Christian Matheson debates involving the Department for Digital, Culture, Media & Sport during the 2019-2024 Parliament

Tue 26th Jan 2021
Telecommunications (Security) Bill (Seventh sitting)
Public Bill Committees

Committee stage: 7th sitting & Committee Debate: 7th sitting: House of Commons
Tue 26th Jan 2021
Telecommunications (Security) Bill (Eighth sitting)
Public Bill Committees

Committee Debate: 8th sitting: House of Commons
Thu 21st Jan 2021
Telecommunications (Security) Bill (Sixth sitting)
Public Bill Committees

Committee stage: 6th sitting & Committee Debate: 6th sitting: House of Commons
Thu 21st Jan 2021
Telecommunications (Security) Bill (Fifth sitting)
Public Bill Committees

Committee stage: 5th sitting & Committee Debate: 5th sitting: House of Commons
Tue 19th Jan 2021
Telecommunications (Security) Bill (Third sitting)
Public Bill Committees

Committee Debate: 3rd sitting: House of Commons
Tue 19th Jan 2021
Telecommunications (Security) Bill (Fourth sitting)
Public Bill Committees

Committee Debate: 4th sitting: House of Commons
Thu 14th Jan 2021
Telecommunications (Security) Bill (Second sitting)
Public Bill Committees

Committee stage: 2nd sitting & Committee stage & Committee Debate: 2nd sitting: House of Commons
Thu 14th Jan 2021
Telecommunications (Security) Bill (First sitting)
Public Bill Committees

Committee stage: 1st sitting & Committee Debate: 1st sitting: House of Commons

Telecommunications (Security) Bill (Seventh sitting)

Christian Matheson Excerpts
Tuesday 26th January 2021


Public Bill Committees
The Chair

We now come to amendment 20 to clause 17. This is Christian Matheson’s big moment. I call him to move the amendment.

Christian Matheson (City of Chester) (Lab)

I beg to move amendment 20, in clause 17, page 29, line 31, at end insert—

“(4) Where the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would, under subsection (2), be contrary to the interests of national security, a copy of the direction or notice must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.

(5) Any information excluded from what is laid before Parliament under the provision in subsection (3)(b) must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.”

This amendment would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to a designated vendor direction or designation notice which on grounds of national security is not laid before Parliament, thereby enabling Parliamentary oversight of all directions and notices.

The Chair

With this, it will be convenient to discuss the following: amendment 22, in clause 20, page 35, line 30, at end insert—

“(9) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section which relates to a direction or notice that has not been laid before Parliament on grounds of national security.

Amendment 23, in clause 20, page 37, line 41, at end insert—

“(10) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision which relates to a direction or notice that has not been laid before Parliament on grounds of national security.

Amendment 24, in clause 21, page 39, line 9, at end insert—

“(6) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction which relates to a direction that has not been laid before Parliament on grounds of national security.

Amendment 25, in clause 21, page 40, line 6, at end insert—

“(8) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification which relates to a direction that has not been laid before Parliament on grounds of national security.

Christian Matheson

I am sure the Committee has been waiting with bated breath for my big moment all morning, Mr Hollobone. May I say what a great pleasure it is to serve under your chairmanship?

I had prepared some notes to help me present the amendments, but I need not have bothered; I could simply have taken the Hansard report from last week and quoted my right hon. Friend the Member for North Durham. He talked about being a stuck record, but he is not; he is being consistent. I like to think that Labour has been consistent throughout the detailed consideration of the Bill. My hon. Friend the Member for Newcastle upon Tyne Central talked about the three areas that we consistently think would improve the Bill, and the amendment falls into one of those areas: scrutiny and the role of the Intelligence and Security Committee.

I refer to my right hon. Friend’s speech last week on amendment 9, when he talked about the desire to help the Bill. He also laid down a challenge. He commented on the fact that I thought that some parts of his speech were inspirational. They were, because they made me think quite a lot. There was one lightbulb moment when he used his experience of, I believe, 20 years in the House this year—on which I congratulate him—and said that the chances are that a similar amendment will be proposed in their lordships’ House and the Government may well agree to it.

My right hon. Friend also said that it is not necessarily a good thing for the Minister—not in this case, mind you—to be a tough guy who wants to get through the Bill without any amendments, when there is a genuine desire among the Opposition to get the Bill through. I remind the Minister and Government Members that we support the Bill. There have been occasions when an Opposition have tried to scupper, delay or make mischief with a Bill. I assure Government Members—I hope it is obvious to them—that there is no such skulduggery on this side of the House, not with this Bill and not ever, and certainly not when my hon. Friend the Member for Newcastle upon Tyne Central, my right hon. Friend the Member for North Durham and I are on the Bill Committee. We are genuinely keen to improve the Bill during its passage.

The amendment again falls into one of the three areas my hon. Friend the Member for Newcastle upon Tyne Central has identified as necessary. As the Minister may have guessed, the chances are that we will not put it to the vote, but we do ask that he gives it careful consideration. I refer the Committee to the speech by my right hon. Friend the Member for North Durham last week about the role of the Intelligence and Security Committee. Amendments 20 to 25 relate to different clauses, but have the common aim of ensuring that there is correct parliamentary oversight of the process outlined in the Bill, specifically by referring all orders made under proposed new section 105Z11 of the Communications Act 2003 to the Intelligence and Security Committee.

It would normally be the Digital, Culture, Media and Sport Committee that would take on telecommunications matters. Additionally, the Secretary of State may lay orders before Parliament for general consideration and scrutiny. However, the Bill has our national security at its heart, and as a proud former member of the Culture, Media and Sport Committee, I am the first to admit that it would not be at all an appropriate forum for the consideration of such reporting to take place, nor would it be the normal procedure for laying orders before this House or the other place, either in general or on the specifics of the order.

As we touched on last week, the temptation is therefore the default position that no reporting at all would take place, which is clearly not desirable. I hope the Minister will confirm that that is not the Government’s intention. To be fair, I think he touched on that point last week, but it would be helpful if he could touch on it again.

The use of the ISC is therefore an elegant and obvious solution. The Committee, of which my right hon. Friend the Member for North Durham is such a distinguished member, has worked well and has the confidence of the House. It provides a secure and trusted forum for decisions of the Secretary of State that may have far-reaching commercial and technical implications, as well as security implications, to be scrutinised and considered by hon. Members who are able to receive the full facts and make a judgement based on them, while giving nothing away to those who wish us ill and would exploit our open democracy in doing so. I see no reason why our determination to protect our communications infrastructure should be used against us by our adversaries, but nor should that determination be traded off with a reduction in parliamentary scrutiny of the Executive and agencies that act on behalf of us all.

The ISC is there for a reason: it is precisely to cover situations such as this. If the Minister can propose an alternative solution that balances security with scrutiny, we would be pleased to hear it. I suspect this solution would also make commercial UK businesses more open to scrutiny themselves by offering a level of confidentiality, although I accept that that is not the primary role of the ISC.

It should also not be optional for the Secretary of State to report. Such a chaotic patchwork would undermine the integrity of the Bill and the processes that we are setting up. Failing any alternative being proposed, we believe that these amendments, which involve the ISC acting on behalf of the whole House—indeed, the whole of Parliament—would fill a glaring hole and enhance the Bill. I commend them to the Committee.

Mr Jones

My hon. Friend the Member for City of Chester said that we were going over old ground, and to a certain extent we are because some of the amendments reflect those that I moved last week.

May I say at the outset, Mr Hollobone, that the Minister has been an exemplar in engaging with and briefing the ISC? He has set something of a precedent; usually we have only Cabinet Ministers or Prime Ministers before us to give evidence. He is one of the few junior Ministers to have appeared before us, so I congratulate him. He did it because he wanted to engage with the issues. He must therefore be commended on his commitment to ensure that there is scrutiny. However—this is not to wish his demise, but to argue for his promotion—he will not be there forever. I think he does not quite understand why the Government are not at least moving on this.

The ISC’s remit is defined in the Justice and Security Act 2013. It sets out which Departments we cover, and the Department for Digital, Culture, Media and Sport is not one of them. However, as I said last week, security is increasingly being covered by other Departments, and this Bill is a good example. The National Security and Investment Bill is another one, where security decisions will be taken by the Secretary of State for Business, Energy and Industrial Strategy. Parliament must be able to scrutinise that.

If a high-risk vendor is designated as banned from the network by the Secretary of State for Digital, Culture, Media and Sport, there are perfectly good reasons why the intelligence behind that cannot be put into the public domain. The methods by which such information is acquired are of a highly sensitive nature, so it would not only expose our security services’ techniques, but in some cases would make vulnerable the individuals who have been the source of that information. I think most people would accept that that is a very good reason.

This sort of thing is happening increasingly. We have the two Bills that I have referred to, but we also have the Covert Human Intelligence Sources (Criminal Conduct) Bill, which will come back to the House tomorrow. Covert human intelligence and the ability to collect intelligence on behalf of our security services is very important. Most of that is covered by the Home Office, and covert human intelligence sources are covered by the ISC’s remit and can be scrutinised. However, there is a long list of other organisations that will be covered by tomorrow’s Bill, including—we never quite got to the bottom of this—the Food Standards Agency, for example. Again, how do we ensure that there is scrutiny of the decisions?

We also have—this has come out of the pandemic—the new biosecurity unit in the Department of Health. Again, there is no parliamentary scrutiny, because the Health and Social Care Committee will not be able to look at the intelligence that supports so much of that. An easy way out of this is in the Justice and Security Act 2013: the memorandum of understanding, which just means that, were our remit extended to look at this and other matters, the ISC could oversee and ask for the intelligence.

Having spoken to the Business Secretary and the Minister, who sympathises with us, I am not sure where the logjam is in Government. The point is that an amendment will be tabled in the Lords. Whether the provision is in the Bill or just in the memorandum of understanding between the Prime Minister and the ISC, it is easily done and would give confidence that the process at least had parliamentary oversight.

On many of these decisions, frankly, the oversight would not be onerous; we are asking only that we are informed of them. On some occasions, we might not even want to look at the intelligence. It might be so straightforward that, frankly, it is not necessary, so I do not think that it is an administrative burden. I cannot understand what the problem is. To reiterate what I said last week in Committee, it is not about the ISC wanting to have a veto or block over such things. It is, rightly, for the Government and the Secretary of State to make and defend those decisions.

It is also not about the ISC embarrassing the Government, because we cannot talk in public about a lot of the information that we receive. It is not as though we would publish a publicly available report, because of the highly classified nature of the information. However, the ISC can scrutinise decisions and, if it has concerns, write to the Prime Minister or produce a report for the Prime Minister raising them. That gives parliamentary scrutiny of the Executive’s decisions.

As I say, the report might not be made public. People might ask, “Would that be a new thing?” No—it happens all the time. For example, on the well-publicised Russia report this year, there was a public report with redactions in it and quite an extensive annex, which raised some issues that we were concerned about. That annex was seen only by individuals in Government, including the Prime Minister.

There is already a mechanism, so I fail to understand why the Government want to oppose this. From talking to Ministers privately, I think that there is a lot of sympathy with the position and I think that we will get there eventually. How we get there and in what format, I am not sure—whether the method is to put it in the Bill or to do it through the mechanism in the 2013 Act. That might be a way forward.

--- Later in debate ---
Matt Warman

Absolutely. Members of the Committee should note that in exercising the powers created by this Bill, the Secretary of State will be advised by the NCSC on relevant technical and national security matters. The NCSC’s work already falls within the Intelligence and Security Committee’s remit, so the right hon. Gentleman has found his own salvation.

In that context, the amendment seems to duplicate that existing power, while also seeking to do something that is better done in reform of a different Act, if that is what the right hon. Gentleman seeks. I am sorry to disappoint him again. I think he knew already that I would do that, but I look forward to his third, fourth and fifth salvos in his ongoing campaign.

Christian Matheson

I hear the Minister’s explanation, which we have been over before when considering other amendments. He talks about other salvos by my right hon. Friend the Member for North Durham. I go back to the statement that my right hon. Friend made last week, which is that he expects that at some point something will happen and we will move forward.

The Chair

Order. If the hon. Gentleman would like to chair this afternoon’s sitting, I am sure we could arrange for him to do that. I know Members will be disappointed, but I am instructed to say that as it is 11.25 am, the Committee is now adjourned.

Telecommunications (Security) Bill (Eighth sitting)

Christian Matheson Excerpts
The Chair

I remind the Committee that with this we are discussing the following:

Amendment 22, in clause 20, page 35, line 30, at end insert—

“(9) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section which relates to a direction or notice that has not been laid before Parliament on grounds of national security.

Amendment 23, in clause 20, page 37, line 41, at end insert—

“(10) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision which relates to a direction or notice that has not been laid before Parliament on grounds of national security.

Amendment 24, in clause 21, page 39, line 9, at end insert—

“(6) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction which relates to a direction that has not been laid before Parliament on grounds of national security.

Amendment 25, in clause 21, page 40, line 6, at end insert—

“(8) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification which relates to a direction that has not been laid before Parliament on grounds of national security.

I need to understand, Mr Matheson, what your intention is.

Christian Matheson (City of Chester) (Lab)

As you correctly say, Mr McCabe, I need to announce my intention, but just as I was about to, the Committee was halted. I am reminded of the occasion involving that notorious football referee Clive Thomas. The 1978 World Cup blew up against Brazil because, as the ball was heading towards the goal, he disallowed the goal. That was rather how I felt this morning.

That said, I do not wish to press the matter further, despite the fact that I had devastating remarks that would have swayed the Minister. I will not put my amendments to the vote. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 17 ordered to stand part of the Bill.

Clause 18

Monitoring of designated vendor directions

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss clauses 19 to 23 stand part.

--- Later in debate ---
Matt Warman

I will be brief, but it is important to cover the Government amendments. The clause provides that any increase in expenditure attributable to the Bill is paid out by Parliament. Clause 27 covers the extent of the Bill and clause 28 provides for the commencement of the Bill’s provisions.

I turn to the small set of amendments that the Government deem necessary, given that the Bill will be carried over to the second Session. The Bill creates new national security powers for the Secretary of State to address the risks posed by high-risk vendors through the issuing and enforcement of designated vendor directions in clauses 15 to 23 and 24. Amendment 1 enables clauses 15 to 23 to come into force on the day on which the Bill receives Royal Assent. Amendment 2 ensures that the higher penalties also come into force. Amendment 3 removes the subsection of clause 28 providing for sections to come into force at the end of the two-month period. Finally, amendment 4 ensures that the provisions of clause 24 that are not commenced early come into force via commencement regulations on a day determined by the Secretary of State. Without the amendments, the provisions relating to those powers would come into force two months after the Bill receives Royal Assent, which could put at risk the timely implementation of this important policy.

Question put and agreed to.

Clause 26 accordingly ordered to stand part of the Bill.

Clause 27 ordered to stand part of the Bill.

Clause 28

Commencement

Amendments made: 1, in clause 28, page 46, line 19, leave out “section 14” and insert “sections 14 to 23”.

This amendment would cause clauses 15 to 23 to come into force on Royal Assent.

Amendment 2, in clause 28, page 46, line 19, at end insert—

“(ca) section 24, so far as it relates to section 18;”.

This amendment is consequential upon Amendment 1. Clause 24 provides for higher penalties to be available for certain contraventions of information requirements, including contraventions associated with section 105Z12 of the Communications Act 2003, which is inserted by clause 18.

Amendment 3, in clause 28, page 46, line 25, leave out subsection (2).

This amendment is consequential upon Amendments 1 and 2.

Amendment 4, in clause 28, page 46, line 30, at end insert—

“(ba) section 24 (so far as not already in force by virtue of subsection (1));”.(Matt Warman.)

This amendment is consequential upon Amendments 1 and 2.

Clause 28, as amended, ordered to stand part of the Bill.

Clause 29 ordered to stand part of the Bill.

New Clause 3

Duty of Ofcom to report on its resources

‘(1) Ofcom must publish an annual report on the effect on its resources of fulfilling its duties under this Act.

(2) The report required by subsection (1) must include an assessment of—

(a) the adequacy of Ofcom’s budget and funding;

(b) the adequacy of staffing levels in Ofcom; and

(c) any skills shortages faced by Ofcom.’.—(Christian Matheson.)

This new clause introduces an obligation on Ofcom to report on the adequacy of their existing budget following the implementation of new responsibilities.

Brought up, and read the First time.

Christian Matheson

I beg to move, That the clause be read a Second time.

The Chair

With this it will be convenient to discuss new clause 7— Review of Ofcom’s capacity and capability to undertake duties (No.2)

‘(1) The Communications Act 2003 is amended as follows.

(2) After section 105Z29 insert—

“105Z30 Review of Ofcom’s capacity and capability to undertake duties

The Secretary of State must, not later than 12 months after the day on which the Telecommunications (Security) Act 2021 is passed, lay before Parliament a report on Ofcom’s capacity and capability to undertake its duties under this Act in relation to the security of public electronic communications networks and services.”.’

This new clause would require the Secretary of State to report on Ofcom’s capacity and capability to undertake the duties provided for in the Telecommunications (Security) Bill which would be inserted into the Communications Act 2003 under the cross-heading “Security of public electronic communications networks and services” (which would encompass all the clause numbers which start with 105).

Christian Matheson

I do not want to detain the Committee all that long. The basis of the new clause is to ensure that Ofcom has the staffing and financial resources, as well as the capacity and technical capability, to undertake its new responsibilities under the Bill.

I remind the Committee that we heard in the evidence sessions that this is only one of several new areas of responsibility that Ofcom has received in recent years. For example, it now has responsibilities for regulating aspects of the work of the BBC. Parliament will be presenting Ofcom with responsibilities in relation to online harms, all of which is to be welcomed, but we have to recognise that there will be an overstretch for Ofcom.

In the area that the Committee is considering, there are technical complications that require specific sets of talents and capabilities which, we have heard previously, are not always in ready supply in the sector. We heard evidence that Ofcom, in common with other public sector bodies, does not pay as highly as some high-end consultancies, suppliers, developers or software houses, and therefore there will be churn. I do not want to stand in the way of anyone’s career development, but understandably there will be churn, in terms of Ofcom’s ability to maintain its responsibilities in what we know will be a continually evolving sector that throws up new technical challenges.

New clause 3 provides a duty on Ofcom to report on its resources, including

“the adequacy of Ofcom’s budget and funding…the adequacy of staffing levels….and any skills shortages faced”.

In doing so, it will concentrate the minds of senior management at Ofcom, although I have no doubt that those minds will be focused on these matters already. Perhaps they will give this priority, particularly in terms of forward planning, and they will think, “We’re okay at the moment, but are we going to require extra and additional capability in area x, y or z in the next couple of years?” It will also focus and concentrate the minds of Ministers and Parliament, ensuring that Ofcom has the resources and capability to achieve the tasks that we have given it.

We heard many lines of evidence from the expert witnesses. My hon. Friend the Member for Newcastle upon Tyne Central may refer to some of them in her contribution, and I do not want to undermine that. Professor Webb said:

“I doubt Ofcom has that capability at the moment. In principle, it could acquire it and hire people who have that expertise, but the need for secrecy in many of these areas is always going to mean that we are better off with one centre of excellence”.

Emily Taylor of Oxford Information Labs said:

“Ofcom is going to need to upskill. In reality, as Professor Webb has said, they are going to be reliant on expert advice from NCSC, at least in the medium term,”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 79, Q95.]

The new clause is about assisting Ofcom to make an audit of what is available and ensuring that it is up to standard in terms of technological changes. It will also ensure that it is looking forward, in the midst of all the other responsibilities that Parliament is asking it to undertake, in order to maintain a level of skills and expertise that will enable it to undertake the snapshot reviews of current networks, as well as reviews of future provision and threats to the network. I hope that the new clause is self-explanatory and I am pleased to present it to the Committee.

Mr Kevan Jones (North Durham) (Lab)

I would like to speak to new clause 7, which stands in my name. It is related to new clause 3, in the name of my hon. Friend the Member for City of Chester. As he has just said, Ofcom has had an expansion of its duties in the last few years and become a little bit like a Christmas tree with added responsibilities, but none of them will be as important for the nation’s future as this. That is not to decry any of the expertise or other duties that Ofcom has, but national security and the security of our national telecoms infrastructure, is a vital new task. I have said before that my concern about Ofcom centres on national security. That is why I have tabled amendments to the Bill. My fear is that Ofcom will not have the necessary expertise, although I am not suggesting that it cannot develop into a good regulatory body looking at security and our national telecoms infrastructure.

I tabled parliamentary questions on Ofcom’s budgets and headcounts, and I am glad to see that its budget and personnel have increased as its tasks have grown. That was not the case in 2010, when its budgets were subject to some quite savage cuts. My concern—I will call this my Robin Day approach—is that we have to future-proof Ofcom to ensure that the organisation not only has the budget but also has the personnel it needs. I do not want to suggest that the Minister would want to cut Ofcom’s budget at present, as it does important work. However, it is a regulator and perhaps does not have the clout of a Government Department, so any future Chancellor or Treasury looking for cuts disguised as efficiencies could see it as easy, low-hanging fruit.

Ensuring that the Secretary of State undertakes duties highlighting Ofcom’s efficiency puts a spotlight on the basis of considerations by future Administrations of any political persuasion. That will be important, not just in the early stages but as we continue. It may take a while for Ofcom to get up to speed, but I want to ensure that that continues. The obligation for the Secretary of State to report on Ofcom would at least give me comfort that first, it is being looked at and, secondly, that civil servants cannot in future just assume that an easy cut can be made but which might then impact on our national security.

I raised another subject with the head of Ofcom when she appeared before the Committee. I do not really want to rehearse the discussions again, but as the Bill progresses the Minister will have to give assurances on security, and try to demonstrate the close working relationship between Ofcom and the security services. That will be important, as it will give credibility to the expectation that Ofcom can actually do the job that we have set out. If the Minister does that, it will reassure people who may not be convinced that Ofcom has the necessary expertise, and ensure that that close working relationship continues, not just now but in future, so that national security is at the centre of this.

There will always be a balance—as I said, we saw it in the National Security and Investment Bill—between wanting, quite rightly, to promote telecoms as a sector, and national security. I fall very much on the side of national security being the important consideration, and we need to ensure that that is always the case. It is important that national security and intelligence agencies are able to influence these decisions, not just in respect of Ofcom but also in respect of Ministers in future.

--- Later in debate ---
Christian Matheson

Budget allocations can go down as well as up and there might be a future Government who are not quite as generous as past Governments have been. What guarantee can the Minister offer us that without some kind of reporting, such as that we propose, Ofcom’s budget will not be frozen or, indeed, reduced?

Matt Warman

Ultimately, a mechanism already exists by which Parliament is able to scrutinise Ofcom’s resourcing. Ofcom is required under the Office of Communications Act 2002 to publish an annual report on its financial position and other relevant matters. That report, which is published every March—I am sure the hon. Gentleman is waiting with bated breath for the next one—includes detail on Ofcom’s strategic priorities as well as its finances, and details about issues such as its hiring policies.

--- Later in debate ---
Matt Warman

How to choose?

Christian Matheson

My hon. Friend is the shadow Minister.

Matt Warman

I give way to the hon. Lady.

Matt Warman

I would say that there is a sensible place to put some of that information, which is the communication to the ISC that I have offered, and there is a sensible place to put other information, which is the annual reporting that already exists. Hopefully the hon. Lady can find some comfort in the fact that both the information that cannot be shared publicly and the information that can will be subject to an appropriate level of parliamentary and public scrutiny.

Christian Matheson

I simply want to welcome the Minister’s comments, and the fact that he has recognised that the Intelligence and Security Committee is the appropriate place to discuss these matters, which, of course, cuts across other clauses that the Committee has already considered. He might bear that in mind on Report.

Matt Warman

I thank the hon. Gentleman for that intervention. I hope that now that I have given those various reassurances, hon. Members are appropriately comforted.

Everyone is waiting for the headcount of DCMS; I am assured that it is 1,304 people, some 300 more than that of Ofcom. I do not know whether that makes the right hon. Member for North Durham happier or more sad.

Matt Warman

We can discuss the optimal sizes of quangos and Departments outside this room. However, the right hon. Gentleman is obviously right that Government Departments and regulators need the resources they require to do their job properly. I hope that by describing the various mechanisms I have provided hon. Members with the reassurances they need to withdraw the new clause.

Christian Matheson

First, I owe you an apology, Mr McCabe; so keen was I to crack on with the consideration of the Bill that I did not say how great a pleasure it was to serve yet again under your chairmanship. I should have done so at the outset and I apologise.

I am grateful to the Minister for his response. I am looking to the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, for a little guidance. It could well be that we might want to serve a little bit longer under your chairmanship, Mr McCabe, by testing the views of the Committee on new clause 3, if we may.

Question put, That the clause be read a Second time.

Telecommunications (Security) Bill (Seventh sitting)

Christian Matheson Excerpts
Committee stage & Committee Debate: 7th sitting: House of Commons
Tuesday 26th January 2021

Public Bill Committees
Amendment Paper: Public Bill Committee Amendments as at 26 January 2021
The Chair

We now come to amendment 20 to clause 17. This is Christian Matheson’s big moment. I call him to move the amendment.

Christian Matheson (City of Chester) (Lab)

I beg to move amendment 20, in clause 17, page 29, line 31, at end insert—

“(4) Where the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would, under subsection (2), be contrary to the interests of national security, a copy of the direction or notice must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.

(5) Any information excluded from what is laid before Parliament under the provision in subsection (3)(b) must be provided to the Intelligence and Security Committee of Parliament as soon as reasonably practicable.”

This amendment would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to a designated vendor direction or designation notice which on grounds of national security is not laid before Parliament, thereby enabling Parliamentary oversight of all directions and notices.

The Chair

With this, it will be convenient to discuss the following: amendment 22, in clause 20, page 35, line 30, at end insert—

“(9) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section which relates to a direction or notice that has not been laid before Parliament on grounds of national security.

Amendment 23, in clause 20, page 37, line 41, at end insert—

“(10) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision which relates to a direction or notice that has not been laid before Parliament on grounds of national security.

Amendment 24, in clause 21, page 39, line 9, at end insert—

“(6) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction which relates to a direction that has not been laid before Parliament on grounds of national security.

Amendment 25, in clause 21, page 40, line 6, at end insert—

“(8) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification which relates to a direction that has not been laid before Parliament on grounds of national security.

Christian Matheson

I am sure the Committee has been waiting with bated breath for my big moment all morning, Mr Hollobone. May I say what a great pleasure it is to serve under your chairmanship?

I had prepared some notes to help me present the amendments, but I need not have bothered; I could simply have taken the Hansard report from last week and quoted my right hon. Friend the Member for North Durham. He talked about being a stuck record, but he is not; he is being consistent. I like to think that Labour has been consistent throughout the detailed consideration of the Bill. My hon. Friend the Member for Newcastle upon Tyne Central talked about the three areas that we consistently think would improve the Bill, and the amendment falls into one of those areas: scrutiny and the role of the Intelligence and Security Committee.

I refer to my right hon. Friend’s speech last week on amendment 9, when he talked about the desire to help the Bill. He also laid down a challenge. He commented on the fact that I thought that some parts of his speech were inspirational. They were, because they made me think quite a lot. There was one lightbulb moment when he used his experience of, I believe, 20 years in the House this year—on which I congratulate him—and said that the chances are that a similar amendment will be proposed in their lordships’ House and the Government may well agree to it.

My right hon. Friend also said that it is not necessarily a good thing for the Minister—not in this case, mind you—to be a tough guy who wants to get through the Bill without any amendments, when there is a genuine desire among the Opposition to get the Bill through. I remind the Minister and Government Members that we support the Bill. There have been occasions when an Opposition have tried to scupper, delay or make mischief with a Bill. I assure Government Members—I hope it is obvious to them—that there is no such skulduggery on this side of the House, not with this Bill and not ever, and certainly not when my hon. Friend the Member for Newcastle upon Tyne Central, my right hon. Friend the Member for North Durham and I are on the Bill Committee. We are genuinely keen to improve the Bill during its passage.

The amendment again falls into one of the three areas my hon. Friend the Member for Newcastle upon Tyne Central has identified as necessary. As the Minister may have guessed, the chances are that we will not put it to the vote, but we do ask that he gives it careful consideration. I refer the Committee to the speech by my right hon. Friend the Member for North Durham last week about the role of the Intelligence and Security Committee. Amendments 20 to 25 relate to different clauses, but have the common aim of ensuring that there is correct parliamentary oversight of the process outlined in the Bill, specifically by referring all orders made under proposed new section 105Z11 of the Communications Act 2003 to the Intelligence and Security Committee.

It would normally be the Digital, Culture, Media and Sport Committee that would take on telecommunications matters. Additionally, the Secretary of State may lay orders before Parliament for general consideration and scrutiny. However, the Bill has our national security at its heart, and as a proud former member of the Culture, Media and Sport Committee, I am the first to admit that it would not be at all an appropriate forum for the consideration of such reporting to take place, nor would it be the normal procedure for laying orders before this House or the other place, either in general or on the specifics of the order.

As we touched on last week, the temptation is therefore the default position that no reporting at all would take place, which is clearly not desirable. I hope the Minister will confirm that that is not the Government’s intention. To be fair, I think he touched on that point last week, but it would be helpful if he could touch on it again.

The use of the ISC is therefore an elegant and obvious solution. The Committee, of which my right hon. Friend the Member for North Durham is such a distinguished member, has worked well and has the confidence of the House. It provides a secure and trusted forum for decisions of the Secretary of State that may have far-reaching commercial and technical implications, as well as security implications, to be scrutinised and considered by hon. Members who are able to receive the full facts and make a judgement based on them, while giving nothing away to those who wish us ill and would exploit our open democracy in doing so. I see no reason why our determination to protect our communications infrastructure should be used against us by our adversaries, but nor should that determination be traded off with a reduction in parliamentary scrutiny of the Executive and agencies that act on behalf of us all.

The ISC is there for a reason: it is precisely to cover situations such as this. If the Minister can propose an alternative solution that balances security with scrutiny, we would be pleased to hear it. I suspect this solution would also make commercial UK businesses more open to scrutiny themselves by offering a level of confidentiality, although I accept that that is not the primary role of the ISC.

It should also not be an option for the Secretary of State to report. Such a chaotic patchwork would undermine the integrity of the Bill and the processes that we are setting up. Failing any alternative being proposed, we believe that these amendments, which involve the ISC acting on behalf of the whole House—indeed, the whole of Parliament—would fill a glaring hole and enhance the Bill. I commend them to the Committee.

--- Later in debate ---
Matt Warman

Absolutely. Members of the Committee should note that in exercising the powers created by this Bill, the Secretary of State will be advised by the NCSC on relevant technical and national security matters. The NCSC’s work already falls within the Intelligence and Security Committee’s remit, so the right hon. Gentleman has found his own salvation.

In that context, the amendment seems to duplicate that existing power, while also seeking to do something that is better done in reform of a different Act, if that is what the right hon. Gentleman seeks. I am sorry to disappoint him again. I think he knew already that I would do that, but I look forward to his third, fourth and fifth salvos in his ongoing campaign.

Christian Matheson

I hear the Minister’s explanation, which we have been over before when considering other amendments. He talks about other salvos by my right hon. Friend the Member for North Durham. I go back to the statement that my right hon. Friend made last week, which is that he expects that at some point something will happen and we will move forward.

Telecommunications (Security) Bill (Eighth sitting)

Christian Matheson Excerpts
The Chair

I remind the Committee that with this we are discussing the following:

Amendment 22, in clause 20, page 35, line 30, at end insert—

“(9) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any notification under this section which relates to a direction or notice that has not been laid before Parliament on grounds of national security.

Amendment 23, in clause 20, page 37, line 41, at end insert—

“(10) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision relating to a designated vendor direction, designation notice, a notice of a variation or revocation of a designated vendor direction or a notice of a variation or revocation of a designation notice to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation decision which relates to a direction or notice that has not been laid before Parliament on grounds of national security.

Amendment 24, in clause 21, page 39, line 9, at end insert—

“(6) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any urgent enforcement direction which relates to a direction that has not been laid before Parliament on grounds of national security.

Amendment 25, in clause 21, page 40, line 6, at end insert—

“(8) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification relating to a designated vendor direction to which subsection (2) or (3)(b) of section 105Z11 applies.”

This amendment would require the Secretary of State to provide the Intelligence and Security Committee of Parliament with a copy of any confirmation of an urgent enforcement notification which relates to a direction that has not been laid before Parliament on grounds of national security.

I need to understand, Mr Matheson, what your intention is.

Christian Matheson (City of Chester) (Lab)

As you correctly say, Mr McCabe, I need to announce my intention, but just as I was about to, the Committee was halted. I am reminded of the occasion involving that notorious football referee Clive Thomas. The 1978 World Cup blew up against Brazil because, as the ball was heading towards the goal, he disallowed the goal. That was rather how I felt this morning.

That said, I do not wish to press the matter further, despite the fact that I had devastating remarks that would have swayed the Minister. I will not put my amendments to the vote. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 17 ordered to stand part of the Bill.

Clause 18

Monitoring of designated vendor directions

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss clauses 19 to 23 stand part.

--- Later in debate ---
Matt Warman

I will be brief, but it is important to cover the Government amendments. The clause provides that any increase in expenditure attributable to the Bill is paid out by Parliament. Clause 27 covers the extent of the Bill and clause 28 provides for the commencement of the Bill’s provisions.

I turn to the small set of amendments that the Government deem necessary, given that the Bill will be carried over to the second Session. The Bill creates new national security powers for the Secretary of State to address the risks posed by high-risk vendors through the issuing and enforcement of designated vendor directions in clauses 15 to 23 and 24. Amendment 1 enables clauses 15 to 23 to come into force on the day on which the Bill receives Royal Assent. Amendment 2 ensures that the higher penalties also come into force. Amendment 3 removes the subsection of clause 28 providing for sections to come into force at the end of the two-month period. Finally, amendment 4 ensures that the provisions of clause 24 that are not commenced early come into force via commencement regulations on a day determined by the Secretary of State. Without the amendments, the provisions relating to those powers would come into force two months after the Bill receives Royal Assent, which could put at risk the timely implementation of this important policy.

Question put and agreed to.

Clause 26 accordingly ordered to stand part of the Bill.

Clause 27 ordered to stand part of the Bill.

Clause 28

Commencement

Amendments made: 1, in clause 28, page 46, line 19, leave out “section 14” and insert “sections 14 to 23”.

This amendment would cause clauses 15 to 23 to come into force on Royal Assent.

Amendment 2, in clause 28, page 46, line 19, at end insert—

“(ca) section 24, so far as it relates to section 18;”.

This amendment is consequential upon Amendment 1. Clause 24 provides for higher penalties to be available for certain contraventions of information requirements, including contraventions associated with section 105Z12 of the Communications Act 2003, which is inserted by clause 18.

Amendment 3, in clause 28, page 46, line 25, leave out subsection (2).

This amendment is consequential upon Amendments 1 and 2.

Amendment 4, in clause 28, page 46, line 30, at end insert—

“(ba) section 24 (so far as not already in force by virtue of subsection (1));”.—(Matt Warman.)

This amendment is consequential upon Amendments 1 and 2.

Clause 28, as amended, ordered to stand part of the Bill.

Clause 29 ordered to stand part of the Bill.

New Clause 3

Duty of Ofcom to report on its resources

‘(1) Ofcom must publish an annual report on the effect on its resources of fulfilling its duties under this Act.

(2) The report required by subsection (1) must include an assessment of—

(a) the adequacy of Ofcom’s budget and funding;

(b) the adequacy of staffing levels in Ofcom; and

(c) any skills shortages faced by Ofcom.’.—(Christian Matheson.)

This new clause introduces an obligation on Ofcom to report on the adequacy of their existing budget following the implementation of new responsibilities.

Brought up, and read the First time.

Christian Matheson

I beg to move, That the clause be read a Second time.

The Chair

With this it will be convenient to discuss new clause 7— Review of Ofcom’s capacity and capability to undertake duties (No.2)—

‘(1) The Communications Act 2003 is amended as follows.

(2) After section 105Z29 insert—

“105Z30 Review of Ofcom’s capacity and capability to undertake duties

The Secretary of State must, not later than 12 months after the day on which the Telecommunications (Security) Act 2021 is passed, lay before Parliament a report on Ofcom’s capacity and capability to undertake its duties under this Act in relation to the security of public electronic communications networks and services.”.’

This new clause would require the Secretary of State to report on Ofcom’s capacity and capability to undertake the duties provided for in the Telecommunications (Security) Bill which would be inserted into the Communications Act 2003 under the cross-heading “Security of public electronic communications networks and services” (which would encompass all the clause numbers which start with 105).

Christian Matheson

I do not want to detain the Committee all that long. The basis of the new clause is to ensure that Ofcom has the staffing and financial resources, as well as the capacity and technical capability, to undertake its new responsibilities under the Bill.

I remind the Committee that we heard in the evidence sessions that this is only one of several new areas of responsibility that Ofcom has received in recent years. For example, it now has responsibilities for regulating aspects of the work of the BBC. Parliament will be presenting Ofcom with responsibilities in relation to online harms, all of which is to be welcomed, but we have to recognise that there will be an overstretch for Ofcom.

In the area that the Committee is considering, there are technical complications that require specific sets of talents and capabilities which, we have heard previously, are not always in ready supply in the sector. We heard evidence that Ofcom, in common with other public sector bodies, does not pay as highly as some high-end consultancies, suppliers, developers or software houses, and therefore there will be churn. I do not want to stand in the way of anyone’s career development, but understandably there will be churn, in terms of Ofcom’s ability to maintain its responsibilities in what we know will be a continually evolving sector that throws up new technical challenges.

New clause 3 provides a duty on Ofcom to report on its resources, including

“the adequacy of Ofcom’s budget and funding…the adequacy of staffing levels…and any skills shortages faced”.

In doing so, it will concentrate the minds of senior management at Ofcom, although I have no doubt that those minds will be focused on these matters already. Perhaps they will give this priority, particularly in terms of forward planning, and they will think, “We’re okay at the moment, but are we going to require extra and additional capability in area x, y or z in the next couple of years?” It will also focus and concentrate the minds of Ministers and Parliament, ensuring that Ofcom has the resources and capability to achieve the tasks that we have given it.

We heard many lines of evidence from the expert witnesses. My hon. Friend the Member for Newcastle upon Tyne Central may refer to some of them in her contribution, and I do not want to undermine that. Professor Webb said:

“I doubt Ofcom has that capability at the moment. In principle, it could acquire it and hire people who have that expertise, but the need for secrecy in many of these areas is always going to mean that we are better off with one centre of excellence”.

Emily Taylor of Oxford Information Labs said:

“Ofcom is going to need to upskill. In reality, as Professor Webb has said, they are going to be reliant on expert advice from NCSC, at least in the medium term,”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 79, Q95.]

The new clause is about assisting Ofcom to make an audit of what is available and ensuring that it is up to standard in terms of technological changes. It will also ensure that it is looking forward, in the midst of all the other responsibilities that Parliament is asking it to undertake, in order to maintain a level of skills and expertise that will enable it to undertake the snapshot reviews of current networks, as well as reviews of future provision and threats to the network. I hope that the new clause is self-explanatory and I am pleased to present it to the Committee.

--- Later in debate ---
Matt Warman

I thank the hon. Lady for her contributions. To address her central point, it would not be possible for Ofcom to meet the duties Government have tasked it with without addressing the foundational issue of security. It is important that we bear in mind that that is not an exhaustive list, but security will always be a foundational point.

The new clauses would require the Secretary of State to lay a report before Parliament within 12 months of Royal Assent. New clause 3 would require Ofcom to publish an annual report on the adequacy of its budget, resourcing and staffing levels in particular.

As the Committee is aware, the Bill gives Ofcom significant new responsibilities. Ofcom’s budget is approved by its independent board and must be within a limit set by the Government. Clearly, given the enhanced security role that Ofcom will undertake, it will need to increase its resources and skills to meet these new demands. As such, the budget limit set by the Government will be adjusted to allow Ofcom to carry out its new functions effectively. This is of a piece with the direction of travel we are going in. In 2012, Ofcom had 735 employees. Last year, it had 937 employees, so as its remit has expanded, so has its headcount. That will continue to be reflected in the level of resourcing that it will be given.

Christian Matheson

Budget allocations can go down as well as up and there might be a future Government who are not quite as generous as past Governments have been. What guarantee can the Minister offer us that without some kind of reporting, such as that we propose, Ofcom’s budget will not be frozen or, indeed, reduced?

Matt Warman

Ultimately, a mechanism already exists by which Parliament is able to scrutinise Ofcom’s resourcing. Ofcom is required under the Office of Communications Act 2002 to publish an annual report on its financial position and other relevant matters. That report, which is published every March—I am sure the hon. Gentleman is waiting with bated breath for the next one—includes detail on Ofcom’s strategic priorities as well as its finances, and details about issues such as its hiring policies.

--- Later in debate ---
Matt Warman

How to choose?

Christian Matheson

My hon. Friend is the shadow Minister.

Matt Warman

I give way to the hon. Lady.

Matt Warman

I would say that there is a sensible place to put some of that information, which is the communication to the ISC that I have offered, and there is a sensible place to put other information, which is the annual reporting that already exists. Hopefully the hon. Lady can find some comfort in the fact that both the information that cannot be shared publicly and the information that can will be subject to an appropriate level of parliamentary and public scrutiny.

Christian Matheson

I simply want to welcome the Minister’s comments, and the fact that he has recognised that the Intelligence and Security Committee is the appropriate place to discuss these matters, which, of course, cuts across other clauses that the Committee has already considered. He might bear that in mind on Report.

Matt Warman

I thank the hon. Gentleman for that intervention. I hope that now that I have given those various reassurances, hon. Members are appropriately comforted.

Everyone is waiting for the headcount of DCMS; I am assured that it is 1,304 people, some 300 more than that of Ofcom. I do not know whether that makes the right hon. Member for North Durham happier or more sad.

Matt Warman

We can discuss the optimal sizes of quangos and Departments outside this room. However, the right hon. Gentleman is obviously right that Government Departments and regulators need the resources they require to do their job properly. I hope that by describing the various mechanisms I have provided hon. Members with the reassurances they need to withdraw the new clause.

Christian Matheson

First, I owe you an apology, Mr McCabe; so keen was I to crack on with the consideration of the Bill that I did not say how great a pleasure it was to serve yet again under your chairmanship. I should have done so at the outset and I apologise.

I am grateful to the Minister for his response. I am looking to the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, for a little guidance. It could well be that we might want to serve a little bit longer under your chairmanship, Mr McCabe, by testing the views of the Committee on new clause 3, if we may.

Question put, That the clause be read a Second time.

New Clause 5

Telecommunications (Security) Bill (Sixth sitting)

Christian Matheson Excerpts
Committee stage & Committee Debate: 6th sitting: House of Commons
Thursday 21st January 2021

Public Bill Committees

Matt Warman

I think this would be impossible to identify without carrying out some kind of audit. There is a danger of a semantic argument, but I understand the point the hon. Lady is making. We want people to be in the position to make the kind of identifications that we are requiring. I do not see how they could do that without the records to which she refers, in terms of both the existing kit and future kit that they might put into their network.

Christian Matheson (City of Chester) (Lab)

This is an important point. The criticism that I will articulate later is that too much of the Bill is based on an assumption that the players in the sector will automatically do the right thing. For example, there is an assumption of a dialogue between Ofcom and the major players. Will the Minister think about whether he is satisfied that an assumption goes far enough in something as important as this?

Matt Warman

The regulation that I cited is an example of the Government not relying on assumptions. It is an example of us publishing, in advance, exactly the sort of material that demonstrates that this is not assumptions, and that it is there in black and white. That is an important distinction and it demonstrates the cross-party consensus that we have had thus far. We continue to be on the same page in terms of the level of detail required.

The evidence sessions with industry demonstrated that national providers already maintain some asset registers. Witnesses were clear that those registers are maintained and updated as technologies are updated. That is an important part of the existing landscape, but our regulations will ensure this kind of best practice is extended across public telecoms providers.

In addition, the Bill contains measures with regard to the use of particular vendors’ equipment. Inspection notices under clause 19 enable Ofcom to carry out surveys of a specific network or service where Ofcom receives a monitoring direction from the Secretary of State to gather information on a provider’s compliance with a designated vendor direction. Alongside that, clause 23 enables the Secretary of State to require the provision of information about the use of goods, services or facilities supplied, provided or made available by a particular person. That could be used to require information about a provider’s use of a particular vendor’s equipment.

Taken together, the issues that have been raised are not only entirely legitimate, in the view of the Government, but are addressed in black and white already, both in the Bill itself and in the drafts that we have published. We are ensuring that “hardware of interest,” whatever that might be, is subject to proper oversight and monitoring. That objective does not need the approach that might come as a consequence of this amendment, because it is already there. For that reason, I welcome the probing nature of the amendment. I hope that my answer has satisfied some of the concerns, and I look forward to doing so further in future answers.

--- Later in debate ---
Matt Warman

I am very happy to do so. I think it is obvious that clarity of communication would be incompatible with duplication.

Question put and agreed to.

Clause 4 accordingly ordered to stand part of the Bill.

Clause 5

General duty of OFCOM to ensure compliance with security duties

Christian Matheson

I beg to move amendment 11, in clause 5, page 9, line 41, at end insert—

“(2) Providers of public electronic communications networks and public electronic communications services must notify Ofcom of any planned or actual changes to their network or service which might compromise their ability to comply with the duties imposed on them by or under sections 105A to 105D, 105J and 105K.”

This amendment would require providers of public electronic communications networks or services to notify Ofcom of any changes to their network or service which might compromise their ability to comply with their security duties.

It is a great pleasure to serve under your chairmanship, Mr McCabe. Since this is my first substantive contribution to the Committee, I pay tribute to the Front Benchers. It is nice to have a Minister who, I believe, was formerly a tech journalist specialising in telecoms, and who knows the subject well. Of course, the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, was a telecoms engineer and an Ofcom regulator for many years, and I pay tribute to her and her staff. The Committee should know that in addition to running this Bill Committee from the Opposition’s side, she has also been working in the main Chamber this week on the National Security and Infrastructure Bill Committee. Juggling two Bills at once is no mean feat.

I have also greatly enjoyed the interplay between my right hon. Friend the Member for North Durham and the hon. and gallant Member for Bracknell, both of whom have considerable national security experience. I was intrigued by my right hon. Friend’s estimation of the hon. and gallant Gentleman’s intervention as Schrödinger’s intervention—one that managed to be simultaneously right and wrong. He has set a new standard there.

From listening to the debates on previous clauses, it is clear that a common thread passes through the Bill, which we in the Opposition have been hoping to link up. Partly, it is to do with the question we raised earlier about the assumption that everybody understands exactly what the intention in the Bill is, and that everything will be all right in the long term. My right hon. Friend the Member for North Durham has talked about the importance of making things as clear as possible when it comes to responsibilities, because a future Minister might not be as adept in this subject as the hon. Member for Boston and Skegness, who currently occupies that position. In a sense, that is the heart of amendment 11.

--- Later in debate ---
Christian Matheson

I am most grateful for the debate on the amendment. My hon. Friend the shadow Minister made the key point that Ofcom cannot be blamed for not enforcing something that it does not know anything about. The amendment’s intent was to encourage a sense of shared responsibility in what my right hon. Friend the Member for North Durham reminded us is still a competitive industry in which businesses might want to maintain a level of confidentiality about technological changes or the deals they are doing with suppliers. However, if the Minister is satisfied that that is covered in other parts of the legislation, I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 5 ordered to stand part of the Bill.

Clause 6

Powers of OFCOM to assess compliance with security duties

Christian Matheson

I beg to move amendment 12, in clause 6, page 10, line 12, at end insert—

“(3) In this section “another person” means a UK government agency or a person from a UK government agency.

(4) OFCOM may not incur costs exceeding £50,000 in carrying out, or arranging for another person to carry out, an assessment under this section.”.

This amendment restricts those who Ofcom may arrange to carry out an assessment under this section to a UK government agency or person from such an agency. It also caps the cost of an individual security assessment at £50,000 for Ofcom.

The desire of the Committee is to crack on, so I will not detain us for too long. The clause, which covers more than three pages of the Bill, is extensive in outlining the powers of Ofcom to assess compliance with security duties and will amend sections of the Communications Act 2003 to that end. The Opposition’s probing amendment intends to bring clarity in two areas in particular.

The clause will insert proposed new section 105N into the Communications Act to give authority to Ofcom or “another person” to undertake an assessment of whether a network or service provider is carrying out its duties—an inspection, spot check or audit, whatever you will, Mr McCabe. That is all fine, but the appointment of “another person” is far too vague and needs clarity. Since this is a matter of national security, we believe such an authority can be vested only in an agency or arm of the UK Government. It would be wholly inappropriate to outsource it to a telecoms, IT or other consultancy in part because of the need for full co-operation from the business being audited, which must have absolute confidence to be open and transparent and, therefore, must have confidence in the inspector. Ofcom therefore cannot appoint any Tom, Dick or Harry to do the job but only someone who rides above the industry and will not give the inspected business any reason to think that its commercial confidentiality is at stake.

My hon. Friend the Member for Newcastle upon Tyne Central, with her extensive experience of the telecoms sector, has told me that it is a tight-knit industry in which everyone has worked for everyone else at some point. We got that impression from the oral evidence as a lot of the experts had worked with or knew one another. Perhaps it is an exaggeration to say that everyone has worked for everyone else, but it is illustrative of the nature of the sector, so there will be limits on who could be appointed. Does the Minister agree that the current suggestion of “another person” is too wide?

Chi Onwurah

Will my hon. Friend give way?

Chi Onwurah

The impression that I have given my hon. Friend about the telecoms sector being tight-knit is absolutely right. One concern that that brings is that there will therefore be conflicts of interest. Ofcom, as a public servant with the status of a quango, has rules and regulations for declaring interests that mean previous conflicts of interest will not weigh into its work. The concern that I have articulated to my hon. Friend in the past is that that would not apply to “other persons”, so broadly defined.

--- Later in debate ---
Christian Matheson

I am really grateful for that intervention—not just for the context that my hon. Friend gave, but for prompting me to think that having such a tight-knit sector, and the character of the sector, works both ways. Ofcom might appoint as an inspector to undertake one of the audits somebody who is on very good terms with the business or the provider. They will perhaps take their foot off the pedal and not do quite as thorough an investigation, because they know the business and trust them. As a result, the inspection would not be as thorough.

Mr Jones

My concern is also that the Government do not have a good track record on applying the standards that have been developed over many years to ensure proprieties in public appointments. No doubt somebody who would fit the bill for the role would be Dido Harding, who was responsible for TalkTalk and is now having huge success, as we have been told by the Prime Minister, with Test and Trace. She seems to have a common thread, but success does not seem to be part of that.

Christian Matheson

Who am I to disagree with my right hon. Friend and his years of experience? So far, we have been fairly consensual in this Committee, because we want the Bill to pass. My right hon. Friend is absolutely right: we have seen a certain level of—

Mr Jones

Chumocracy.

Christian Matheson

I was going to say cronyism, but chumocracy is a far nicer way to put it, and we have seen it in the way consultancy contracts have been dished out during the current crisis. My right hon. Friend is absolutely right to say that there can be as little scope as possible for people who are perhaps not quite as qualified as they should be to be given such jobs.

Chi Onwurah

My right hon. Friend the Member for North Durham raised the Test and Trace programme. I do not want to dwell on that, as it is not within the scope of the Bill, but it is important to understand the extent to which the programme has been used as a vehicle to privatise parts of the NHS by building up private sector skills as opposed to public sector skills. There must be some concern that the huge new powers for and requirements on Ofcom might effectively be used to privatise some of its duties.

Christian Matheson

My hon. Friend says that it is not in the scope of the Bill, but so wide is the definition of “another person” that, quite frankly, anything or anyone could be in the scope of the Bill. Again, the possibility is there, and it would not be down to the Minister. I know him—he is a friend and a man of integrity. As my right hon. Friend the Member for North Durham said, however, the next Minister to come along, in this Government, at least, might not be. Who knows? In four years’ time, we might not have that problem.

This is an important aspect of national security, so I ask the Minister for clarity. It goes to the heart of the question of accountability—where responsibilities for inspections should lie. Similarly, in the second part of the amendment, we are seeking clarity on a limit on the amount that can be spent on inspection. We certainly do not want Ofcom to be swayed into decisions about whether inspections can go ahead based solely on fears that it might rack up big costs. Nor can those costs be allowed to spiral if the first part of the amendment is not adopted and private contractors are brought in but abuse the system. I refer the Committee to the comments made by my right hon. Friend the Member for North Durham a while ago—such abuse does happen.

It is often not helpful to put a financial cost limit on the face of the Bill, if only because it can become outdated over time. To be honest with you, Mr McCabe, the truth is that the £50,000 limit specified in the amendment is arbitrary. We plucked it out of thin air to illustrate a point.

Mr Jones

I thought that was the case when I looked at it. Frankly, for anyone to do that job in telecoms for £50,000 would be very unusual.

Christian Matheson

Fortunately, we will not push the amendment to a vote, so we will not have to put that point to the test. It is an arbitrary figure and I hope the Minister will not fixate on it. It simply illustrates the point that there is a question of open-ended costs. We will not push the amendment to a vote, but we think there is a vagueness and a lack of clarity that needs addressing. I urge the Minister to consider these issues and whether Ofcom would be assisted by the greater clarity that these probing amendments would bring.

Chi Onwurah

Again, I rise mainly to support the excellent contributions made by my hon. Friend the Member for City of Chester in moving this amendment. I will raise a couple of points from my experience in this area.

As I said to my hon. Friend, having worked in telecoms for 20 years, when I joined Ofcom in 2004, I had worked with, or worked with someone who had worked with, just about every operator and network provider in the business. Those personal relationships can be helpful in ensuring quick, effective collaboration, but they can also bring about conflicts of interest. Ofcom, as a public body, has processes and procedures to address those conflicts of interest. However, the Bill makes no provision for that to be applied to whoever is “another person”.

It is also the case that, unfortunately, as a regulator, one can be subject to regulatory capture by those who are regulated. The large operators often have tens or, in some cases, hundreds of lawyers and public affairs spokespeople. However, the smaller operators, unfortunately, cannot afford to dedicate so much time and resource to engaging with the regulator. It is critical that this huge increase in new powers and work for Ofcom is carried out in the right way.

As my hon. Friend said, the £50,000 figure has not been calculated on the basis of the likely costs to Ofcom, because the impact assessment does not indicate what they could be. However, it is merely the cost of five consultants at £1,000 a day for 10 days. We know that hundreds of consultants have been hired as part of the Test and Trace programme at those sorts of prices. That likely cost is within scope of any programme that is to be carried out by bringing in large private sector organisations. I hope the Minister will reassure us that he is taking these considerations into account.

Finally—I think we will discuss this point in more detail—this is a huge additional requirement on Ofcom. In the evidence session, Ofcom said that it thought it would need to hire 50 or 60 people to address the requirements of the Bill. There is always going to be an inclination to reduce internal resources, especially if they are in short supply, such as those to do with network engineering resources and the current skill set. So it is really important that the Bill should have a better definition than it currently does of who may carry out the work.

--- Later in debate ---
Matt Warman

If the hon. Lady were right, the only people from whom we would have heard evidence over the last few days would have been public sector employees. She knows just as well as I do that the cyber-security sector is a vast mesh of public and private expertise, which is inevitable given that we have private networks offering communications services. Although I understand her point, and I am all for Ofcom having as much expertise as it needs to do its job properly in-house, I simply do not think that we should constrain what it can access in the way that the amendment would.

On this, I think we probably agree on far more than we would perhaps like to admit, but the reason that this is a probing amendment, as the hon. Member for City of Chester said, is because imposing artificial constraints would not be beneficial to Ofcom’s work. We understand what he said, however, and in broad terms, the Government agree.

Christian Matheson

I am grateful for the debate and for the Minister’s response, but I do not intend to press the amendment any further. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Chi Onwurah

I beg to move amendment 13, in clause 6, page 10, line 20, at end insert—

“(aa) provide a report on the diversity of their network’s supply chains;”

This amendment gives Ofcom the power to request a report from a network provider on the diversity of their supply chains for the purpose of assessing whether they are complying with the security duties placed on them by earlier sections of the Act.

It is a great pleasure to speak to this amendment, which goes to the absolute heart of one of our key concerns about the Bill—the lack of any reference to the diversification of our supply chain. That is absolutely critical and should be integral to our national security. Our amendment 13 affects clause 6, which we have already discussed. The objective of the amendment is to give Ofcom the power to

“request a report from a network provider on the diversity of their supply chains for the purpose of assessing whether they are complying with the security duties placed on them by earlier sections of the Act.”

As we have heard, clause 6 amends the Communications Act 2003 to insert section 105N, which gives Ofcom powers to assess compliance with the security duties set out in earlier sections, and section 105O, which gives Ofcom the power to impose on providers the duty to do any of a significant list of things, from (a) to (k)—to

“carry out specified tests or tests of a specified description…make arrangements of a specified description…direct an authorised person to documents on the premises…”

or

“assist an authorised person to view information”.

As I have said, this is an integral part of the Bill and requires some considerable debate, so it may detain the Committee for some time, but this debate can be continued at a later time if necessary. There is a long list of requirements that Ofcom might place on network providers, but nowhere is there a requirement for those providers to give a report on the diversity of their supply chains, yet the diversity of a network provider’s supply chains is absolutely integral to the security and resilience of that network provider.

We heard that very clearly during our evidence sessions. In particular, I asked Dr Drew:

“Is it possible for the UK to have secure networks without a diverse supply chain for them?”

Her answer was:

“That is a great question that comes with a very simple answer: no. The worst-case scenario for creating a risk in this sense is when monopoly meets supply chain—in secure supply chain in this case. Arguably, the reason why SolarWinds was so successful is that it provided the same service to so many different organisations and departments in the United States. Therefore, if you access one—SolarWinds—you access almost all. That is the risk.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 87, Q110.]

The reason I have highlighted that particular quote—there were a number of quotations supporting the diversification of supply chains—is that it sets out really well what might happen if a network provider has only one possible supplier. If every aspect of its network is supplied by, let us say, Ericsson, and Ericsson then has supply issues itself or is bought or acquired by another operator from a different country that we might not be so close to, or—I do not mean to imply that this is a possibility—should fail in some way, that network provider no longer has any support for their network and no longer has the ability to maintain it securely.

The dependence of our telecoms security on diversifying the supply chain was set out in the 2019 telecoms supply chain report; yet the Bill fails to mention it at all. The objective of the clause is really for Ofcom to assess how successful a network provider is in meeting our nation’s security requirements. My argument is that it is not possible to do that without understanding the diversity of that network provider’s supply chain; yet the clause as it stands makes no reference to that.

Telecommunications (Security) Bill (Fifth sitting)

Christian Matheson Excerpts
Committee stage & Committee Debate: 5th sitting: House of Commons
Thursday 21st January 2021

Public Bill Committees

Chi Onwurah

I thank the hon. Member for his intervention, which raises a really important point that I will say something about. As I am sure you are aware, Mr Hollobone, yesterday was the Third Reading of the National Security and Investment Bill. I refer Members to the report by the Select Committee on Foreign Affairs, published on Tuesday, on the critical issue of national security and its definition. In fact, the Opposition sought to put into the National Security and Investment Bill not a definition of national security but a minimum standard of what national security should refer to. We wanted to include elements such as critical national infrastructure—of course, telecoms infrastructure is a part of that—and supply chains, which the amendment deals with, and also human rights. I do not want to anticipate what we might table in future, but one reason we have not so far tabled a framework for guidance in national security is that we had hoped that the Minister responsible would recognise both the advice of the Foreign Affairs Committee and the Intelligence and Security Committee in giving greater guidance on what national security was, and that that was a better place for it.

Christian Matheson (City of Chester) (Lab)

The other opportunity for the definition to be addressed would be when the Government next produce their defence and security review, which comes out no more than every five years. They might address what national security is or whether it is indeed desirable, as my hon. Friend has said, to specify that in an ever-changing world.

Chi Onwurah

I thank my hon. Friend for that helpful intervention. I do not want to take up too much of the Committee’s time on the way in which national security should be defined, or guidance given, although it is relevant to the Bill. As my hon. Friend says, there are other places where a framework for understanding national security would be better placed. One of our concerns about this Bill is that, as I have alluded to, Ofcom and the Department are not experienced in security issues, and they are not the best organisations to make security decisions. Putting a framework to define national security in the Bill might not be as helpful, but if as our debates progress we see a need for greater clarity on guidance around national security, and it is not to be found anywhere else, we might take up his challenge, and I hope to have his support if that should happen.

With regard to the amendment, it is important that the supply chain components are understood. As we proceed through the Bill, we will come to understand better that the steps to remove high-risk vendors from UK networks that the Minister is in the process of taking are welcome, but that is not enough to secure our networks. We also need an effective diversification of our network supply chains. Part of the challenge here is that if we remove high-risk vendors, as the Bill enables, and leave only one or two approved vendors, our networks remain insecure because they are less resilient. In fact, they are not resilient at all. The loss of one vendor would mean that there would be only one vendor for our entire 5G network supply chain, as things stand.

--- Later in debate ---
Mr Jones

My hon. Friend knows that modesty is one of my trademarks, but no, I do not—I do not understand it, nor do I understand where the Government are coming from. I do not think that the problem is with the Minister or his Secretary of State; I think it is the culture of the Cabinet Office, trying somehow to test the Justice and Security Act to destruction. Its argument, basically, is that DCMS is not on the list of organisations, but the Act and the memorandum of understanding are clear: we have jurisdiction over matters that relate to national security, which this clearly does.

Christian Matheson

I am grateful to my right hon. Friend for providing inspiration for a speech that I will make later, when I will make similar points on similar provisions. Listening to him and to the hon. and gallant Member for Bracknell—whom I also like, incidentally—talk about the alternatives, it strikes me that there are only three: to provide classified information to be laid before the whole House or the DCMS Committee; to do the right thing and to provide that classified information to the Intelligence and Security Committee, which was surely established for exactly that purpose; or to have no scrutiny at all. It is one of those three alternatives. Surely the Government are not pushing for no scrutiny at all.

Mr Jones

I must say that this is the first time I have heard that one of my contributions to a Bill Committee is inspirational. I shall mark that as something to be remembered. However, my hon. Friend summarises the position very clearly: the DCMS Committee cannot deal with this, because the nature of the information garnered could not be shown to them, given its classification. We would not want to do that because this is highly sensitive information—meaning no disrespect to the members of that Select Committee. Some of it is not our intelligence; some of it will come from our Five Eyes partners, so it is about guarding not just our secrets, but theirs. Any leaking or compromise of that type of intelligence affects not only our ability with this type of work, but our relations with our Five Eyes partners. The next option, the ISC, is the obvious one. The third option means that the Government must put through a Bill that does not allow Parliament to scrutinise these matters at all. I do not think that that is what the Minister, or his counterparts in BEIS, believe. I think we will have a to and fro on this, and will get there eventually, but it will be hard work.

As my hon. Friend the Member for City of Chester says, scrutiny is important in helping to ensure that there is not only public but parliamentary confidence that the decisions are at least being looked at. Some of the decisions will be very controversial and the Government need covering. Will that be onerous for the Department? No, because all it will entail is that the report should include the decisions taken and the reasons why. We can ask, and be supplied with that, and that, I think, is important.

Yesterday, speaking on the National Security and Investment Bill, the Under-Secretary of State for Business, Energy and Industrial Strategy, the hon. Member for Stratford-on-Avon (Nadhim Zahawi) said that the ISC can ask for the information and demand that the Secretary of State comes before it. There are two important points about that. First, yes, we could do that. However, and as I said yesterday I do not for one minute suggest that the Secretary of State or the Department would want to refuse, but there is no legal justification behind it. If a future Secretary of State said “No, I am not appearing or giving you the information,” there would be nothing at all that the ISC could do.

I remind the Committee as I reminded the two Ministers in yesterday’s debate that we are all, as the great Robin Day once said, “here today, gone tomorrow” politicians, so any legislation we pass here must be future-proofed. Not only must we be satisfied with it; it must go on. The other important aspect of what the Under-Secretary said was the recognition of the ISC’s role in asking for information in relation to the National Security and Investment Bill. However, if it is possible to ask for information a mechanism is needed to guarantee it. I think that is also the case for the Bill that we are considering.

It will be interesting to see how the Minister responds, and whether he really believes what he will tell me, but there is a mechanism available and it would be easy and not burdensome. I stress that not for one minute is it suggested that the ISC would veto decisions or have any involvement in them. As with much of our work, apart from certain issues, it would be retrospective, looking back at decisions that had been taken. If mistakes, issues and concerns are raised, we can raise those directly with the Prime Minister and Departments. That is another check and balance in the system, of which I think you, Mr Hollobone, would approve, in view of your vociferous wish, whatever the Government, to hold the Executive to account. The mechanism is pretty straightforward. Either we put it on the face of the Bill or we get it into the memorandum of understanding.

There is an increasing problem with the involvement of more and more Government agencies that are not traditionally involved in national security, such as the new Joint Biosecurity Centre, which falls within the Department of Health and Social Care. All the information that they will get is classified, so how, again, will Parliament scrutinise it? That will be important.

Christian Matheson

Perhaps my right hon. Friend will reflect on a third issue. The Committee cannot ask for information if it does not know that it exists. If there is no obligation to report orders to the Committee there is no way for it to know that they have been made, and that it needs to scrutinise them.

Mr Jones

There is, but to give a bit of background, we are quite tenacious on the Committee and if we do not get what we ask for we usually keep on and get it eventually. Some of the agencies are better than others, but overall the working relationship with GCHQ has always been a very good one. The amendment would help the Bill, but I think we will to and fro on this.

--- Later in debate ---
Chi Onwurah

I am slightly confused, to be honest, because there was a contradiction there. It is a basic, inherent requirement under the Bill to understand the security implications of a network—the security implications, the security threat and future compromises. It goes to the amendment tabled by my right hon. Friend the Member for North Durham. Given that different components might provide different threats, it is essential to understand the kit that is in the equipment in order to meet the requirements of the security framework. So no, I do not think it is draconian that there should be an audit of the equipment. Indeed, providers should have this information already, but I know from my own experience and the experience of those who gave evidence, which I will come to in a moment, that this is not always the case because networks are so complex, and because our networks today have built up over decades and decades. There is software running in some of our networks that has been around for 40 or 50 years, as well as copper lines that have been around for even longer. So it is not always the case that this information is known.

Christian Matheson

Does my hon. Friend agree with me that having the carrot of an audit might help firms to avoid the stick of a draconian fine that the hon. Member for Bracknell referred to?

Chi Onwurah

As always, my hon. Friend makes an excellent point. Indeed, the audit, which I agree is burdensome if the information is not already in the management systems, which it should be, would, I hope, be less burdensome than the potential fines for not meeting the basic requirements of knowing what is in the network and where it is. Also, that challenge has been made more complex by the subcontracting of different parts of the telecoms networks.

For example, network providers such as Vodafone or Three have primary vendors—currently Ericsson or Nokia—but there might be subcontractors who provide particular elements of the network and particular management elements. We hope that that will be increasingly the case as we seek to open up the supply chains and make them more diverse. A basic and critical requirement for the Bill to be effective is to have a more diversified supply chain. More suppliers go hand in hand with a diversified supply chain, and therefore different types of equipment, of which we will need to keep track.

Chi Onwurah

My right hon. Friend makes an excellent point. As someone who worked for a regulator for six years, I might be expected to agree with my right hon. Friend on the point of regulation; in this context, regulation should not be seen as a burden. As my hon. Friend the Member for City of Chester set out, it should be seen as a carrot—an incentive—to get things right. Imagine we had known and been able to see how Huawei’s presence in BT’s network, over the last 15 years or so, would rise from small beginnings to becoming the principal vendor. That might have rung more alarm bells and been an incentive to have transparency.

Regulation is also about levelling the playing field and enabling more effective competition. The better providers will do that, but some providers may not. We want a level playing field, particularly because the 2019 UK Telecoms Supply Chain Review said that there was not an incentive for security in mobile networks. It concluded specifically that there was no incentive for security in mobile networks. Given that conclusion and some of the points provided in the evidence sessions, the Bill does not address incentives to ensure security by design in our mobile networks. It has burdens and fines for not doing that, but it does not have positive incentives.

Christian Matheson

Was not that exactly the problem with Huawei, which has undercut and undermined so much of the telecoms sector elsewhere, either on price or on shoddy workmanship, as my right hon. Friend the Member for North Durham said? This amendment addresses that issue. By raising standards, we help existing and future contributors to the sector to come in and address the problem that Huawei caused.

Chi Onwurah

Again, my hon. Friend makes an excellent point with regard to the way in which Huawei grew in the telecoms sector. I do not want to detain the Committee on that history, but Huawei grew by under-cutting existing vendors, building up scale and making its profits by locking in network providers, despite issues with the quality of the equipment, which, as we have discussed, our security services identified.

Having visibility of network equipment, as well as the level of concentration of any one provider, will enable us, in part, not to get into such a situation of dependency in future. Again, I would emphasise that this is about incentivising what should happen but is unfortunately not always the case. That is not simply my view or that of the Labour party; it is the view of witnesses who participated in our evidence sessions. For example, Andrea Donà said:

“It is vital that the secondary legislation that accompanies the Bill clarifies assets in the telecoms network architecture that will be in scope of the security requirement, so that we can work knowing what we have audited, and knowing that the auditors always shared with NCSC. We need a clear understanding between Ofcom and us as providers before the legislation is enforced, so that we understand exactly the boundaries and the scope, and we all work together, having done the audits, to close any vulnerabilities that we might have.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 13-14, Q10.]

Dr Bennett said:

“I would hope that those at the top level are clear about it, but I would be surprised if there were not occasions when they had used subcontractors to do maintenance and the imperative had been to sort out the fault ASAP. Knowing precisely what components had gone in could be wrong, and that might come up in an audit. I think it becomes more important as you flow down the levels.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 49, Q62.]

Dr Bennett later said:

“I have said that audit is needed of the assets in the network. The costs of being audited and of dealing with audits are very high, and they are costs that small companies may not have the resources to meet.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 52, Q67.]

Ofcom said that it was more or less impossible to meet the requirements set out in the codes of practice for the operators, unless it had a detailed asset register of everything in its system. We will expect to see evidence of that, and we expect that it will be regularly checked, audited and so on. We recognise the potential costs of an audit, particularly for smaller providers, although most of them have newer networks and equipment and should have a lot of this information already available. Ofcom is anticipating that this is something it would need to have access to, yet there is no requirement in the Bill or, as far as I can see, in the delegated legislation that has been published to make that requirement.

I have mentioned that this is a probing amendment. I am not sure that it is necessary to have it on the face of the Bill, and it might be that it will be provided for in delegated legislation, but we need a clear and strong strategy for the detection and removal of high-risk components, vendor hardware and software. Otherwise, the Bill will not protect our national security effectively. I hope the Minister will give clarification on that.

Telecommunications (Security) Bill (Third sitting)

Christian Matheson Excerpts
The Chair

You will both get a chance. We will go to Professor Webb.

Professor Webb: I am certainly all in favour of placing the requirements on those best placed to deliver them. For diversification, that is certainly the operators. I talked a bit about how you could, for example, offer them some financial incentive to have a more diversified supplier base. That would make some kind of sense, given that this would add costs to their management of the network.

In terms of security, I think it is a bit more difficult to see how that one might follow. I can imagine that there might be certain security issues where, for example, the decision might be made that a replacement is needed for a certain component in the network, or that they need to purchase some additional elements, and then you might imagine that it might help to have some sort of financial incentive to do that. But I think that would be on more of a case-by-case basis—I cannot see a clear, catch-all type of approach that would enable that.

Emily Taylor: I very much agree with what Professor Webb has said. Indeed, one of my reflections on the draft Bill is that it is very much at the stick end rather than the carrot end. Maybe we will start to see a bit more of the incentives coming through as the detail is filled out. But I think that thinking about incentives would very much reflect the close working relationship that there has historically been between the industry and Government. That is not the case in every country; it is actually a benefit in this case.

Security is expensive, and it is also long term. The telecoms supply chain review last year put it very accurately: the market does not reward investment in security—quite the opposite—so I would hope that there would be some recognition from Government about what is needed. I do not think that the investment in the diversification strategy is nearly going to match the investment that is required by the mobile providers who—yes, they are very successful large companies—have not had the great decade that, say, the Googles of the world have had in terms of their margins. So you are asking an already squeezed sector to make substantial investments, and I think that is the place where you could be looking at incentives.

Christian Matheson (City of Chester) (Lab)

Q Ms Taylor almost answered this question, but I just want to press both witnesses on this. The Minister referred to Professor Webb’s comment on “carrot and stick”, and obviously we are very keen to see diversification of suppliers increase in domestic capability as far as possible.

There is one way of looking at this legislation, which is that it can provide a market-led opening for suppliers, in a market that is no longer, in the long term, going to be distorted by, for example, Huawei, with its state backing. Is there any evidence, therefore, that other suppliers—first tier and lower suppliers—are looking at this and thinking, “There is a chance here to get back into the game”?

Ms Taylor, you talked about security being quite a difficult and expensive barrier to overcome, but are there any discussions in the wider sector about there being an opportunity to be had here, or about whether, actually, a stronger diversification strategy is necessary?

Emily Taylor: The initiative is welcome—the diversification strategy is welcome—but, as Professor Webb has described, there are many barriers to entry for new suppliers. To build out an entire country’s network requires substantial scale, and, very understandably, the operators are risk-averse. You cannot just turn up and build out a network; open RAN is exciting, but, as you have heard from witnesses—and this morning, from Professor Webb—it is not ready, yet, to build out an entire country.

Also, the market distortions can still happen despite a diversification strategy. You can well imagine that the companies that decide it is attractive to enter this market are not, perhaps, the cheeky start-ups that you would want to encourage; they would be already dominant in other sectors. Imagine if we were sitting here, in five or 10 years’ time, lamenting the fact that the equipment market is now dominated by Microsoft and Google. I am just making that up as a hypothetical example—I have no knowledge to back that up—but those are the companies that have the sufficient scale and skills, and as Chi Onwurah said in her question we are moving to a more hybrid network, where skills in cloud computing and software are going to define the success of the player.

Professor Webb: If you want to encourage a new entrant—be that a company that has some skills in this space but is upping its game to develop a complete system, or a brand-new company—they have got to develop the equipment, and that involves developing a lot of software and hardware, and an awful lot of effort and investment. If you add yet more requirements on them—for example, security requirements—that makes their effort even harder; it makes it even harder for new entrants to compete with existing players, who have already made much of that investment, to have the scale and capability to add on that extra. Adding security is the right thing to do—I am not criticising that—but the implication is that it will make it harder to diversify the supply chain. What you want to do is make it as easy as possible for new entrants, with the minimum requirements on equipment, if you want to bring a larger number in.

Christian Matheson

Q It would level the playing field, would it not? Everybody is having to work to the same level of security standards, rather than others thinking they can jump in there and cut in.

Professor Webb: I am not sure it would quite work like that. I think the operators would always want to procure to a certain security standard, whether there is legislation or not, so everyone would have to get to that standard. Raising the standards bar would essentially require everyone to move up higher above that bar.

Emily Taylor: If I may, just to support Professor Webb’s point, the security standards do not level the playing field, although they are the right thing to do. In just the same way as we have seen some of the perverse consequences of, say, GDPR, the companies that have the scale and capacity to absorb the cost of compliance fare better than the smaller companies, who really do not have the scale and capability. The disincentive to enter the market, or perhaps the incentive to exit the market, as a result of these requirements, hits precisely the type of companies that you want to encourage, although it is welcome to see some recognition of that in the factsheets, with the tiering system. The third tier would probably let the smaller independent ISPs and providers off the hook. It is not quite correct to view it as the security requirements levelling the playing field. They are definitely required, and the market is not delivering that, but it will require close monitoring, I think, to ensure that there is still a competitive market.

Christian Matheson

Q If I have got it completely wrong, feel free to say, by the way, that I have got it completely wrong, because you are the experts here, not me.

Finally, could you sum up the chat around the sector at the moment? I get the impression that you are suggesting there is still a way to go to bring confidence that we can diversify across the broad range of the sector, as a result of this proposed legislation, and that there is still more reassurance and consultation required.

Professor Webb: Certainly, as I look at the information that I get back on ORAN, there is a lot more scepticism than optimism throughout the sector about its ability to do anything in the short term. We have talked a bit about why that is the case.

There is potentially more promise from the vendors that are somewhat established—the Samsungs and the NECs—and there is generally better comment about their ability to do something. If I had to look at what I am seeing around the industry and bring some advice, it would be focused on those vendors, rather than ORAN, as the most likely source of diversification over the next few years.

Emily Taylor: I can talk about the feedback that I have been getting. I come from a segment of the internet environment that has not historically been highly regulated at all. I would reflect that, if this Bill were brought forward to cover that sector, you would hear the screams. One thing that has really surprised me, and reassured me to a certain extent—it came through in the evidence you have heard—is that there is a degree of comfort with the direction of travel, and I think that speaks to the strong relationship that the industry has with Government on that.

--- Later in debate ---
Mr Jones

Q But the Secretary of State is not Parliament. The Secretary of State can hide behind things, or choose what he or she wants to put in the public domain. Do you think that the Bill needs to establish some role for Parliament at least to have an annual report, whether it is to the DCMS Committee or, if it has classified information in it, to the ISC?

Lindsey Fussell: I think that is really a question for Government rather than the regulator. We will be ready to provide whatever accountability the legislation requires of us, as well as providing direct accountability by talking to Parliament and Select Committees.

Christian Matheson

Q To follow up on one of Mr Jones’s questions, you say that you will not be taking decisions on national security matters. Who decides within Ofcom whether it is a national security matter or not?

Lindsey Fussell: I think the structural framework helps us a great deal here, as I have already indicated. Clearly, the NCSC carried out a really detailed supply chain review, which identified the threats that could occur in different elements of the network, and it has now turned that into telecoms security requirements and, ultimately, into the code of practice. We will be giving—indeed, the legislation requires us to—considerable weight to that code of practice and the judgments that the NCSC has reached on what is required to combat threats. That will then enable us to judge and monitor whether operators are doing what is said in the code of practice.

If, for example, an operator were to say to us that it was not going to meet something set out in the code of practice because it considered that an alternative way would meet that threat, we will have arrangements in place with the NCSC to enable us to seek its advice and guidance at that point on whether that satisfies the requirements of national security.

Christian Matheson

Q Who takes the decision, then, to refer it to the NCSC? Where in Ofcom does that decision sit?

Lindsey Fussell: Clearly, we would start that conversation within the team and escalate it if necessary, but I do not think that it will actually be an issue in practice. We already have very good working relationships in place with the NCSC, and regular collaboration and discussion. The legislation enables us to share information with the NCSC to enable either it or us to perform its duties. I do not think that there will be any issue in practice, or any surprise in terms of our regular interactions with it.

Christian Matheson

Q Can I ask something slightly different now? Do you have much internal movement in Ofcom? Do you have an internal jobs board? Do people move around and develop their careers there?

Lindsey Fussell: Yes, we do. Of course, like any organisation, you would expect that. Ofcom has a range of people with different skills in it, as you would expect. It is actually far broader than, for example, some of the Government Departments that I have worked in before. We have people who are specialist technologists. Simon has talked about his experience. We have economists, lawyers, colleagues who specialise in enforcement, colleagues who specialise in policy, and many other professions. Although people absolutely do move and develop their career, and certainly in relation to these kinds of new responsibilities we will look to upskill existing colleagues where that is possible and where it makes sense to do so, we also employ an awful lot of specialists who will tend to stay more in that specialism and apply that to our work.

Christian Matheson

Q That is the point I am getting at. If I think about recent changes at Ofcom, you have had responsibilities for monitoring the BBC, for example. Online harms is coming to Ofcom. It seems that quite a lot is being asked of you, and demanded of you. How can we be sure that you have the capacity to manage the workload, and the technical capacity to manage these very challenging issues?

Lindsey Fussell: I am certainly not going to deny that there is quite a lot going on, and the organisation is expanding, as you say, albeit with different deadlines and different timescales for the new responsibilities. I have already talked about our recruitment plans to ensure that we have the specialist skills in place to focus particularly on network security, as well as the enforcement and legal support that we will need to deliver this regime, which is a very important part of it.

It is also worth reflecting, though, that there are some really interesting overlaps between different areas of our new responsibilities. If I think of the responsibilities that we have just taken on in relation to video sharing platforms, we are having to understand, as part of those responsibilities, network infrastructure, data analytics and so on. All that actually calls on similar skills and experience that we will need for the regime that we are talking about today, so there is some crossover that we can draw on. Simon, did you want to add anything on that?

Simon Saunders: Absolutely. We have different teams that we are building for the different responsibilities, but there are definitely overlaps between them, and in particular we have built a team of technologists particularly to inform our work on online issues, including, but not limited to, online harm. That comes with a need for us to have technologists who have worked in, and understand, a range of cloud-based computing platforms and the online social media platforms in general. The underlying [Inaudible.] technologies are the ones that increasingly telecoms networks are being built with as well—the so-called cloudification, or virtualisation. So, helpfully, when we recruit specialists in the one area there is the opportunity for them to contribute to the other areas of our responsibilities and to ensure that our approach to these things is [Inaudible.] I think we actually get benefits from having multiple of those duties, rather than separating them.

Chi Onwurah

Q Thank you very much for sharing your expertise with us. As a previous employee of Ofcom, for six years, I am, not surprisingly, perhaps, a huge admirer of your work, and, to reflect what was implied by the hon. Member for Hyndburn, I think that Parliament will always benefit from increased telecoms expertise here.

I want, with permission, to ask a question about three areas: security, assets and costs, and duties. I share some of the scepticism of my right hon. Friend the Member for North Durham about the statement that Ofcom will not be making decisions on national security. You will clearly have duties with regard to national security and one of the key duties is to ensure compliance of our entire network—all our networks—with national security requirements. So how are you going to ensure that compliance without taking decisions on security? You seem to suggest that it is just going to be a set of protocols, if you like, from the National Cyber Security Centre, and you are just going to look at ticking the boxes to see that they are met; but in practice that cannot be the case. It is far more complex than that, particularly with regard to emerging technologies.

Another issue is that the Bill puts all the requirement to ensure compliance on Ofcom, in terms of Ofcom seeking information, Ofcom requiring information, Ofcom setting out notices to inspect, and so on. For example, let us say that one of our network operators—I shall not name one—decides to buy all its cloud or virtualisation equipment from a Chinese manufacturer that is not designated a high-risk manufacturer. Would Ofcom be informed of that change in its network? How would that pass to the National Cyber Security Centre—or would it not? Without that kind of duty in place, is there a risk of what you do becoming a meaningless tick-box exercise and, particularly, of its not addressing future and emerging security threats? That is my first question.

Lindsey Fussell: The point that you raise about this needing not to be a tick-box exercise is absolutely vital. I think actually what we are talking about in this legislation is changing culture—crucially among operators but also in terms of giving the regulator new responsibilities and changing the culture that we have, and the responsibilities and the range of the role we take on in relation to this. So this is absolutely—the legislation in fact specifically says so—about future technology as well as about existing networks. It is critical, I think, that we and the operators go on this journey together in terms of promoting that security by design, in everything that is done.

Picking up your question specifically in relation to assets, I think it is more or less impossible to meet the requirements set out in the covid practice for the operators unless they have a detailed asset register of everything that is in their system. We would expect to see evidence of that, and that it is regularly checked, audited and so on. That would be an expectation for us.

On the relationship with the NCSC, as I say, we have specific provisions in place that enable us to share information with the NCSC. As we collect that information with operators, we will discuss with them in advance what type of information they want to see on a routine basis, sharing that and clearly taking guidance from them as necessary if they think there are national security issues that we need to be aware of.

I mentioned earlier about having security clearance in place. To expand on that answer, we have a small number of STRAP-cleared staff in Ofcom, and we will expand that if need be. Those relationships with the NCSC are already in place and will be productive. I should say also that if the NCSC identifies new threats, or if we identify new threats, I think the legislation is flexible and it is right to be so, in that the code of practice can be updated to reflect that.

Simon Saunders: Could I also add that, in respect of our role in emerging technologies, we are not only awaiting others to tell us which emerging technologies to pay attention to? We have our own independent programme of monitoring and horizon scanning for technologies that could appear and have an impact on the networks and the sectors that we regulate. Clearly, the implications are not only about security. They cover a wider range of issues of performance and costs and flexibility and so on. We actively monitor across these sectors for those technologies.

I mentioned earlier that we recently published something about technologies heading for the future generations of mobile. That also covers fixed networks, the advent of quantum technologies and distributed software technologies in networks, and so on. That programme yields an advance look for colleagues about threats and opportunities that are coming towards us into the markets, so that we can build the skills and consider the implications well in advance of their actually impacting on those networks.

Telecommunications (Security) Bill (Fourth sitting)

Christian Matheson Excerpts
Dean Russell (Watford) (Con)

Q137 As you know, there are very many benefits to a 5G network in terms of the speed, application development and the new era that it can bring, but would you mind focusing for a moment on the new security risks that 5G will also bring, please?

Dr Sellars: You are quite right that 5G opens up a whole load of new benefits, predominantly high-speed access/lower latency. I think some of the security risks are around who is providing the infrastructure to support 5G. The concern that we have at the moment is that we need to have security of supply—both resilience of the supply chain for that infrastructure, and the cyber-security and encryption element of that infrastructure.

I think it is fair to say that 5G is likely to support a much broader selection of services. It is likely to have an impact on commercial, governmental and security transmission, just because of the widespread access and its very high-speed capability. It is also likely to support a very large number of internet of things devices—the sort of devices that UtterBerry develops. Some of those devices are another potential attack vector, if you like; they are another potential vulnerability. It is broadening the access into the network, which is potentially opening up new sorts of vulnerabilities that we need to take into consideration.

Dr Johnson: Let me start by saying that some aspects of security in 5G networks are actually much more secure than in previous generations. Looking over the lifetime of cellular, you will know that you could just listen into first generation analogue networks with a very high frequency radio. GSM—the global system for mobile communications—was secure, partly at least. The network and the phones would authenticate to each other, but only asymmetrically, so the phone could be captured by a surreptitious network. That sort of attack is still used.

3G is much more secure, with symmetric authentication. It is harder for devices to be captured by the wrong network, but it is still possible. It is also possible for the IMSI—that is to say, the international mobile subscriber identity—of an individual or group to be found from that network. The same is true of 4G. In 5G, that is much more difficult. In terms of the security of the user of the network, 5G has tightened up a lot of the loopholes in previous generations in a way that is very hard to unpick. That creates tactical problems for some law enforcement agencies, which rely on some of the insecurities of earlier generations to do their job.

From the network side of things, there are some issues. There is a new network model in terms of the way nodes are connected in the core network. No longer are there physical interfaces as in previous generations of network, where there would be an S1 connection from the base station to the core. There are still connections, but they are much more in a publish-subscribe-type model. I think those, conceivably at least, bring a little more opportunity for attackers to probe nodes within the core network to find weaknesses and vulnerabilities. That is my take on 5G.

Heba Bevan: We have three elements that the telecoms community could work on: the communication aspect, which is provided by companies such as BT; the hardware aspect, which is probably provided by companies such as UtterBerry; and the software element within the system. So there are three types of vulnerability that could be introduced in the path of these three elements. The only problem with these paths is this: who is responsible if there is an attack? Usually, the communication aspect is the most important part to get protected.

Currently with 5G, there is a huge opportunity for opening up a huge economic impact from the sector in terms of healthcare, education and tech industries. These industries will need to move on and having 5G is definitely an important element, but how can we make sure it is secure in providing an effective communications network that provides an end-to-end solution and security? That is where I think we need to concentrate on the telecommunications and how can we make sure that what we are getting from that communication is totally secure, and that the encryption within it passes certain thresholds.

We can follow a certain standard within the hardware and software, but if the network is weak and has not provided us with good reliability, that is where things could be broken.

Christian Matheson (City of Chester) (Lab)

Q Thank you for those answers. I have just a couple of questions. First of all, following on from Mr Russell’s question, the impression I get—I am not an expert—is of a network that is a bit like a bowl of spaghetti. There are bits here, there and everywhere, and there are bits of different generations that are all added on. How easy would it be from your point of view, with your different areas of expertise, to audit and identify within any part of that chain in the network exactly where there is equipment—hardware, software, chips or whatever—that perhaps needs to be removed or checked?

Is there a shelf-life of the older versions? I am surprised that we are still talking about 2G—that it has not been removed. Is there a shelf-life for those elements and will they be removed from what I term “the network”, which is of course the whole global telecommunications infrastructure of the UK? Nick, do you want to start on this question?

Dr Johnson: Yes. Let me start on that shelf-life question. GSM is a little bit like Radio Four longwave, right? I do not think that it is ever really going to die; there are just too many people who depend on it for one reason or another, whether that is for emergency calls, or just for coverage in remote locations or wherever. I think GSM will stay there forever, despite its security issues. They are well known and understood, and managed in due course.

The shelf-life of network components is an interesting aspect. Our experience of deploying into cellular networks is that there is always a security audit involved. When we take a piece of equipment into a new operator, there is always a hurdle to be overcome. They have their own audit procedures and those include a sort of paper audit, where they look at the particular software components that the software is built from, some of which we build ourselves, some of which is open source and some of which is commercial off-the-shelf software libraries and so on. They want to make sure that those are all up to date and properly patched, with all the latest security patches and so on. I think that will just continue on. To some extent, that is just the baseline hurdle.

I am not sure this is exactly what you are asking, but what has changed in my mind as we go forward is this idea that there can be software in the network that is not so much interested in security—as in, somebody hacking into it—but is more of a Trojan horse type of software, completely undetectable until some signal or some date comes by and it springs to life and does bad things. The example I have in mind is the SolarWinds example from December last year, where software had been inserted in the supply chain and had been sitting there quite happily for a while. That, to my mind, is very difficult to detect. Until it goes off, you do not know there is a bomb inside it, and that is an issue.

Coming back to the shelf-life question, keeping the software up to date is a major issue. It sounds easy, but practically speaking, I know it is an operational dialogue all the time within vendor businesses: they are striving for revenue from new customers, for new features to be added, and that is acting against updating the software libraries and so on to bring them up to date. There is a continual dialogue in every vendor company to ask, “Do we need these features to get more revenue, or do we need to update these libraries because we need to maintain secure software?” I guess to some extent, the whole reason for this Bill is to try and force that to the front of the conversation; to say, “Look, you can’t go on. That dialogue has to stop now. The software needs to be secure.” That has to be the baseline; it has to be a basic hygiene factor in selling software that it must be secure to a certain level, and the features need to come as value added. If you have some questions coming up on the code of practice, designated vendors and so on, we might talk about that, but those are my comments on shelf-life.

I think I missed your first question. I apologise.

Christian Matheson

Q No, that is grand. Heba or Andy, do you want to add anything to that?

Dr Sellars: I can add a little bit. Your question about auditing systems is very pertinent to the experience we went through at the end of the 1990s with the Y2K bug. Lots of companies were required to do an audit: financial institutions, companies using software-driven automation, were required to do an audit of their systems in response to that threat. It would probably be a fairly similar exercise for telecoms. I am sure they must have a register of the equipment they use.

Nick has made all the points about software shelf-life, but from a hardware point of view, there is a capacity that the hardware can deliver. My understanding is that as they put in a new service such as 5G, it is quite often built on existing infrastructure such as 4G and 3G. Clearly, each piece of hardware has a bandwidth and can support a certain amount of data throughput, so in terms of shelf-life, I would argue that it is mostly capacity-related. I do not think there are any major concerns about things wearing out as such from a hardware perspective.

Christian Matheson

Q Heba, did you want to add anything?

Heba Bevan: If we are auditing basically hardware, it becomes very difficult. You can audit maybe 10 main base stations, 20 or even 100, but every single one of them is quite hard and intensive, and it might also be locking to a certain competition in who the supplier is. If you are getting it from one supplier, you are able to audit that supplier, but if you are getting it from multiple suppliers, how would you audit every single supplier? Would you go 10%, or 20%?

The other thing I would like to highlight is that back in early 2018, Intel had a problem with the security of one of its chips. I can provide written evidence later on to give you the full details on that. One of their chips, as well as AMD and Arm, had a problem, and they knew about it, but it has not been fixed. The problem is that if you put it out there into the community, it becomes a major threat, and a bigger threat.

In terms of hardware, as long as it is supported, maintained and updated on a regular basis, its shelf life will be built to a certain recognised standard. However, if it has not been built to a certain recognised standard and it has not been tested and maintained yearly, it will come to an end very quickly and will need to be replaced. We have a huge problem with a lot of networking in smaller areas and bigger areas in the UK. Some of the areas have an amazing network and speed, and some of them are very bad and are actually degrading. We can see that even in education. Schools currently rely on these networks to have Zooms and Teams meetings, as well as normal meetings. Some areas have not been maintained as other areas in the UK have. Maintaining and auditing them is bound up with the maintenance and making sure that, whoever the supplier is, they maintain the system on a regular basis, update the software and keep a track on that.

The Chair

I am sure Members would appreciate further details on the Intel example, if you can provide that.

--- Later in debate ---
The Chair

That would be helpful, thank you.

Dr Sellars: I agree with the points made by the other two witnesses.

Christian Matheson

Q Thank you for squeezing me in, Mr McCabe. I will direct this question to Ms Bevan; it should really be directed to the Minister, but unfortunately procedure does not allow that. There is a quote on the UtterBerry website:

“I am delighted UtterBerry has been selected as a champion of British technology excellence through the TechHub programme—just one of the new initiatives we have launched in partnership with industry and the Chinese government.”

That is from Sherry Madera, the deputy director general of the Department of International Trade at the British Embassy in China. Are our firms still being pushed to share communications technology with China as this Bill is going through?

Heba Bevan: No, we worked with the Department of International Trade in 2016. The Chongqing Government were interested in having UtterBerry there. We spoke with our lawyers about the amount of IP we have and decided that we would not pursue this. We do not manufacture anything in China. Everything in UtterBerry is manufactured in the UK—software, hardware and everything we do. We mainly have graduates from the UK. We have European engineers, but recruitment is mainly kept closer, because of the IP sensitivity.

The Chair

Thank you for clearing that up. Chi Onwurah.

Telecommunications (Security) Bill (Second sitting)

Christian Matheson Excerpts
Committee stage & Committee Debate: 2nd sitting: House of Commons
Thursday 14th January 2021

Public Bill Committees
The Chair

Anything to add, Mr Evans?

Matthew Evans: No, that is a good analogy.

Christian Matheson (City of Chester) (Lab)

Q I want to follow up the point that Mr Jones and Mr Johnston made. The Government are requiring the industry to make these changes for all the reasons that we understand. We are hoping for diversification across the sector to provide innovation. What would the industry be looking for from the Government to assist that and drive it forward? Mr Jones talked about the role of the Government in assisting that. How could they best assist that?

Matthew Evans: The strategy sets out the outline of what the industry would like to see. There are commercial and regulatory barriers that need to be removed or analysed. That includes things like how the lifespan of 2G, 3G and 4G in the UK is going to exist, and setting out a road map. That will allow people to develop technologies in 5G and future generation without having to invest in what are still very good technologies—those that have already been deployed.

What we would like to see in the strategy—this is where the funding is really important—is the R&D and testing ecosystem. We would like to see something like the Future Networks Initiative, which is a proposal for a series of test centres around the UK specialising in different areas of telecoms, particularly open RAN. As I said before, that should help accelerate the adoption of new products and services when utilised in conjunction with the National Telecoms Lab. That is key. As Hamish has said, standards are also really important. Again, we need closer collaboration between the Government and industry, because the technical side is naturally going to be driven by industry.

The Chair

Mr MacLeod, do you have anything to add?

Hamish MacLeod: Very little to add. Personally, I can say that the recent 5G testbed programme that the Government have been initiating to generate interest, applications and scale is a good model. We expect to see that being replicated; indeed, the two might work hand in hand going forward.

--- Later in debate ---
The Chair

I am just going to interrupt you there, because I am conscious of time and a couple of Members are indicating that they want to come in. I call Christian Matheson.

Christian Matheson

Q Thank you, Mr McCabe. I want to follow on directly from the answer that was given to Mr Johnston. This morning, I asked some of the larger mobile firms whether they had done a proper audit, they had an asset register and, when the orders came through from the Government, they knew exactly what to take out and where it was. Those were the largest mobile firms. They all expressed confidence that they did. Dr Bennett, are you suggesting that at that top level we should be querying that confidence a little bit? Perhaps you are suggesting that that confidence should not be taken as read, as we flow down through the rest of the sector from the top level.

Dr Bennett: I would hope that those at the top level are clear about it, but I would be surprised if there were not occasions when they had used subcontractors to do maintenance and the imperative had been to sort out the fault ASAP. Knowing precisely what components had gone in could be wrong, and that might come up in an audit. I think it becomes more important as you flow down the levels.

When there is this desire, quite rightly, to bring in new and additional suppliers, those suppliers will need help to ensure that their parts of the network are working well. Again, I would suggest that something that is not in the Bill but should be there is the type of sandpit that the City of London has done for FinTech companies, where new entrants can test their equipment against the type of networks that they will be interacting with. That would reduce the risks of security problems in that area and give everyone confidence that the lower tier suppliers are compatible and have the same level of security as the top level of suppliers.

Christian Matheson

Q Should there be some form of external audit of asset registers?

Dr Bennett: Yes.

Christian Matheson

Q And who should do that external auditing?

Dr Bennett: This is the type of thing that would be done by a commissioner. I think NCSC is well placed to be involved in that and things like sandpits. I am not sure whether Ofcom has all the resources it would need to be able to do that. But we also must remember that audits and responses to audits are quite expensive things. If we want the infrastructure to be secure over time, as we all do, we have to agree that that is an expense that we will have. That will make the whole system more expensive to maintain, because it is an important job.

The Chair

Thank you. Mr Robson, do you want to add anything to that?

Julius Robson: I think it is very important. One of our angles on this security Bill is that we see diversity as important not just for building resilience, but for delivering on the promise of 5G, which is to take mobile—which currently is about voice and data for people—and deliver it into organisations, to have e-health, smart industry and connected communities. To do that, you need a diversity in service providers. It is fair to say that mobile operators have done a great job of the outdoor national network, but perhaps not so much delivering into enterprise.

We want to ensure that when we implement new policies, like the telecoms security Bill, we are not introducing large barriers to entry to those smaller players that will come in and diversify our network. This talk of making everyone auditable is a workload that will drive us back towards a monolithic industry, where you have a small number of service providers, and only the largest vendors are able to service that. We need to ensure that whatever policy we implement looks forward and is workable for this diverse ecosystem that we aim for in 2025 and beyond, not the monolithic one we have today.

--- Later in debate ---
Dean Russell

Q Many years ago, I used to work in communications and did some work with Huawei as a client. I remember, 10 or 11 years ago, someone told me that about 80% of all electronic communications go through some form of Huawei technology across Europe. I do not know how true that was, or whether it was inflated, but I am interested to understand from your perspective, given the impact of the Bill, how you see what it proposes compared with what is being done in other countries, in particular looking at comparable countries such as our Five Eyes partners.

Charles Parton: I think you are absolutely right to focus on our Five Eyes allies, in particular America and Australia—Canada and New Zealand at the moment are a little bit undeclared—which have come out very forthrightly to say that we really should not be entertaining Huawei in our systems. We have now followed them—even if only by 2027—and I think that is very much the right decision for a number of reasons, which I could go into if you wish me to.

I am not a technologist, and look at it much more from the political angle. It seems to me, if I may say briefly on the technology and the 5G system that is going to last us for the best part of 25 years and on which, no doubt, 6G will be built, that the idea that we can stay ahead in technology and be absolutely certain for the next two or three decades that we are ahead of the game and can keep them out of manipulating our data or using it in some advantageous fashion, is one of very great trust in our own abilities—first, they are putting enormous resources into it.

There are other reasons why the decision to get rid of Huawei was correct, and one is what I call the “black vulture of policy”. We have seen the way in which China will bully and sit on those countries that go against its wishes, in whatever field—way outside telecom. If you are dependent on another country’s systems, whether for getting equipment on time, or upgrades—let alone the more devious aspects of possible interference—I think that you will be looking at that black vulture and thinking, “Is it safe to pursue a policy that is very much in my interests, on telecoms, if I am going to be hit hard in other areas?” We have seen that: Australia, at the moment, is under the cosh; the UK was under the cosh when the Dalai Lama visited in 2012; Norway has been under the cosh, and so on.

In that context, are we saying that Huawei rules the Chinese Communist party’s policies? Of course not, but they are very intimately linked. I think that if the Chinese Communist party says to Huawei, “Jump!”, the only response from Huawei is, “Yes, sir! In what direction and how high?” You might look at the national security laws and say that those of course oblige them to co-operate and all that, but I do not think that matters so much—if the Communist party says, “Do it!”, they have no choice. If you look at how close they are, as another illustration, look at what is happening in Canada with the two hostages and the chief financial officer, Meng Wanzhou. Again, I could go into more detail if you want.

Also, there is the financial support that Huawei has received over the years, in terms of cheap finance, loans to customers, tax rebates and so on. Why does it do that? Because the Communist party wants to dominate the technology of the future, and Huawei is its tool for doing that. So I think that to trust Huawei in the long term would be a very unwise decision.

Dr Steedman: Can I take us back to the Bill and talk in that context? We are in a period of very rapid technological development and evolution. Many countries, including the Five Eyes countries, have allowed the market to drive this forward and not perhaps paid attention to it. While this was a hardware-driven sort of infrastructure, that was possibly manageable, and we have managed it over the last few years fairly satisfactorily. But looking ahead to the 5G and, perhaps—who knows?—the 6G world, we have moved to a much more vulnerable position away from hardware and towards software.

I welcome this Bill because I think it is incumbent on countries that want to protect themselves with secure and resilient infrastructure, and because it puts in place a structure of regulation, guidance and standards, which I represent, that will enable a transformation in the industry of the United Kingdom. It will enable us to use technology and software from providers all over the world, but also from SMEs and start-ups in the UK that we can encourage, and create a really innovation-friendly future. But to do that we have to create a market framework that is structured under a quality piece of regulation that enables that to take place in a clear way—clear for the market, clear for the regulator Ofcom, and clear for the Department that manages it on behalf of the Government.

In this Bill we see clear statements about new duties, codes of practice and guidance—another form of standard—to be approved by a Secretary of State for the industry, and also indications about the use of industry standards to support and deliver a new policy. We can really play to our strength in the UK, where we work in a very performance-based market structure, and we can enable a pro-innovation culture that will stimulate and deliver the diversification, security and resilience that we are looking for.

It is not unusual in the world that major commercial players, given free rein, try to influence things in the direction that suits them best. It is not unusual. We are talking about China specifically, but it is not unusual. The key to this is ensuring that in the standards landscape, which is used to support the delivery of regulatory bodies, the governance and processes of the development of those standards is managed and influenced with UK stakeholder interest at heart. In the big landscape of standards, which we might want to talk about further, there is a very wide range of organisations developing standards, from the fringes to the formal systems, and we can discuss and deploy that in a coherent and consistent way.

There is evidence from other Departments of how this works in a co-regulatory manner, supporting industry, Government, Departments and the regulator to deliver the outcomes that we as a nation desperately want.

Christian Matheson

Q First to Mr Parton, we talk about Huawei, but is it the case that it is not Huawei but the Chinese state or the Chinese Communist party trading as Huawei? All the focus is on Huawei at the moment, but are there any similar companies, or front companies, that the Bill might have to cover in future? Bearing in mind the view that the Bill can help with diversification among trusted partners in the UK, how did Huawei get into such a dominant position globally? What can we do, perhaps in legislative terms within the framework of this Bill, to avoid that in the future?

Charles Parton: Of course, Huawei got the headlines because of the urgent need for 5G, but you are absolutely right that it is not the only player in telecoms, and indeed telecoms is not the only subject. I think that we need to look much more seriously at the whole question of technological co-operation with China. This gets into the whole question of divergence, or decoupling if you are American.

We have to recognise that, whereas our aim in China relations is to maximise trade, investment, global goods and so on, there are increasingly limits because divergence is happening. The intention of the Chinese Communist party is to dominate. As Xi Jinping in fact said in his first speech to the Politburo, the intention is to dominate western capitalism. He said that the Chinese system will take the superior position. Clearly, technology and its advance is a very important way of doing that, so it is not just Huawei and 5G. Therefore, we have to look very carefully at the whole question—that, I suppose, is what lies behind the National Security and Investment Bill—of how we co-operate on technology with China.

I have called for this a number of times, as many others have. The Government will need to set up a body and give much clearer guidance on which subjects in this field of technology we can co-operate happily with China, as well as which organisations—many are connected with the military, and the distinction between civil and military technology is eroding—and which individuals, because there are a number of individuals who have taken back or collected technology to help the Chinese security apparatus develop it.

You are absolutely right that it is really important to look much more broadly than Huawei. The company that comes immediately to mind is Hikvision, because it has such a large amount of the CCTV market. Secretary of State Dominic Raab made an interesting point in his speech the other day about the reputational harm that could be done to some of our companies if they are co-operating with Chinese companies that are deeply involved in the surveillance state, of which of course Huawei and Hikvision are two. Huawei has three laboratories with the public security bureau in Xinjiang, and is devising for them technology that will enable them to pick out Uyghur faces in crowds. That is on that side.

I think your second question was, why has Huawei been successful?

Christian Matheson

Q How did they manage that dominant position, and what lessons are there to be learned from that, either in stopping other companies from getting that dominant position or in helping us to diversify?

Charles Parton: I think the Chinese state very strongly supported Huawei through its financing provisions and tax breaks, and indeed worldwide by giving cheap tied loans to countries and companies that would use its equipment. Of course, Huawei has been very successful because it is enabled thereby to provide very cheap goods, and it works extremely hard and quickly. I have to say also that there have been times when we have helped it. I am not a great supporter of the Huawei security cell that checks it. I think Huawei must be delighted with that, because some of the best brains in Britain are paid to pick out the holes in its shoddy system. It does not necessarily have to do the work and it can plough ahead with speed, in the knowledge that the Brits will very kindly point out where its systems are deficient and demand that it fills them. It is a great model, and we need to think a bit more carefully about that in future.

Dr Steedman: Technology companies that secure major positions in the market, wherever they come from, do so either because the market is not being monitored or regulated carefully enough, or because they win the contracts. You would need to ask market experts about why Huawei achieved the position that it did.

Perhaps I could focus on the diversification question and looking to the future. There are very effective ways and means to manage the market structures in our country, and they require a combination of regulation, guidance and standards. You can do that through procurement routes on both the technical side and the supply chain side, and you can do it through the contractual routes. Although we have a very successful and professional regulator in Ofcom—its role is to police the regulatory environment—we can also encourage, through the supply chain channels, the use of standards on specific technical requirements and on specific contractual requirements which encourage better business behaviour.

The Government in the UK use a small proportion of the British standards catalogue—perhaps 10% or 15% of the 37,000 standards that I am responsible for—in support of regulation. This is the area where co-operation can take place in a very effective way between UK experts, industry experts, consumer experts, regulators, academics and other countries of our choosing. Indeed, in the international domain, I have 1,200 committees. The UK chairs, hosts and manages 200 international committees, and a lot of the action, in terms of co-operation outside individual companies and universities working in their laboratories, takes place in the international standards system. It is in this system that we can seek to increase UK participation, co-ordination and influence, in order to get the results that we want. We want to ensure that the standards used are open and interoperable, that their governance is managed in an independent and neutral way, and that British stakeholders have the opportunity to influence the content of those standards.

The key to international co-operation is managing and influencing the international standards through which technologies, software and business processes are all delivered around the world. That is the plug-and-play global economy—trade, innovation and so on. It is an enabler; it is not a level playing field. The Telecommunications (Security) Bill will provide the level playing field for parties in the UK, and standards provide the opportunity. I would encourage us to see beyond the Bill’s provisions on rules, guides and guidance and to see the role of standards as a tool for us to help stimulate the diversification, security, resilience and quality that we are looking for in a future market environment in the UK. That is an area where the diversification taskforce under Lord Livingston, which I am privileged to be a member of, has been working very hard. We have some ideas emerging from that taskforce to support the 5G strategy, which I hope in the medium term will see British influence in international co-operation on standards really ramped out. We look forward to that.

The Chair

I think I might interrupt you there, because we have only until 4.45 pm. I would really like to bring in Mr Sunderland, the Minister and the shadow Minister, so we need very tight questions and very succinct answers.

Telecommunications (Security) Bill (First sitting)

Christian Matheson Excerpts
Committee stage & Committee Debate: 1st sitting: House of Commons
Thursday 14th January 2021

Public Bill Committees
The Chair

I propose drawing this part of our deliberations to a close at 12.30 pm. We have five Members seeking to ask questions. If our panellists keep each of their answers to one minute, we will get everybody in—and we will get all the answers as well. I call Christian Matheson.

Christian Matheson (City of Chester) (Lab)

Q Thank you, Mr Hollobone. In that case, I might take liberties and squeeze two questions into one.

Gentlemen, can I assume that you have done an audit—an asset register, if you like—and that you know where all the at-risk equipment is in your networks, so that once the Government push through an order, you know exactly where to go to address the requirements of that order? How interconnected are your networks? Are you as confident as Mr McManus, who says that the integrity is fairly good? Do you all rely on each other to maintain an overall integrity? What if one is insecure?

Patrick Binchy: Of course, the networks are interconnected. As I said, we have full visibility and control of what transverses between the networks, so we can maintain full control over that. I do not think there are any significant risks in this space, because of all the security checks that we do on the equipment that comes into the network. We maintain a regular relationship with NCSC in terms of any future threats or concerns that it has. We all have our asset registers, and an understanding of what we have in our networks. We maintain and update those on an ongoing basis as the technology changes and evolves.

Christian Matheson

Q So you know where all the dodgy stuff would be, if you were asked to find it.

Patrick Binchy: We know where all the equipment is for our main supplier, yes.

Derek McManus: On the question on the asset register, absolutely. As for whether networks are interconnected, Patrick gave a good answer. The O2 and Vodafone networks are somewhat different, in that we work together on a network share; the O2 team manages and maintains a network in a certain geography, and the Vodafone team manages and maintains a physical network in another geography. In that sense, the O2 and Vodafone networks are very interconnected.

Andrea Donà: It is vital that the secondary legislation that accompanies the Bill clarifies assets in the telecoms network architecture that will be in scope of the security requirement, so that we can work knowing what we have audited, and knowing that the auditors always shared with NCSC. We need a clear understanding between Ofcom and us as providers before the legislation is enforced, so that we understand exactly the boundaries and the scope, and we all work together, having done the audits, to close any vulnerabilities that we might have. That is a clear aspect of our working together: ensuring that the assets in the telecoms network infrastructure that are in scope are very well defined.

Dean Russell (Watford) (Con)

Q Can you describe in layman’s terms the types of security threats that your organisations face, and how the security framework would address those?

Derek McManus: There are a number of different security threats. I will talk about network from a physical point of view, though there are obviously also scams and threats through direct human contact. It is mostly penetration of the physical network either from attack or from virus software. Attack is where foreign agencies or bodies look for vulnerabilities or holes in your defences. The role of the telecoms operator is to ensure that all its physical equipment and software are of the highest support and variation that defends from attack. We see quite a high volume of attack, either DDoS or penetration, on a regular basis. As I said, we do cyber-security by design. It is built into the fundamental processes of expanding and adding to our network, to protect us from those very things.

Andrea Donà: To add to what Derek says, it is also important that Government play a role in securing the additional security needs across the whole ecosystem of the supply chain, including the vendors. With the ever-changing nature of the threats we are exposed to, as Derek explained in layman’s terms, we have to change the protocols and the rules by which we and our vendors implement our defence mechanisms.

It is important that the Government do not leave providers such as us alone to reinforce these additional minimum security standards; they should play an active role in ensuring that vendors adapt their technology road map, so that things are done in a much more future-ready, cyber-security-compliant manner, because we face an ever-changing picture and ever-changing scenarios.

Patrick Binchy: In terms of the threats and penetration, as Derek said, the key things are that they get into the networks, either to bring the networks down and create chaos for the UK economy, or to extract information from the networks. All our security, as both my colleagues have said, is built into design, right from the very start of the procurement process. How do we protect against, and build networks that are able to detect, avoid and block, any of those risks and threats? We do that through our knowledge, the knowledge of NCSC and the authorities, and the knowledge of the wider industry on what is going on beyond the UK and in the international regime. We are constantly reviewing and updating our capability to protect against any of those threats.