(1 year, 10 months ago)
Lords Chamber
My Lords, several Peers have mentioned the Digital Economy Act 2017 and the sadness of the constitutional impropriety when the Executive refused to implement the will of Parliament. That really concerned me because, if it had been implemented, so many children would have been protected, for several years by now. We learned some useful things during its passage that could very much be applied in this Bill.
The first was on enforcement. This is always the big problem: how do you make them comply? One of the things that will work is the withdrawal of credit card facilities. If a Government or authority ask credit card companies to withdraw facilities from a company, they will, probably internationally. In fact, this happened not that long ago, a few months ago, to one of the big porn sites. It soon fell into line, so we know it works.
The other thing is that anonymous age verification is possible. At the time I chaired it, the British Standards Institution issued PAS 1296 on how to do it, and several companies implemented it. The website itself does not check; it is done by an external company to make sure that it is right. The noble Lord, Lord Browne, has just explained exactly how it works. It was a very good explanation of the whole thing. About a year ago, they were intending to elevate it to an international standard because other countries wanted to use it. Certain European countries were very keen on it and are already implementing stuff.
The other thing that struck me is this: what is meant by “legal but harmful”? It is an expression that has sort of grown up, and I am not sure whether it means the same thing to everybody. In terms of pornography, which I and a lot of us are worried by, we do not want to be a modern Mary Whitehouse on the one hand, so you do not want to regulate for adults. But the noble Baroness, Lady Benjamin, who worked on this, explained all the dangers very well, as did several others. It is not just that children get addicted; they also do not learn how to treat each other and get completely the wrong impression of what they should do. In fact, horrifyingly, I heard that throttling, for instance, is on the increase because it has apparently been appearing on porn sites recently. It does not take long to corrupt the next generation, and that is my real concern: we are destroying the future.
To future-proof it, because that is the other worry, I would suggest quite simply that access to any website, regardless of size, that has any pornography must have anonymous age verification. It is very simple. We may not want to prosecute the small ones or those that do not matter, but it allows us to adapt it to whoever is successful tomorrow—because today’s success may disappear tomorrow, and a new website may come up that may not fall within it.
The other thing I want to mention quickly is that anonymity is necessary because it is not illegal, for instance, for any of your Lordships’ House to go and access pornography, but it is severely career limiting if anyone gets to know about it—and that is the trouble. The same thing applies if you are a Muslim leader and wish to buy some alcohol online. That is why we need to have this. It is perfectly possible, it is out there and lots of companies can do it.
Finally, what is misinformation? It is really the opposite opinion of what you yourself think, and I think there are huge dangers in how we define that.
(2 years, 5 months ago)
Grand Committee
I shall speak in the gap; I am sorry that I did not get my name down early enough to speak properly. I have one or two quick comments. First, I welcome this useful and excellent report, which will be a useful step forward if something happens about it. I notice that DCMS has responded to it but, actually, regulation involving digital issues runs across all departments, so it almost ought to be a joint response from every single department. That is something that we miss; “divide and rule” in the Executive is very dangerous.
From the summary, I picked out references to
“unnecessary regulatory burdens which could limit the benefits of digital innovation”—
that remains very true—and
“a lack of overarching coordination and oversight of regulatory objectives.”
That is also extremely true, and I have hit it several times. Paragraph 9 states:
“The solution was not to be found in more regulation, but in a different approach to regulation, with a coordinated response across policy areas.”
Therefore, the Government’s response—they are not down as saying that they actually want this to happen—really worries me. I thoroughly agree with the noble Baroness, Lady Stowell, when she said that we should set out the principles in what we do sometimes. We cannot control complex systems using rules, as they start conflicting and alter in unpredictable ways; there is a lot of theory around this. We have to realise that we must set out the objectives and principles behind them.
Paragraph 62 is about “power to resolve conflicts”. Someone needs to have that power. I will illustrate that with a real example. Among other interests, I have been involved in the whole thing about age verification for many years, going back to Bills on ID cards and things like that—although that was not so much about age verification. One of the challenges is that the civil servants who know all about it tend to move within a year and a half to two years, so you lose your expertise the whole time. All those who worked on Part 3 of the Digital Economy Act—we had to get them up to speed—have gone. I do not know where; they are probably desperately hiding somewhere else.
Exactly—we will never see them again. This is the big problem. I chaired the British Standards Institute’s publicly available specification—PAS—1296 on anonymous age verification; we solved the problem, and it is out there. The sad thing is that this is now being elevated to international standards used by Europe, but I do not know whether we still recognise that it exists. In 2020-21, the French started implementing the protection of children in legislation—I am not up to speed on exactly where they are—so it is actually happening there. But what have we done? We have said that we will stop it in the Online Safety Bill, repealing the part that was going to work in the Digital Economy Act. This is complete lunacy and, in fact, goes against the principle of the supremacy of Parliament—but I will not go into constitutional issues.
Looking forwards, the benefits and potential risks of AI will not be a single-department thing; this will run across all departments, because it involves everyone and everything. A lot of people mean different things when they say “AI”, so this is huge.
Finally, yes, we need some horizon scanning, but we do not want to get bogged down in trying to anticipate futures that may not exist. As someone said, a lot of other people are doing this. If you have knowledgeable people in the committee and in the Lords, they can help to spot where things are coming from and go from there. I welcome this report.
(2 years, 6 months ago)
Lords Chamber
The Minister said earlier that the whole point of the Consumer Rights Act was about unsafe goods. I think that he means “unsafe” as referring to physical harm. Actually, a major security breach could render serious physical harm to someone because having all their money removed from their bank account could affect their mental state and result in the breakdown of their marriage, suicide, failure of business, all sorts of things. Therefore, it may have just as damaging physical effects on someone, though not immediately apparent. Although they are different they are equally unsafe, so this has more merit than he is suggesting.
At the risk of a philosophical debate on the nature of security versus safety, I accept some of the points that the noble Earl makes. There are distinct differences between our approach to product security and existing product safety as set out in consumer legislation, but I will address myself to that philosophical point in the letter, if I may. For now, I ask the noble Lord to withdraw Amendment 14.
My Lords, I speak in support of this amendment. My noble friend has just said that he doubts that the Government will adopt it, but, like him, I want to know where their thinking has got to.
The Computer Misuse Act is one of the first bits of legislation passed in the cyber era. It is old and out of date, and it is fair to say that it contains actively unhelpful provisions that place in legal jeopardy researchers who are doing work that is beneficial to cybersecurity. That is not a desirable piece of legislation to have on the statute book.
Last year, before the consultation that closed over a year ago, I corresponded with my noble friend Lady Williams. The common-sense reading of her reply was that the Home Office was quite aware that the Computer Misuse Act needed updating. I confess that I am a bit disappointed that, a year after the consultation closed, there still has not been a peep from the Government on this subject—either a draft or a statement of intention. It would be good to know where the Government are going, because it is quite damaging for this legislation as it stands to remain on the statute book: it needs modernisation.
Like my noble friend, I recognise that actually getting the drafting right is tricky and complex. Drafting language that strikes the right balance is not all that easy. But inability to find an ideal outcome is not a good reason for doing nothing, so I live in expectation, because the best must not be the enemy of the good. If the Government do not intend to produce legislation that updates that Act, I should like to see something in this legislation, taking advantage of it, at least to move the dial forward and protect ethical hackers to a greater extent than is the case at the moment.
If the Government are concerned about our drafting, I am sure we would be willing to listen to suggestions on a better formulation. In the absence of that, perhaps the Minister will say when and how the Government intend actually to modify a piece of legislation that has served its time and now needs to be superseded.
My Lords, very quickly, I remember well during the passage of the Computer Misuse Act and the Police and Justice Act 2006 trying to tidy up language about hacking tools and so on. It became very complicated and no one could quite work out how to do it, because the same thing could be used by baddies to do one thing and by good people to help maintain systems, et cetera. In the end, I think it went into the Act and they just said, “Well, we won’t prosecute the good guys”. Everyone felt that was a little inadequate. I do not know quite what we are going to do about it but it needs to be looked at. Therefore, this is a good start and I would welcome some discussion around it, because we need something in law to protect the good people as well as to catch the criminals.
My Lords, this amendment is countersigned by my noble friend Lord Clement-Jones. I know he will be very disappointed not to be able to speak to this, because it is an issue he feels particularly strongly about, as do I. Also in their absence are the auras of the noble Lords, Lord Vaizey and Lord Holmes, who spoke at Second Reading on this issue—it is a shame they are not here, but I think they have been ably replaced by the noble Baroness, Lady Neville-Jones, and the noble Earl, in their speeches. I will try not to duplicate the points that have been made by the three speakers before me. At the heart of this, as the noble Baroness confirmed, is the need to address the UK’s outdated Computer Misuse Act to create fit-for-purpose cybercrime legislation to protect national security. Clearly, that is not easy, as she pointed out, but that does not mean we should not do it at some point.
The Computer Misuse Act, as we know, was created to criminalise unauthorised access to computer systems or illegal hacking. It entered into force in 1990, before the cybersecurity industry as we know it today had really developed in the UK. Now, 32 years later, many modern cybersecurity practices involve actions for which explicit authorisation is difficult, if not impossible, to obtain. As a result, the Computer Misuse Act now criminalises at least some of the cybervulnerability and threat intelligence research and investigation that UK-based cybersecurity professionals in the private and academic sectors are capable of carrying out. This creates a perverse situation where the cybersecurity professionals, acting in the public interest to prevent and detect crime, are held back by the legislation that seeks to protect the computer systems: it is an anomaly.
As noble Lords will know, under the guidance that will be introduced following the passage of the Bill, manufacturers of consumer-connectable products will be required to provide a public point of contact to report vulnerabilities. This could be an important step forward in ensuring that vulnerability disclosures by cybersecurity researchers are encouraged, leading to improved cyber resilience across these technologies, systems and devices.
I say to the noble Lord, Lord Bassam, we are coming to the Landlord and Tenant Act 1954.
The residential security of rent control caused a seizing up of the private rented sector for the next 25 years. This is something that the Landlord and Tenant Act 1954 avoided doing in the business sector by providing security of tenure, but on market rental terms. The word of warning here from the noble Earl is that Government should be careful what they wish for and how they go about any significant transition in dealing with human sentiment against actuarial robotics, and be aware of whose voices they lend their ears to.
There are apparently three routes to lease renewal: the 1954 Act, which the noble Earl believes is effectively overwritten in some instances by the 2017 code revision; the immediate pre-2017 code for non-LTA leases; and the situation that pertains for agreements following the 2017 changes. This seems a recipe for confusion, and if the noble Earl is confused, where does that leave the rest of us?
There is a lot of detail in quite a short amendment, but this is an issue. I understand, and I think my noble friend Lord Clement-Jones and the noble Earl, Lord Lytton, understand, that there needs to be some clarity over which measures apply where, and whether the Government really want to sanction wholesale renegotiations of the nature that the noble Earl, Lord Lytton, has set out. I think that is a law of unintended consequence, and it will slow down the implementation of what we want to be implemented rather than allow it to happen more quickly.
My Lords, I would add that I completely trust my noble friend Lord Lytton on these affairs and issues. I have talked to him, particularly when discussing burying fibre and things like that, and he knows a lot about it.
My Lords, this is of course the first of a number of amendments that deal with Part 2 of the Bill. The amendment refers to telecoms infrastructure. This is far from the only debate that we will have on broad issues around property rights, operators, access to land and so on but, as a general point, it is worth restating our belief that this country needs access to better digital infrastructure. Our concern is that the Government have not been hitting their targets for the rollout of gigabyte-capable broadband. There have also been issues around the rollout of 5G technology. Although we want to see decent infrastructure, we also want to see fairness in the system, and that is what this amendment speaks to. It seeks to ensure a degree of continuity and fairness as new agreements are made to replace existing ones.
The principles cited by the noble Lord, Lord Fox, and in the amendments tabled by the noble Lord, Lord Clement-Jones, are reasonable. Again, they are principles that I am absolutely sure we will return to next week, as we have ever-more detailed discussions about rents, dispute resolution and so on.
As has been outlined in this debate, the court is not currently bound to consider the terms of an existing agreement. This feels like a significant oversight. Perhaps the Minister can inform us about what actually happens in practice and what will happen in practice. Both operators and landowners have, or should have, certain rights and responsibilities within this process. I look forward to the Minister’s response to Amendment 17 and to moving some of our own amendments during day two of Committee.
(2 years, 6 months ago)
Lords Chamber
My Lords, I want to say just a couple of words because, having read this and listened, I think the amendment has a very good point. I like the concept of a duty of care, because if we do not have that, who are we worrying about? In fact, Clause 7, on “Relevant persons”, is all about the manufacturers, importers, distributors, et cetera, with nothing about the customer, the poor person who is going to get hit by it. It is a very good idea to put that in at the beginning, setting down some principles and duties, because the other trouble is that by the time that we have done all these bits and pieces, made the regulations and the provisions, we are always acting after the event. What we need is a bit of proactivity, and we get that in this suggested new clause, because manufacturers, importers and distributors would have to make sure that products met certain minimum requirements. They would need to understand what “emerging security threats” there were; in other words, thinking ahead to the next stage and not just saying, “Oh, well, it complied with those things last year”, by which time the horse has bolted and we are far too late. So, I like it.
I am grateful to the noble Lord, Lord Fox, and, in his absence, the noble Lord, Lord Clement-Jones, for their Amendment 1 and for the wholly positive intention with which it has been tabled. I was grateful to have had the opportunity to talk to them about it before Second Reading as well. As the noble Lord set out today, he has argued that customers deserve some high-level principles setting out the security protections they should expect when purchasing consumer-connectable technology. In fact, Amendment 1 goes further, as noble Lords have noted, and would require manufacturers to owe their customers a “duty of care” to protect them. We are not as keen as the noble Earl, Lord Erroll, on that.
The first problem we have with a duty of care is that it could give consumers a false sense of security. If consumers buy well-designed technology products which meet the best standards, it considerably lowers risk, but with cybersecurity there is no such thing as zero risk: the most aggressive and well-resourced hacker will find a way. Somebody may have a quality product, but have they secured their wi-fi router? Do they have some legacy technology on their network? Manufacturers of a single device do not control the whole range of apparatus which constitutes the attack surface so cannot always provide an absolute security warranty, and they cannot always predict the next attack vector.
The second problem we have is that we have learned that the security of devices is best served by standards rather than principles. If one sets standards, one can send a device to a laboratory and assure oneself that those standards have been met. If one sets principles, that does not apply. That is why the Bill is designed to give force to standards. Those standards, developed here in the UK and now adopted by Governments and jurisdictions across the globe as well as by international standards bodies, are widely recognised significantly to lower risk for consumers.
Of course, we believe that the responsibility for the security of connectable products most effectively lies with the manufacturer. We expect manufacturers to take security seriously, to implement measures to develop and maintain an awareness of the security of their products, and to be up front with customers about the security support they can expect. We have tried voluntary compliance, with our code of practice which was published in 2018. We now need mandatory requirements, and that needs specific security requirements that can be independently assessed. The legislation must enable the Government to keep pace with market dynamics and the changing technological landscape—as the noble Baroness, Lady Merron, said, it is important that we move with the times. The flexibility to be able to set different security requirements for manufacturers, for importers and for distributors is key to this.
Amendment 1 in the form drafted would place an equal weight on the duties of each of these three groups to secure products. Compelling the Secretary of State to have regard to this general duty could constrain the Government’s ability to set specific security requirements in the future. Crucially, these principles could restrict the use of powers in this part of the Bill, working against the Government’s ability to bring this regime into force and impeding our ability to keep that regime future-proof. I should also say to noble Lords that industry and consumer groups have not raised the need for general principles such as this. Our efforts to engage and communicate our intentions have been clear, and the requirements we have set out for the relevant persons have been widely understood and are in line with international standards.
The noble Lord, Lord Fox, asked why the Government have chosen these three specific security requirements rather than others. During the consultation in 2019, we explored a number of options including mandating that all consumer-connectable products meet all 13 guidelines in the code of practice. They are all important, but the majority of respondents supported the option that the top three security requirements represented the most appropriate baseline, by balancing the important requirements that are testable, being applicable across a range of devices and creating the right incentives to improve security in these products. That is why the Government are initially mandating the implementation of security requirements that will make the most fundamental impact on the risks posed by insecure consumer-connectable products for consumers, businesses and the wider economy.
The noble Lord also asked about where products end and apps begin. The powers in Part 1 allow Ministers to set out requirements that include products and software. The proposals in the consultation he mentioned relate to those who operate app stores. So, while I acknowledge the good intentions behind it, I hope I have been able to set out why the Government feel that this amendment—
Perhaps, if the noble Lord is happy, we can explore this. The example he gives, as he knows, includes software and technology. Perhaps we can have a detailed discussion where we can work through some of those examples. I would be very happy to talk to him about them because on the question he poses the line is drawn in a different place depending on the product and its nature.
The Minister talked about standards a moment ago. If we are going to rely on standards, who is writing them? I presume that he is talking about British standards; to write a standard will take a year or two. I hope that the Government are going to fund it. We got no help from them in trying to fund stuff around age verification, even though that was core to the Digital Economy Act. If we are going to elevate it to an international standard, that will take another year or two, so we will not see any action for a long time if we are going to rely on externally written standards. I have chaired two BSI standards so far, and it does not happen just like that.
(3 years, 5 months ago)
Grand Committee
My Lords, I do not want to bang on for a long time because, in a way, this falls in with things such as the technical advisory committee. It is all part and parcel of the same thing, and we have to keep our eyes open and start forward scanning and see what else is out there.
Ofcom is not in fact a department; I seem to remember that it was set up by Europe through regulations and that originally, it reported via Parliament to the European regulators. I am not entirely sure what Ofcom’s chain of command is; I must do some research into it. Having this buried inside such a body without proper parliamentary scrutiny is unwise, so it is only sensible to embed the principle of having proper advisory committees. This is an obvious no-brainer: we need people with these abilities and skills to be advising on this stuff, and I cannot understand why there would be any objection to it.
Amendment 25 covers the very good point about long-term strategy. As was pointed out on Tuesday, our relationship with the Five Eyes could easily change. There have been efforts from time to time to drive a wedge between us, and we need to start looking at that. One cannot assume that the status quo regarding who is an ally or friend will continue for ever. The fact that we are in different parts of the globe and therefore perhaps in different trading blocs could cause undue pressure, so we must have this horizon-scanning, long-term attitude.
The speech of the noble Lord, Lord Coaker, reminded me of the Tallinn Manual and the question of when cyberwarfare escalates to actual warfare because your entire infrastructure and systems have been taken down. It is a very interesting document. I skimmed through it a long time ago, but it was very eye-opening and before we just leap in, people should take a look at it.
That is really all I have to say. This is so obvious, and I just hope that the Government are going to do something about it.
My Lords, in speaking to Amendments 18 and 25, to which I have added my name, I have in mind the very purpose of the Bill itself, which is, I take it, to ensure the security and resilience of our telecommunications capability here in the UK. The Bill as drafted places certain duties on the providers of those capabilities and gives powers to the Secretary of State to make regulations and issue codes of practice. This is all well and good, but these somewhat mechanistic, albeit welcome, measures will not by themselves result in the necessary degree of security and resilience.
As I said at Second Reading, things move quickly in the world of technology, and they will move even faster during a determined attack on our telecommunications infrastructure. If we are to respond successfully, we will need to be both agile and adaptable. The measures in the Bill will, by themselves, not ensure this.
One of the reasons why we are even considering this Bill is concerns over the position of Huawei in our telecommunications architecture, the clear channel that runs through that company to the Chinese Communist Party, and the ensuing vulnerability of our system. None of this comes as a great surprise, but we have allowed ourselves to get into a position where we are now having to play catch-up. This is largely because we spent the first half of the last decade thinking almost exclusively of the economic opportunities offered by China and very little about the associated security risks; in other words, our decision-making process was unbalanced and distorted. Without proper safeguards, we could easily find ourselves in a similar situation with regard to some future threat.
What sorts of safeguards might help prevent such an occurrence? There is no single answer to this question but at the very least we need a process that provides an appropriate degree of horizon scanning and that, importantly, draws in expertise from across technology, business and security organisations and, indeed, from across different government departments, to give us the best chance of coming to a balanced view.
That is what Amendment 18 seeks to do. It will not cure all ills but it will provide us with a mechanism to drive adaptability, not just in our architecture but in our thinking, something that is traditionally hard to achieve. Of course, the Minister may say that the Bill is not the place for setting out this kind of thing. My response to that would be: if not here, then where? The responsibilities outlined in the amendment must be met if we are to achieve the Bill’s laudable purpose.
Amendment 25 is in many ways a follow-on from Amendment 18. It calls for the deliberations of a horizon-scanning body and the ensuing policies and actions to be presented to Parliament in the form of a comprehensive strategy. Most importantly, it seeks to ensure that such a strategy is coherent with other elements of government policy, as set out in various documents, such as the integrated review, and in other legislation, such as the National Security and Investment Act. It also seeks to encourage international co-operation in this regard. I believe this is essential, since we rely so heavily on collective security for our national safety. The noble Lord, Lord Coaker, has already highlighted the importance that NATO now attaches to the whole area of communications and cyberspace.
Taken together, these two amendments put in place measures that would improve our agility and adaptability and thus strengthen the Bill in terms of its ultimate purpose. If the Government are going to set their face against such measures in this legislation, I ask the Minister to explain how the essential functions they prescribe are to be carried out and how Parliament can be confident of their success.
I apologise to the Committee for having to hear so much of me in the first 48 minutes. This is a really important amendment and I will make a couple of general remarks before making some more specific comments.
Concern has been expressed throughout consideration of this Bill about the extent to which the Bill provides for parliamentary scrutiny. Parliamentary scrutiny is the important area that Amendment 22 seeks to address, and I am grateful for the support of my noble friend Lady Merron and the noble Baroness, Lady Northover.
Amendment 22 seeks to improve and prioritise national security. We have all said that we support the intention behind this Bill and the need for national security, but the sweeping powers that the Bill gives the Secretary of State must be used in the interests of securing our critical national infrastructure. Removing Huawei does not in itself do that, so there is a question of accountability here. Amendment 22 is designed to ensure greater scrutiny, focus and transparency and address the deepening hole in accountability presented by the Government. At its heart, it would
“ensure that the Intelligence and Security Committee … is provided with any information relating to a designated vendor direction, notification of contravention, urgent enforcement action or modifications to an enforcement direction made on grounds of national security”
by the Secretary of State, as soon as reasonably possible.
The Minister knows that, during the passage of the National Security and Investment Bill, noble Peers from all sides of this House repeatedly tried to ensure that the Intelligence and Security Committee had oversight of national security issues. To be frank with the Minister, it was difficult to understand why the Government were so determined not to give the committee a role. This amendment says to the Government that the ISC is the appropriate place to discuss matters of national security and that it has a unique role in assessing security implications, as even Ministers accept.
The key point is to ask the Minister how this would work. This is the nub of the amendment and goes to the heart of what many noble Lords have said. The DCMS Select Committee and many of the people who will be looking at these documents do not have the required clearance to scrutinise highly classified evidence, so should the ISC, which does have the necessary security clearance, not have a role? It is the only committee of Parliament that has regular access to documents marked “information sensitive for national security reasons”.
I am sure that many of us simply do not understand that when you look at the state security threats to the telecommunications infrastructure that have been identified by the Government, the level of clearance will not be official-sensitive, STRAP 1 or STRAP 2, it will be STRAP 3. No one in this Committee will see that. Some Members of the Committee may have seen it in the past. So how can Parliament be reassured without knowing that the Intelligence and Security Committee has looked at it? Who has oversight of it? Even the Minister will not have the level of clearance to see all of it, yet she will tell the Committee that Parliament has oversight of these matters, when none of us—or very few of us—have the security clearance to actually look at and scrutinise those threats. So how will Parliament scrutinise it if we do not have the security clearance to do that? It is logically inconsistent. Yet time and again, the Government refuse to allow the committee set up with that express purpose—namely, the Intelligence and Security Committee—the function that it was set up to do on behalf of Parliament. With respect, I simply do not understand why the Government are so resistant to that. On many of the other things that we mention, there is a debate and opinions are exchanged. But this is completely and utterly illogical.
I ask the Committee to consider this. Given that the level of security clearance needed to protect our country, its telecommunications structure and that of our allies from the threats posed by other states is above that of the vast majority of Ministers of the Crown, Members of the House of Lords and civil servants, who is to scrutinise these matters if not the Intelligence and Security Committee? I fail to understand what the answer to that is. Parliament deserves to scrutinise these matters and it should be done by the committee set up to do that because it is the only committee of Parliament that has the necessary security clearance. I beg to move.
My Lords, the noble Lord, Lord Coaker, has summed up an important recurring theme that was raised at Second Reading. The Government should take this very seriously indeed.
Oversight by a body with top-level security clearance is essential. I certainly would sleep safer if I knew this was happening. Part of this comes from the Minister’s reply when I started to query the status of Ofcom and its relationship to the Civil Service department. I gather that the relationship of Ofcom is similar to that of an agency—if it is not actually set up as an agency; it is set up as a regulatory body, I think. I remember the huge problem—debacle would be a better word—when Defra failed to bring in the new mapping system back when we were changing the way of paying farmers. Everyone knew that it was about to be disastrous. Everyone could see the train crash coming. The Minister could not do anything about it except stand at the Dispatch Box and say, “I’m not allowed to interfere. It is a separate company. We can only call it to account at the end of the year.” As a result, when it all went pear-shaped and farmers suffered disastrous and severe financial problems, the Minister was retired—and it was not any fault of his. He knew perfectly well what was going on but had no power under the structure.
This is my problem with the agency structure that was set up, I think under Mrs Thatcher, when she was trying to cut back the Civil Service so she took things off the Civil Service books to make the figures look better. We have to be very careful when we are handing huge powers or these momentous decisions to an agency. Therefore, it is important that we get into the Bill mechanisms by which we can know what is going on at the time and make sure that it is not going wrong. This oversight, certainly by the Intelligence and Security Committee, is essential—a no-brainer.
I will just mention that the same principle applies in Amendment 29 in the names of the noble Lords, Lord Clement-Jones and Lord Fox, which I did not put my name to because I thought that was unnecessary. Exactly the same thing applies to the Investigatory Powers Commissioner. Rather than me wasting time speaking again, I will say it now: please will the Government start looking at this more seriously?
My Lords, I move the amendment in my name and thank the noble Lords, Lord Fox and Lord Alton—he could not join us today—for their support.
The amendment is about ensuring that the intent of the Bill can be delivered, and the measures that we are all in favour of will actually happen. There is therefore a link to the earlier debates. Throughout these debates it has become clear that diversity of suppliers is needed at different points of the chain, with sufficient support for the UK’s own start-ups. That will be the only way in which we can secure proper telecoms security.
Even the Government’s 5G diversification strategy demonstrates how diversification and security are inherently linked. It states that if the status quo remains with market consolidation, it will lead to
“an intolerable security and resilience risk”.
However, as was said clearly in earlier debates, the Bill does not even mention supply-chain diversification or the diversification strategy, even though we would all agree that we cannot have a robust and secure network with only two service providers—Ericsson and Nokia—which is the number that will be left once Huawei is removed from our networks. I hope that the noble Baroness the Minister will have the opportunity to address that concern.
It is of course right to remove high-risk vendors from the UK’s networks and enable the Government to designate vendors and require telecoms operators to comply with security requirements. However, as seems obvious, our networks will not be secure if the supply chain is not diversified. All that will happen is that there will be a shift of dependency to another point of failure.
Therefore, the amendment requires that network diversification is reported on annually. That can include an assessment of likely changes of ownership of existing market players, new areas of market consolidation and available public funding. The report could also provide proper accountability for the strategy’s progress, which will lead to real action. That is what we need. We know that that was called for by the Science and Technology Committee, which criticised the current diversification strategy for not having an action plan with clear targets and timeframes for how that funding will be spent.
The Minister will expect a question on how the announced £250 million funding will be spent. We all know that there are small start-up suppliers in this sphere which are desperate for this kind of support. I should also refer to the new advisory council, which, as she knows, I will come to in a later group. There are many unanswered questions about the adequacy and independence of its advice.
We cannot have a secure network with only two service providers, which is what we will effectively be left with after the removal of Huawei. So we need a diversified supply chain, which means diversity of supply at different points in the supply chain and networks not sharing the same vulnerability of a particular supplier. That is incredibly important for network resilience. That is why the amendment has been tabled. We are concerned to ensure that national security is not put at risk due to a lack of diversification. I beg to move.
My Lords, this point is very important and has been put across very well by the noble Baroness, Lady Merron. Network diversification will increase resilience and security for various very obvious reasons. The main thing is not just the supply chain. How the internet works is that messages are split over a whole lot of different routers going all over the place. Two things happen. First, because it is split up, if they are all going across different vendors, it is impossible to intercept the entirety of the messages. If it is all over one vendor and there is a clever way of monitoring that, it might be possible to put it together. Funnily enough, if you have lots of vendors, it does not matter whether Huawei is in there or not, and you will end up with flaws.
Also, the resilience of the internet is such that if you knock out a good chunk of the routers, it will still work and automatically route around the ones that have not been knocked out. If they are all from one vendor and all have the same flaw in them at some point, whether they are friendly vendors or not, you can take the whole lot out at once. The very fact that you have a good mixture gives you greater resilience and security. Everyone seems to think that it still runs over a copper wire from one end to the other, but it does not. The IP world is very different from that. That is the main thing.
Amendment 20 is also about long-term strategy. My noble and gallant friend Lord Stirrup is right about all these things. Although the amendments are not in this group, I might as well say now, rather than waste the Committee’s time later, that this lies with the principle of Amendments 18 and 25, that we need the right advisers, who can then advise on the issues that we are now discussing in Amendment 24. It all hangs together. We should not be chopping this up and structuring the Bill in a way that makes us vulnerable.
We may think that we have got the right people in, but we have clearly failed to do all this so far. This is the place to rectify our blindness. From the Minister’s comment, I think that the major change is the diversification and proliferation of civil service departments that are involved in security. That really does reduce our security. The lack of coherence will cause confusion like nobody’s business and will be very expensive.
My Lords, I support Amendment 24, tabled by the noble Baroness, Lady Merron, which adds a new clause to the Bill that would tackle the pressing issue of network diversification.
As we have heard, the amendment places a duty on the Secretary of State to produce an annual report to Parliament on the progress that has been made in diversifying suppliers for our critical infrastructure in our telecommunications networks and services. The report would then be debated in the other place, ensuring that there is sufficient parliamentary oversight of the successes, challenges and opportunities of our diversification strategy. As I think about it, I am not sure why the Government would not want to commit to such an undertaking. As we have already heard this afternoon, the diversification of our telecoms networks needs to be a priority for this Government and an integral part of Ofcom’s reporting on the progress of these networks.
However, it is important to note that we have a Government who understand the seriousness of this issue. Indeed, the Secretary of State told the other place on 30 November 2020:
“We must never find ourselves in this position again. Over the last few decades, countless countries across the world have become over-reliant on too few vendors”.—[Official Report, Commons, 30/11/20; col. 75.]
This should never have been allowed to happen, and as I have mentioned, I fear that without the adequate parliamentary oversight that this amendment could give us, it is at risk of happening again.
Despite the reassuring statements from the Foreign Secretary, as highlighted in Tuesday’s Committee by the noble Lord, Lord Alton, we have seen new vendors come to market that are also high risk. The noble Lord said:
“Last week, we learned that, in a deal estimated to be worth £63 million … the UK’s largest producer of semiconductors … has been acquired by the Chinese-owned manufacturer Nexperia. Nexperia is a Dutch firm but is owned by China’s Wingtech.”—[Official Report, Lords, 13/7/21; col. GC 461.]
On Wednesday, this led to the Prime Minister expressing concern after the Business Secretary had said that the Government were monitoring the situation closely but did not consider it appropriate to intervene at the current time.
This new challenge is set against the backdrop of the noble Lord, Lord Grimstone, who is at the Department for International Trade, telling the House that he wants to deepen trading relations and trade deals with China, and of China having just overtaken Germany to become the UK’s biggest single import market for the first time since records began. Goods imported from China rose 66% from the start of 2018 to nearly £17 billion in the first quarter of this year.
(3 years, 5 months ago)
Grand Committee
My Lords, I apologise to my colleagues that I was not able to speak at Second Reading. I am quite clear, as I suspect we all are, that the security of the UK’s telecoms infrastructure is vital. Sadly, we come pretty late to the scene. The expansion of 5G and full-fibre broadband should have happened years ago, so this is not before time.
I read economics at Cambridge and looked at a number of aspects of economic expansion there, particularly in relation to business sectors. It is all very well saying that we will try to prevent the supply chain to the UK network being dependent on a limited number of suppliers. That may be a good idea in theory, but I just reflect that we have a national grid which is every bit as important as 5G; we have one or two aircraft manufacturers, and we have a couple of shipyards, so I just wonder whether there are a whole lot of suppliers out there for the telecoms world—there will be others who are better qualified than me to judge that. However, it is clear that we need to identify areas of risk, and Huawei is clearly one of them.
I would just ask a couple of simple questions. The noble Baroness, Lady Northover, mentioned Five Eyes. Is there a co-ordinating structure for Five Eyes in relation to this particular structure? If so, where is it based, what is our contribution to it and who exactly is doing it?
Some of our colleagues may have read the recent trading standards report that has just come out—I read it only last evening. A massive number of scams is happening at this point in time and we are dealing with the trouble they cause.
Amendment 20 refers to
“a specified country or … sources connected with a specified country, including by ownership or investment”.
I have worked overseas, including in a fair number of countries in south Asia such as Pakistan, India and Sri Lanka, so I ask: who on the ground will actually be doing the work? Quite frankly, I know of nobody in any of our high commissions capable of doing that sort of analysis. Do we have a floating investigatory system? How are we going to judge the evidence properly?
On Amendment 27, we need to take care, clearly, but we must recognise that there may be a valid opportunity in a company that has upset the host Government. You and I would not know the situation, but we should be aware of that fact.
I am a bit sceptical about the security check. I made a freedom of information inquiry—it was nothing to do with telecoms—and, at the end of the day, the reason given for not producing all the evidence following my FoI request was the security of the country. It was never explained in words of one syllable—or indeed in any syllables at all—what aspect of my inquiry would affect the security of the UK. I would like to know this from the Minister: are we relying on Five Eyes or are we relying on Ofcom? Who is it specifically that will be doing this analysis?
My Lords, I want to say a few words on this. It is highly relevant that we keep a close eye, but on all vendors, including the ones that may seem okay at any given moment—the world keeps changing. I am not an apologist for, and nor do I wish to promote, China in any way whatever, but it happens to be there and it happens to have ripped off a lot of Cisco stuff a few years back and improved it. The Japanese did this to our cars, many years ago—nothing changes.
The real problem is that we do not manufacture this sort of stuff here; some of it is manufactured in Europe, and of course we are no longer part of that, but does that matter anyway? We are reliant for the supply of all this electronic equipment, and the components—such as chips, which I mention specifically—on China and many other places. The Americans also rely on China to manufacture components which they then put in their equipment. We had a security compromise a few years ago, when compromised components were put into some Cisco equipment. It is more complex than trying to ban one company or one country. But there are not many alternatives for us here, and that is the real problem. We need to get some home-grown stuff going and we need to get it done very quickly if we want to be really secure.
What are we going to do about it? The thing that worries me is that you cannot assume that your allies are always your friends in everything. We have to be particularly careful of being dragged into a trade war under the cover of security or defence—and this does happen. The cost of this whole thing is not so much that Huawei will try to cause us problems in some way unknown if we remove it from our system completely; there is the other side of it. If its technology is working and is better, and we can make sure in various ways that we are secure against what Huawei might do, its technology might get us to where we need to be in an internet world a lot quicker. I notice that we have already delayed quite substantially the rollout of broadband everywhere and 5G—everything seems to be stalling because of these rows, which to me are trade rows.
I fully understand the points of the noble Lord, Lord Alton, about supporting regimes that are doing appalling things around the world. The trouble is that there are an awful lot of them. Take the situation he mentioned, to do with cameras. It is actually the software that does the facial recognition, not the camera; it is purely a bit of hardware that takes a very good, high-quality photograph, and there are many alternatives to it. Who is supplying that facial recognition software? That is where I would really target, and I would bet it is China. If there are bits that are useful to us, we need to use them. We need to stay in the world and we need to get ahead. We are not ahead and we are going to drop behind more and more.
The other difficult thing about picking a fight with China is that, if we are really going to go net zero and start going all electric in the next few years, lithium supplies and processing are from China. There is already a shortage of chips and other things in the automotive industry; I am sorry, but we are reliant on an intertwined global supply chain which stretches all over the place. We must be very careful about singling out one country, but we are—and that is why the amendment is useful. We must have something that says that we are keeping a proper eye on the whole lot of them.
My Lords, I rather agree with the noble Lord, Lord Clement-Jones, on this matter. The Bill is meant to be about security, not about “anything”. I have seen this happen with other legislation—that it suddenly becomes convenient to take something never intended for another purpose and, because it is very broadly worded, use it to beat some company or someone over the head over something completely unrelated. I am afraid that I agree that the Bill needs to be tightened up and brought down to security issues, not just “anything”.
For starters, a powerful, predominant supplier of routing equipment in the IP network would be a security risk. If anyone relies too much on one supplier—and they may unfortunately be pushed in that direction—it becomes a security risk, and we may have to close down some providers: “Oh dear, that’s our network finished”. That would be stupid. We are going to be anti certain companies. Companies get based or controlled elsewhere as takeovers happen internationally, so I see a certain amount of difficulty with this if it is very wide.
I come to what the noble Lord, Lord Fox, said. The reason we lost our manufacturing, of course, was that BT selected Huawei as the preferred supplier of the 21st-century network rewrite in 2005. That is the point at which we closed down our capability, effectively being blackmailed by America to get rid of Huawei while potentially blackmailed by Huawei, which could get too much control. We need to look at these strategic decisions where private companies that used to be government suddenly make companies that affect UK security. I have never been happy about that.
My Lords, in response to the noble Earl, Lord Erroll, I say that it is also a huge issue when you have, essentially, a near-monopolistic private sector supplier, which makes any decision completely catastrophic for the under-bidder. I am speaking not to that but to Amendments 2, 3, 4, 5 and 6, which, as my noble friend Lord Clement-Jones pointed out, bear my name. He set out a very clear rationale for these amendments, which back up the concerns of the Constitution Committee and, indeed, some suppliers. Rather than reiterate those, I beg noble Lords’ indulgence to illustrate the point, inviting them to join me in a thought experiment. They need not worry—it is not going to hurt and I will not be pushing them into a Petri dish or anything like that. I simply ask your Lordships to imagine things the other way around: imagine that the Telecommunications (Security) Bill did indeed include the words currently proposed by my noble friend Lord Clement-Jones and myself, words that clearly identify that the focus of the Bill should be on the security of telecoms.
I ask noble Lords to continue to use their imagination that it was my noble friend and I who were proposing changes to include the words that are currently there; in other words, imagine that we were proposing to take the word “security” from this imaginary Bill and turn it into “anything”. Broadening the cover, as we have heard, would broaden the problem around any interruption very widely. I do not know but I dare say that, if we tried to do that, the Public Bill Office would have something to say, pointing to the Long Title of the Bill, which is:
“To make provision about the security of public electronic communications networks and public electronic communications services”
—in other words, security. Were we to try to take that word out and put in “anything”, I dare say the PBO would not allow us to do so.
If we did however slip it past the PBO, I guarantee that the Minister of the day would tell us that this would subvert the Bill’s intention and would take away the Bill’s focus from security to some of the imaginary things that the noble Lord opposite suggested—or, indeed, a digger backing into a green box somewhere in Kent. This is not the “Telecoms (Mishaps) Bill” but the Telecommunications (Security) Bill. These simple and modest amendments focus the Bill on its stated objective.
My Lords, I am sorry that the noble Lord, Lord Clement-Jones, does not like my analogy of flying. I just remind him of a recent series of Boeing airliners that crashed with a huge loss of life when the security of flying was overridden by a piece of machinery. I stick by my analogy but I will not progress that any further in relation to these amendments.
The Bill says clearly:
“publish the code; and … lay a copy of the code before Parliament.”
However, it does not allow Parliament by right to debate that code and any amendments that come. This is a fast-moving market, as we all know. New opportunities have come up that will have a security dimension to them. There will be new developments, I hope, from our own technical universities so there must be some provision for the expertise that both the House of Commons and the House of Lords have within them to debate. Those of us who have been in Parliament for a few decades know that quite often there are unusual people who have a particular niche that they know something about. That is the benefit of the experience of Parliament.
I agree with the noble Lord that it ought to be done on the affirmative procedure. I sat in the chair for five years during the passage of all the Maastricht and other Bills and there are certain areas where it is absolutely crucial that it should be done by affirmative resolution. Therefore I certainly support that dimension.
My Lords, I can see that it might be useful to avoid scrutiny sometimes when we have to finesse difficult issues—say, balancing effectiveness and public perception of certain other issues, or whatever. We can also end up with an awful lot of SIs in front of both Houses and everyone feeling rather swamped and bored by them and no one really doing anything about them. The trouble is that we get more and more wide-ranging powers in Bills, and this is a particular example of it. The more we do that, the more careful we have to be about the secondary legislation, because that is where the devil resides and that is where the real control is. We have just passed something that enables a takeover by the Executive. In some cases that may be a good thing; in others it could be very dangerous. To be honest, because of the huge, general issues in these Bills, I now come down in favour of the affirmative procedure. We are going to have to scrutinise it.
My Lords, harmony is breaking out across the Room, with the possible exception of the Minister. I will not reiterate my noble friend’s well-put argument but I refer the Minister—I am sure she has already read it—to the impact assessment. I am increasingly of the opinion that the single most useful document that comes with the publishing of a Bill is not the Explanatory Notes but the impact assessment. The department is to be congratulated on the quality of the one produced in this case.
Page 30 of the impact assessment covers the monetised and non-monetised costs of this. At the front of the assessment there is a number. However, point 6.1 says:
“This impact assessment makes an estimation of the costs and benefits of the options”.
It says it brings together “a number of sources” and notes that there are “limitations to the analysis”. The first is the
“lack of robust and specific data”—
that is a fairly serious limitation—
“for example on UK telecoms market size and the size of specific sub-markets”.
Therefore, the number on the front is based simply on—obviously, well-intentioned—estimates of the telecoms market. Furthermore, the costs are quantified based on equipment costs. They are not based on the friction of running a network under the constraints of this Bill, which is itself a glaring error in how one looks at the cost of this Bill in terms of impact.
It is not just about the cost and replacement of equipment—it is about the draft regulations to which my noble friend Lord Clement-Jones referred. They cover all aspects of the operation of the networks in this country. We are looking at a situation in which, if the Minister so chose, the regulations could be made and implemented such that the Minister ran the networks by remote control from the department. That is why these safeguards, parliamentary scrutiny and the affirmative process are an important safeguard to prevent attention—not, I am sure, from this Minister or this Secretary of State, who I am sure can be trusted with these regulations, but we do not know who will follow or what their intentions will be.
As the noble Earl, Lord Erroll, wisely said, to hand over these powers without simultaneously taking significant powers of scrutiny of the statutory instruments that will inevitably follow is the wrong way in which to pass a Bill in your Lordships’ House. For these reasons, along with the huge uncertainty of the cost of what we are doing here, I commend my noble friend’s amendments.
My Lords, I hope I am demonstrating the agility of which the Minister is so fond. As I said earlier in respect of the judicial commissioner, these amendments provide a ready-made mechanism for oversight concerning the proportionality and appropriateness of any measures in the regulations and codes. Taken together, Amendments 9 and 19 would require the Secretary of State to take into account the advice of the technical advisory board—and insert a new clause after Clause 14—and that of a judicial commissioner appointed under the 2016 Act. We have gone a little further in specifying the make-up of the technical advisory board, but we are clearly on the same page as the noble Baroness, Lady Merron, with her Amendment 8.
My Lords, I want to speak on this issue as I remember mentioning it at Second Reading. There is a person for whom I have huge respect, Dr Louise Bennett, whose extensive knowledge and sagacity I first ran into when we were talking about ID cards years ago and the whole problem of digital identity and privacy over the internet. If you really want to know about such things, read her work: she has produced a lot of work on this. I think a technical advisory board is essential: these are complex issues. The Minister said that the matters subject to regulation will be technical. I do not see how we can do this without a good technical advisory board, and it is good if we have some view of who goes on it, because it is too easy for these things to disappear off and no one thinks about them. We will keep needing cutting-edge advice and not have groupthink, and these matters are very tricky.
Between Amendments 8 and 9, I could not decide between taking “the utmost” and “full” account; there is a neat little difference in the wording. Otherwise, the point about laying it out properly is important. The other thing, which slightly goes back to our previous debate, is that we get into the whole problem of what are regulations, what is guidance, what are guidelines and what is a code of practice and the different legal stance of those different things. We have to be careful about using them as if they were interchangeable. Regulations will often give rise to a code of practice, breach of which is not necessarily an offence, but they can be linked back to a primary Act offence. We should not bandy those words around interchangeably; they are different. We need a technical advisory board and, between these amendments, we should do something about it.
My Lords, in its evidence to the Bill in the Commons, BT said:
“we believe greater clarity is needed on OFCOM’s planned approach, with safeguards introduced in the Bill to ensure operator burdens are proportionate.”
Amendment 10 seeks to ensure that codes of practice are necessary and proportionate.
As regards Ofcom’s new powers to ensure compliance with security duties as set out in new Section 105M, how will these relate to Ofcom’s existing powers and duties under Sections 3 and 6 of the Communications Act 2003? Will this duty and the new powers Ofcom is being given still be subject to good regulatory practice so that, for example, it still must have regard to the principles of transparency, accountability, proportionality and consistency and not impose unnecessary burdens? How will this fit in with the statement to be made by Ofcom under new Section 105Y?
Amendments 16, 17 and 21 to Clauses 5, 6 and 19, in my name and that of my noble friend Lord Fox, seek to ensure that the new powers for Ofcom introduced in the Bill are subject to requirements in the 2003 Act regarding carrying out and reviewing its functions. I was pleased that in her letter to noble Lords after Second Reading, the Minister explicitly said:
“When carrying out its security functions, Ofcom will remain bound by its general duties under Section 3 of the Communications Act 2003 as it is now. Section 3(3) provides a duty on Ofcom to have regard to the need for transparency, accountability and proportionality when carrying out its functions. Ofcom will also be bound by its duty under Section 6 of the Communications Act 2003 to review the burden of its regulation on public telecoms providers. If Ofcom fails to carry out its security functions in line with these duties, then it is likely to be subject to legal challenge.”
I very much appreciate those words, which are a very clear interpretation of the existing Act and the duties of Ofcom and the responsibilities it has in the way that it carries them out. Will the Minister repeat that assurance today?
My Lords, I want to say a few words on this because the key words “undue burden” stand out. It is very important that we do not put too many burdens, particularly unnecessary ones, on companies. In particular—and this is something that I have often looked at because I have done a lot of work with innovative and growing companies—you must not let large corporations stifle innovation. There is an attitude among them that regulations are for your enemies; they are a very good way of stopping up-and-coming competition. I have also noticed that departments tend to consult the companies which have significant market presence already and see them as being the people who know all about it. However, that does not take account of what is up and coming. The other thing is that they often have people on secondment from them or people who have retired from the companies and gone into the departments, so there can be some interesting biases within. With those few warnings, I think the whole undue burden issue is more important than people might think.
The undue burden point touched on by the noble Earl, Lord Erroll, is really important. On a previous group I spoke about regulatory friction and the fact that this has not been costed into the impact assessment. Clearly, regulatory friction is harder for smaller companies to deal with than larger companies. I think that is the point that the noble Earl was making. It is one that I would also join up.
We should also not confuse lots of regulations with security. The whole point about people who wish to subvert security is that they understand the regulations and go round them. Indeed, sometimes regulations are a guidebook for security, in a sense, because they show the map around which you seek to find the chinks.
The point in the impact assessment about making the networks value security is right. On that, I completely agree with the Government. I am not sure that some of the measures in the Bill actually do that; what they do is create a regulatory load without necessarily adding value. Some of the measures that we spoke of in the last group of amendments, as well as in this, are about stripping this down to where value is added rather than simply more regulation being loaded up.
One of the great pleasures of speaking after my noble friend Lord Clement-Jones is that he normally says everything better than I would. He simply asked the Minister to repeat what was in the letter and to endorse the 2003 Act. I hope that he is able to grant his wish.
My Lords, I shall speak to Amendments 14 and 15. I wanted to say on the last group of amendments that I entirely agree with the noble Earl, Lord Erroll, about regulation. It is entirely possible for regulation to provide certainty, to stimulate innovation and, in the context of this Bill, to ensure that we have the right framework for our providers to ensure that our security is not compromised. So there is certainly no negativity in that respect towards regulation; the question is whether it is appropriate in the circumstances and not unduly burdensome for those subject to it. That is why the question of parliamentary oversight, which has been mentioned throughout this afternoon, continues to be important, and I think that it will come up again in the next group.
This amendment is on rather a different area. I have quite a lot of sympathy with Amendment 13 in the name of the noble Baroness, Lady Merron, but this is more nuanced than the Bill provides for. I want to quote again from the evidence of BT to the Bill Committee in the Commons. It said:
“We agree with the requirements on operators to support the users of their networks in preventing or mitigating the impact of a potential security compromise … In certain cases”—
and this is a sort of “however”—
“the security of the network may be put at greater risk if potential risks are communicated to stakeholders, providing malicious actors with additional information on potential vulnerabilities in the network that they may seek to exploit. We therefore believe that the Bill should explicitly consider such scenarios and not place obligations on communications providers to inform users of risks whereby doing so it will increase the likelihood of that risk crystallising.”
That is where our first amendment is going. BT further stated that
“the Bill also confers powers on OFCOM to inform others of a security compromise or risk of a compromise, such as the Secretary of State or network users. We understand the intention of the Bill in this regard and support the principle. We believe that this would be most effective when done in conjunction with the operator in question to ensure there is clarity and agreement, where possible, on the timing, audience and messaging of such information provision. This would also ensure that this does not cut across any other obligations that an operator may have, such as market disclosures. The Bill currently does not require OFCOM to consult with the operator prior to informing third parties of a security compromise (or risk of one).”
I think these are fair points. The Government must have an answer before Ofcom is faced with that set of issues. In this light, Amendments 13 and 15 make further provision about the duty to inform users of a risk of security compromise and specify that duties to inform others of “significant risks” of security compromises must be proportionate and not in themselves increase security risks.
My Lords, I put my name down to speak to this because the problem with putting a fixed time period on having to report security breaches is that it very much depends on what the breach is. We mentioned patches earlier. If it is a vulnerability in the software—or it may be the hardware—which requires a patch to be released, you must have the time to produce it and test it as fully as possible. You do not want the hackers out there to know what the vulnerability is until you can roll out the answer to it. That is what zero-day attacks are based on. Equally—the noble Baroness is absolutely correct here—you do not want this stuff swept under a carpet to sit there unused for years. Could our technical advisory board give advice at an incident level, or something like that?
My Lords, this is an interesting and nuanced—to coin a word we used earlier—debate. I am probably the only person here who has had to deal with a national security issue that impacted a consumer brand in real time on television. I must say that 30 days was not an option—30 minutes was not an option. Picking up on the point of the noble Earl, Lord Erroll, the time is entirely dependent on the nature of the crisis or security breach. My fear is that 30 days becomes a target rather than an injunction.
I think the point here is “no burial”. I assure colleagues and others in this Room that our amendments do not intend to bury the issue either, but to introduce some equivocation in the event that not announcing something makes things more secure than announcing them. The point of this is not to protect the reputation or otherwise of the network, but to protect consumers and the integrity and security of the network. That is the decision Ofcom would need to make. That would be its call. Its default position would be that it needs to be communicated to consumers as quickly as is sensible, unless there is a reason not to communicate it, and it would be up to the network providers to put their position forward. However, there are definitely times when it should not be communicated. At the moment the Bill seems rather unequivocal in its approach.
My Lords, we know how it is when you are on a roll. This reminds me that it is very unusual for somebody to have the opportunity to get in before the noble Lord, Lord Fox, draws breath, as the Chair did. “Very impressive footwork,” I thought to myself.
There has been a common theme this afternoon of a lack of oversight over aspects of this Bill in many respects—in particular, the regulations and codes. This lack of oversight is compounded by the fact that, under Clause 13, any appeal to the Competition Appeal Tribunal cannot take account of the merits of a case against the Secretary of State. The rationale for this, as the Constitution Committee says,
“is unclear and is not justified in the Explanatory Notes.”
I will quote the Explanatory Notes in full. Clause 13 provides that, in appeals against relevant “security-related” Ofcom decisions, the Competition Appeal Tribunal is to apply ordinary “judicial review principles”, notwithstanding any retained case law or retained general principle of “EU law”—by that they of course mean retained EU law. This means that the tribunal should not “adopt a modified approach” to proceedings, as required under retained EU law, which provides that the “merits of the case” must be “duly taken in account”.
Therefore, this provision disapplies aspects of the ongoing effect and supremacy of retained EU law, as permitted by Section 7 of the European Union (Withdrawal) Act 2018. The rationale for reducing the powers of the tribunal in respect of security matters is unclear and not justified in the Explanatory Notes. The House may wish to ask the Government to justify reducing the powers of the Competition Appeal Tribunal in respect of appeals under Clause 13. That is the motive behind this clause stand part debate.
The most authoritative judgment to date about the current standard of review is the Competition Appeal Tribunal’s TalkTalk Telecom Group plc and Vodafone Ltd v Office of Communications case. This addresses, inter alia, the standard of review on an appeal to the Competition Appeal Tribunal under Section 192 of the Communications Act. The judgment of Peter Freeman QC provides a good analysis of the context and history of the changes to the standard of review. I make no apology for quoting it at some length:
“Of particular relevance to how the Tribunal should approach this appeal are Article 4(1) of the Framework Directive and section 194A of the 2003 Act, as amended by the DEA17 … Article 4(1) provides: ‘Member States shall ensure that effective mechanisms exist at national level under which any user or undertaking providing electronic communications networks and/or services who is affected by a decision of a national regulatory authority has the right of appeal against the decision to an appeal body that is independent of the parties involved. This body, which may be a court, shall have the appropriate expertise available to it to enable it to carry out its functions. Member States”—
this is the key bit—
“shall ensure that the merits of the case are duly taken into account and that there is an effective appeal mechanism…’ … Section 194A provides: ‘The Tribunal must decide the appeal, by reference to the grounds of appeal set out in the notice of appeal, by applying the same principles as would be applied by a court on an application for judicial review.’ … The combined effect of these provisions is to require the Tribunal to apply the same principles as would apply in a judicial review case but also to ensure that the merits of the case are duly taken into account so that there is an effective appeal.”
At paragraph 139, the judgment concludes:
“Given that Article 4(1) continues to apply, it would appear that, in accordance with the Court of Appeal’s view in BT v Ofcom and the High Court’s view in Hutchison 3G, as set out helpfully by the Tribunal in the recent Virgin Media judgment, we should continue, as before, to scrutinise the Decision for procedural unfairness, illegality and unreasonableness but, in addition, we should form our own assessment of whether the Decision was ‘wrong’ after considering the merits of the case.”
“Article 4(1)” refers to the now-repealed framework directive. It should now be read as referring to Article 31(1) of the European Electronic Communications Code—the EECC. The transposition deadline of the EECC was just before the end of the transition period and is therefore currently binding as part of retained EU law. The wording of the EECC is almost exactly the same as the framework directive in respect of appeals.
That is what will continue to apply across the remainder of the Communications Act for other appeals under Section 192 but is being changed by Clause 13 of the Bill, which amends Section 194A of the Communications Act in respect of security provisions. This is a very significant change to the appeals procedure in security cases. There is a single bald paragraph in the Explanatory Notes, no justification is given—as the Constitution Committee says—and neither is there any evidence of why it is necessary. What evidence does the Minister in fact have of the need to make this major change in respect of security decisions made by Ofcom? I beg to move.
My Lords, I saw this and thought that I really did not understand why the Government were doing it. I saw what the Constitution Committee had said and realised that it did not understand why it was needed. I cannot believe that you can have a proper appeal if you ignore the merits of the case. I probably have an overdeveloped sense of justice and I think that to have an appeal where you are not allowed to present half the case or whatever is not a proper appeal. In fact, what you find is that the system can use procedural things to run rings around people who have a very justifiable complaint about something. I did not like the look of it and I entirely agree with everything that the noble Lord, Lord Clement-Jones, said.
My Lords, I am not going to attempt to outlawyer my noble friend Lord Clement-Jones. I may not be a lawyer, but I am suspicious or, indeed, perhaps ultra-suspicious. What is the department seeking to avoid by removing what would seem to be natural justice from this process? What are the Government seeking to protect themselves from in advance? Who are they frightened of?
I do not think I know the answers to these questions, but I know that there is someone or something there that the department is seeking to avoid in advance. For those reasons, we should be extraordinarily suspicious, just as suspicious as I am. I ask the Minister: what is the justification? What are the Government scared of?
(3 years, 5 months ago)
Lords Chamber
My Lords, this Bill is generally welcomed and very well intentioned, but it really lacks any effective parliamentary or judicial oversight, as has been quite forcefully pointed out. I agree with everything the noble Lord, Lord West, said on this issue. We should use the ISC for this. As regards the excuse that designating a vendor or something might leak too early, it will leak anyway—something as big as that will be all over the place in five minutes.
This is not without cost and pain, and we are already seeing it. The Government have already revised their target for rolling out full fibre from 100% coverage to only 85% by 2025. The disruption caused by a rule to, say, extract Huawei or anything from the network has far-reaching consequences. After all, way back at the end of the 1990s, I think, we gave the contract for redoing the BT 21st Century Network to Huawei and not Marconi. We bankrupted a British company and gave it to China. That decision was taken a long time ago, so it is embedded in all our ordinary telecoms at the moment—not 5G, but the ordinary stuff that our telecoms are running over. We must be careful about this revising down of our targets, because it will affect our global competitiveness. We must be careful not to cut off our nose to spite our face. It is very easy to take a high moral stand, but at the end of the day we also have to survive on the global stage.
What this Bill does may be very effective for blocking foreign access, in trying to ring-fence the UK, but we could also create a single point of failure if we are not careful. There are not many suppliers of equipment of the type that will run the backbone of the internet. We are basically talking about Cisco and Huawei; Samsung also has a whole load of stuff out there; there are a whole lot of others—such as Nokia, Juniper and Hewlett Packard Enterprise—but nothing is quite as big as Cisco and Huawei. One of our problems is knowing whether Cisco is okay; some of its components, such as motherboards and other things, are manufactured in China. With the global supply chain, it is not as simple as it seems.
The second thing that worries me is this assumption that, just because we do not have Chinese equipment in the UK network, we are safe. First, China is not necessarily the only one interested in what we get up to; when you get into trade wars, many people who may appear to be our allies are maybe not on our side entirely when we are negotiating international contracts, so we should be careful of that. The other thing is that, if we create a monolith with one supplier—it does not matter who it does not include—it is vulnerable. The way the internet works at the moment is that, if you have multiple suppliers sitting in Britain, it does not matter whether they are hostile or not. Routing over the internet is inherently vulnerable because of the way it is constructed. However, it splits your message up into lots of packets that go over different routes. If they are going through lots of different people’s equipment, it is impossible for any of them to get the whole message; if it is all with one supplier, there might be technical ways they could do it. Funnily enough, one of the better security solutions is to mix them all together and keep it that way.
Next, there is a lot about trying to have the right rules and regulations and all that, but ensuring best practice cannot guarantee network security. Our current communications network has grown like Topsy; it is a mixture and mishmash of digital infrastructures all sitting on top of a whole lot of analogue stuff. It is very complex, with lots of ill-defined interfaces sitting in there. If you are going to start ripping some of it out and say that we have to do it by a deadline, you need to know what is there before you do it. This means we will have to maintain very accurate and secure databases—otherwise that is a vulnerability—probably down to component level, but certainly batch level, of what is in there, so that if you suddenly discover a vulnerability somewhere, you can get the other stuff out as well. We must do this categorisation of our assets in the network. That in itself is a security risk because it is very interesting to a foreign supplier, so that part of it is very difficult.
As for Ofcom—I am interested in this—we need some further clarity on how it will interpret the legislation, impose penalties and all the bits and pieces like that. The manner in which it develops its role as regulator will be vital for it to be a success, and how it decides what the significant risks are will be very important. On my noble friend Lord Vaux’s point, I have been told by someone that Ofcom’s reach could be extended because the legislation is very generally written to cover services—for instance, they were talking about banking fraud—and public electronic systems. In fact, it could drag in non-telcos, because they are services. It is not just about the hardware and equipment behind it, though it all started off with Huawei. There is a lack of clarity.
Someone had a very good idea, which has been adopted for some fintech stuff, that we could maybe have sandpits, where new entrants to the market could develop new stuff—new equipment, et cetera—and try out their ideas in a realistic environment to make sure that they are okay and will work before they put them into the network, if it is a secure network. I think that is a very good idea. Another very good idea put to me is that we should have the assistance of an independent commissioner and a technical panel overseen by Parliament and the judiciary. It is needed here. This model is used by the ICO and would probably be very helpful, so I would like it considered.
(4 years ago)
Lords Chamber
My Lords, this is only part of a patchwork of regulation and legislation around online harms—very sadly, we do not have the online harms Bill yet. This regulation highlights the whole problem of the UK having jurisdiction over foreign-domiciled—housed or homed overseas—companies. Companies outside the EU can completely dodge it: it does not cover them at all. The noble Lord, Lord Clement-Jones, mentioned the Digital Economy Act. We put a lot of thought, in Part 3 of that Act, into how we could still exert some degree of serious influence over such foreign companies. There was some stuff in there to allow us to ask payment providers, who all rely on getting money, to refuse payments on behalf of things that have breached UK law. I think that is quite a good mechanism, because we have to hit people in the pocket, otherwise they will just get around it.
A lot of this will come down to age-checking; we need a robust, Government-approved age-checking methodology. It is essential to doing anything and moving forwards. That became apparent after the BBFC failed to do anything effectively, although there was British Standard guidance in place to do it. International regulators will need it too; I know the EU and others are very interested in what we are doing in this space. We also need it for other online harms such as purchasing knives, alcohol, corrosive substances and many other things.
It would cost the BSI about £90,000 to take PAS 1296 to a proper, full specification. That could then be used by certification bodies to certify companies’ websites and age-verification providers against a standard. It would also be written in such a way as to be a seed document for an ISO standard, and can then go straight on to becoming—without further cost—an international standard to be used by EU and international regulators in the same way. They could therefore co-operate more easily, particularly if they decided to act against organisations delivering online material to the UK and their own jurisdictions, because they would all have the same concerns about the young.
Four government bodies should take a serious interest in this. Though DCMS is responsible at the moment, and has offered a small amount towards this, the Home Office, the ICO and Ofcom should all contribute a reasonable amount as well, not just pittances. They should put some money into it and probably also have representation on the BSI steering group, so that they back it properly and state so publicly for a change. The Age Verification Providers Association has already promised money, and we can draw in more industry people if the Government support it.
(4 years, 7 months ago)
Lords Chamber
We believe that our online harms proposals will deliver a much higher level of protection for children, as is absolutely appropriate. We expect companies to use a proportionate range of tools, including age-assurance and age-verification technologies, to prevent children accessing inappropriate behaviour, whether that be via a website or social media.
May I too push the Government to use the design code to cover the content of publicly accessible parts of pornographic websites, since the Government are not implementing Part 3 of the Digital Economy Act to protect children? Any online harms Act will be a long time in becoming effective, and such sites are highly attractive to young teenagers.
We agree absolutely about the importance of protecting young children online and that is why we are aiming to have the most ambitious online harms legislation in the world. My right honourable friend the Secretary of State and the Minister for Digital and Culture meet representatives of the industry regularly to urge them to improve their actions in this area.
(5 years, 2 months ago)
Lords Chamber
The noble Lord is right that children are exposed to harmful pornography every day. I heard a statistic recently that half a million images are uploaded on to social media, I think, on a daily basis. If that is wrong, we will correct it. Shocking things are going on. The noble Lord will be aware that the original Digital Economy Act did not cover social media, so we really hope that this will be more comprehensive. We are doing a number of things in the meantime, such as sex and relationships education—helping children understand the impact of pornography—and we hope to introduce soon the age-appropriate design code, which was included in the Data Protection Act thanks to the noble Baroness, Lady Kidron.
Why is DCMS against protecting children from absorbing unsavoury sexual practices at a formative age? I do not understand why it wants to delay so much. Most adult websites are onside for doing something and adopting age-verification controls, as long as rivals are compelled to do so as well. There has been a lot of publicity about this in that world, I am assured. Over a year ago, I chaired BSI Publicly Available Specification 1296 on how to do this anonymously and check anyone’s age online, so it can also be used for other child-protection issues. It also worked with the Home Office online harms issues. It will protect people’s privacy, which is what everyone is worrying about. The Home Office is not charged with our children’s mental health. Equally, DCMS is not charged with data protection, which is what the BBFC has gone and done; that is the job of the ICO. We can sort all this out. The stuff is there; you just need to implement it. The other real problem—
Okay, right. The question was right at the start. Several AV providers have spent a lot of money on implementing this and getting it all ready to go. Who is going to compensate them? A lot of money has been spent to get this ready in time.
I refute as firmly as possible any idea that DCMS is against protecting children; clearly, that could not be further from the truth. On the work that I know the noble Earl has done in relation to introducing more digital ways of establishing age verification, we are working actively with the industry on that and absolutely recognise the potential role that technology can play. Those costs are not wasted, because age verification will clearly be part of any solution going forward.