(2 years, 5 months ago)
Lords ChamberMy Lords, I rise to move Amendment 1 in my name and that of my noble friend Lord Clement-Jones, who is sadly unable to be here today. Should your Lordships feel at times that I am going on a bit long, just think of the alternative: it could have been both of us.
I should first say in the spirit of co-operation that the aim of this amendment is wholly positive; it is designed to firmly support the intentions of the first half of this Bill—support which we heard right across your Lordships’ House at Second Reading. While introducing this part of the Bill, the Minister set out a clear need for improved security. He told us:
“The average UK household now has nine internet-connected devices, and over 50% of all UK households purchased an additional consumer connectable product during the pandemic.”
The danger to individuals is getting worse. As the Minister also said:
“In the first half of last year alone, we saw 1.5 billion attacks on connectable products—double the figure of the year before.”
With this rise in connectable devices, the Minister said:
“Thousands of people in the UK have been victims of cyberattacks.”—[Official Report, 6/6/22; col. 1033.]
I suggest that this is understating the situation—it must be tens if not hundreds of thousands—but frankly, we just do not know.
This is an international business, which preys on poor security and badly configured devices. Further, our household devices can be co-opted by sophisticated criminal or political hackers to present significant threats to our national infrastructure. That is why this part of the Bill is important; I think we all agree on that. For a connectable device to be secure, it needs to be set up right but then supported throughout its active life to meet the changing environment of security threats. We are all used to updating our laptop security regularly, but how many times have we updated other household-connectable devices? A baby alarm, for example, is never updated.
At Second Reading, I described my fruitless search within the Bill for a definition of the security support that a consumer might reasonably expect for consumer-connectable products in the house. This Bill takes the secondary-legislative route. Rather than set out what consumers should legally expect in terms of through-life product security support, we were promised some SIs, and we heard what the focus would be.
In a letter sent last week, the Minister gave the Government’s reasons for choosing those three areas; I will come back to them briefly. He wrote:
“we are starting with a focus on the three security requirements that will make the most substantial change to consumer device security at a proportionate cost to business”.
But why just these three? The Bill is heavily based on the Code of Practice for Consumer IoT Security, in which 13 security issues were highlighted. To be clear, the first two—“No default passwords” and
“Implement a vulnerability disclosure policy”—
match those of the Minister. Interestingly, on the third one, there is a big difference in language between the Bill—which mentions providing transparency on how long, at a minimum, the product will receive security updates—and the code, which says, “Keep software updated”.
But there are 10 other major areas. I will not list them, but the fourth is:
“Securely store credentials and security-sensitive data”.
The eighth is
“Ensure that personal data is protected”.
Why are those two not as important as the other three? I cannot fathom why those have been left out and the previous three selected. So, given the choice of 13—the Minister can look them up—what was the logic in choosing just those three and dropping the fourth and eighth in particular?
There is also the issue of changing technology. Without a set of principles, the Government’s aim is to chase technological development with a string of statutory instruments, simultaneously keeping up with the world’s most innovative companies and pitting their ingenuity against the world’s top criminals. Life is moving fast—for example, a recent issue of Wired announced the beginning of the end for passwords:
“At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using ‘Passkeys’ with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination.”
On that basis, this legislation will be partially obsolete before it is enacted.
I have one further technical problem for the Minister to explain. Once again, different bits of government are moving in parallel. A seemingly entirely different exercise—a consultation on app security and privacy interventions—was published in May this year. The suggested interventions include
“a voluntary Code of Practice for App Store Operators and Developers that is intended as a first step.”
Other possible future options set out in the document include
“certification for app store operators and regulating aspects of the Code to help protect users.”
The document then says:
“These proposals link into the National Cyber Strategy through requiring providers of digital services to meet appropriate standards of cyber security and developing frameworks to secure future technologies.”
No mention of this legislation is made.
So where does a connected device end and an app start? Where does the Bill stop and this new code of practice start? If I install my temperature control system, it will involve connected hardware and an app; which of these two pieces of government activity will cover my system, and how are they connected? The Government have not joined this up, and, once again, two things are going on with no connection to each other.
So, I borrowed some of the Code of Practice for Consumer IoT Security for this amendment, which sets out some of the principles. Proposed subsection 2(a) sets a simple obligation for “manufacturers, importers and distributors” to demonstrate a “duty of care”. Proposed subsection 2(b) sets out that
“customers are entitled to have a reasonable expectation that manufacturers, importers, and distributors make sure their consumer connectable products meet minimum cyber security requirements before they are placed on the UK market”.
Proposed subsection 2(c) calls for
“manufacturers, importers, and distributors … to demonstrate an understanding of emerging security threats and a proactive, ongoing support programme to mitigate these risks and ensure that their products are safe by design.”
The Minister would be hard-pressed to argue against these—and his planned SI on accessibility vulnerability is close to proposed subsection 2(c) anyway.
I would like to hear that the Government recognise the benefits that having clear principles in the Bill can deliver. I am sure that the Minister can see these benefits. Secondly, I am not proprietorial over the exact wording. We can use the time between Committee and Report to fine-tune and wordsmith those principles, but I hope that this is a constructive and helpful start.
My Lords, I restate these Benches’ support for Part 1, which introduces a range of important powers and processes relating to the security of consumer-connectable products, including smart TVs, smartphones, connected baby monitors and connected alarm systems, all of which we use in our day-to-day lives. For me, the legislation that we seek to improve today is much needed and needs to move with the times and the way we live. For example, in 2006 there were just 13 million of these devices but in 2024, there is likely to be more than 150 million in the UK alone—a huge projected rise.
I am grateful to the noble Lord, Lord Fox, for introducing this sensible amendment, and to the noble Lord, Lord Clement-Jones, whose name is also on it. It seeks to introduce or suggest some guiding principles relating to product security. For me, the key principles are that manufactures, importers and distributors have a responsibility and a duty of care to meet minimum cybersecurity requirements and look forward to emerging security threats. It seems wise and sensible to include these, so I hope the Minister will take them into account. As the noble Lord, Lord Fox, said, the exact wording of the amendment does not have to be used; it is about the principles. Indeed, it is about not just principles but practice: the message given to consumers as well as to manufacturers, importers and distributors.
I know that in other legislation the Government are often nervous about using the phrase “duty of care”, but, as the Minister knows, there are very real concerns about data collection and privacy. I suggest that this is the very least that consumers should be able to expect. While it may be said that the other principles are not necessary to include, there have been several cases of manufacturers knowing about, yet failing to act on, significant security flaws. I feel this is something we need to guard against.
(3 years ago)
Lords ChamberMy Lords, this has been my first Bill since I joined your Lordships’ House a little over six months ago. Some would say that I was thrown in at the deep end but in my view, I was simply given the opportunity to swim in rather warm and pleasant parliamentary waters. It has been fascinating and enjoyable and I am very glad that my first Bill has been such an important one for the security of the nation.
The Minister has of course been a constant throughout consideration of this Bill, and we saw his worth recognised as he was promoted from the important role of Whip to the Minister tasked with bringing the Bill home. I thank him for the courteous and professional manner in which he has conducted himself throughout, and I also express my thanks to the former Minister, the noble Baroness, Lady Barran. From these Benches, we also express our gratitude to the Bill team, the clerks, the staff of the House—indeed, all those who have worked front of house as well as behind the scenes to make this Bill possible.
Throughout, it has been my pleasure to work with my noble friend Lord Coaker, who has brought his valuable experience and knowledge to proceedings. We have been blessed to have the highly professional support of Dan Harris, our excellent adviser who has guided and advised us throughout, to whom we express our thanks. Her Majesty’s Opposition strongly believe that our nation’s security is above party politics, and I thank all noble Peers who have worked cross party on this Bill.
New technologies have long transformed how we work, live and, of course, travel. Our experiences during the pandemic have upped the ante on the degree to which we rely on telecommunications networks. At the same time, it has reinforced how intertwined these networks are with issues of national security, including the top priority of any Government: to protect its citizens from risk. This Bill is a necessary step to protect us.
I am very glad to welcome the Government’s acceptance of our arguments that codes of practice, to be issued by the Secretary of State to telecoms providers, must first come before Parliament. However, the Bill raised key questions and concerns, especially given the absence of an effective plan to diversify the supply chain and in respect of our telecom security depending on strengthening our international bonds, in particular through the Five Eyes, involving the UK, the United States, Australia, Canada and New Zealand. I thank the noble Lord, Lord Alton, for his work on that issue.
I hope that the other place will give sympathetic consideration to the changes we have made on both those matters, and that the Minister will recognise that the amendments passed by your Lordships’ House make serious and important improvements to the Bill and have widespread support across the Chamber. My concluding wish for this Bill is that the Government will reflect and feel able to support these improvements to the Bill and the security they provide.
My Lords, as the Minister said, this Bill entered the other place a year ago. It has variously been urgent, in the long grass, urgent again and now quite close to passing. I will not delay its passage many more seconds. I have shelved my inner churl, but I absolutely sign up to the comments of the noble Baroness, Lady Merron. There are outstanding issues that your Lordships commented on and put into the Bill as amendments that I hope can be picked up. I hope that when this Bill is finally put to bed, it really does protect the security of this country, and we will work, on these Benches, to help make that happen. There is a lot of unfinished business in this area. I fear that the Minister himself, or one of his successors, may very well be bringing other Bills before your Lordships quite soon.
I thank the Ministers, first the noble Baroness, Lady Barran, and then the noble Lord, Lord Parkinson, for their work and their willingness to communicate with those of us who were seeking to scrutinise this Bill. I join the noble Lord in congratulating the DCMS Bill team, and I hope he did not leave anybody out. I congratulate the noble Baroness, Lady Merron, and the noble Lord, Lord Coaker, on their legislative debuts. I also thank the noble Lord, Lord Alton, for his spirited, highly principled and really important, contributions on the Bill.
Finally, I thank my noble friends Lord Clement-Jones and Lady Northover, without whom this scrutiny would not have been complete, and Sarah Pughe, our legislative officer, for her invaluable support. With that, we wish this Bill onwards, with speed and effectiveness, because it has a very important job to do.
(3 years, 4 months ago)
Grand CommitteeMy Lords, I am pleased to speak to Amendment 28, which stands in my name. It is the result of a number of recent developments, which I shall refer to. Noble Lords will be aware that on 2 July the Government published their response to the Telecoms Diversification Taskforce’s report and in it announced that the taskforce was now to transition into the Telecoms Supply Chain diversification advisory council, which came up earlier today. The Minister will recall that in response to a Written Question from me she said:
“The Advisory Council will play a key role in overseeing and offering scrutiny to the delivery of the 5G Supply Chain Diversification Strategy. We will also draw on the expertise of the Advisory Council for wider telecoms supply chain diversification issues beyond the RAN (Radio Access Network).”
That is all well and good. However—and this is the point that the amendment seeks to unravel—the Government have also announced that Mr Simon Blagden will be the new chair of this permanent council. Noble Lords will be aware that Mr Blagden was the non-executive director of Fujitsu UK during the Post Office scandal and has donated more than £215,000 to the Conservative Party.
As we have all discussed, diversification is inherently linked to security, so the new advisory council has to provide sound, expert advice that will secure our telecoms network, and we need confidence in that. The point I want to explore with the Minister, as she is already aware from Written Questions that I have submitted, is that the appointment of Mr Blagden raises a number of serious questions about the council’s independence and how the appointment will be able to benefit national security.
In addition to tabling Amendment 28, I have a number of questions to tease out all these points. It is also worth noting that in the past 24 hours there have been reports of a telecoms company, IX Wireless, having given—it has come to light through correct declarations of course—more than £20,000 to Conservative MPs, while the Secretary of State has given this same company glowing endorsement at a launch event, with a promotional film, which I have seen, showing him in his ministerial office with the executives of that company.
I should say to the Minister that it is a question not just of how things are but of how things look. Of course there will be facts on which I am sure the Minister can enlighten us. I have a number of questions in that regard for her relating to an inquiry about the appointment process that was in place for Mr Blagden. Who was involved and which Minister made the final decision? Will there be payment for Mr Blagden in his role as chair? How will the council give independent advice and what happens if Ministers reject that advice? Will there be security experts as members of the advisory council? What knowledge did Mr Blagden have of the faults with the Horizon system during his time at Fujitsu? Can the Minister confirm that Mr Blagden has no remaining financial interests in Fujitsu?
I know that the noble Baroness may not be in a position to answer those questions now. In which case, I hope that she will write to me before we go into the Summer Recess. I beg to move.
Before I comment on that excellent speech from the noble Baroness, Lady Merron, I want to return to the answer that the Minister gave on the Newport Wafer Fab issue, which proves the point that we were making on the need for the ISC to be involved. Regarding the ISC issue, the Government furnished themselves with the National Security and Investment Act, which was supposed to deal with issues such as this. However, the Prime Minister has chosen to refer it back not to the people running that unit but to the National Security Adviser, which proves the point that someone with access to national security information is needed to make decisions of this nature, rather than an organisation that does not have access to the information. It absolutely proves the point that our amendment on the ISC is completely appropriate, just as it was appropriate for the BEIS analogue of what is happening here.
The noble Baroness, Lady Merron, made an excellent speech and I am not going to attempt to adorn it either with my normal flippancy or with detail. There is just one issue that I wish to raise regarding Simon Blagden. Are there any outstanding legal liabilities from his time at Fujitsu? In other words, has his activity been fully exonerated or is there potential legal recourse? Other than that, I echo the point that perception of these issues is as important as reality. If the Government continue to operate in a black-box way, everybody will assume that things are going on that they cannot see and that should not be happening. It is therefore in the Government’s interests to be transparent about how that person in particular was appointed and how the advisory council will operate.
I am moving this amendment on behalf of my noble friend Lord Clement-Jones, in whose name it is, who unfortunately could not come today. He figured that this would be taken on day three of the process, but we have got ahead of ourselves. I also thank the noble Earl, Lord Erroll, for his support for this amendment when he spoke to the second group. It is appreciated. I know that he has had to leave.
As Comms Council UK has pointed out, new Clause 105E is not the only new clause to give the Secretary of State extensive powers; there are others. New Clause 105Z1, for example, gives powers to the Secretary of State to outlaw the use of individual vendors, potentially with no parliamentary oversight, if the Secretary of State considers that it would be contrary to national security.
Clause 15 creates a scheme for dealing with particularly high-risk vendors by inserting new clauses into the Communications Act 2003. These empower the Secretary of State to give designated vendor directions where they consider it
“necessary in the interests of national security”
and the requirements imposed are
“proportionate to what is sought … by the direction.”
The designated vendor direction can impose wide-ranging requirements on providers on their use of
“goods, services or facilities … made available by a designated vendor specified in the direction.”
While vendors are entitled to notice of their designation if “reasonably practicable” to do so, they are not entitled to be consulted or informed of the reasons for the designation if the Secretary of State considers it contrary to national security. Vendors are also entitled to notice when directions are imposed on providers or when a designated vendor direction is revoked, but this right does not apply if the Secretary of State considers it contrary to national security.
The effect of all this is that, while a vendor may know of its designation, the providers with which it does business can have various restrictions imposed because of their relation to the designated vendor without the vendor knowing the reasons or possibly the existence of such directions. This is complicated but serious, and in several scenarios the vendors would have no real prospect of mounting any legal challenge, even under the closed material procedures provided for in the Justice and Security Act 2013.
Cutting to the chase, this amendment would give the Investigatory Powers Commissioner oversight of the power given to the Secretary of State in the Bill to outlaw the use of individual vendors. Without this, we are telling suppliers that they essentially have to operate without full legal protection. I cannot help thinking that this will discourage the future investment we need. I am interested to hear how the Government think they can mitigate an essentially Orwellian situation in which people find themselves in an adverse legal position but they do not know why, and sometimes they do not even know that they are there. I beg to move.
My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Fox, for tabling this amendment. I do not have too much to add to this brief and interesting debate, but I take the opportunity to thank the Constitution Committee for its report on the Bill.
At Second Reading the Minister said:
“Oversight of the Investigatory Powers Act regime by the Investigatory Powers Commissioner is considered appropriate because of the potential intrusion into the private lives of individuals as a result of the use of covert powers. The national security powers in this Bill are very different from those in the Investigatory Powers Act”.—[Official Report, 29/6/21; col. 747.]
However, she did not say why it would be wrong for the commissioner’s remit to change. This is the one point I put to the Minister, and it would be helpful to have a response.
We are down to the irreducible minimum. During my Second Reading speech, I asked the Minister about the range of technologies covered by the Bill. I do not recall getting a meaningful answer, so I thought I would try again using this as a probing amendment.
The noble Baroness, Lady Merron, talked about the creativity of your Lordships. I am now going to test your memory functions, which I know can sometimes be stretched in this House. I would like your Lordships to cast your minds back to 2003, the year when the Nokia 1100 mobile phone was introduced. Few noble Lords will remember the number, but most of you will remember the phone. It was an iconic phone that took over mobile telephony. For those who would like to see one, I have two and, for as long as 3G is available, they will continue to work. More than 250 million of these basic GSM phones were sold. It was the best-selling consumer electronics device in the world at that time—the state-of-the-art communications device—and was discontinued in 2009.
Meanwhile, at the same time, the Communications Act 2003 was introduced to regulate machines such as the Nokia 1100. This has not been discontinued but has enjoyed several patches along the way. As I have said, this is a probing amendment seeking to clarify the definition of “public electronic communications network” within the 2003 Act. I think you see what I have done; I have tried to illustrate that the world has changed a bit since 2003.
The amendment seeks to amend Section 151 of the Communications Act by adding a contemporary definition of the range of communication networks that increasingly have emerged since the Act was conceived, when Nokia ruled the roost. It would introduce a new clause to the Bill that would define the “public electronic communications network” as
“landline communications systems … mobile data, audio and video networks … digital surveillance networks … satellite delivered networks”.
My first question to the Minister is: in her opinion and that of the department, which of these categories is covered by the Bill and which is not? I also have some specific scenarios that I would like the Minister to consider. The noble Baroness, Lady Merron, will be pleased to note that they are focused on the consumer—an issue she addressed earlier in the week.
First, when broadband or 5G are delivered by satellite, whether by the BEIS-owned OneWeb or the Musk-owned SpaceX, to what extent is the satellite element covered by this legislation?
Secondly, when a facial recognition camera captures an image, sends that image to a database using a closed network and, in turn, contacts either a public sector or private sector operative via a smartphone, which part of this—if any—is covered by the legislation?
Thirdly, data is being relayed back and forth over smart speakers—Alexa and its, or her, colleagues—so do these transactions fall within the purview of the Communications Act or the Bill? For example, with smart speakers, does the Bill cover only the transmission and not the speaker itself? If that is true, what, if anything, covers the security integrity of the speaker and its software?
My fourth question concerns data travelling between smart meters, home thermostats, camera doorbells and the ever-increasing internet of things. How is their security and integrity protected by the Bill? If the answer is that they are not protected, where do these modern manifestations of communications fit in? How is the security of these things being protected for the consumers of today?
This is not just a piece of legislative housekeeping. The noble Lord, Lord Alton, raised other potentially risky companies in his speech on Amendment 1; at Second Reading I raised a range of other companies. I will not repeat them but they are in Hansard. These are just a few of the businesses involved in the sorts of activities that I have just outlined, so by understanding which activities are included in the Bill we may start to understand which companies and technologies it includes. It is about how satellites, cameras, smart speakers and the internet of things fit in the purview of what is now called communications. Times have changed since 2003. Can the Minister please update us? I beg to move.
My Lords, I thank the noble Lords, Lord Fox, Lord Clement-Jones and Lord Alton, for tabling this amendment. The noble Lord, Lord Fox, has set out why they believe this definition of a public electronic communications network is needed. I also appreciated his reference to the importance of consumers, who, after all, are core in all our discussions.
It is important to hear from the Minister whether she believes that this definition is limiting for security purposes and what impact it would have. Perhaps she can advise on whether she feels that anything is missing which should be in there. Would this definition inhibit the future-proofing ability of the Bill? I look forward to hearing from the Minister.
(3 years, 4 months ago)
Grand CommitteeMy Lords, harmony is breaking out across the Room, with the possible exception of the Minister. I will not reiterate my noble friend’s well-put argument but I refer the Minister—I am sure she has already read it—to the impact assessment. I am increasingly of the opinion that the single most useful document that comes with the publishing of a Bill is not the Explanatory Notes but the impact assessment. The department is to be congratulated on the quality of the one produced in this case.
Page 30 of the impact assessment covers the monetised and non-monetised costs of this. At the front of the assessment there is a number. However, point 6.1 says:
“This impact assessment makes an estimation of the costs and benefits of the options”.
It says it brings together “a number of sources” and notes that there are “limitations to the analysis”. The first is the
“lack of robust and specific data”—
that is a fairly serious limitation—
“for example on UK telecoms market size and the size of specific sub-markets”.
Therefore, the number on the front is based simply on—obviously, well-intentioned—estimates of the telecoms market. Furthermore, the costs are quantified based on equipment costs. They are not based on the friction of running a network under the constraints of this Bill, which is itself a glaring error in how one looks at the cost of this Bill in terms of impact.
It is not just about the cost and replacement of equipment—it is about the draft regulations to which my noble friend Lord Clement-Jones referred. They cover all aspects of the operation of the networks in this country. We are looking at a situation in which, if the Minister so chose, the regulations could be made and implemented such that the Minister ran the networks by remote control from the department. That is why these safeguards, parliamentary scrutiny and the affirmative process are an important safeguard to prevent attention—not, I am sure, from this Minister or this Secretary of State, who I am sure can be trusted with these regulations, but we do not know who will follow or what their intentions will be.
As the noble Earl, Lord Erroll, wisely said, to hand over these powers without simultaneously taking significant powers of scrutiny of the statutory instruments that will inevitably follow is the wrong way in which to pass a Bill in your Lordships’ House. For these reasons, along with the huge uncertainty of the cost of what we are doing here, I commend my noble friend’s amendments.
My Lords, I speak to Amendment 11 in my name and welcome Amendments 7 and 12 in the names of the noble Lords, Lord Fox and Lord Clement-Jones. I was interested that the noble Lord, Lord Fox, referred to a chorus of agreement, which I certainly heard ringing out, expressing concerns about the role that Parliament should have in scrutinising on codes of practice that this Bill currently does not provide for. To me, the codes remind us that the Bill can provide us only with something of a framework, and for many areas there is a wait for the details to be filled in later. As the noble Earl, Lord Erroll, said, the devil, as always, is in the detail.
Clause 3 allows the Secretary of State to issue new telecom security codes of practice that will set out to providers the details of specific security measures that they should take. As we have heard referred to, the impact assessment states that these codes are the way in which the DCMS seeks to demonstrate what good security practices look like. However, I note that Ministers are proposing only to demonstrate but not actually to secure good practice, which I am sure is the real intent—and it would be very helpful if, through this debate, we could get to that place.
I am interested also to note and draw the Minister’s attention to the fact that the Government have said that these codes will be based on National Cyber Security Centre best practice security guidance. The Government have said that they will consult publicly, including with Ofcom and the industry, as we read in the Minister’s letter following Second Reading. That public consultation will be on implementation and revision. However, it strikes me as very strange that the National Cyber Security Centre is not a statutory consultee; can the Minister say why it is not?
I particularly make the point that, as the codes of practice will be admissible in legal proceedings, they have to be drafted accurately and we have to ensure that security input and expertise is fed into them. The National Cyber Security Centre, which is described as a bridge between industry and government and is, indeed, an organisation of the Government, would seem to be a body that should be, in a statutory sense, invited to make the input and offer its expertise, along with other departments and agencies. After all, we can see, when reading about the centre, that its whole reason for being is that it provides widespread support for the most critical organisations in the United Kingdom as well as the general public, and they are absolutely key when incidents, regrettably, occur. We are trying to address those incidents in respect of this Bill.
As we have heard from all noble Lords who spoke in this section of the debate today, the input needs to come from Parliament, which is why I tabled Amendment 11. As the Bill is drafted, the current reading is that a code of practice must be published and laid before Parliament, but there is no scrutiny procedure. I put it to the Minister that if codes have legal weight, why is Parliament being denied the chance to scrutinise them? We seem to have a complete mismatch there. I was taken by the words in the Delegated Powers Committee report, mentioned by the noble Lord, Lord Clement-Jones, in his introduction, which stated that this way of being was “unacceptable” and called for the negative procedure for codes. That is what Amendment 11 does. Can the Minister address specifically the words of that committee report? I refer her to paragraph 27, which says:
“In our view, the Department’s reasons are unconvincing … the fact that codes of practice would be produced after consultation with interested parties cannot be a reason for denying Parliament any scrutiny role; and … the Department appears not to have recognised the significance of the statutory effects of the codes of practice”,
as has been highlighted today. I therefore hope that the Minister will both comment on the report and seek to make what is a very important and significant change in this regard.
I will pick up on one additional point. The impact assessment also says that the codes of practice will have a tiering system for different-sized operators. The initial code will apply to tier 1, which serves the majority of businesses of critical importance to the United Kingdom. This will also apply to tier 2 medium-sized operators but with lighter oversight by Ofcom and longer timetables. Can the Minister offer a draft list of the operators in tiers 1 and 2, and can it be shared with noble Lords? I would also be interested to know whether the Minister has any concerns that tier 2 operators will somehow be worse at compliance. If she has those concerns, what support will be provided to small and medium-sized enterprises? I look forward to her reply.
The undue burden point touched on by the noble Earl, Lord Erroll, is really important. On a previous group I spoke about regulatory friction and the fact that this has not been costed into the impact assessment. Clearly, regulatory friction is harder for smaller companies to deal with than larger companies. I think that is the point that the noble Earl was making. It is one that I would also join up.
We should also not confuse lots of regulations with security. The whole point about people who wish to subvert security is that they understand the regulations and go round them. Indeed, sometimes regulations are a guidebook for security, in a sense, because they show the map around which you seek to find the chinks.
The point in the impact assessment about making the networks value security is right. On that, I completely agree with the Government. I am not sure that some of the measures in the Bill actually do that; what they do is create a regulatory load without necessarily adding value. Some of the measures that we spoke of in the last group of amendments, as well as in this, are about stripping this down to where value is added rather than simply more regulation being loaded up.
One of the great pleasures of speaking after my noble friend Lord Clement-Jones is that he normally says everything better than I would. He simply asked the Minister to repeat what was in the letter and to endorse the 2003 Act. I hope that he is able to grant his wish.
I thank the noble Lords, Lord Fox and Lord Clement-Jones, for these amendments. As before, it is a pleasure to follow their contributions and that of the noble Earl, Lord Erroll.
On the codes of practice and Amendment 10, I understand the importance of not wanting to put undue burdens on businesses. We should make particular reference to the exceptionally difficult and testing times that businesses and the economy have had to suffer over the past year due to the pandemic. Obviously, a balance needs to be considered. We have to ensure that if the codes are going to be used, they are the most effective way of implementing security measures. How will the Government consider the impact of codes on businesses? For example, will there be specific consultation about undue costs in respect of businesses?
The concerns that we have heard in this debate give a further nod to concerns about lack of parliamentary oversight, which is missing from the codes. I again say gently to the Minister that by giving parliamentarians the opportunity to provide scrutiny there might also be the ability to review the impact on businesses.
Amendments 16, 17 and 21 would ensure that Ofcom’s new powers in the Bill were subject to requirements in Sections 3 and 6 of the Communications Act 2003. Section 3 focuses on the general duties of Ofcom, while Section 6 focuses on reviewing regulatory burdens. It would be helpful to hear from the Minister whether the Bill has been deliberately drafted for the new powers to fall out of scope of those sections in the Communications Act and, if so, why.
What review process will be faced in respect of Ofcom’s new powers? It is very important that, when new powers are given, there is an opportunity to review, reflect and amend, and to keep a close eye on whether those new powers are doing the job intended.
My Lords, I am not going to attempt to outlawyer my noble friend Lord Clement-Jones. I may not be a lawyer, but I am suspicious or, indeed, perhaps ultra-suspicious. What is the department seeking to avoid by removing what would seem to be natural justice from this process? What are the Government seeking to protect themselves from in advance? Who are they frightened of?
I do not think I know the answers to these questions, but I know that there is someone or something there that the department is seeking to avoid in advance. For those reasons, we should be extraordinarily suspicious, just as suspicious as I am. I ask the Minister: what is the justification? What are the Government scared of?
My Lords, I have been very interested to hear the arguments put forward by the noble Lords, Lord Clement-Jones and Lord Fox, and the noble Earl, Lord Erroll. As we heard from the noble Lord, Lord Clement-Jones, in his opening remarks, concern about oversight is driving this section of the debate. As we know, Clause 13 ensures that when deciding an appeal against certain security-related decisions made by Ofcom, the tribunal is to apply judicial review principles without taking any special account of the merits of the case.
I understand that this does not apply to appeals against Ofcom’s enforcement decisions and that the Government have said that this ensures that it is clear that the tribunal is able to adapt its approach as necessary to ensure compatibility with Article 6, the right to a fair trial. My questions to the Minister are about the legal advice that the Government have received on this clause. What legal advice has been received? Is this external legal advice as well as internal legal advice?
The clause states that
“the Tribunal is to apply those principles without taking any special account of the merits of the case.”
Can the Minister explain what “special account” is expected to mean?