Telecommunications (Security) Bill Debate
Lord Fox (Liberal Democrat - Life peer)
(3 years, 5 months ago)
Grand Committee
This is an interesting debate—one that we started about a year ago. During the summer, on the then Telecommunications Infrastructure (Leasehold Property) Bill, many of these arguments were rehearsed. This Bill was held out, in a sense, as the carrot that would address these issues, and it has been some time coming.
To some extent, the initial issues that came up last year have been discounted, with the Government largely moving on the Huawei issue. However, as we have heard—and will hear over the course of Committee—many questions are unanswered. We should once again thank the noble Lords, Lord Alton and Lord Blencathra, and my noble friend Lady Northover for bringing forward these amendments, as well as the noble Lord, Lord Coaker. I will be interested to hear his perspective as, having been a Minister, he understands some of the trade-offs in decision-making—it is interesting that he chose to sign this amendment none the less.
I thank the noble Lord, Lord Naseby, for his Second Reading speech. He could not give it to us at Second Reading, so we got it anyway. There are some issues around industrial capacity which I will come back to.
The noble Earl, Lord Erroll, picked up a point on which I queried the Minister and did not get a response: at what point are we examining this technology? You have systems, sub-systems, components and software. Frankly, if we are doing this, it must be done at all levels. The capacity to do that and track a chip, a piece of software or something in the software which we do not even know is supposed to be there is a huge task. Do we have the capacity in the intelligence services, and the industrial ability, to do it? It is a very important question, as there is not much point having this if we cannot actually do it.
Before speaking to Amendments 1 and 20, I will say a few words on Amendment 27, the Five Eyes element. As we know, this requires the Secretary of State to review the UK’s security arrangements with companies banned by Five Eyes partners and to decide whether to take similar action on the UK’s arrangements with those companies. As I think my noble friend Lady Northover said, the Minister will no doubt say that we do this anyway. If we do this anyway then, to some extent, we should not be afraid of putting it in the Bill. It is important that we walk in as lock-step a way as we can with our Five Eyes partners, but the point of the noble Earl, Lord Erroll, is apposite; China understands that and will play the Five Eyes against each other. We must be aware of that; we must not be slavish in how we respond but canny, and work with our partners so that they understand why we are moving in the right direction.
Again, this comes down to capacity. The noble Lord, Lord Naseby, asked who does it. The NCSC is supposed to provide the ammunition for the Secretary of State and Ofcom to operate on. There are big questions around the interface between the NCSC and Ofcom and how they relate to each other. How, for example, does the highly secret information the NCSC is dealing with get to DCMS and Ofcom without either breaching security or eroding transparency, or both? We have big concerns about that, and obviously it will come up later.
The noble Lord, Lord Alton, raised Newport Wafer Fab, which until recently I thought was an ice cream firm somewhere in Aberystwyth. However, now I find that, as he set out, it is our only supplier of this equipment. That is an object lesson in itself but it is also completely appropriate to this point. In its response, BEIS confuses manufacturing capacity with technical novelty and has the idea that, because this is not technically novel, that somehow stops it from being valuable to this country. However, manufacturing capacity is central to the delivery of future technical novelty, and if you want somewhere to look, look at the communications industry. We were pre-eminent global leading companies in analogue communications technology; no country could match us. We lost that manufacturing capacity and the ability to innovate in the digital space, and that is why we have the supply chain issues we have today. If the Government have not learned this lesson, and it seems that BEIS has not, we have a long way to travel yet before we get to a sensible place.
In a sense we have heard from the noble Lord, Lord Alton, and others about specific issues but I would like to rise up a bit and look at the bigger picture slightly. In his Mansion House speech on 1 July 2021, Rishi Sunak crystallises the challenge and perhaps the dichotomy, and points us in a number of different directions at the same time. Your Lordships must excuse me, but I will read out a fairly lengthy passage which is appropriate to this debate. He says:
“And our principles will also guide our relationship with China. Too often, the debate on China lacks nuance. Some people on both sides argue either that we should sever all ties or focus solely on commercial opportunities at the expense of our values. Neither position adequately reflects the reality of our relationship with a vast, complex country, with a long history. The truth is, China is both one of the most important economies in the world and a state with fundamentally different values to ours. We need a mature and balanced relationship. That means being eyes wide open about their increasing international influence and continuing to take a principled stand on issues we judge to contravene our values. After all, principles only matter if they extend beyond our convenience. But it also means recognising the links between our people and businesses; cooperating on global issues like health, aging, climate and biodiversity; and”—
here we come to the rub—
“realising the potential of a fast-growing financial services market with total assets worth £40 trillion”.
What does a mature, balanced relationship look like in context? How nuanced are the examples that we have just heard about the Chinese? First, we can see that because of advanced concerns around the security of at least one Chinese vendor, the UK Government are mandating equipment to be torn out of our existing infrastructure and thrown away at the cost of several billion pounds. That is not a nuance. Secondly, we have heard from the noble Lord, Lord Alton, this time and previously, and we have seen the evidence of malevolence within China to its own people on a scale that is, let us say, unusual even for the age in which we live. Thirdly, we can see transparently what is going on in Hong Kong. That in itself is not a nuance either. Fourthly, we have the Chancellor’s stated desire to realise the potential of a fast-growing financial services market.
All this is the context in which Amendments 1 and 20 have been tabled. This gives the chance for the Minister to explain where she and the Bill sit on that nuanced scale, as the Chancellor puts it. He clearly sets out that the Government’s principles will guide our relationship with China, so what are those principles?
My Lords, this is my first Grand Committee appearance, and I hope that I do not disappoint the noble Lord, Lord Fox. I have been in a number of committees, but not at this end of the building. I am still getting used to some of the processes and procedures, but I am very pleased to be speaking on this Bill.
From our perspective, the Bill is very welcome. The Government are clearly addressing a very real security concern that our nation has, and, in trying to deal with it, have not just my support but that of every single Member of the House of Lords. It is our country, and we want it looked after and defended properly. Many of the amendments and the comments that have been made so far today, and which will be made throughout the Committee and no doubt at Report and beyond, are about challenging the Government, not from an oppositional point of view but from one of trying to improve the legislation. We want to ask the Government testing questions to see where their thinking is. That is what all the various speakers have done so far today.
There are a number of particular issues. As others have said, the amendments in this group, from the noble Lord, Lord Alton, deal with the international context for the security of the telecommunications sector, however you define that. This is really important, because it affects—not infects—every single part of our lives. The noble Lord, Lord Alton, gave the example of Hikvision and CCTV. Whether it is the hardware or the software, this demonstrates that there are examples of new technology and telecommunications which impact on all our lives but which many of us probably do not view as causing a potential security threat to our country and nation. We have only to look at where that is going—whether you look at this sphere or the defence sphere—to know that we are going to see an increase in telecommunications, and in the use of space, drones, artificial intelligence and all those sorts of aspects.
One thing that I will talk about in other debates on other amendments is how you future-proof this—and that is part of some of the later amendments. Hikvision, which the noble Lord, Lord Alton, raised, is an interesting instance. At the nub of it is that, if our allies, who we depend on for our collective security, are banning companies such as Hikvision, as in the United States, how is it in our interests to defend our own security to not do the same? It is unfair to say that it has not been thought about, but there is something of a disjointed approach when one of our closest allies—if not our closest—has banned a tech company that we use. I am sure that there are very good reasons for it, and the Civil Service and others will no doubt tell the Minister X, Y and Z, but it defies common sense. Whatever the reality of it, it just does not appear to be a sensible option, so I very much support the example that the noble Lord, Lord Alton, gave. That is one of the reasons why I added my name to Amendment 27.
With regard to NATO and Five Eyes on a domestic and international level—I shall return to this point on Amendments 18 and 25—who actually holds the ring? Who is the person or what is the department that co-ordinates all this activity across government? Who holds the ring across government? You could say that it is the Prime Minister, but the Minister will know what I mean. Out of all the various aspects of government, who actually in the end decides? And if there is a conflict of interest between them, who then is the judge of that and how does that work on an international level? But as I say, that is more to do with Amendments 18 and 25.
Amendment 27 in particular, as I said, ensures a review of telecoms companies when a Five Eyes partner bans the operation of a vendor of goods or services to public telecommunications providers in its country on security grounds. That is eminently sensible. It is a review. The amendment is, essentially, testing the Government by asking, “Why wouldn’t you have a review?” Why would you not—to use a security term—keep that under surveillance?
I have received a request to speak after the Minister, so I call the noble Lord, Lord Fox.
I congratulate the Minister on introducing the Barran scale of nuance, which will no doubt become a classic in future. She did not address the issue of componentry, if you follow my drift. It seems to me, in analysis, that what tipped the balance in the sense of Huawei was the absence of American-made chips. Were that not to have happened, the NCSC would not have recommended the widescale removal that we have seen. That appears to be the implication. There seems to be an element of component monitoring going on, although in this case the monitoring appears to have been done more by the Americans than by the United Kingdom. It comes back to that fundamental point: at what level is the Bill going to be applied? Will it be applied on the overall capability of the system? In other words, is it a systems capability issue? Is it a subsystem operational outcome view, the individual pieces that go to make those subsystems, or the software that drives the overall system? How will the Bill actually be put into process?
I may need to write to the noble Lord about the technical details he has set out. I think for the approach to be effective it needs to incorporate all elements of that. An overall system cannot be a capable system if the subsystem is not. There needs to be coherence across the equipment that is supplied and our understanding of how it operates in practice and the component parts to inform the judgment about its security or not. I am happy to follow up in writing if he is agreeable.
My Lords, I rather agree with the noble Lord, Lord Clement-Jones, on this matter. The Bill is meant to be about security, not about “anything”. I have seen this happen with other legislation—that it suddenly becomes convenient to take something never intended for another purpose and, because it is very broadly worded, use it to beat some company or someone over the head over something completely unrelated. I am afraid that I agree that the Bill needs to be tightened up and brought down to security issues, not just “anything”.
For starters, a powerful, predominant supplier of routing equipment in the IP network would be a security risk. If anyone relies too much on one supplier—and they may unfortunately be pushed in that direction—it becomes a security risk, and we may have to close down some providers: “Oh dear, that’s our network finished”. That would be stupid. We are going to be anti certain companies. Companies get based or controlled elsewhere as takeovers happen internationally, so I see a certain amount of difficulty with this if it is very wide.
I come to what the noble Lord, Lord Fox, said. The reason we lost our manufacturing, of course, was that BT selected Huawei as the preferred supplier of the 21st-century network rewrite in 2005. That is the point at which we closed down our capability, effectively being blackmailed by America to get rid of Huawei while potentially blackmailed by Huawei, which could get too much control. We need to look at these strategic decisions where private companies that used to be government suddenly make companies that affect UK security. I have never been happy about that.
My Lords, in response to the noble Earl, Lord Erroll, I say that it is also a huge issue when you have, essentially, a near-monopolistic private sector supplier, which makes any decision completely catastrophic for the under-bidder. I am speaking not to that but to Amendments 2, 3, 4, 5 and 6, which, as my noble friend Lord Clement-Jones pointed out, bear my name. He set out a very clear rationale for these amendments, which back up the concerns of the Constitution Committee and, indeed, some suppliers. Rather than reiterate those, I beg noble Lords’ indulgence to illustrate the point, inviting them to join me in a thought experiment. They need not worry—it is not going to hurt and I will not be pushing them into a Petri dish or anything like that. I simply ask your Lordships to imagine things the other way around: imagine that the Telecommunications (Security) Bill did indeed include the words currently proposed by my noble friend Lord Clement-Jones and myself, words that clearly identify that the focus of the Bill should be on the security of telecoms.
I ask noble Lords to continue to use their imagination that it was my noble friend and I who were proposing changes to include the words that are currently there; in other words, imagine that we were proposing to take the word “security” from this imaginary Bill and turn it into “anything”. Broadening the cover, as we have heard, would broaden the problem around any interruption very widely. I do not know but I dare say that, if we tried to do that, the Public Bill Office would have something to say, pointing to the Long Title of the Bill, which is:
“To make provision about the security of public electronic communications networks and public electronic communications services”
—in other words, security. Were we to try to take that word out and put in “anything”, I dare say the PBO would not allow us to do so.
If we did however slip it past the PBO, I guarantee that the Minister of the day would tell us that this would subvert the Bill’s intention and would take away the Bill’s focus from security to some of the imaginary things that the noble Lord opposite suggested—or, indeed, a digger backing into a green box somewhere in Kent. This is not the “Telecoms (Mishaps) Bill” but the Telecommunications (Security) Bill. These simple and modest amendments focus the Bill on its stated objective.
This is a really important discussion. I do not want to speak for too long but the noble Earl, Lord Erroll, was right to say that the Bill is about security and not just “anything”. None of us on the Committee wants to compromise the nation’s security or compromise the ability of our military personnel to conduct necessary operations. However, sometimes in legislation words really matter—they are the law of the land. That is why scrutiny of legislation in Committee like this is so important, word by word and line by line, otherwise—and I will have a series of questions for the Minister on this—down the line in one, two, three or five years, something will happen and everybody will go, “How was the word ‘anything’ included?” The unintended consequence of legislation is something that we need to consider, or people will ask how something happened—how that word was allowed.
With that in mind, it is important that the Minister explains to the Committee how this definition is arrived at. The starting point would be to ask her to explain the differences between having the word “anything” and having the phrase “security issue”. Can she give examples of how the Bill would be weakened by having that term rather than “anything”, and what “anything” means—apart from saying that it means “anything”? What does it actually mean, given that the Bill is supposed to be about security issues, as the noble Earl said?
The Government argue that the duty on providers is appropriate and proportionate to ensure that the effects of compromise are limited and to act to remedy the impacts. I understand why Ministers are keen to keep the definition wide, but on its own it is not good enough. For example, can the Minister explain whether there are any thresholds to what amounts to a security compromise, or is it “anything”, and what does that mean to an individual who might stray into territory that they are not sure about? How was the Bill’s definition arrived at? Who came up with it and what advice did they receive? Were alternatives suggested to it, what did security experts say to the Minister was necessary, and were there dissenting voices?
In seeking clarification, I wonder whether the Minister can explain why the definition does not include, as I understand it, the presence of supply chain components, as the noble Lord, Lord Fox, mentioned on the earlier group of amendments, if they represent a security threat. Maybe it does—but could the Minister clarify that? We need to know that to understand the diversification of the supply chain and how effectively or not it is proceeding. It is important to consider the components of the supply chain, particularly when identifying where they are a threat to our national security. As I see it, that is not included in Clause 1, but perhaps the Minister can tell me that it is and that I have not read the clause correctly. If so, where is it?
I go back to where I started. These amendments are important in testing how the Government have arrived at this use of “anything”. I know it sounds like semantics—what does “anything” mean?—but the point made by the noble Earl, Lord Erroll, is crucial. The Bill is a security Bill. That being so, why does “anything” appear and why is “security issue” not the appropriate way to describe this? Why is it not included in the Bill? It is necessary for the Committee to understand the Government’s thinking on this for us to consider whether we need to bring back this matter on Report.
I have received one request to speak after the Minister, from the noble Lord, Lord Fox.
The Minister brought up the review, which was very clear that there are huge potential market failures within the security and resilience telecoms market, the reason being that security is not valued by the networks. It is other things, such as network connectivity and price, which are of maximum importance to those networks—things that might come under the word “anything”, for example.
Let us be clear about the four reasons given by the review that security is undervalued by networks: insufficient clarity on cyber standards and practices; insufficient incentives to internalise the costs and benefits of security; lack of commercial drivers, because consumers of telecoms services do not tend to place a high value on security; and the complexity of delivering, monitoring and enforcing contractual arrangements in relation to security. All four of those issues, which I think are driving the purpose of this Bill, involve the word “security”. Far from these amendments watering down the intent of the Bill, the Minister is watering it down herself by including the word “anything” and ignoring the word “security”. I do not expect her to accept these amendments now, but I would like the department to go away and think about this very carefully, because a catch-all Bill catches nothing.
I hear the noble Lord’s concerns. We will of course take back his comments and reflect on them again. However, I know that officials working on this Bill have considered these points in enormous detail and would be happy to meet the noble Lord and discuss them, if that would be helpful. We believe that our framework does not water down but balances future-proofing with the precision and specificity that the noble Lord seeks. I hope we can follow up on that in a separate meeting.
My Lords, I can see that it might be useful to avoid scrutiny sometimes when we have to finesse difficult issues—say, balancing effectiveness and public perception of certain other issues, or whatever. We can also end up with an awful lot of SIs in front of both Houses and everyone feeling rather swamped and bored by them and no one really doing anything about them. The trouble is that we get more and more wide-ranging powers in Bills, and this is a particular example of it. The more we do that, the more careful we have to be about the secondary legislation, because that is where the devil resides and that is where the real control is. We have just passed something that enables a takeover by the Executive. In some cases that may be a good thing; in others it could be very dangerous. To be honest, because of the huge, general issues in these Bills, I now come down in favour of the affirmative procedure. We are going to have to scrutinise it.
My Lords, harmony is breaking out across the Room, with the possible exception of the Minister. I will not reiterate my noble friend’s well-put argument but I refer the Minister—I am sure she has already read it—to the impact assessment. I am increasingly of the opinion that the single most useful document that comes with the publishing of a Bill is not the Explanatory Notes but the impact assessment. The department is to be congratulated on the quality of the one produced in this case.
Page 30 of the impact assessment covers the monetised and non-monetised costs of this. At the front of the assessment there is a number. However, point 6.1 says:
“This impact assessment makes an estimation of the costs and benefits of the options”.
It says it brings together “a number of sources” and notes that there are “limitations to the analysis”. The first is the
“lack of robust and specific data”—
that is a fairly serious limitation—
“for example on UK telecoms market size and the size of specific sub-markets”.
Therefore, the number on the front is based simply on—obviously, well-intentioned—estimates of the telecoms market. Furthermore, the costs are quantified based on equipment costs. They are not based on the friction of running a network under the constraints of this Bill, which is itself a glaring error in how one looks at the cost of this Bill in terms of impact.
It is not just about the cost and replacement of equipment—it is about the draft regulations to which my noble friend Lord Clement-Jones referred. They cover all aspects of the operation of the networks in this country. We are looking at a situation in which, if the Minister so chose, the regulations could be made and implemented such that the Minister ran the networks by remote control from the department. That is why these safeguards, parliamentary scrutiny and the affirmative process are an important safeguard to prevent attention—not, I am sure, from this Minister or this Secretary of State, who I am sure can be trusted with these regulations, but we do not know who will follow or what their intentions will be.
As the noble Earl, Lord Erroll, wisely said, to hand over these powers without simultaneously taking significant powers of scrutiny of the statutory instruments that will inevitably follow is the wrong way in which to pass a Bill in your Lordships’ House. For these reasons, along with the huge uncertainty of the cost of what we are doing here, I commend my noble friend’s amendments.
My Lords, I speak to Amendment 11 in my name and welcome Amendments 7 and 12 in the names of the noble Lords, Lord Fox and Lord Clement-Jones. I was interested that the noble Lord, Lord Fox, referred to a chorus of agreement, which I certainly heard ringing out, expressing concerns about the role that Parliament should have in scrutinising on codes of practice that this Bill currently does not provide for. To me, the codes remind us that the Bill can provide us only with something of a framework, and for many areas there is a wait for the details to be filled in later. As the noble Earl, Lord Erroll, said, the devil, as always, is in the detail.
Clause 3 allows the Secretary of State to issue new telecom security codes of practice that will set out to providers the details of specific security measures that they should take. As we have heard referred to, the impact assessment states that these codes are the way in which the DCMS seeks to demonstrate what good security practices look like. However, I note that Ministers are proposing only to demonstrate but not actually to secure good practice, which I am sure is the real intent—and it would be very helpful if, through this debate, we could get to that place.
I am interested also to note and draw the Minister’s attention to the fact that the Government have said that these codes will be based on National Cyber Security Centre best practice security guidance. The Government have said that they will consult publicly, including with Ofcom and the industry, as we read in the Minister’s letter following Second Reading. That public consultation will be on implementation and revision. However, it strikes me as very strange that the National Cyber Security Centre is not a statutory consultee; can the Minister say why it is not?
I particularly make the point that, as the codes of practice will be admissible in legal proceedings, they have to be drafted accurately and we have to ensure that security input and expertise is fed into them. The National Cyber Security Centre, which is described as a bridge between industry and government and is, indeed, an organisation of the Government, would seem to be a body that should be, in a statutory sense, invited to make the input and offer its expertise, along with other departments and agencies. After all, we can see, when reading about the centre, that its whole reason for being is that it provides widespread support for the most critical organisations in the United Kingdom as well as the general public, and they are absolutely key when incidents, regrettably, occur. We are trying to address those incidents in respect of this Bill.
As we have heard from all noble Lords who spoke in this section of the debate today, the input needs to come from Parliament, which is why I tabled Amendment 11. As the Bill is drafted, the current reading is that a code of practice must be published and laid before Parliament, but there is no scrutiny procedure. I put it to the Minister that if codes have legal weight, why is Parliament being denied the chance to scrutinise them? We seem to have a complete mismatch there. I was taken by the words in the Delegated Powers Committee report, mentioned by the noble Lord, Lord Clement-Jones, in his introduction, which stated that this way of being was “unacceptable” and called for the negative procedure for codes. That is what Amendment 11 does. Can the Minister address specifically the words of that committee report? I refer her to paragraph 27, which says:
“In our view, the Department’s reasons are unconvincing … the fact that codes of practice would be produced after consultation with interested parties cannot be a reason for denying Parliament any scrutiny role; and … the Department appears not to have recognised the significance of the statutory effects of the codes of practice”,
as has been highlighted today. I therefore hope that the Minister will both comment on the report and seek to make what is a very important and significant change in this regard.
I will pick up on one additional point. The impact assessment also says that the codes of practice will have a tiering system for different-sized operators. The initial code will apply to tier 1, which serves the majority of businesses of critical importance to the United Kingdom. This will also apply to tier 2 medium-sized operators but with lighter oversight by Ofcom and longer timetables. Can the Minister offer a draft list of the operators in tiers 1 and 2, and can it be shared with noble Lords? I would also be interested to know whether the Minister has any concerns that tier 2 operators will somehow be worse at compliance. If she has those concerns, what support will be provided to small and medium-sized enterprises? I look forward to her reply.
In quick response to, or doubling up on, the noble Earl, Lord Erroll, my understanding is that the code is enforceable by law. If it is not, perhaps the Minister can explain how the operators are expected to deliver.
This is relatively simple. The Minister has asserted that this is a technical issue. She has asserted that it is too technical for Parliament to be able to manage, but at the same time, as it is currently structured, there will be a self-referential group of people. If the Covid crisis has told us anything, it is that a self-referential group of people is not good at horizon-scanning. Security is a great big horizon scan. You normally know you have not got security only when you lose it and it is essential to take advantage of the diversity of technical opinion that exists in this country and elsewhere. It is extremely arrogant to believe that the sum of human knowledge is contained in one department, and probably one subsection of one department.
For those reasons alone, a technical advisory board is vital to secure the future of this country. That seems to me self-evident, but clearly it is not, so perhaps the Minister can explain. Was this discussed, when was it discussed and why was it dismissed as an option?
Both these amendments have very cunningly taken advantage of existing structures; they have looked at the Investigatory Powers Act 2016 and read across, with ready-made structures that can deliver both the technical advisory board and the benefits that I have just set out and a judicial commissioner to make sure that there is sufficient proportionality and appropriateness in those measures. It seems to me that it is for the Minister to explain, if this was good enough for the 2016 Act, why it is not appropriate to put it in this Bill for these issues.
I call the noble Lord, Lord Clement-Jones—sorry.
I must admit that I am somewhat baffled by the Minister’s response. The argument on the technical advisory board seems to be, “Oh, we’ve got enough technical advice, so we don’t need one”—but, clearly, it seems that there is a need for this. I quoted providers—I can go into the papers that we have received from them—as saying that real issues arise out of the regulations. These are technical and relate to things such as patches and audit and monitoring issues. There is a feeling that the department is just not listening on those issues, and what is needed is someone who is rather more dispassionate and can advise on the technical issues that are arising—perhaps, if it is seen as a conflict, someone like the noble Earl, Lord Erroll, who can genuinely advise on this kind of thing. It seems to me to be extraordinarily dismissive to say, “We’ve got enough advice. We don’t need a board of this kind”.
In the Investigatory Powers Act 2016, there is a very useful technical advisory board—it is not usable for this purpose because its function is rather different under that Act. When the Minister comes to the point about the judicial commissioners, saying, “Oh, no, they are for an entirely different purpose”, I say that, actually, if you read their function, it is four square with the kind of thing that would be useful under this Bill. They are talking about not technical issues but proportionality, appropriateness and so on—very much the kind of thing that they are dealing with under the 2016 Act.
So I am afraid that I do not buy what the Minister has to say, sadly; I just think that it is pushback based on the thinking that, “Well, the Bill’s the Bill and it’s all drafted, so we don’t really want to do very much with it by way of amendment”. That is the time-honoured government response to this kind of suggested amendment, but I believe that, constructively, both these aspects—a judicial commissioner and a technical advisory board—would make a great difference to the functioning of the Bill and would lead to much better regulations and codes of guidance at the end of the day.
I thank the Deputy Chairman and apologise for speaking across him. I am a bit intrigued by the comment of the noble Lord, Lord Parkinson, on the subject of legal enforceability. He is correct to say that, as new Section 105H states, the
“provision of a code of practice does not of itself make the provider liable to legal proceedings”
—but it would not be liable only when the provision was not in force in time or when it was not legal. However, you would not bring a legal case anyway when it was not relevant or in force, so, to all intents and purposes, where the code is in force and relevant, it is legally enforceable. Therefore, it is legally enforceable.
First, if I may, I will take back the point made by the noble Lord, Lord Fox, about new Section 105H under Clause 3; I will write to him to, I hope, alleviate any concerns and confusion. There are certain legal effects set out; I will write to him to clarify the point about legal enforceability.
I am grateful to the noble Lord, Lord Clement-Jones, for his appreciation. Part of the confusion here may be that two technical advisory boards are mentioned in these groups of amendments. As I think he noted, the one set up under RIPA has a different function, but we are certainly not being dismissive of the points that have been raised. Indeed, as I said, we have spoken to the industry and received helpful feedback from telecoms providers on the illustrative draft measures that were published in January. We will also be glad to look at the information that he mentioned—the views that have come his way—to make sure that these are reconciled; if he is happy to share them, we will look at them and come back to him.
My Lords, I want to say a few words on this because the key words “undue burden” stand out. It is very important that we do not put too many burdens, particularly unnecessary ones, on companies. In particular—and this is something that I have often looked at because I have done a lot of work with innovative and growing companies—you must not let large corporations stifle innovation. There is an attitude among them that regulations are for your enemies; they are a very good way of stopping up-and-coming competition. I have also noticed that departments tend to consult the companies which have significant market presence already and see them as being the people who know all about it. However, that does not take account of what is up and coming. The other thing is that they often have people on secondment from them or people who have retired from the companies and gone into the departments, so there can be some interesting biases within. With those few warnings, I think the whole undue burden issue is more important than people might think.
The undue burden point touched on by the noble Earl, Lord Erroll, is really important. On a previous group I spoke about regulatory friction and the fact that this has not been costed into the impact assessment. Clearly, regulatory friction is harder for smaller companies to deal with than larger companies. I think that is the point that the noble Earl was making. It is one that I would also join up.
We should also not confuse lots of regulations with security. The whole point about people who wish to subvert security is that they understand the regulations and go round them. Indeed, sometimes regulations are a guidebook for security, in a sense, because they show the map around which you seek to find the chinks.
The point in the impact assessment about making the networks value security is right. On that, I completely agree with the Government. I am not sure that some of the measures in the Bill actually do that; what they do is create a regulatory load without necessarily adding value. Some of the measures that we spoke of in the last group of amendments, as well as in this, are about stripping this down to where value is added rather than simply more regulation being loaded up.
One of the great pleasures of speaking after my noble friend Lord Clement-Jones is that he normally says everything better than I would. He simply asked the Minister to repeat what was in the letter and to endorse the 2003 Act. I hope that he is able to grant his wish.
I thank the noble Lords, Lord Fox and Lord Clement-Jones, for these amendments. As before, it is a pleasure to follow their contributions and that of the noble Earl, Lord Erroll.
On the codes of practice and Amendment 10, I understand the importance of not wanting to put undue burdens on businesses. We should make particular reference to the exceptionally difficult and testing times that businesses and the economy have had to suffer over the past year due to the pandemic. Obviously, a balance needs to be considered. We have to ensure that if the codes are going to be used, they are the most effective way of implementing security measures. How will the Government consider the impact of codes on businesses? For example, will there be specific consultation about undue costs in respect of businesses?
The concerns that we have heard in this debate give a further nod to concerns about lack of parliamentary oversight, which is missing from the codes. I again say gently to the Minister that by giving parliamentarians the opportunity to provide scrutiny there might also be the ability to review the impact on businesses.
Amendments 16, 17 and 21 would ensure that Ofcom’s new powers in the Bill were subject to requirements in Sections 3 and 6 of the Communications Act 2003. Section 3 focuses on the general duties of Ofcom, while Section 6 focuses on reviewing regulatory burdens. It would be helpful to hear from the Minister whether the Bill has been deliberately drafted for the new powers to fall out of scope of those sections in the Communications Act and, if so, why.
What review process will be faced in respect of Ofcom’s new powers? It is very important that, when new powers are given, there is an opportunity to review, reflect and amend, and to keep a close eye on whether those new powers are doing the job intended.
My Lords, I put my name down to speak to this because the problem with putting a fixed time period on having to report security breaches is that it very much depends on what the breach is. We mentioned patches earlier. If it is a vulnerability in the software—or it may be the hardware—which requires a patch to be released, you must have the time to produce it and test it as fully as possible. You do not want the hackers out there to know what the vulnerability is until you can roll out the answer to it. That is what zero-day attacks are based on. Equally—the noble Baroness is absolutely correct here—you do not want this stuff swept under a carpet to sit there unused for years. Could our technical advisory board give advice at an incident level, or something like that?
My Lords, this is an interesting and nuanced—to coin a word we used earlier—debate. I am probably the only person here who has had to deal with a national security issue that impacted a consumer brand in real time on television. I must say that 30 days was not an option—30 minutes was not an option. Picking up on the point of the noble Earl, Lord Erroll, the time is entirely dependent on the nature of the crisis or security breach. My fear is that 30 days becomes a target rather than an injunction.
I think the point here is “no burial”. I assure colleagues and others in this Room that our amendments do not intend to bury the issue either, but to introduce some equivocation in the event that not announcing something makes things more secure than announcing them. The point of this is not to protect the reputation or otherwise of the network, but to protect consumers and the integrity and security of the network. That is the decision Ofcom would need to make. That would be its call. Its default position would be that it needs to be communicated to consumers as quickly as is sensible, unless there is a reason not to communicate it, and it would be up to the network providers to put their position forward. However, there are definitely times when it should not be communicated. At the moment the Bill seems rather unequivocal in its approach.
I call the noble Baroness, Lady Barran.
Sorry, I have not quite finished.
I would call Amendment 15 a “good manners” amendment. If Ofcom possesses information that the network provider does not, it simply calls for that network to be brought into the loop before the rest of us are. That seems good manners to me—you do not necessarily have to legislate for that, but these days it always helps. I have now finished.
My Lords, I thank the noble Baroness, Lady Merron, and the noble Lords, Lord Clement-Jones and Lord Fox, for tabling these amendments to Clause 4 and for their considered remarks. As we have heard, these amendments speak to reporting requirements placed on industry in the event of a significant risk of a security compromise and the powers bestowed on Ofcom in the event of a compromise or the risk thereof.
Amendments 13 and 14 amend new Section 105J. As the noble Baroness, Lady Merron, summarised, new Section 105J is designed to give users of telecoms networks and services relevant information when there is a significant risk of a security compromise, including the steps that they should take to prevent such a compromise adversely affecting them. Giving users this information will help ensure that, where possible, they can take swift action to protect themselves. It will also contribute to greater awareness of security issues, supporting users to make more informed choices about their telecoms provider.
My Lords, I saw this and thought that I really did not understand why the Government were doing it. I saw what the Constitution Committee had said and realised that it did not understand why it was needed. I cannot believe that you can have a proper appeal if you ignore the merits of the case. I probably have an overdeveloped sense of justice and I think that to have an appeal where you are not allowed to present half the case or whatever is not a proper appeal. In fact, what you find is that the system can use procedural things to run rings around people who have a very justifiable complaint about something. I did not like the look of it and I entirely agree with everything that the noble Lord, Lord Clement-Jones, said.
My Lords, I am not going to attempt to outlawyer my noble friend Lord Clement-Jones. I may not be a lawyer, but I am suspicious or, indeed, perhaps ultra-suspicious. What is the department seeking to avoid by removing what would seem to be natural justice from this process? What are the Government seeking to protect themselves from in advance? Who are they frightened of?
I do not think I know the answers to these questions, but I know that there is someone or something there that the department is seeking to avoid in advance. For those reasons, we should be extraordinarily suspicious, just as suspicious as I am. I ask the Minister: what is the justification? What are the Government scared of?
My Lords, I have been very interested to hear the arguments put forward by the noble Lords, Lord Clement-Jones and Lord Fox, and the noble Earl, Lord Erroll. As we heard from the noble Lord, Lord Clement-Jones, in his opening remarks, concern about oversight is driving this section of the debate. As we know, Clause 13 ensures that when deciding an appeal against certain security-related decisions made by Ofcom, the tribunal is to apply judicial review principles without taking any special account of the merits of the case.
I understand that this does not apply to appeals against Ofcom’s enforcement decisions and that the Government have said that this ensures that it is clear that the tribunal is able to adapt its approach as necessary to ensure compatibility with Article 6, the right to a fair trial. My questions to the Minister are about the legal advice that the Government have received on this clause. What legal advice has been received? Is this external legal advice as well as internal legal advice?
The clause states that
“the Tribunal is to apply those principles without taking any special account of the merits of the case.”
Can the Minister explain what “special account” is expected to mean?