Debates between Baroness Merron and Lord Stirrup during the 2019-2024 Parliament

Thu 15th Jul 2021

Telecommunications (Security) Bill

Debate between Baroness Merron and Lord Stirrup
Baroness Merron Portrait Baroness Merron (Lab)
- Hansard - -

My Lords, I will also speak to Amendment 26, which stands in my name. As I recall raising at Second Reading, the whole point about this legislation is not just its intent but whether it can be delivered in practice. Can it do the job that it intends to do? These amendments are intended to ensure that we know we have the resources, whether in people, funding, infrastructure or whatever, to deliver the protections that the Bill is intended to offer. There are considerable questions about that.

I will focus first on the new responsibilities, remit and powers that are being given to Ofcom. As we know, there has been a vast expansion of Ofcom’s remit over the past 10 years, so it is most important that it is appropriately resourced to carry out its duties and to be very forward-looking. As my noble friend Lord Coaker said earlier, for us, the whole issue of looking forward is a particular concern in the Bill. That has been echoed by many noble Lords this afternoon. I note that reassurance is often given by the noble Baroness, Lady Barran, as the Minister and I am sure that the noble Lord, Lord Parkinson, will also seek to reassure me. But I am sure he will have picked up the feeling in the Room today that we need to go rather further than words of reassurance.

What we know about Ofcom is that experience in national security measures is not its natural and current territory, so the expansion of these duties will absolutely require people with the required level of security clearance and experience. I recall the comments of Emily Taylor of Oxford Information Labs during the debate in the Public Bill Committee in the other place. She has considerable expertise in cyber intelligence and she said at that time that Ofcom

“will have to acquire a very specific set of skills and capabilities, and that will require substantial investment and learning as an organisation”.—[Official Report, Commons, Telecommunications (Security) Bill Committee, 19/1/21; col. 72.]

I also note that a memorandum was published recently by Ofcom and the National Cyber Security Centre about how they will work together as part of the new regulatory regime. On the face of it, I thought that might provide some of the reassurance that I am sure the Minister will wish to give to noble Lords. However, I observe that while the National Cyber Security Centre will indeed be able to provide advice on national security matters, the question is whether Ofcom has the resource and the greater expertise to understand that advice. It is one thing to receive advice but another to be able to work with it. I am sure noble Lords know their own limitations. I certainly know mine when it comes to advice and expertise. For me, that memorandum did not show understanding of the limitations that there are.

Amendment 23 would require Ofcom to report annually on the adequacy of measures taken by network providers to comply with changes introduced in the Bill, empowering the Government to track the effectiveness of the legislation. That seems to be good legislation: to put it in place, to make sure it does the job it ought to do, to resource it and then to track its effectiveness.

Amendment 23 would also ensure that Ofcom will have the human and informational resources to provide an assessment of security risks based on its interrogation of network providers’ asset registers. This needs to include things such as a reference to the adequacy of Ofcom’s budget, funding and staffing levels and any potential skill shortages that might mean that it cannot do the job it is intended to do.

It is interesting to look at the Government’s own impact assessment, which states that the costs of monitoring compliance with the telecoms security requirements could be up to £49.4 million by 2029. Allied to that, Ofcom’s current budget for telecoms security for this financial year has been increased by £4.6 million; that is intended to reflect its enhanced security role under the Bill. The first obvious question to the Minister is whether this funding will be sufficient to meet the demands and to engage those with the right security skills. As a supplementary question to that, what targets does Ofcom have to seek the numbers of new staff it needs?

On staff shortages and funding shortfalls, how does the Minister consider that the Government will be aware of these problems without some kind of annual report? Furthermore, where do the public fit into this? How will they know that everything is in hand without such a reporting requirement being met? In my view, if Ofcom is to do more on security, the Government absolutely have to make sure that it is secure and able in its new role.

We spoke earlier about the absolutely crucial aspects of future proofing and horizon scanning. It seems that Ofcom also needs to be able to assess future risks to the security of UK telecoms. We know that new types of threat have emerged over recent years; for example, attacks on healthcare systems. We are also sensitive to potential future risks; for example, the dependence of cloud computing infrastructure on Amazon Web Services, the dominant vendor in this market. Clearly, dangers could arise if AWS was bought by a hostile foreign state or hacked by a hostile operator. In all these ways, we need to ensure that Ofcom is equipped not just for the present but for the future.

Amendment 26 looks at the very important matter of skills in the wider sector. We know from the Institute of Engineering and Technology that the UK economy is suffering a loss of £1.5 billion per year due to STEM skills shortages, and the Chartered Institute of Personnel and Development has found that two-thirds of employers who have vacancies report that some are proving hard to fill, with engineering being one of the most prevalent.

Amendment 26 seeks to require the Government to publish a review of the implications of skills shortages and training support for the security of the tele- communications network and its supply chain. Again, this amendment looks forward to ensure that we can protect our security capability.

I have a few specific questions for the Minister. I would be interested to know whether he is concerned that the 2027 target for Huawei removal might be delayed due to skills shortages. Can he comment on what skills shortages have been identified as a security risk? What action are the Government taking to fill them? I look forward to hearing from him regarding these amendments. I beg to move.

Lord Stirrup Portrait Lord Stirrup (CB)
- Hansard - - - Excerpts

My Lords, Amendments 23 and 26 touch on the critical issue of skills, in Ofcom and then more widely in the supply chain. They are right to do so, but in my view they are too constrained and do not go nearly far enough. This is not the fault of the drafters—they have to propose amendments that fall within the scope of this particular legislation, and they have done so admirably—but the problem they expose goes much wider than the field of telecommunication.

We find ourselves in this discussion at least in part because of our current reliance on Huawei technology and on the associated vulnerabilities that this introduces. But why have we become so dependent on Huawei? I said earlier that in the first half of the last decade we made unbalanced decisions about our trade and security relationship with China, and that is true. But it is also a fact that Huawei was—and still is—one of the very few companies to have brought the necessary technology to market. Frankly, there were not many options open to us, so our supply chain is anything but resilient in this area.

There are two elements to this problem. One is the level of industrial commitment to and investment in critical technologies; the other is the skills base to support such industries. Both of these interlinked issues must be addressed if we are to resolve the weakness in our supply chain.

The answer does not, of course, have to be wholly national. Industrial capacity and skills that are sufficiently widespread internationally, particularly among responsible countries that abide by international law, norms and standards, would provide us with an acceptable degree of resilience. This will undoubtedly have to be part of the solution, at least in the short term, but we have to ask ourselves why, in technologies that are so important to our security and that promise such future advantage to the companies involved, we are lagging so far behind. I acknowledge that we cannot lead everywhere and provide everything ourselves, but surely an important part of our national strategy should be to put ourselves in the van of those capabilities that will shape and guard our future.

This is certainly not about direct government involvement in business decisions; that approach already has a quite sufficiently inglorious history. It is, though, about government incentives—not least through a clear strategy and consequent procurement decisions—for the appropriate industries and a national effort to provide the necessary skills base to support those industries.

Amendment 26 makes some modest proposals in this regard and I welcome them, as far as they go, but we need to go much further. Telecommunication is not the only area to be hampered by such problems, and I believe we should take a more holistic approach. I have no doubt the Minister will reject the amendment, although I stand ready to be surprised. If, however, he lives up to my expectations, I invite him to say whether the Government agree with my analysis and, if so, how they propose formally to tackle a problem that is so central to our future security and prosperity.