(3 years, 9 months ago)
Public Bill Committees(3 years, 9 months ago)
Public Bill Committees(3 years, 9 months ago)
Public Bill CommitteesI beg to move amendment 12, in clause 6, page 10, line 12, at end insert—
“(3) In this section “another person” means a UK government agency or a person from a UK government agency.
(4) OFCOM may not incur costs exceeding £50,000 in carrying out, or arranging or another person to carry out, an assessment under this section.”.
This amendment restricts those who Ofcom may arrange to carry out an assessment under this section to a UK government agency or person from such an agency. It also caps the cost of an individual security assessment at £50,000 for Ofcom.
The desire of the Committee is to crack on, so I will not detain us for too long. The clause, which covers more than three pages of the Bill, is extensive in outlining the powers of Ofcom to assess compliance with security duties and will amend sections of the Communications Act 2003 to that end. The Opposition’s probing amendment intends to bring clarity in two areas in particular.
The clause will insert proposed new section 105N into the Communications Act to give authority to Ofcom or “another person” to undertake an assessment of whether a network or service provider is carrying out its duties—an inspection, spot check or audit, whatever you will, Mr McCabe. That is all fine, but the appointment of “another person” is far too vague and needs clarity. Since this is a matter of national security, we believe such an authority can be vested only in an agency or arm of the UK Government. It would be wholly inappropriate to outsource it to a telecoms, IT or other consultancy in part because of the need for full co-operation from the business being audited, which must have absolute confidence to be open and transparent and, therefore, must have confidence in the inspector. Ofcom therefore cannot appoint any Tom, Dick or Harry to do the job but only someone who rides above the industry and will not give the inspected business any reason to think that its commercial confidentiality is at stake.
My hon. Friend the Member for Newcastle upon Tyne Central, with her extensive experience of the telecoms sector, has told me that it is a tight-knit industry in which everyone has worked for everyone else at some point. We got that impression from the oral evidence as a lot of the experts had worked with or knew one another. Perhaps it is an exaggeration to say that everyone has worked for everyone else, but it is illustrative of the nature of the sector, so there will be limits on who could be appointed. Does the Minister agree that the current suggestion of “another person” is too wide?
The impression that I have given my hon. Friend about the telecoms sector being tight-knit is absolutely right. One concern that that brings is that there will therefore be conflicts of interest. Ofcom, as a public servant with the status of a quango, has rules and regulations for declaring interests that mean previous conflicts of interest will not weigh into its work. The concern that I have articulated to my hon. Friend in the past is that that would not apply to “other persons”, so broadly defined.
I was going to say cronyism, but chumocracy is a far nicer way to put it, and we have seen it in the way consultancy contracts have been dished out during the current crisis. My right hon. Friend is absolutely right to say that there can be as little scope as possible for people who are perhaps not quite as qualified as they should be to be given such jobs.
My right hon. Friend the Member for North Durham raised the Test and Trace programme. I do not want to dwell on that, as it is not within the scope of the Bill, but it is important to understand the extent to which the programme has been used as a vehicle to privatise parts of the NHS by building up private sector skills as opposed to public sector skills. There must be some concern that the huge new powers for and requirements on Ofcom might effectively be used to privatise some of its duties.
My hon. Friend says that it is not in the scope of the Bill, but so wide is the definition of “another person” that, quite frankly, anything or anyone could be in the scope of the Bill. Again, the possibility is there, and it would not be down to the Minister. I know him—he is a friend and a man of integrity. As my right hon. Friend the Member for North Durham said, however, the next Minister to come along, in this Government, at least, might not be. Who knows? In four years’ time, we might not have that problem.
This is an important aspect of national security, so I ask the Minister for clarity. It goes to the heart of the question of accountability—where responsibilities for inspections should lie. Similarly, in the second part of the amendment, we are seeking clarity on a limit on the amount that can be spent on inspection. We certainly do not want Ofcom to be swayed into decisions about whether inspections can go ahead based solely on fears that it might wrack up big costs. Nor can those costs be allowed to spiral if the first part of the amendment is not adopted and private contractors are brought in but abuse the system. I refer the Committee to the comments made by my right hon. Friend the Member for North Durham a while ago—such abuse does happen.
It is often not helpful to put a financial cost limit on the face of the Bill, if only because it can become outdated over time. To be honest with you, Mr McCabe, the truth is that the £50,000 limit specified in the amendment is arbitrary. We plucked it out of thin air to illustrate a point.
Fortunately, we will not push the amendment to a vote, so we will not have to put that point to the test. It is an arbitrary figure and I hope the Minister will not fixate on it. It simply illustrates the point that there is a question of open-ended costs. We will not push the amendment to a vote, but we think there is a vagueness and a lack of clarity that needs addressing. I urge the Minister to consider these issues and whether Ofcom would be assisted by the greater clarity that these probing amendments would bring.
Again, I rise mainly to support the excellent contributions made by my hon. Friend the Member for City of Chester in moving this amendment. I will raise a couple of points from my experience in this area.
As I said to my hon. Friend, having worked in telecoms for 20 years, when I joined Ofcom in 2004, I had worked with, or worked with someone who had worked with, just about every operator and network provider in the business. Those personal relationships can be helpful in ensuring quick, effective collaboration, but they can also bring about conflicts of interest. Ofcom, as a public body, has processes and procedures to address those conflicts of interest. However, the Bill makes no provision for that to be applied to whoever is “another person”.
It is also the case that, unfortunately, as a regulator, one can be subject to regulatory capture by those who are regulated. The large operators often have tens or, in some cases, hundreds of lawyers and public affairs spokespeople. However, the smaller operators, unfortunately, cannot afford to dedicate so much time and resource to engaging with the regulator. It is critical that this huge increase in new powers and work for Ofcom is carried out in the right way.
As my hon. Friend said, the £50,000 figure has not been calculated on the basis of the likely costs to Ofcom, because the impact assessment does not indicate what they could be. However, it is merely the cost of five consultants at £1,000 a day for 10 days. We know that hundreds of consultants have been hired as part of the Test and Trace programme at those sorts of prices. That likely cost is within scope of any programme that is to be carried out by bringing in large private sector organisations. I hope the Minister will reassure us that he is taking these considerations into account.
Finally—I think we will discuss this point in more detail—this is a huge additional requirement on Ofcom. In the evidence session, Ofcom said that it thought it would need to hire 50 or 60 people to address the requirements of the Bill. There is always going to be an inclination to reduce internal resources, especially if they are in short supply, such as those to do with network engineering resources and the current skill set. So it is really important that the Bill should have a better definition than it currently does of who may carry out the work.
If the hon. Lady were right, the only people from whom we would have heard evidence over the last few days would have been public sector employees. She knows just as well as I do that the cyber-security sector is a vast mesh of public and private expertise, which is inevitable given that we have private networks offering communications services. Although I understand her point, and I am all for Ofcom having as much expertise as it needs to do its job properly in-house, I simply do not think that we should constrain what it can access in the way that the amendment would.
On this, I think we probably agree on far more than we would perhaps like to admit, but the reason that this is a probing amendment, as the hon. Member for City of Chester said, is because imposing artificial constraints would not be beneficial to Ofcom’s work. We understand what he said, however, and in broad terms, the Government agree.
I am grateful for the debate and for the Minister’s response, but I do not intend to press the amendment any further. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I beg to move amendment 13, in clause 6, page 10, line 20, at end insert—
“(aa) provide a report on the diversity of their network’s supply chains;”
This amendment gives Ofcom the power to request a report from a network provider on the diversity of their supply chains for the purpose of assessing whether they are complying with the security duties placed on them by earlier sections of the Act.
It is a great pleasure to speak to this amendment, which goes to the absolute heart of one of our key concerns about the Bill—the lack of any reference to the diversification of our supply chain. That is absolutely critical and should be integral to our national security. Our amendment 13 affects clause 6, which we have already discussed. The objective of the amendment is to give Ofcom the power to
“request a report from a network provider on the diversity of their supply chains for the purpose of assessing whether they are complying with the security duties placed on them by earlier sections of the Act.”
As we have heard, clause 6 amends the Communications Act 2003 to insert section 105N, which gives Ofcom powers to assess compliance with the security duties set out in earlier sections, and section 105O, which gives Ofcom the power to impose on providers the duty to do any of a significant list of things, from (a) to (k)—to
“carry out specified tests or tests of a specified description…make arrangements of a specified description…direct an authorised person to documents on the premises…”
or
“assist an authorised person to view information”.
As I have said, this is an integral part of the Bill and requires some considerable debate, so it may detain the Committee for some time, but this debate can be continued at a later time if necessary. There is a long list of requirements that Ofcom might place on network providers, but nowhere is there a requirement for those providers to give a report on the diversity of their supply chains, yet the diversity of a network provider’s supply chains is absolutely integral to the security and resilience of that network provider.
We heard that very clearly during our evidence sessions. In particular, I asked Dr Drew:
“Is it possible for the UK to have secure networks without a diverse supply chain for them?”
Her answer was:
“That is a great question that comes with a very simple answer: no. The worst-case scenario for creating a risk in this sense is when monopoly meets supply chain—in secure supply chain in this case. Arguably, the reason why SolarWinds was so successful is that it provided the same service to so many different organisations and departments in the United States. Therefore, if you access one—SolarWinds—you access almost all. That is the risk.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 87, Q110.]
The reason I have highlighted that particular quote—there were a number of quotations supporting the diversification of supply chains—is that it sets out really well what might happen if a network provider has only one possible supplier. If every aspect of its network is supplied by, let us say, Ericsson, and Ericsson then has supply issues itself or is bought or acquired by another operator from a different country that we might not be so close to, or—I do not mean to imply that this is a possibility—should fail in some way, that network provider no longer has any support for their network and no longer has the ability to maintain it securely.
The dependence of our telecoms security on diversifying the supply chain was set out in the 2019 telecoms supply chain report; yet the Bill fails to mention it at all. The objective of the clause is really for Ofcom to assess how successful a network provider is in meeting our nation’s security requirements. My argument is that it is not possible to do that without understanding the diversity of that network provider’s supply chain; yet the clause as it stands makes no reference to that.
(3 years, 9 months ago)
Public Bill CommitteesI thank the hon. Member for his intervention, which raises a really important point that I will say something about. As I am sure you are aware, Mr Hollobone, yesterday was the Third Reading of the National Security and Investment Bill. I refer Members to the report by the Select Committee on Foreign Affairs, published on Tuesday, on the critical issue of national security and its definition. In fact, the Opposition sought to put into the National Security and Investment Bill not a definition of national security but a minimum standard of what national security should refer to. We wanted to include elements such as critical national infrastructure—of course, telecoms infrastructure is a part of that—and supply chains, which the amendment deals with, and also human rights. I do not want to anticipate what we might table in future, but one reason we have not so far tabled a framework for guidance in national security is that we had hoped that the Minister responsible would recognise both the advice of the Foreign Affairs Committee and the Intelligence and Security Committee in giving greater guidance on what national security was, and that that was a better place for it.
The other opportunity for the definition to be addressed would be when the Government next produce their defence and security review, which comes out no more than every five years. They might address what national security is or whether it is indeed desirable, as my hon. Friend has said, to specify that in an ever-changing world.
I thank my hon. Friend for that helpful intervention. I do not want to take up too much of the Committee’s time on the way in which national security should be defined, or guidance given, although it is relevant to the Bill. As my hon. Friend says, there are other places where a framework for understanding national security would be better placed. One of our concerns about this Bill is that, as I have alluded to, Ofcom and the Department are not experienced in security issues, and they are not the best organisations to make security decisions. Putting a framework to define national security in the Bill might not be as helpful, but if as our debates progress we see a need for greater clarity on guidance around national security, and it is not to be found anywhere else, we might take up his challenge, and I hope to have his support if that should happen.
With regard to the amendment, it is important that the supply chain components are understood. As we proceed through the Bill, we will come to understand better that the steps to remove high-risk vendors from UK networks that the Minister is in the process of taking are welcome, but that is not enough to secure our networks. We also need an effective diversification of our network supply chains. Part of the challenge here is that if we remove high-risk vendors, as the Bill enables, and leave only one or two approved vendors, our networks remain insecure because they are less resilient. In fact, they are not resilient at all. The loss of one vendor would mean that there would be only one vendor for our entire 5G network supply chain, as things stand.
I am slightly confused, to be honest, because there was a contradiction there. It is a basic, inherent requirement under the Bill to understand the security implications of a network—the security implications, the security threat and future compromises. It goes to the amendment tabled by my right hon. Friend the Member for North Durham. Given that different components might provide different threats, it is essential to understand the kit that is in the equipment in order to meet the requirements of the security framework. So no, I do not think it is draconian that there should be an audit of the equipment. Indeed, providers should have this information already, but I know from my own experience and the experience of those who gave evidence, which I will come to in a moment, that this is not always the case because networks are so complex, and because our networks today have built up over decades and decades. There is software running in some of our networks that has been around for 40 or 50 years, as well as copper lines that have been around for even longer. So it is not always the case that this information is known.
Does my hon. Friend agree with me that having the carrot of an audit might help firms to avoid the stick of a draconian fine that the hon. Member for Bracknell referred to?
As always, my hon. Friend makes an excellent point. Indeed, the audit, which I agree is burdensome if the information is not already in the management systems, which it should be, would, I hope, be less burdensome than the potential fines for not meeting the basic requirements of knowing what is in the network and where it is. Also, that challenge has been made more complex by the subcontracting of different parts of the telecoms networks.
For example, network providers such as Vodafone or Three have primary vendors—currently Ericsson or Nokia—but there might be subcontractors who provide particular elements of the network and particular management elements. We hope that that will be increasingly the case as we seek to open up the supply chains and make them more diverse. A basic and critical requirement for the Bill to be effective is to have a more diversified supply chain. More suppliers go hand in hand with a diversified supply chain, and therefore different types of equipment, of which we will need to keep track.
My right hon. Friend makes an excellent point. As someone who worked for a regulator for six years, I might be expected to agree with my right hon. Friend on the point of regulation; in this context, regulation should not be seen as a burden. As my hon. Friend the Member for City of Chester set out, it should be seen as a carrot—an incentive—to get things right. Imagine we had known and been able to see how Huawei’s presence in BT’s network, over the last 15 years or so, would rise from small beginnings to becoming the principal vendor. That might have rung more alarm bells and been an incentive to have transparency.
Regulation is also about levelling the playing field and enabling more effective competition. The better providers will do that, but some providers may not. We want a level playing field, particularly because the 2019 UK Telecoms Supply Chain Review said that there was not an incentive for security in mobile networks. It concluded specifically that there was no incentive for security in mobile networks. Given that conclusion and some of the points provided in the evidence sessions, the Bill does not address incentives to ensure security by design in our mobile networks. It has burdens and fines for not doing that, but it does not have positive incentives.
Was not that exactly the problem with Huawei, which has undercut and undermined so much of the telecoms sector elsewhere, either on price or on shoddy workmanship, as my right hon. Friend the Member for North Durham said? This amendment addresses that issue. By raising standards, we help existing and future contributors to the sector to come in and address the problem that Huawei caused.
Again, my hon. Friend makes an excellent point with regard to the way in which Huawei grew in the telecoms sector. I do not want to detain the Committee on that history, but Huawei grew by under-cutting existing vendors, building up scale and making its profits by locking in network providers, despite issues with the quality of the equipment, which, as we have discussed, our security services identified.
Having visibility of network equipment, as well as the level of concentration of any one provider, will enable us, in part, not to get into such a situation of dependency in future. Again, I would emphasise that this is about incentivising what should happen but is unfortunately not always the case. That is not simply my view or that of the Labour party; it is the view of witnesses who participated in our evidence sessions. For example, Andrea Donà said:
“It is vital that the secondary legislation that accompanies the Bill clarifies assets in the telecoms network architecture that will be in scope of the security requirement, so that we can work knowing what we have audited, and knowing that the auditors always shared with NCSC. We need a clear understanding between Ofcom and us as providers before the legislation is enforced, so that we understand exactly the boundaries and the scope, and we all work together, having done the audits, to close any vulnerabilities that we might have.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 13-14, Q10.]
Dr Bennett said:
“I would hope that those at the top level are clear about it, but I would be surprised if there were not occasions when they had used subcontractors to do maintenance and the imperative had been to sort out the fault ASAP. Knowing precisely what components had gone in could be wrong, and that might come up in an audit. I think it becomes more important as you flow down the levels.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 49, Q62.]
Dr Bennett later said:
“I have said that audit is needed of the assets in the network. The costs of being audited and of dealing with audits are very high, and they are costs that small companies may not have the resources to meet.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 52, Q67.]
Ofcom said that it was more or less impossible to meet the requirements set out in the codes of practice for the operators, unless it had a detailed asset register of everything in its system. We will expect to see evidence of that, and we expect that it will be regularly checked, audited and so on. We recognise the potential costs of an audit, particularly for smaller providers, although most of them have newer networks and equipment and should have a lot of this information already available. Ofcom is anticipating that this is something it would need to have access to, yet there is no requirement in the Bill or, as far as I can see, in the delegated legislation that has been published to make that requirement.
I have mentioned that this is a probing amendment. I am not sure that it is necessary to have it on the face of the Bill, and it might be that it will be provided for in delegated legislation, but we need a clear and strong strategy for the detection and removal of high-risk components, vendor hardware and software. Otherwise, the Bill will not protect our national security effectively. I hope the Minister will give clarification on that.
(3 years, 9 months ago)
Public Bill CommitteesQ
Lindsey Fussell: I am certainly not going to deny that there is quite a lot going on, and the organisation is expanding, as you say, albeit with different deadlines and different timescales for the new responsibilities. I have already talked about our recruitment plans to ensure that we have the specialist skills in place to focus particularly on network security, as well as the enforcement and legal support that we will need to deliver this regime, which is a very important part of it.
It is also worth reflecting, though, that there are some really interesting overlaps between different areas of our new responsibilities. If I think of the responsibilities that we have just taken on in relation to video sharing platforms, we are having to understand, as part of those responsibilities, network infrastructure, data analytics and so on. All that actually calls on similar skills and experience that we will need for the regime that we are talking about today, so there is some crossover that we can draw on. Simon, did you want to add anything on that?
Simon Saunders: Absolutely. We have different teams that we are building for the different responsibilities, but there are definitely overlaps between them, and in particular we have built a team of technologists particularly to inform our work on online issues, including, but not limited to, online harm. That comes with a need for us to have technologists who have worked in, and understand, a range of cloud-based computing platforms and the online social media platforms in general. The underlying [Inaudible.] technologies are the ones that increasingly telecoms networks are being built with as well—the so-called cloudification, or virtualisation. So, helpfully, when we recruit specialists in the one area there is the opportunity for them to contribute to the other areas of our responsibilities and to ensure that our approach to these things is [Inaudible.] I think we actually get benefits from having multiple of those duties, rather than separating them.
Q
I want, with permission, to ask a question about three areas: security, assets and costs, and duties. I share some of the scepticism of my right hon. Friend the Member for North Durham about the statement that Ofcom will not be making decisions on national security. You will clearly have duties with regard to national security and one of the key duties is to ensure compliance of our entire network—all our networks—with national security requirements. So how are you going to ensure that compliance without taking decisions on security? You seem to suggest that it is just going to be a set of protocols, if you like, from the National Cyber Security Centre, and you are just going to look at ticking the boxes to see that they are met; but in practice that cannot be the case. It is far more complex than that, particularly with regard to emerging technologies.
Another issue is that the Bill puts all the requirement to ensure compliance on Ofcom, in terms of Ofcom seeking information, Ofcom requiring information, Ofcom setting out notices to inspect, and so on. For example, let us say that one of our network operators—I shall not name one—decides to buy all its cloud or virtualisation equipment from a Chinese manufacturer that is not designated a high-risk manufacturer. Would Ofcom be informed of that change in its network? How would that pass to the National Cyber Security Centre—or would it not? Without that kind of duty in place, is there a risk of what you do becoming a meaningless tick-box exercise and, particularly, of its not addressing future and emerging security threats? That is my first question.
Lindsey Fussell: The point that you raise about this needing not to be a tick-box exercise is absolutely vital. I think actually what we are talking about in this legislation is changing culture—crucially among operators but also in terms of giving the regulator new responsibilities and changing the culture that we have, and the responsibilities and the range of the role we take on in relation to this. So this is absolutely—the legislation in fact specifically says so—about future technology as well as about existing networks. It is critical, I think, that we and the operators go on this journey together in terms of promoting that security by design, in everything that is done.
Picking up your question specifically in relation to assets, I think it is more or less impossible to meet the requirements set out in the covid practice for the operators unless they have a detailed asset register of everything that is in their system. We would expect to see evidence of that, and that it is regularly checked, audited and so on. That would be an expectation for us.
On the relationship with the NCSC, as I say, we have specific provisions in place that enable us to share information with the NCSC. As we collect that information with operators, we will discuss with them in advance what type of information they want to see on a routine basis, sharing that and clearly taking guidance from them as necessary if they think there are national security issues that we need to be aware of.
I mentioned earlier about having security clearance in place. To expand on that answer, we have a small number of STRAP-cleared staff in Ofcom, and we will expand that if need be. Those relationships with the NCSC are already in place and will be productive. I should say also that if the NCSC identifies new threats, or if we identify new threats, I think the legislation is flexible and it is right to be so, in that the code of practice can be updated to reflect that.
Simon Saunders: Could I also add that, in respect of our role in emerging technologies, we are not only awaiting others to tell us which emerging technologies to pay attention to? We have our own independent programme of monitoring and horizon scanning for technologies that could appear and have an impact on the networks and the sectors that we regulate. Clearly, the implications are not only about security. They cover a wider range of issues of performance and costs and flexibility and so on. We actively monitor across these sectors for those technologies.
I mentioned earlier that we recently published something about technologies heading for the future generations of mobile. That also covers fixed networks, the advent of quantum technologies and distributed software technologies in networks, and so on. That programme yields an advance look for colleagues about threats and opportunities that are coming towards us into the markets, so that we can build the skills and consider the implications well in advance of their actually impacting on those networks.