ofcom in section 3:
“It shall be the principal duty of OFCOM, in carrying out their functions—(a) to further the interests of citizens in relation to communications matters; and (b) to further the interests of consumers in relevant markets, where appropriate by promoting competition.”
Security is not mentioned—national security or telecommunications security. During the evidence sessions, the argument was made, although I forget by whom, that security was a necessary part of furthering the interests of citizens in relation to communication matters. That is possibly true, but I still think this important issue would be improved by clarity.
As we know, there is a significant pressure on Ofcom’s resources, which changes week by week and month by month depending on what the issues are in the many and increasing domains in which it operates. If these principal duties of Ofcom do not reflect our national security, the concern is that having no direct reporting mechanism to Parliament could mean these resources being used opaquely, with no direct requirement to prioritise national security. I hope the Minister will agree that new clauses 3 and 7 solve a problem the Bill will have in practice. I hope that if he will not agree to the clauses as they stand, he will agree to consider how Ofcom’s prioritisation of national security interests can be made clearer.
Mr Jones
As I have said before, I am not a great fan of arm’s length regulators, because it is a way of Government Departments and Ministers off-loading their responsibilities. Given how my hon. Friend has described the Bill, the way this is going means that Ofcom will be larger than DCMS in the future. Does she share my concern about accountability if things go wrong? It is a good get-out for the Government to be able to hide behind Ofcom, rather than Ministers taking direct responsibility.
Chi Onwurah
As always, my right hon. Friend raises a good point. Having worked for a quango, I had clear insight into the line between independence and dependence, and into the importance of the political will of the Government, regardless of supposed independence. Equally, I saw how any regulator or supposedly independent organisation can be used as a shield for Ministers who do not want to take responsibility.
My right hon. Friend also raises a good point about the hollowing out of capacity in Government Departments. A consequence of 10 years of austerity and cuts is that DCMS and other Departments do not have the capability, capacity or resources that they previously might have enjoyed. I will point out to the Minister the example of the Government’s misinformation unit. It has no full-time employees and is supposed to exist using resources already in the Department—for something as critical now, with the vaccine roll-out, as disinformation.
My right hon. Friend is right to emphasise that given the relationship between the Government and Ofcom, which is an independent regulator, and given the increase in responsibilities that the Bill represents at a time when other responsibilities are also being added to Ofcom, the Minister cannot have it both ways. He cannot have no visibility when it comes to Ofcom’s resources and capacity while giving it yet more responsibility. In fact, this seems to be responsibility without accountability. I hope the Minister will take on board the suggestions in new clauses 3 and 7.
Matt Warman
I thank the hon. Lady for her contributions. To address her central point, it would not be possible for Ofcom to meet the duties Government have tasked it with without addressing the foundational issue of security. It is important that we bear in mind that that is not an exhaustive list, but security will always be a foundational point.
The new clauses would require the Secretary of State to lay a report before Parliament within 12 months of Royal Assent. New clause 3 would require Ofcom to publish an annual report on the adequacy of its budget, resourcing and staffing levels in particular.
As the Committee is aware, the Bill gives Ofcom significant new responsibilities. Ofcom’s budget is approved by its independent board and must be within a limit set by the Government. Clearly, given the enhanced security role that Ofcom will undertake, it will need to increase its resources and skills to meet these new demands. As such, the budget limit set by the Government will be adjusted to allow Ofcom to carry out its new functions effectively. This is of a piece with the direction of travel we are going in. In 2012, Ofcom had 735 employees. Last year, it had 937 employees, so as its remit has expanded, so has its headcount. That will continue to be reflected in the level of resourcing that it will be given.
Christian Matheson
Budget allocations can go down as well as up and there might be a future Government who are not quite as generous as past Governments have been. What guarantee can the Minister offer us that without some kind of reporting, such as that we propose, Ofcom’s budget will not be frozen or, indeed, reduced?
Matt Warman
Ultimately, a mechanism already exists by which Parliament is able to scrutinise Ofcom’s resourcing. Ofcom is required under the Office of Communications Act 2002 to publish an annual report on its financial position and other relevant matters. That report, which is published every March—I am sure the hon. Gentleman is waiting with bated breath for the next one—includes detail on Ofcom’s strategic priorities as well as its finances, and details about issues such as its hiring policies.
Matt Warman
The right hon. Gentleman asks me a question that I may be able to answer in a moment, depending on a number of factors. As for the thrust of his question, Ofcom is ultimately a serious regulator that has the resourcing to do a serious job. The right hon. Gentleman would be criticising us if it had fewer people, so he cannot have his cake and eat it by criticising the fact it has enough to do the job—but I think he is going to have a go.
Mr Jones
Quite the opposite. This just reinforces my point about quangos. If we reach a situation where quangos are bigger than the sponsoring Department it is perhaps best to keep things in-house rather than having arm’s length quangos and the nonsense behind which we hide in this country about so-called independence.
Matt Warman
The reality is that the relationship between Government Departments and regulators is very often incredibly close, but independence is an important part of regulation. Although the right hon. Gentleman makes a reasonable point about the optimal size for in-house expertise versus external expertise, it is getting the balance right between Ofcom, the National Cyber Security Centre and DCMS that this Government and the reporting measures we already have are fundamentally committed to providing.
The right hon. Gentleman talked about Ofcom’s resourcing. Ofcom will not be making decisions on national security matters, as we have said repeatedly, but it will to be responsible for the regulation around these issues. As the right hon. Gentleman said, the Intelligence and Security Committee has shown great interest in how Ofcom is preparing for its new role.
As for the point about disclosure and resources, I would be happy to write to the ISC to provide further details in the appropriate forum about Ofcom resourcing and security arrangements. This could include information that cannot be provided publicly, including information about staffing, IT arrangements and security clearances of the sort that we have discussed. I hope that Opposition Members understand that that is the appropriate forum to provide reassurance and to satisfy the legitimate requirements of public scrutiny on this issue.
Chi Onwurah
I thank the Minister for giving way and for the tone of his response to the different points we made. I will leave the reassurance about writing to the ISC to my right hon. Friend the Member for North Durham. Does the Minister recognise that that does not address the issue of Ofcom’s resources and reporting more generally, particularly lower down the pipeline, when it comes to national security? We have emphasised again and again the breadth of powers. The Minister has said that Ofcom will have the discretion, for example, to require an audit of all operators’ equipment—an asset register audit. It will take significant resource to understand the audit when it comes back. There are significant resource requirements involved that do not necessarily require security clearance but are nevertheless essential to effective security, and the Minister does not really seem to be offering reassurance on those.
Matt Warman
I would say that there is a sensible place to put some of that information, which is the communication to the ISC that I have offered, and there is a sensible place to put other information, which is the annual reporting that already exists. Hopefully the hon. Lady can find some comfort in the fact that both the information that cannot be shared publicly and the information that can will be subject to an appropriate level of parliamentary and public scrutiny.
Christian Matheson
I simply want to welcome the Minister’s comments, and the fact that he has recognised that the Intelligence and Security Committee is the appropriate place to discuss these matters, which, of course, cuts across other clauses that the Committee has already considered. He might bear that in mind on Report.
Matt Warman
I thank the hon. Gentleman for that intervention. I hope that now that I have given those various reassurances, hon. Members are appropriately comforted.
Everyone is waiting for the headcount of DCMS; I am assured that it is 1,304 people, some 300 more than that of Ofcom. I do not know whether that makes the right hon. Member for North Durham happier or more sad.
Matt Warman
We can discuss the optimal sizes of quangos and Departments outside this room. However, the right hon. Gentleman is obviously right that Government Departments and regulators need the resources they require to do their job properly. I hope that by describing the various mechanisms I have provided hon. Members with the reassurances they need to withdraw the new clause.
Christian Matheson
First, I owe you an apology, Mr McCabe; so keen was I to crack on with the consideration of the Bill that I did not say how great a pleasure it was to serve yet again under your chairmanship. I should have done so at the outset and I apologise.
I am grateful to the Minister for his response. I am looking to the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, for a little guidance. It could well be that we might want to serve a little bit longer under your chairmanship, Mr McCabe, by testing the views of the Committee on new clause 3, if we may.
Question put, That the clause be read a Second time.
Chi Onwurah
I beg to move, That the clause be read a Second time.
New clause 5 is similar in its intent to amendment 19, which we discussed earlier. As with all our amendments and new clauses, it is designed to improve the Bill through ensuring greater scrutiny, focus, transparency and security for the diversification of our network. It would introduce a requirement for the Secretary of State to report to Parliament on the impact of vendor designation on national security risks. It would also require Ofcom to produce a forward-looking report on future threats to network security and undertake an assessment of the adequacy of existing measures.
At the centre of the new clause is a wish to reflect the importance of national security not as a snapshot in time but as something that needs to be continually monitored, considered and assessed for future impact. The new clause would require the Secretary of State to produce an annual report for the Intelligence and Security Committee of Parliament. That would ensure that the report can be comprehensive with regard to security issues that might not be appropriate to share with the public or the Digital, Culture, Media and Sport Committee. The new clause would require that the annual report should concern designated vendor directions made under new section 105Z1 and designation notices issued under new section 105Z8. The report must contain an assessment of the national security risks underpinning the directions and notices made under those sections. That is for the Secretary of State to report.
In addition, Ofcom would be required to produce an annual report for the Intelligence and Security Committee to assess the adequacy of existing security measures within the UK public electronic communication network and services. Critically, it should assess future threats to the security of the networks.
As we have discussed, the Bill gives major sweeping powers to the Secretary of State and Ofcom. We want to ensure that they are proportionate and accountable. Like amendments 5, 9, 10, 20 and 22 to 25, the new clause seeks to address issues of oversight, scrutiny and transparency. We have taken some heart from the Minister’s recognition in the previous debate of the unique role of the Intelligence and Security Committee in assessing security implications, in that case resourcing for Ofcom. The new clause would ensure a focused accountability to Parliament, via the Intelligence and Security Committee, of the notices, designated vendor directions and designation notices made under the provisions of the Bill, and the existing security measures and future threats.
As aspects of this have already been debated, I want to focus on assessing future threats to the security of the network and services. The Minister might say that that is part of the responsibility of the National Cyber Security Centre. What we see is a massive transformation of how the UK addresses security in telecommunication networks, for very good reasons, and a significant amount of the responsibility falls on Ofcom.
Matt Warman
As the hon. Lady said, we have addressed various issues relating to the new clause in previous debates. It is important to stress that Ofcom has the resources that it needs. She talked about its ability to face the future, but in our evidence sessions, we talked to Simon Saunders, the director of emerging technology. I know she does not wish to suggest that Ofcom does not do this already, but demonstrably it is already proactively engaged in horizon scanning.
Chi Onwurah
Speaking as someone who was head of technology at Ofcom, I am aware that it engages in horizon scanning. I am sure the Minister will come on to this, but while there might be horizon scanning to understand how markets evolve and what level of competition may be seen in new markets in the future, the new clause deals specifically with horizon scanning for security and security threats. I am sure the Minister will focus on that.
Matt Warman
It is important to say that we have amended section 3 of the Communications Act 2003, to which the hon. Lady alluded, so that Ofcom must have regard to the desirability of ensuring the security and availability of networks and services, so that should be incorporated into the horizon scanning work.
Chi Onwurah
This is an important point. I do not think the 2003 Act has been amended, since I had it reprinted a week ago. We were talking about the principal duties. Under section 3, Ofcom has about two and a half pages of duties that it needs to carry out, but only two principal duties. Those principal duties do not mention security.
Matt Warman
The hon. Lady is right, but as of 31 December 2020, section 3(4) states:
“OFCOM must also have regard, in performing those duties, to such of the following as appear to them to be relevant in the circumstances…the desirability of ensuring the security and availability of public electronic communications networks and public electronic communication services”.
It is absolutely there, but I fear we are getting into a somewhat semantic argument.
Chi Onwurah
The Minister is generous in supporting this back and forth in debate. I will close by pointing out that the duty to which he refers is one of 13 duties, so it can hardly be considered a priority. To put it more fairly, to ensure that it is a principal priority, it would need to be elevated.
Matt Warman
I think an organisation of 937 people can cope with 13 priorities. On one level, however the hon. Lady makes a reasonable point, and it is not one that we disagree with. Security has to be absolutely central to the work that Ofcom will do.
I will not restate the points I have made about how seriously we take the Intelligence and Security Committee and how seriously we will continue to take it. We will continue to write to the Committee on topics of interest as they arise and we are happy to continue to co-operate in the way that I have done; however, as I said in the debate on amendment 9, the primary focus of the ISC is to oversee the work of the security and intelligence agencies, and its remit is defined in the Justice and Security Act 2013. Amending the Bill to require regular reporting to the ISC, as proposed by the new clause, would risk the statutory basis of the ISC being set out across a range of different pieces of legislation.
Matt Warman
Earlier, the right hon. Gentleman was suggesting that it was the memorandum of understanding that he would like to see amended. Now he seems to be suggesting that we should insert the new clause, which will not change the memorandum of understanding.
Mr Jones
No, I said in an earlier contribution that if it were done by the memorandum of understanding, I would be quite happy. I know the Minister is limited in the number of civil servants he has beneath him compared with Ofcom, but will he go away and read the Justice and Security Act 2013? It talks about Departments, but it also talks about intelligence more broadly, which is covered by the memorandum of understanding. I do not know why he is pushing back on this issue; it may be because of the Cabinet Office, which has more civil servants than he has. I suggest that we will win this one eventually.
Matt Warman
That may well be the case, but the right hon. Gentleman is not going to win it here—that is the important point to make. It is right not to try to address this issue in the new clause, but the Government will continue to take very seriously the work of the ISC, as he would expect.
Additionally, the new clause is designed to require Ofcom to provide annual reports to the ISC, which would, as the right hon. Gentleman knows, be particularly unusual in the context of the work of the Committee, as Ofcom will not be making judgments about the interests of national security under the Bill, or as part of its wider function. Ofcom’s role as regulator seems not to be something that comes under the purview of the ISC, even if I understand the broader point. As I said earlier, however, the NCSC is very much under the purview of the ISC, and there are plenty of opportunities for the Committee to interrogate the work of that excellent agency. I am sure the Committee will continue to take up such opportunities with vigour, but as I have said before, it would not be right to seek to reframe the remit of the ISC through the new clause. I ask the Opposition to withdraw it.
Chi Onwurah
I thank the Minister for his comments and for engaging so readily in debate. I have to say that we feel very strongly about the new clause, both for parliamentary scrutiny and for ensuring that Ofcom is looking forward and assessing future threats. With bated breath, I wish to test the will of the Committee on the new clause.
Question put, That the clause be read a Second time.
Chi Onwurah
I beg to move, that the clause be read a Second time.
It is with some sadness that I come to the last new clause we have to present—[Interruption.]. I see that causes some hilarity in the Committee; I am sure that is just nervous laughter and everyone shares my dismay that the focus on telecommunications that the Committee has ably exhibited for the last few sittings will soon come to an end. Our consideration in some detail of the importance and implications of our telecoms network’s security must conclude, but I am pleased that we end on this new clause, which sums up one of the key themes we have focused on throughout our discussions: the importance of the diversification strategy.
Many amendments tabled by the Opposition reflect our concern that the Bill claims to seek the security of our telecommunications networks and yet does not mention once the diversification strategy. We are moving the new clause to put that right. We support the Bill and the Government’s aims in the Bill. We believe it is right to remove high-risk vendors from the UK’s networks and to take the measures in the Bill that will ensure that the Government will be able to designate vendors and require telecoms operators to comply with security requirements. However, those steps must go hand in hand with credible measures to diversify the supply chain, and that must be subject to parliamentary scrutiny.
As I said, the Bill as drafted fails to mention the Government’s diversification strategy and chooses to ignore the impact that the new powers afforded to the Secretary of State and Ofcom will have on supply chain diversity. The Minister recognises that they will reduce diversity, yet there is no reference to the steps that will be taken to diversify the supply chain. The new clause would require the Secretary of State to report on the Government’s diversification strategy’s impact as it relates to the security of telecommunications networks and services.
The Opposition have argued throughout our deliberations that the sweeping powers afforded to the Secretary of State and Ofcom by the Bill must be put under proportionate scrutiny, and the new clause would do that. It would bring about a debate in the House on the findings of the Secretary of State’s diversification strategy report and require a ministerial response no more than two months after the report’s publication. The new clause would therefore provide accountability for the diversification strategy’s progress and lead to real action, not just talk.
It has been said that
“it is essential that we create a more diverse and competitive supply base for telecoms networks”
because reliance on two providers creates “an intolerable resilience risk”. Those are not my words, but the words of the Secretary of State. Members from across the House agree that we cannot have a robust and secure network with only two service providers. That is something we were repeatedly told in the evidence sessions. The chief technology officer of BT Group, the director of emerging technology at Ofcom and the former head of cyber-security at GCHQ think so, and even the Secretary of State thinks so, yet the lack of link between the diversification strategy implementation and the security of our networks is ongoing cause for concern. Now we have the chance to take action, and I am glad to offer the Minister the opportunity to put this right.
This is not new information. The dependence of our telecoms networks on diversifying the supply chain was set out in the 2019 telecoms supply chain report. A leak from that report caused a Cabinet resignation, so important was it considered to be. Unfortunately, in the intervening year and a half, the Government have failed to act, refusing to take the necessary steps to ensure the diversification of our national supply chain, leaving us at real risk of being short-changed on national security. I emphasise, once again, that we place national security at the heart of everything that we do in this Committee.
The UK defence industry seeks to encourage, support and create markets for UK small and medium-sized enterprises, supporting the very best in innovation and helping innovative small and medium-sized enterprises to grow. We would like to see the UK’s telecommunications industry do likewise, to ensure a sovereign security capability. We want the Bill and the diversification strategy to create significant opportunities for UK businesses, linking them to global supply chains.
I welcome the Government’s diversification strategy. After all, I have been calling for a strategy to grow and diversify our telcoms sector for a long time—even before I came to this House. Although the Government have been talking about such a strategy for some time—there was an awful lot of talk about a diversification strategy and bigging it up before it was published—as is often the case with this Government, the strategy that was published was a bit of a disappointment. It lacked the clear commitment and funding that one would expect to find in any effective strategy.
The £250 million committed by the Government over five years came with little detail on how it would be spent. I have now had assurance that the funding is focused on integration and testing facilities, which are necessary, but there is no emphasis on supporting research and development, and particularly supporting our start-ups in the telecommunications sector. In the evidence sessions, Mike Fake of Lumenisity highlighted that the first year of the £250 million diversification funding was equivalent to only 10% of BT’s annual research and development budget. This is not the bold action of a Government committed to network diversification and our telecommunications security.
The diversification strategy declares itself
“a clear and ambitious plan to grow our telecoms supply chain while ensuring it is resilient to future trends and threats.”
That is a bold ambition. It says it will do that by focusing on three main areas:
“Supporting incumbent suppliers to ensure their resilience and ability to supply the market in the near term, while supporting their transition into the emerging market structure; attracting new suppliers into the UK market to build resilience and competition, prioritising deployments that are in line with our longer term vision; accelerating open-interface solutions and deployment so that we are not reliant on any single vendor and begin to realise our long term vision for a more open and innovative market.”
These are all highly laudable. They are not easy. I recognise the challenge that the Government face. As we discussed in the evidence sessions, this comes after decades of neglect of sovereign capability, not only in the UK but by other countries, which is why we find ourselves with only two vendors, both from Scandinavian countries, and no UK, US or other European capability.
We have heard just how difficult this challenge will be. Will the Minister tell me how we can possibly achieve that bold ambition if we fail to monitor the impact of the strategy? We need an annual report on the progress made by the diversification strategy, so that we can apply appropriate parliamentary scrutiny. After all, the strategy commits the Government to regular reports on progress, which is what the new clause asks for, while adding a focus on the diversification strategy’s impact on our national security. That is what it is all about. The Secretary of State tells us that the Government are implementing one of the toughest telecommunications security regimes in the world, but why is there to be no scrutiny applied to this key part of the regime?
When I asked the Minister in parliamentary questions why the diversification taskforce was not diverse in terms of geography—it includes no one from north of Watford—or discipline, having on it no equipment supply chain expertise, I was told that geography did not matter, and that the taskforce was focusing on cyber-security skills. To be fair, the Minister did say that Ian Livingston, the chair, was Scottish, but I think he will acknowledge that he has not lived in Scotland for some time. Geography does matter. We need to build up concentrations of skills and expertise—clusters. Cyber-security is very important, but focusing on it suggests that we are not serious about developing sovereign capability in other very important areas.
We are agreed that diversification is essential, and I hope that we are agreed that that should include UK capability. We also agree that it is challenging. How do we do it? In an evidence session, Professor Webb said:
“If I wanted to diversify, I would instruct the telecoms operators to diversify. I would not try and pull the levers one step removed. I would say to the telecoms operators, either with a carrot or a stick, ‘You must diversify. If you have x number of vendors in your network, I will give you £x million as a carrot.’ The stick might be some kind of licence condition that said, ‘In order to meet your licence, you have to have at least x number of vendors in your network.’”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 73, Q87.]
We also heard from Chris Jackson, who said:
“Incentives definitely play a part in this; to comment on Japan for a moment, I know the Japanese Government have incentivised companies to embrace open RAN, and that might well explain why companies such as Rakuten and NTT DOCOMO have been very successful in launching the technology. That proves it can be done and shows that where there is a willingness, there is a way, but if we can drive all those different parties coming together, that is how we will get traction.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 38, Q43.]
The Government have chosen not to do that. They have chosen to focus on big sticks for security, as set out in the Bill, such as designations, enforcements and fines of up to 10% of turnover, but they have left diversification very much to the market, providing it with a sweetener of £250 million over five years. Surely we have a right—indeed a duty—to monitor how and whether that is successful.
We heard in the evidence sessions that we have significant national promise in terms of capability. Dr Andy Sellars, the strategic development director for the Compound Semiconductor Applications Catapult, said:
“In the UK we have something like 5,000 companies that design and manufacture electronic systems. Something like 600 of them are involved in telecoms. I am not suggesting that all of those 600 become equal players. That would be a crazy scenario. But there are certainly some parts of the telecom network where the UK is pre-eminent. There are some backhaul and fibre technologies that we are very good at. As we deploy 5G into rural communities, that is likely to require low Earth orbit satellites; we are very good at satellite communications.”––[Official Report, Telecommunications (Security) Public Bill Committee, Tuesday 19 January 2021; c. 109, Q142.]
Matt Warman
The hon. Lady raised an important issue. Fundamentally, however, the issue of diversification is twofold. The Government want to see greater diversification within our telecoms supply chain. The £250 million allocated for the first three years of that programme to support the diversification strategy is a hugely important part of it.
As we are already seeing in the increased use of open RAN, whether with Vodafone in Wales or the NeutrORAN project with the NEC, there is already significant progress. I think that demonstrates that the industry does regard this—whether the hon. Lady wants to call it as an incentive or a carrot—as something that is making things happen to a greater extent. The Government cannot legislate for the diversification of the market; that is something that we can incentivise and work with the market to do.
We can monitor the diversity of networks, as Ofcom has the powers to do. We can set requirements on what the minimum standards might look like. For instance, NCSC guidance already says that two vendors should be the minimum, rather than one, for a telecoms network. That gives you an indication of what we will be monitoring and looking at, potentially, in codes of practice in the future. The hon. Lady is right to focus on this important issue, but it is wrong to pretend, important though Secretaries of State are, that any Secretary of State could legislate in the way she describes for the greater diversification that we all seek.
The focus of the Bill is on setting clear and robust security standards for our networks that telecoms providers must adhere to, and they must be met regardless of the diversity within any of those networks. To be fair, the diversity within a provider’s supply chain, in and of itself, does not offer the guarantee of network security. A provider using a diverse supply chain needs to be held to the standards set out in this Bill, so that the provider is able to offer the security standards that we need, regardless of the number of suppliers that they have available.
It is important to reassure hon. Members that Ofcom will have the ability to collect information relating to the diversity of suppliers’ networks under section 135 of the Communications Act 2003, as we have discussed. I do not think it is necessary to specify the need to collect information relating to diversification, as that is just one set of information that Ofcom may collect; it is just as important as several others in monitoring and reporting the security and resilience of networks. It is also important to clarify that, although greater diversity is critical in ensuring that we reduce our national dependence on a small number of suppliers, it is part of a broader approach to building security and resilience across the global supply chain that sits outside the Bill, important though it is. Diversification is an issue broader than the make-up of supply chains for UK providers alone, as the hon. Lady knows.
Chi Onwurah
I thank the Minister for his comments; having spoken for so long myself, I was reluctant to interrupt him. I am pleased that he has clarified that the £250 million is over three years, as opposed to being over five years—I had not seen that before. That is welcome, and I anticipate further funding.
However, the Minister says that the Government cannot legislate for the diversification of the network. Why not? The Government can legislate to break up consolidation in other markets, and they have legislated to do so—for example, competition law does exactly that. We heard in evidence sessions from some who felt that diversification could be achieved only through direct intervention. He implies that I am arguing that diversification delivers telecoms security on its own, but I am not arguing that. I am arguing that it is necessary though not sufficient—clearly, other methods are needed.
The Minister suggests that diversification is one of many things that Ofcom can report on, if it so chooses. That is equally important, but let us be clear that it was the diversification of a supply chain that was the critical report—a report so important that the current Secretary of State for Education was forced to resign because of its leaking, which is why we are here today. The diversification of the supply chain is absolutely critical.
The Minister says that we heard from operators that were committed to diversification, but we also heard that there were real challenges in their commitment to diversification. We would not be where we are today if they were so committed to diversification of their supply chain. That is why there is a need for incentives and intervention. On that basis, it is important to test the will of the Committee on the new clause.
Question put, That the clause be read a Second time.
The Chair
Mr Jones, new clause 7 has already been debated. Do you want to put it to a Division?
The Chair
I realise that this will come as a devastating blow to all of you, but the final question I must put is that—
Chi Onwurah
On a point of order, Mr McCabe. I put on the record my gratitude, and that of my right hon. Friend the Member for North Durham and my hon. Friend the Member for City of Chester, to you and your colleague, Mr Hollobone, for the way in which you have expertly chaired proceedings in the Committee. I also sincerely thank all House staff who have supported our work here, including those representing Hansard, and particularly the Clerks, who have been absolutely invaluable in setting out our desires to improve the Bill in clear and orderly amendments and new clauses.
I also thank all members of the Committee from both sides of the House. This detailed, technical Bill is critical for our national security, coming at a time of national crisis, when we are braving—all of us: staff and Members—a pandemic in order to be here. We have had an orderly and constructive debate.
Matt Warman
Further to that point of order, Mr McCabe. What fun we have had! It is a pleasure to come to this point in the Bill’s passage. I echo the hon. Lady’s thanks to the House staff and to yourself, Mr McCabe, and Mr Hollobone. I also reiterate her point that this is a crucial Bill—one that I am glad enjoys cross-party support. I look forward to debating its further stages in the House.
Bill, as amended, to be reported.