Product Security and Telecommunications Infrastructure Bill
Lord Fox ExcerptsTuesday 21st June 2022
(3 years, 7 months ago)
Lords ChamberRead Full debate Product Security and Telecommunications Infrastructure Act 2022 View all Product Security and Telecommunications Infrastructure Act 2022 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 16-I(a) Amendment for Committee (Supplementary to the Marshalled List) - (20 Jun 2022)
“General principles relating to product security
(1) The provisions in Part 1 of this Act should be read alongside the general principles relating to product security as outlined in subsection (2).(2) The principles are—(a) in regard to the security of internet-connectable products and products capable of connecting to such products, manufacturers, importers and distributors have a duty of care towards their customers to secure their privacy and safety;(b) customers are entitled to have a reasonable expectation that manufacturers, importers, and distributors make sure their consumer connectable products meet minimum cyber security requirements before they are placed on the UK market;(c) manufacturers, importers, and distributors should be able to demonstrate an understanding of emerging security threats and a proactive, ongoing support programme to mitigate these risks and ensure that their products are safe by design.(3) In making regulations under Part 1 of this Act the Secretary of State must have regard to the principles outlined in subsection (2).”Member’s explanatory statement
This amendment would introduce a set of principles relating to product security into the bill.
Lord Fox (LD)
My Lords, I rise to move Amendment 1 in my name and that of my noble friend Lord Clement-Jones, who is sadly unable to be here today. Should your Lordships feel at times that I am going on a bit long, just think of the alternative: it could have been both of us.
I should first say in the spirit of co-operation that the aim of this amendment is wholly positive; it is designed to firmly support the intentions of the first half of this Bill—support which we heard right across your Lordships’ House at Second Reading. While introducing this part of the Bill, the Minister set out a clear need for improved security. He told us:
“The average UK household now has nine internet-connected devices, and over 50% of all UK households purchased an additional consumer connectable product during the pandemic.”
The danger to individuals is getting worse. As the Minister also said:
“In the first half of last year alone, we saw 1.5 billion attacks on connectable products—double the figure of the year before.”
With this rise in connectable devices, the Minister said:
“Thousands of people in the UK have been victims of cyberattacks.”—[Official Report, 6/6/22; col. 1033.]
I suggest that this is understating the situation—it must be tens if not hundreds of thousands—but frankly, we just do not know.
This is an international business, which preys on poor security and badly configured devices. Further, our household devices can be co-opted by sophisticated criminal or political hackers to present significant threats to our national infrastructure. That is why this part of the Bill is important; I think we all agree on that. For a connectable device to be secure, it needs to be set up right but then supported throughout its active life to meet the changing environment of security threats. We are all used to updating our laptop security regularly, but how many times have we updated other household-connectable devices? A baby alarm, for example, is never updated.
At Second Reading, I described my fruitless search within the Bill for a definition of the security support that a consumer might reasonably expect for consumer-connectable products in the house. This Bill takes the secondary-legislative route. Rather than set out what consumers should legally expect in terms of through-life product security support, we were promised some SIs, and we heard what the focus would be.
In a letter sent last week, the Minister gave the Government’s reasons for choosing those three areas; I will come back to them briefly. He wrote:
“we are starting with a focus on the three security requirements that will make the most substantial change to consumer device security at a proportionate cost to business”.
But why just these three? The Bill is heavily based on the Code of Practice for Consumer IoT Security, in which 13 security issues were highlighted. To be clear, the first two—“No default passwords” and
“Implement a vulnerability disclosure policy”—
match those of the Minister. Interestingly, on the third one, there is a big difference in language between the Bill—which mentions providing transparency on how long, at a minimum, the product will receive security updates—and the code, which says, “Keep software updated”.
But there are 10 other major areas. I will not list them, but the fourth is:
“Securely store credentials and security-sensitive data”.
The eighth is
“Ensure that personal data is protected”.
Why are those two not as important as the other three? I cannot fathom why those have been left out and the previous three selected. So, given the choice of 13—the Minister can look them up—what was the logic in choosing just those three and dropping the fourth and eighth in particular?
There is also the issue of changing technology. Without a set of principles, the Government’s aim is to chase technological development with a string of statutory instruments, simultaneously keeping up with the world’s most innovative companies and pitting their ingenuity against the world’s top criminals. Life is moving fast—for example, a recent issue of Wired announced the beginning of the end for passwords:
“At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using ‘Passkeys’ with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination.”
On that basis, this legislation will be partially obsolete before it is enacted.
I have one further technical problem for the Minister to explain. Once again, different bits of government are moving in parallel. A seemingly entirely different exercise—a consultation on app security and privacy interventions—was published in May this year. The suggested interventions include
“a voluntary Code of Practice for App Store Operators and Developers that is intended as a first step.”
Other possible future options set out in the document include
“certification for app store operators and regulating aspects of the Code to help protect users.”
The document then says:
“These proposals link into the National Cyber Strategy through requiring providers of digital services to meet appropriate standards of cyber security and developing frameworks to secure future technologies.”
No mention of this legislation is made.
So where does a connected device end and an app start? Where does the Bill stop and this new code of practice start? If I install my temperature control system, it will involve connected hardware and an app; which of these two pieces of government activity will cover my system, and how are they connected? The Government have not joined this up, and, once again, two things are going on with no connection to each other.
So, I borrowed some of the Code of Practice for Consumer IoT Security for this amendment, which sets out some of the principles. Proposed subsection 2(a) sets a simple obligation for “manufacturers, importers and distributors” to demonstrate a “duty of care”. Proposed subsection 2(b) sets out that
“customers are entitled to have a reasonable expectation that manufacturers, importers, and distributors make sure their consumer connectable products meet minimum cyber security requirements before they are placed on the UK market”.
Proposed subsection 2(c) calls for
“manufacturers, importers, and distributors … to demonstrate an understanding of emerging security threats and a proactive, ongoing support programme to mitigate these risks and ensure that their products are safe by design.”
The Minister would be hard-pressed to argue against these—and his planned SI on accessibility vulnerability is close to proposed subsection 2(c) anyway.
I would like to hear that the Government recognise the benefits that having clear principles in the Bill can deliver. I am sure that the Minister can see these benefits. Secondly, I am not proprietorial over the exact wording. We can use the time between Committee and Report to fine-tune and wordsmith those principles, but I hope that this is a constructive and helpful start.
Baroness Merron (Lab)
My Lords, I restate these Benches’ support for Part 1, which introduces a range of important powers and processes relating to the security of consumer-connectable products, including smart TVs, smartphones, connected baby monitors and connected alarm systems, all of which we use in our day-to-day lives. For me, the legislation that we seek to improve today is much needed and needs to move with the times and the way we live. For example, in 2006 there were just 13 million of these devices but in 2024, there is likely to be more than 150 million in the UK alone—a huge projected rise.
I am grateful to the noble Lord, Lord Fox, for introducing this sensible amendment, and to the noble Lord, Lord Clement-Jones, whose name is also on it. It seeks to introduce or suggest some guiding principles relating to product security. For me, the key principles are that manufactures, importers and distributors have a responsibility and a duty of care to meet minimum cybersecurity requirements and look forward to emerging security threats. It seems wise and sensible to include these, so I hope the Minister will take them into account. As the noble Lord, Lord Fox, said, the exact wording of the amendment does not have to be used; it is about the principles. Indeed, it is about not just principles but practice: the message given to consumers as well as to manufacturers, importers and distributors.
I know that in other legislation the Government are often nervous about using the phrase “duty of care”, but, as the Minister knows, there are very real concerns about data collection and privacy. I suggest that this is the very least that consumers should be able to expect. While it may be said that the other principles are not necessary to include, there have been several cases of manufacturers knowing about, yet failing to act on, significant security flaws. I feel this is something we need to guard against.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Parkinson of Whitley Bay) (Con)
I am grateful to the noble Lord, Lord Fox, and, in his absence, the noble Lord, Lord Clement-Jones, for their Amendment 1 and for the wholly positive intention with which it has been tabled. I was grateful to have had the opportunity to talk to them about it before Second Reading as well. As the noble Lord set out today, he has argued that customers deserve some high-level principles setting out the security protections they should expect when purchasing consumer-connectable technology. In fact, Amendment 1 goes further, as noble Lords have noted, and would require manufacturers to owe their customers a “duty of care” to protect them. We are not as keen as the noble Earl, Lord Erroll, on that.
The first problem we have with a duty of care is that it could give consumers a false sense of security. If consumers buy well-designed technology products which meet the best standards, it considerably lowers risk, but with cybersecurity there is no such thing as zero risk: the most aggressive and well-resourced hacker will find a way. Somebody may have a quality product, but have they secured their wi-fi router? Do they have some legacy technology on their network? Manufacturers of a single device do not control the whole range of apparatus which constitutes the attack surface so cannot always provide an absolute security warranty, and they cannot always predict the next attack vector.
The second problem we have is that we have learned that the security of devices is best served by standards rather than principles. If one sets standards, one can send a device to a laboratory and assure oneself that those standards have been met. If one sets principles, that does not apply. That is why the Bill is designed to give force to standards. Those standards, developed here in the UK and now adopted by Governments and jurisdictions across the globe as well as by international standards bodies, are widely recognised significantly to lower risk for consumers.
Of course, we believe that the responsibility for the security of connectable products most effectively lies with the manufacturer. We expect manufacturers to take security seriously, to implement measures to develop and maintain an awareness of the security of their products, and to be up front with customers about the security support they can expect. We have tried voluntary compliance, with our code of practice which was published in 2018. We now need mandatory requirements, and that needs specific security requirements that can be independently assessed. The legislation must enable the Government to keep pace with market dynamics and the changing technological landscape—as the noble Baroness, Lady Merron, said, it is important that we move with the times. The flexibility to be able to set different security requirements for manufacturers, for importers and for distributors is key to this.
Amendment 1 in the form drafted would place an equal weight on the duties of each of these three groups to secure products. Compelling the Secretary of State to have regard to this general duty could constrain the Government’s ability to set specific security requirements in the future. Crucially, these principles could restrict the use of powers in this part of the Bill, working against the Government’s ability to bring this regime into force and impeding our ability to keep that regime future-proof. I should also say to noble Lords that industry and consumer groups have not raised the need for general principles such as this. Our efforts to engage and communicate our intentions have been clear, and the requirements we have set out for the relevant persons have been widely understood and are in line with international standards.
The noble Lord, Lord Fox, asked why the Government have chosen these three specific security requirements rather than others. During the consultation in 2019, we explored a number of options including mandating that all consumer-connectable products meet all 13 guide- lines in the code of practice. They are all important, but the majority of respondents supported the option that the top three security requirements represented the most appropriate baseline, by balancing the important requirements that are testable, being applicable across a range of devices and creating the right incentives to improve security in these products. That is why the Government are initially mandating the implementation of security requirements that will make the most fundamental impact on the risks posed by insecure consumer-connectable products for consumers, businesses and the wider economy.
The noble Lord also asked about where products end and apps begin. The powers in Part 1 allow Ministers to set out requirements that include products and software. The proposals in the consultation he mentioned relate to those who operate app stores. So, while I acknowledge the good intentions behind it, I hope I have been able to set out why the Government feel that this amendment—
Lord Fox (LD)
I thank the Minister for giving way. That does not answer the question of where an app starts. If I am downloading Nest for my heating system, I am getting it from an app store, so where is the regulation coming? Is it the app that is coming from the app store, or is it the connectable device law that is coming through here? In which case, I think some explicit connectivity between the apps that run the connected devices needs to be written into the Bill.
Lord Parkinson of Whitley Bay (Con)
Perhaps, if the noble Lord is happy, we can explore this. The example he gives, as he knows, includes software and technology. Perhaps we can have a detailed discussion where we can work through some of those examples. I would be very happy to talk to him about them because on the question he poses the line is drawn in a different place depending on the product and its nature.
Lord Parkinson of Whitley Bay (Con)
Some of the standards in this area have been set in the UK and have already been adopted by other jurisdictions, so I hope that we can give the noble Earl some reassurances. While I acknowledge his point about the time it takes for these to be adopted internationally, in some areas the UK is setting the way, and these are being picked up across the globe.
As I said, while I note the good intentions behind Amendment 1, these are the reasons why the Government are unable to support it. However, I am very happy to pick up the questions about apps and products with the noble Lord and others who wish to join that conversation. I hope that, for now, the noble Lord will be content to withdraw his amendment.
Lord Fox (LD)
My Lords, while that was a relatively disappointing response, I am pleased that we can have the discussion about apps. I thank noble Baroness, Lady Merron, and the noble Earl, Lord Erroll. I think he put his finger on it. If we are to keep pace with the speed of change only through a standards regime without making the companies delivering these products in some way responsible—whether through a code of practice or a duty of care, I am not quibbling—there is no way that a standards regime can keep pace with the innovative speed that international crime is running at on cybercrime.
The idea that we can chase this down the road is wholly wrong. I ask the Minister to sit down with the department and perhaps we can come up with a different way of doing it. I am totally agnostic about how we go about it, but some sense that we are not just chasing this needs to be in this Bill, otherwise it is going to be after the fact. That said, I am happy to beg leave to withdraw Amendment 1.
Lord Fox (LD)
My Lords, I will speak to Amendments 3 and 5 and in support of the other two amendments in this group. All these amendments refer to Clause 1 and seek to add some specificity to its general nature. The first amendment in my name and that of my noble friend Lord Clement-Jones is Amendment 3. This inserts a new paragraph (c) into Clause 1(1), adding the text
“children where they are not primary users of products but are subjects of product use”.
Why is this necessary? Here I am indebted to a report on cybersecurity, the UK Code of Practice for Consumer IoT Security produced by the PETRAS National Centre of Excellence for IoT Systems Cybersecurity. Noble Lords may be aware of this group; it has a very strong record in this area. It is a consortium of leading UK universities dedicated to understanding the critical issues of the privacy, ethics, trust, reliability, acceptability and security of IoT. I commend this organisation to the small number of noble Lords in this Chamber interested in this area.
This report highlighted, among other things, the importance of children’s connected toys receiving the necessary scrutiny, due to the implications of embedded cameras and microphones, with the aim of ensuring the child’s and the parents’ protection and right to privacy. Such devices include a wide range of everyday artefacts with internet connectivity intended for use by children or in caring for them, such as interactive toys, learning development devices and baby or child monitors.
These connected toys and tools have the potential for misuse and unauthorised contact with vulnerable minors. The British Toy & Hobby Association has responded by offering a range of guidance notes and by interpreting the code of practice, but with SMEs manufacturing most of these devices, there is much more to be done to ensure that those organisations are sufficiently informed and equipped to produce and market toys that are secure.
Security is not straightforward, as the Minister has already pointed out. While these devices offer a range of advantages through their connectivity, they also potentially expose children and their families to risks that have not yet been fully articulated to many of the consumers who are buying these toys.
A real-life example is that the toy giant Mattel launched Hello Barbie. The Minister may be familiar with it—I do not know. This was as far back as 2015. It was a very innovative toy which it launched with a start-up business called ToyTalk. The principle of this toy was that it could converse using internet connectivity with speech recognition, so as well as talking it could listen. Hello Barbie also allowed parents to log in later and eavesdrop on their children’s conversations with their toys. I will leave your Lordships to decide the ethics of that.
But this connectivity raised some concerns, primarily around who could listen in and record these devices and store conversations and behavioural and location data, and for what purpose this data could be used. Toys like these are now prevalent and they raise significant questions about the appropriate support and guidance for the toy manufacturers, which understand an awful lot about conventional safety—they know how to make physically safe toys—but do not have a track record on developing informationally and data-safe toys because they have never been asked to do that before. This is a new venture for them, and it requires a totally new set of skills and standards, as the Minister might say.
As technology evolves hacking is increasing in sophistication, so it is necessary to keep moving forward. The challenge for cybersecurity in remaining ahead of the risks is inevitably a technological one, and the Minister may remember that the Hello Barbie toy, having been launched and lauded for its security, was ultimately found at some point to have serious security issues. Even that toy, from a very large manufacturer, fell foul of the progress of information crime.
Nevertheless, it is clear that today some toy manufacturers are releasing connected toys without adequate safety and security features. This is a competitive and dynamic marketplace—a lot of it is to do with price—and first movers are rewarded. In addition, the skillset and knowledge base, as I have just said, for conventional toy safety is mismatched with these new toys and we need to find a way of addressing that divergence. This is going to require investment and new learning and will not happen unless the toy manufacturers are required to do it.
Secure software development and cybersecurity are novel demands on this sector. However, the fact remains that these toy manufacturers are potentially placing consumer safety and privacy at risk. It does not matter whether this occurs due to the immaturity of the sector, market pressures or the lack of sectoral attention to the problem.
In the view of the Petras report,
“there are no indications that this will be addressed through market forces. Instead, the certainty of legislation to maintain standards would level the playing field and make clear for SMEs where they need to invest to make their toys market ready.”
Thus, more than the technological challenge of staying ahead of hackers, what is salient here are the challenges to the implementation of basic security features in manufacturing such as basic authentication and encryption, without which children’s safety and security is at risk.
This amendment explicitly places child security front and centre in this Bill. In other legislation involving the internet and digital issues, such as the Online Safety Bill, the Government have imposed more onerous duties on those delivering services to children than to adults. This amendment would be entirely consistent with that approach—very much in the spirit of understanding that our children and young people are more vulnerable and therefore need more protection from harms.
I turn next to Amendment 5. The eagle-eyed among your Lordships will spot that it is very similar to Amendment 4, proposed by the noble Baroness, Lady Merron, and set out very elegantly by the noble Lord, Lord Bassam. In fact, I would suggest that, largely, its construction is better than ours because they managed to do the same thing in fewer words. I will speak to Amendment 5 but my comments apply to Amendment 4 as well.
Amendment 5 seeks to ensure that:
“Regulations under this section must include provision that all security requirements specified in accordance with this Act are included as essential requirements in statutory conformity assessments and marking procedures under the Radio Equipment Regulations 2017 … and in any other such assessments and procedures applicable to relevant connectable products.”
I am speaking to the spirit of both these amendments. Amendment 5—similar to that of the noble Lord, Lord Bassam—follows on from the advice and help of Which? I thank that organisation, which has really been at the forefront of the consumer issues involved. In essence, the amendment picks up on three of the issues that the Minister tells us will be dealt with in SIs as soon as the Bill becomes an Act, but it takes the rather stronger approach of placing them in the Bill.
Paragraph (a) of proposed new subsection (2A) goes further than the general principle in specifying that passwords are not to be weak. As Which? explains, many smart products push the user to create a password themselves, rather than use a default password. However, they then allow weak and easily guessable passwords to be created, meaning that the risk of compromise stays high.
One of the outcomes of this amendment would be the introduction of a requirement for responsible password policy guidance to be adopted by the industry to ensure that security liability is not simply passed from the device manufacturer to the consumer. The Bill and associated guidance should be amended to clarify that every individual device must have a unique or user-set password that meets effective complexity requirements.
Paragraph (b) of proposed new subsection (2A) seeks to avoid the risk of disclosures going into a black hole or taking many years to fix. The Bill and associated guidance should be amended to make clear what is required of manufacturers, importers and distributors on provision of disclosure policy information, particularly around vulnerabilities. The appointed regulator should also clearly define and distribute a risk assessment framework for vulnerabilities that removes any sense of subjectivity and ensures that the response is effectively mandated.
Paragraphs (c) and (d) of our proposed new subsection concern the length of time a product is supported. The Government should introduce mandatory minimum support periods for smart products and consider whether these periods should reflect how long consumers, on average, continue to use such products. There is a precedent here. New ecodesign and energy labelling requirements came into force in England, Scotland and Wales in 2021. They include a requirement for electronic display items, including televisions, to be provided with firmware and security update support for a minimum of eight years after the last unit of a model has been placed on the market. A consistent approach to support periods for a range of products therefore needs to be considered, and it has already been considered in this other legislation.
Customers need absolute clarity on the support period manufacturers will offer, so that they are able to make more informed purchasing decisions. There must be a clear definition of what the “point of sale” means and how this relates to the definitions of “supply” in Clause 55. Without clearer specifications on what form the transparency requirements will take, there is a risk that this information could be hidden, obfuscated or even mislead. This amendment is designed to probe the Government’s thinking on these very important issues.
Finally, and very briefly, as a signatory to Amendment 2, I give it my full support.
Lord Parkinson of Whitley Bay (Con)
I am very grateful to noble Lords for setting out the cases for Amendments 2, 4 and 5. Since January 2020 the Government have been clear on introducing security requirements based on the three guidelines to which I referred in the previous group.
The commitment to set requirements has been made in response to consultations, published strategies and indeed to the Explanatory Notes to this Bill. Our notification to the World Trade Organization also contained reference to some of these documents. We have put manufacturers, trade bodies and industry representatives on notice. Supply chains are long and surprises unwelcome, so the Government have been very clear on whither we are heading.
Amendment 2 would remove any discretion the Secretary of State has to make regulations. I appreciate that the intention behind tabling it is to explore this issue, and I hope I can assure noble Lords that it is not needed. The regulations will be made, and swiftly. Indeed, we have already consulted on them, in 2020, which I hope gives noble Lords some reassurance that we intend to move swiftly in this area.
Amendments 4 and 5 would insert specific security requirements into the Bill. As several noble Lords mentioned at Second Reading, it is important that technology regulation enables the Government to respond to changes in threat and technology, and to the regulatory landscape. That is precisely why the Bill does not contain details of the requirements that the Government have assured industry they will set out.
Lord Fox (LD)
Perhaps the Minister should consult whoever drew up the legislation that managed to mandate that televisions should be updated for firmware and software for up to eight years after they have stopped being manufactured. Clearly, those people managed to find consensus among the industry—or decided to ignore consensus—and deliver something. If it can be done for electrical display devices, such as televisions, I do not see why it cannot be done here if there is a will to do it. However, I think the Minister is telling us that there is no will to do it.
Lord Parkinson of Whitley Bay (Con)
The noble Lord referred to mandatory minimum support periods for electronic display items and the Ecodesign for Energy-Related Products and Energy Information Regulations 2021. It is not quite correct to say that those requirements are applicable. They ensure that the last available security update continues to be available for at least eight years after the last unit of a product has been placed on the market but the requirement does not ensure that manufacturers continue to provide new security updates over that period to ensure that the product remains secure in response to changing threats.
Lord Fox (LD)
I did not say that those requirements are applicable; I implied that they are analogous. Frankly, the fact that there is some mandating of security support after the product has stopped being manufactured is a heck of a lot better than the situation for all the connectable devices we are currently talking about, where there is no requirement at the moment.
Lord Parkinson of Whitley Bay (Con)
I do not think that they are quite analogous. As I say, it is about the requirement to keep the last available updates available to consumers for eight years rather than evolving them. We do not yet consider that there is sufficient evidence to justify minimum security update periods for connectable products, including display equipment—certainly not before the impact of the initial security requirements is known.
It is important to stress that, as consumers learn more, they will expect more. This will drive industry to respond to market pressure. If the market does not respond to this effectively, the Government have been clear that they will consider the case for further action at that point, but we think that consumer expectation will drive the action we want to see in this area.
Amendment 3, tabled by the noble Lords, Lord Clement-Jones and Lord Fox, refers to children. All noble Lords will agree, I am sure, that protecting children from the risks associated with connectable products is vital. I assure noble Lords that the security requirements we will introduce are designed with consideration for the security of all users, including children, alongside businesses and infrastructure. The Bill already gives the Government the flexibility to introduce further measures to protect children, whether they are the users of the products or subject to other people’s use of a product. We therefore do not think that this amendment is necessary as this issue is already covered in the Bill.
The Bill, and forthcoming secondary legislation, will cover products specifically designed to be used by or around children, such as baby monitors and connectable toys; they include Hello Barbie, which I was not familiar with but on which I will certainly brief myself further. However, we recognise that the cyber risks to children are not limited to the connectable products in the scope of this Bill; indeed, a lot of the issues referred to by the noble Lord, Lord Fox, were about the data captured by some of the technology, rather than the security of the products themselves. That is precisely why the Government have implemented a broader strategy to offer more comprehensive protection to children—including through the Online Safety Bill, to which the noble Lord, Lord Bassam, referred.
I hope noble Lords will agree that Amendment 3 is not needed to make a difference to the Bill’s ability to protect children from the risks associated with insecure connectable products—this is already provided for—and will be willing either to withdraw their amendments or not move them.
Member’s explanatory statement
This amendment would mean regulations with the power to deem compliance with security requirements were subject to the affirmative resolution procedure, as recommended by the DPRRC.
Lord Fox (LD)
My Lords, in his response to the Minister, the noble Lord, Lord Bassam, talked about transparency. The Minister said that he hoped we were reassured by the presence, and indeed the draft, of particular regulations. More specifically on the point made by the noble Lord, Lord Bassam, we would be reassured if the Minister were prepared to share those drafts with Her Majesty’s loyal Opposition and those of us on this Bench, but the Minister has set his face against pre-publishing draft regulations so that we can have a chance. That trust will come if we are trusted in this process, but it does not come for nothing.
I rise to speak to these—whatever the collective noun for amendments is; perhaps a raft or a shedload—amendments, all of which are around delegated powers and secondary legislation, and to move Amendment 6. As we have discussed, in Part 1,
“The core provision is clause 1, which allows the Secretary of State to make regulations specifying the requirements that are to apply for the purpose of protecting or enhancing the security of internet-connectable products made available to consumers in the UK. The security requirements can be applied to … relevant persons.
Clause 3 allows the Secretary of State to make regulations providing that a relevant person is to be treated as complying with the security standard if specified conditions are met. No limits are imposed on the circumstances in which this power would be capable of being used. Subsection (2) provides that the specified conditions may include, “among other things”, compliance with specified standards. But this does not limit the circumstances in which this power may be exercised.
The explanation for the power is given in paragraphs 20 to 22 of the memorandum. The point is made that improving the security of connectable products is a critical global issue”—
which we have discussed,
“and therefore it is likely that many other countries and international standards bodies will introduce standards similar to or aligned with the security requirements imposed under this Bill. The purpose of the power is to allow products which meet these alternative standards to be excepted from the regime under this Bill, provided that those standards achieve equivalent security outcomes and do not weaken the regime established by the Bill.”
Are noble Lords still with me? The Bill’s
“powers will also facilitate mutual recognition agreements and therefore help the UK to avoid placing an undue burden on industry by restricting the free flow of international trade.”
I think we all can see this. I agree with the Delegated Powers and Regulatory Reform Committee,
“that this provides a reasonable explanation for the power contained in Clause 3, it does not explain why it is considered necessary or appropriate for the power to be at large and not limited so that it can only be used where a product is subject to an alternative security regime imposed outside the UK”
and that the Minister needs
“to explain whether the failure to limit the powers in this way is inadvertent; and, if not, why (whether by reference to technological change or otherwise) it is considered necessary to draw the powers more widely than indicated in the memorandum.
Regulations under Clause 3 are subject to the negative resolution procedure. That is based in part on the fact that the regulations will not reduce the effect of the legal framework. But that assumes that other international standards will apply instead.”
This amendment puts forward the DPRRC’s recommendation that
“the affirmative resolution procedure is more appropriate if the width of the regulation-making power is to be retained.”
The alternative is for the Government to narrow that regulation power.
Amendment 9 focuses on regulations under Clause 9(7), which are subject to the negative resolution procedure. This amendment implements the DPRRC recommendation that
“the affirmative resolution procedure is more appropriate if there are to be no limits on the circumstances in which the duty under clause 9 to provide a statement of compliance may be waived.”
Then we have tabled an amendment that removes Clause 9 altogether. Clause 9 is designed to take power to except manufacturers from the duty to provide a statement of compliance. The clause
“requires manufacturers to provide a statement of compliance when a product that is subject to security requirements is made available to the UK. Subsection (7) of clause 9 confers a power by regulations to provide that a manufacturer is to be treated as complying with this requirement if specified conditions are met.
The explanation in the memorandum links this power to the power in Clause 3 to treat a relevant person as complying with a security requirement.
‘Where the government has recognised another standard as being equivalent to compliance with a security requirement using the provisions of clause 3(1), it may be appropriate under certain conditions, for instance where the government has entered into a mutual recognition arrangement with another regime, for the duty to ensure that a product is accompanied by a statement of compliance to be waived for relevant persons in relation to products that meet that standard.’
However, this limitation on the circumstances in which the power will be used is not reflected in clause 9(7) itself, which simply confers a power to treat the manufacturer as complying with the duty to provide the statement of compliance ‘if specified conditions are met’, without any indication of or limit on what those conditions might be.”
As such, the purpose of giving notice of our intention to oppose the question that Clause 9 stand part of the Bill amendment is designed to get to the bottom of the issue and to get the Minister to explain whether the failure to limit the power, as described in the memorandum, is inadvertent; and, if not, why it is necessary to draw the power more widely than indicated in the memorandum.
Lord Parkinson of Whitley Bay (Con)
The feast of amendments in this group aim to implement the recommendations of your Lordships’ Delegated Powers and Regulatory Reform Committee. We welcome the committee’s report and are considering its recommendations, as we always do. It will infuriate the noble Lords who have asked detailed questions when I say that, ahead of setting out our response to the committee, I will not be able to cover all the issues they have pressed the Government on today. I am happy to say that we will set out our response in writing ahead of Report. Perhaps once we have done that, and noble Lords have seen the Government’s full thinking in their response to the committee, it might be helpful for us to speak in detail.
The legislation has been designed to protect people, networks and infrastructure from the harms of insecure consumer connectable products, while minimising the unnecessary regulatory burden on businesses. It does so in the context of rapid technological and regulatory change, evolving cybercriminal activities and a growing impact on people in businesses, all of which require us to ensure that the legislation can evolve quickly and effectively. The UK, as I have noted, is leading the world with its approach to regulating connectable products. As other jurisdictions increasingly turn their attention to this important issue, we will use this flexibility to achieve alignment with equivalent regulatory regimes, avoiding unnecessary duplication. These powers, and the others conferred by the Bill to make delegated legislation, are crucial for it to remain effective. We have carefully considered the number, scope and necessity of these powers, and believe we have struck the right balance between the need for that flexibility and the importance of Parliamentary scrutiny, which noble Lords rightly stressed again today.
We welcome the report of your Lordships’ committee and are considering its recommendations. I am afraid I cannot, at this stage, pre-empt our response, which has to be made while considering the recommendations’ impact on the broader framework. We will return to these matters on Report, and I am very happy to have a detailed conversation with the noble Lords about our response after we have responded to the DPRRC.
The noble Lord, Lord Fox, focused on Clauses 9 and 11. I am happy to confirm that nothing about how the powers are drawn in Clause 9 is inadvertent; this was our intent. Clause 9 contains four delegated powers; they will be used predominantly to provide administrative detail deemed too technical for primary legislation. For example, they will explain what must be included as a minimum in a statement of compliance, what steps must be taken to determine compliance, where appropriate, and for how long a manufacturer should keep a statement of compliance. They will also provide flexibility to respond swiftly to changes in the market. In addition, the delegated powers in this clause may be used in the future to provide that the statement of compliance is equivalent to certain product markings, or external conformity assessments, such that a manufacturer may be deemed to have provided a statement of compliance where such markings or assessments have been made or completed. This is dependent on regulatory changes to product markings and on the development of the assurance sector for product security.
At this stage, and awaiting our response to your Lordships’ committee, I hope noble Lords will agree that it goes without saying that the Government feel these clauses should stand part of the Bill.
Lord Fox (LD)
I sort of thank the Minister for his response, which is really no response at all. He did say that it would infuriate me and he is fairly accurate about that.
As correctly noted, I am merely a cipher for the DPRRC, a very serious committee that does not produce these reports lightly. The point it is making, particularly on Clause 27, is front and centre to this Bill. Who is going to enforce it? Who decides who will enforce the Bill, and how will Parliament know if the Secretary of State decides not to tell it, under the current regulations? These are very serious matters and not ones that your Lordships’ House should step back from. I am sure that the Minister will, on reflection, understand that the DPRRC has a very important point to make. The others are important points, particularly around Clause 3, but the Clause 27 piece is absolutely central to the future of this Bill. That said, I beg leave to withdraw Amendment 6.
Lord Bassam of Brighton (Lab)
My Lords, Amendment 7 is also in the name of my noble friend Lady Merron. This amendment, as the notes to the Bill’s amendments set out, brings online marketplaces which allow relevant products to be listed for sale within the scope of the security requirements outlined in the Bill. We wish to express again our gratitude to Which? and others for their work in relation to online marketplaces, including, but not limited to, Amazon and eBay, which facilitate the sale of many of these products.
Research suggests that a significant number of products listed on online marketplaces could have security and privacy risks. This is prior to the introduction of the new rules for producers, importers and distributors, but it does highlight the importance of ensuring that marketplaces are subject to at least some of the new measures. Following Second Reading, the Minister kindly wrote to noble Lords, as he promised he would, and suggested that in many cases these websites will fall under “at least one” of the categories and, even if they do not, earlier parts of the supply chain will be subject to the new duties. On that basis, the Government say they will not explicitly bring marketplaces within scope of these measures but will keep the matter under review. It is disappointing that the Minister decided to rule out this change without even having this Committee debate. I hope the Minister’s response will go into more detail than the letter, and he will outline exactly what this review process will look like. Importantly, if it becomes apparent that obligations need to be imposed on these businesses, can he outline the process for achieving this? Can it be done under existing powers, or would it require an additional, albeit simple, piece of primary legislation?
This may not be a gaping hole in the Bill, but it does feel like a gap that needs to be addressed. We hope the Government will be persuaded of that in the run-up to Report stage. It is important because we do not often get legislation on this subject and we do not often get the opportunity to deal with issues such as this. I say to the Minister that we need considerable reassurance on this point because of that very fact. The Minister may say that it is all going to be down to regulations. That is not really a complete answer but we look forward to hearing his response.
Lord Fox (LD)
My Lords, I rise to speak to Amendment 8 in my name and that of my noble friend Lord Clement-Jones. These are two ways of doing the same thing so I support the spirit of Amendment 7, about which we have just heard from the noble Lord, Lord Bassam.
This amendment adds the following wording to Clause 7:
“Any person who is a provider of an internet service that allows or facilitates the making by consumers of distance contracts with traders or other consumers for the sale or supply of a relevant connectable product is to be regarded as a distributor for the purposes of this Act, if not a manufacturer or an importer of the product.”
This amends the language that defines a distributor in the scope of the Bill. Online marketplaces are a mainstream form of today’s retail. Which? research in 2019 found that more than 90% of the UK population had shopped through an online marketplace within the month it was polling. That has increased during the pandemic. However, its research also consistently highlighted how online marketplaces are flooded with insecure products. It has previously demonstrated issues with the lack of legal responsibility of online marketplaces for the security and safety of products sold through their platforms.
The Government have recognised the problem, in their response to the call for evidence on product safety, that current safety rules were designed to fit supply chains as they operated before the world of internet shopping. In the realm of product safety, the Government have acknowledged that this can result in the peculiar situation where no actor is responsible for ensuring product safety. This has resulted in organisations such as Electrical Safety First repeatedly finding unsafe and non-compliant products listed on online marketplaces. Therefore, the traditional conception of actors in the supply chain is now outdated.
The Bill defines “distributor” as
“any person who … makes the product available in the United Kingdom, and … is not a manufacturer or an importer of the product.”
At present, it seems unlikely that certain online marketplaces, including eBay, Amazon Marketplace and Wish.com, will be included within the scope of that definition of distributors in the Bill. This will leave, without overstating it, a sizeable gap in the regulatory scope of this market.
Given the amount of insecure tech readily available on online marketplaces, it is paramount that these platforms are given obligations in the Bill to ensure the safety and security of the products sold on their sites, regardless of whether the seller is a third party. However, the Clause 7(5) definition of “distributor” in terms of making products available on the market is in line with existing product safety law, so we know that certain marketplaces are not classed as distributors and hence not obligated to take action. Amazon Marketplace, Wish.com and eBay are marketplaces where other people are selling; this is the issue.
This amendment seeks to expand the definition of distributors in Clause 7 to include appropriate online retailers, such as listings platforms and auction sites, including eBay, Amazon Marketplace and AliExpress. I feel sure that the Minister did not intend for the legislation to miss these marketplaces out; rather than risk this loophole going any further, we will work with the Minister and Her Majesty’s loyal Opposition to come up with some wording that absolutely iron-clads the Bill to ensure that these sorts of marketplaces are also included.
Lord Parkinson of Whitley Bay (Con)
I am grateful to noble Lords for speaking to their amendments in this group, both of which seek to make online marketplaces a “distributor”. It is vital that all products offered to consumers are secure, including those listed through online marketplaces, and we want to ensure that this is achieved in the most efficient way.
The explanatory statement for Amendment 7 suggests that products listed on online marketplaces might not be protected by the security requirements set out in the Bill. I reassure noble Lords, particularly those who tabled Amendment 7, that the security requirements will need to be met for all new connectable products offered to consumers in the UK, including those offered through online marketplaces. These marketplaces often act as a manufacturer, importer or distributor and, in those cases, they are subject to the same duties and security requirements as those three types of economic actor. If, however, the online marketplace does not fall into one of these three categories, the manufacturers, importers and distributors of those products are all still fully responsible for complying with security requirements.
Lord Fox (LD)
This has piqued my interest; how does this exercise relate to the Bill? This process of dealing with the online acquisition of unsafe products would seem to be what the Bill is doing front and centre, so what is that process? How do the two connect?
Lord Parkinson of Whitley Bay (Con)
They are complementary; the new product security framework sits alongside existing legislation on product safety, which is why we want to conduct a review of the safety framework and publish the consultation. I am certainly happy to write and endeavour to explain.
The noble Lord asked whether products sold through online marketplaces fall into a gap in the Bill. The Bill requires in-scope products offered for sale through online marketplaces to customers in the UK to be as secure as in-scope products sold, for example, in physical stores. We are mindful of the variety of services offered by different online marketplaces. Some act only as advertising platforms, while others facilitate transactions and store and ship products on behalf of the seller. As noble Lords have noted, this changes all the time. This must be carefully considered to ensure that businesses can comply with their legal obligations and that any regulation is necessary, appropriate and proportionate to provide the best protection to consumers.
Lord Fox (LD)
I am sorry to keep popping up; being a practical person, I will try to give the Minister a scenario and, if he cannot answer straightaway, he can write. I have bought a product through an online auction that turns out to be unsafe; I go back to the auction site, which tells me, “Not my problem. You have to return to the international manufacturer which made this product”, which turns out to be a brick wall and nothing comes back. First, is that online auction site correct in handing me over to the international manufacturer, which turns out to be a dead end? Secondly, if that site is correct, to whom do I go? Do I go to my local council trading officer or to the person who, under Clause 27, has been mysteriously made the enforcer for the Bill? I may or may not know who they are. How do I seek redress, and from whom?
Lord Parkinson of Whitley Bay (Con)
I will try answer the noble Lord’s question, and I am happy to write with further detail. Products sold on online marketplaces are covered by the Bill. All products sold to customers in the UK will have to comply with the security requirements set out under this framework. Where a product is sold on a third-party online marketplace, the seller will be responsible for ensuring that it is compliant. Third-party sellers who sell new products directly to customers on those platforms will also be covered under the “distributor” definition. I will happily write to the noble Lord with further detail ahead of Report but I hope that, for now, that goes some way towards addressing his question.
Product Security and Telecommunications Infrastructure Bill
Lord Fox ExcerptsMonday 6th June 2022
(3 years, 7 months ago)
Lords ChamberRead Full debate Product Security and Telecommunications Infrastructure Act 2022 View all Product Security and Telecommunications Infrastructure Act 2022 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Consideration of Bill Amendments as at 25 May 2022 - (25 May 2022)
Lord Fox (LD)
My Lords, the Product Security and Telecommunications Infrastructure Bill is another snappy portmanteau Bill from this department—or perhaps I should say, in sporting parlance and in deference to the department, it is legislation in two halves. As we heard from the Minister, it is the second half that has attracted most attention in the Commons and, frankly, from the various lobbying organisations—and it is easy to understand why. Bringing connectivity to a reasonable level across everywhere in the United Kingdom is an aim I am sure all noble Lords share in this House, as do all the MPs at the other end. However, as the Minister alluded to, there are balances that need to be brought into play when we bring this objective forward.
I shall start with the first part of the Bill, the security bit. As the Minister outlined, it is designed to enable us to face up not just to the present but to the internet of things or the network of everything, safe in the knowledge that our appliances are safe from hacking. It is not a future problem, as the Minister outlined: it is with us here and now. The consumer organisation Which? very clearly brought this to bear. It tested a range of devices, from baby monitors to smart speakers, with its ethical hackers and found 37 vulnerabilities with those test devices, including at least a dozen rated as “very high risk” and one as “critical”.
At the heart of this problem is that some of these products may have had inadequate security against threats in the first place, or that they have not been effectively upgraded by the manufacturer during the life of the product, which is why they are at risk of being hacked, as the Minister well knows. The Bill is supposed to make provision to enable the Government, via regulations, to require manufacturers, importers and distributors to make sure that their consumer-connectible products meet some minimum standard of cyber requirement before they are placed on the market. This is the problem that I face with the Bill: the majority of this part of it will come through secondary legislation, so it is hard to see at this point the Government’s objective for consumer rights.
I have looked through the Bill—I have tried very hard—and neither the Long Title nor the text of the Bill sets out what a consumer might reasonably expect from consumer-connectible products in their house. What might they be able to expect through the life of that product in terms of security and hacking? Assuming that there is no such thing as absolute security, following the implementation of the Bill and all its, as yet, unseen statutory instruments, what level of security should the UK consumer reasonably expect for their household, and what is their recourse in the event that that is not met?
The Government’s response appears to be a sort of micromanaging process—for example, as the Minister set out, mandating password protocols. The Government are, in essence, pitching the ingenuity of the department and the support that the department gets against the ingenuity of the criminals and hackers and, to a large extent, micromanaging how those device manufacturers respond to that threat. In a sense, that absolves them of being the innovators; it absolves the manufacturers of responsibility for delivering a security rather than meeting a requirement set out in a statutory instrument. In short, they will need only to follow the letter of the process that the department comes up with through its statutory instrument rather than deliver a level of security. In the view of this Bench, there ought to be a minimum standard of security that consumers can expect. From our perspective, we are looking at the wrong end of the telescope with this legislation. At the very least, there should be an up-front clause that sets out what that minimum expectation should be. Then, rather than micromanaging it, it would be up to the supply chain to deliver security, which would be a legal expectation.
That takes us to the subject of policing. Assuming that the Bill stays as it is, I am interested in Chapter 3, on enforcement. Once again, the meat of this provision awaits secondary legislation. The Secretary of State is responsible for enforcement, but it is not clear to me how she will do it. Perhaps the unit will do this and perhaps a new unit will be set up in the department. Could the Minister explain how enforcement will be managed in light of the 20% reduction in departmental head count being enforced on all departments by the Chancellor of the Exchequer? There will be 20% fewer people to do, yet again, a bigger job. Unless the Minister can set out a plan for enforcement, it is safe to assume that consumers in fact will not be safer when the Act comes into play.
Turning to the infrastructure part, as the Minister said, the Government’s commitment is for there to be a minimum of 85% gigabit-capable broadband by 2025. The Levelling Up White Paper of course talks about maximum coverage later on. The Minister talked about there being 100% coverage as soon as possible. What does that mean in reality—or does it mean nothing? The Minister also spoke about a majority of the country having 5G by, I think, 2027. Does that mean 51% or a larger number? There are lots of parts of the country still chasing 4G, never mind 5G. Can the Minister use this Second Reading to update us further about—and perhaps set out in writing—where the country is in implementing both gigabit and 5G across the whole country, rather than use a percentage? To give a percentage of users is slightly misleading because there are less well-populated areas where users remain very much underserviced. I also ask the Minister to update your Lordships’ House on progress in eliminating Huawei hardware from the 5G network. We are interested to know where that is going and when it might be achieved.
As I expected, the Minister portrayed this legislation as a vital piece in meeting the installation target but, before we get to that, can he tell us how the other pieces are going? As I have said, my recent travels to Devon, Cornwall and my home county of Herefordshire indicate that network coverage remains poor at best and is sometimes not there at all. Given that these are some of the more rural parts of the United Kingdom, I take that to be the standard that most rural communities are surviving through. What extra is being done to get better coverage in these places, rather than focusing on the big numbers—the big conurbations, cities and towns? To date, the evidence suggests that this is not successful. It seems to me that the issues in the Bill are not the issues preventing this happening.
The Bill is about access—I think the Minister was a Whip at the time of the last pass on this. Somewhere in the dog days between two of the Covid lockdowns, my noble friend Lord Clement-Jones and I were climbing through the niceties of multiple-occupancy access and wayleaves in the then Telecommunications Infrastructure (Leasehold Property) Bill—another of the Minister’s snappy Bills. Perhaps this should be the starting point. The Minister mentioned it today but, taking that previous Bill as a template, when it comes to access, what worked and what did not work? I get a sense that access is piece of string that the telecoms operators will keep on pulling for ever, so what has sparked this new Bill, and what did not work under the previous ones? Their briefings seek to raise this as a key issue, but is that really the case? Is the lack of access that I described earlier the overwhelming impediment to the rate of installation, or is it something else? Is it perhaps the rate of investment, the skills available or the capacity to do so many projects overall? I suggest that all three are key elements in the rate at which the installation we need is happening. Can the Minister balance those issues with the issue of access, which is the only issue being addressed in the Bill?
Changing access regulations is also an opportunity to drive down costs. If they are being passed on to consumers, that is no bad thing—but are they? Speed Up Britain, a cross-industry organisation, is campaigning for the Government to close the loopholes—very much in the way that they are—and points to benefits. Other campaigners highlight a potentially catastrophic drop in income faced by local community organisations and local authorities in the rent-to-host infrastructure, such as mast licences, which was caused by the last Bill and will be further enshrined by this Bill; those campaigners estimate up to a 90% drop in income. In a meeting, the department puts the fall at around 60% to 65%. Either way, this is a big fall in income for, say, a local football club.
So who is benefitting from the drop in operational costs? Many of the mobile towers are now owned and operated by towercos which sit between the landowners and the telcos. I suspect that changes in the use of shared apparatus, as heralded by this Bill, will drive more of that intermediate role for towercos or similar. Are these towercos passing the savings through? To date, I think it is very hard to see that consumers have seen any benefit from that fall in cost.
The other delicate balance that has to be weighed carefully is the role of BT Openreach and the need to foster genuine competitivity across the sector, rather than having a collection of niche operators and a 500-pound gorilla. Can the Minister please tell your Lordships’ House how the market for full-fibre and gigabit-capable broadband is currently split, and what analysis his department has of how that will be affected or otherwise by this Bill? There is a possibility that the nature of the changes proposed in the Bill will disproportionately benefit the dominant player in the market, so that analysis will be very important.
As we have said, there are two parts to the Bill: there is a serious danger that the second half activates a series of unintended consequences, while I fear that the principal danger in the first half is that it has very little consequence at all. We look forward to working with the Minister on improving the Bill in Committee.
Lord Parkinson of Whitley Bay (Con)
The noble Lord is eager to hear answers to questions to which I may yet turn; on some of them I will write. Work has been done to identify the regulator, but it would not be right to refer to that person at this stage and ahead of Royal Assent. I will write to the noble Lord on the other points he mentioned. I talked just now about our approach, through secondary legislation, to future-proofing and the reasons for not setting out the first three principles in the Bill. We have set out what those standards will be up front.
My noble friend Lord Holmes of Richmond spoke about the important issue of digital inclusion and skills. We run programmes to give young people the opportunity to learn digital skills and to improve their cybersecurity. More than 100,000 young people have participated in these programmes. We have expanded that with a new online training platform, Cyber Explorers, which aims to engage 30,000 young people, and DCMS funded the creation of the UK Cyber Security Council to create professional standards and pathways for cybersecurity.
The noble Lord, Lord Fox, asked about Huawei equipment in our infrastructure. The Government have undertaken a consultation with the industry on the designation of Huawei as a high-risk vendor and proposed directions relating to Huawei goods and services. The responses we receive will inform any final post-consultation decision on whether to issue the designation notice and direction. The Government have also undertaken a public consultation on a set of draft electronic communications security measures regulations and a draft code of practice, the outcome of which will be published in due course.
Lord Fox (LD)
It was the “in due course” bit that I was interested in. In other words, what is “in due course” in this case—months, weeks, days, years?
Lord Parkinson of Whitley Bay (Con)
I am afraid I am not able to elaborate further than “in due course” at this point, but if I am able to before Committee I will come back with more particulars. The final regulations and code of practice will be laid in Parliament later this year using the negative procedure, as required by the Telecommunications (Security) Act.
The noble Baroness, Lady Merron, asked about the knock-on effect of telecoms operators’ reduced rental payments on the funding of community organisations. It is important to note that the funding for such organisations should not be reliant on telecommunications. There are many funding streams, not least from the Government, to support them and their important work. The National Lottery Community Fund is the largest non-government funder of community activity in the UK and one of the largest arm’s-length bodies that DCMS sponsors. Officials at the department work closely with the National Lottery Community Fund to ensure that it continues to support the evolving needs of civil society organisations. Over the last five years, the fund has distributed £3.4 billion.
The noble Baroness talked particularly about sports clubs. The Government very much agree that sports and physical activity are critical for our mental and physical health, which is why we provided an unprecedented £1 billion of financial support to sport and leisure organisations during the pandemic. We will ensure that community groups continue to get the support they need.
I shall write to the noble Lord, Lord Clement-Jones, on the points that he highlighted that I have not addressed today. I would, of course, be very happy to speak to any noble Lords who would like to talk about any of the issues in the Bill in further detail. I am very grateful to my noble friend Lord Hunt of Wirral and to the noble Baroness, Lady Merron, and the noble Lord, Lord Bassam of Brighton, as well as the noble Lords, Lord Fox and Lord Clement-Jones, for the engagement that we have had in detail already. I would be more than happy to hold further discussions and talk in greater detail between now and Committee.
My noble friend Lady McIntosh of Pickering offered to furnish me with the details of some of the unused masts in North Yorkshire, and I would be very glad to receive them and take them forward to discuss with officials.
Telecommunications (Security) Bill
Lord Fox ExcerptsTuesday 26th October 2021
(4 years, 3 months ago)
Lords ChamberRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 15-R-I Marshalled list for Report - (15 Oct 2021)
Baroness Merron (Lab)
My Lords, this has been my first Bill since I joined your Lordships’ House a little over six months ago. Some would say that I was thrown in at the deep end but in my view, I was simply given the opportunity to swim in rather warm and pleasant parliamentary waters. It has been fascinating and enjoyable and I am very glad that my first Bill has been such an important one for the security of the nation.
The Minister has of course been a constant throughout consideration of this Bill, and we saw his worth recognised as he was promoted from the important role of Whip to the Minister tasked with bringing the Bill home. I thank him for the courteous and professional manner in which he has conducted himself throughout, and I also express my thanks to the former Minister, the noble Baroness, Lady Barran. From these Benches, we also express our gratitude to the Bill team, the clerks, the staff of the House—indeed, all those who have worked front of house as well as behind the scenes to make this Bill possible.
Throughout, it has been my pleasure to work with my noble friend Lord Coaker, who has brought his valuable experience and knowledge to proceedings. We have been blessed to have the highly professional support of Dan Harris, our excellent adviser who has guided and advised us throughout, to whom we express our thanks. Her Majesty’s Opposition strongly believe that our nation’s security is above party politics, and I thank all noble Peers who have worked cross party on this Bill.
New technologies have long transformed how we work, live and, of course, travel. Our experiences during the pandemic have upped the ante on the degree to which we rely on telecommunications networks. At the same time, it has reinforced how intertwined these networks are with issues of national security, including the top priority of any Government: to protect its citizens from risk. This Bill is a necessary step to protect us.
I am very glad to welcome the Government’s acceptance of our arguments that codes of practice, to be issued by the Secretary of State to telecoms providers, must first come before Parliament. However, the Bill raised key questions and concerns, especially given the absence of an effective plan to diversify the supply chain and in respect of our telecom security depending on strengthening our international bonds, in particular through the Five Eyes, involving the UK, the United States, Australia, Canada and New Zealand. I thank the noble Lord, Lord Alton, for his work on that issue.
I hope that the other place will give sympathetic consideration to the changes we have made on both those matters, and that the Minister will recognise that the amendments passed by your Lordships’ House make serious and important improvements to the Bill and have widespread support across the Chamber. My concluding wish for this Bill is that the Government will reflect and feel able to support these improvements to the Bill and the security they provide.
Lord Fox (LD)
My Lords, as the Minister said, this Bill entered the other place a year ago. It has variously been urgent, in the long grass, urgent again and now quite close to passing. I will not delay its passage many more seconds. I have shelved my inner churl, but I absolutely sign up to the comments of the noble Baroness, Lady Merron. There are outstanding issues that your Lordships commented on and put into the Bill as amendments that I hope can be picked up. I hope that when this Bill is finally put to bed, it really does protect the security of this country, and we will work, on these Benches, to help make that happen. There is a lot of unfinished business in this area. I fear that the Minister himself, or one of his successors, may very well be bringing other Bills before your Lordships quite soon.
I thank the Ministers, first the noble Baroness, Lady Barran, and then the noble Lord, Lord Parkinson, for their work and their willingness to communicate with those of us who were seeking to scrutinise this Bill. I join the noble Lord in congratulating the DCMS Bill team, and I hope he did not leave anybody out. I congratulate the noble Baroness, Lady Merron, and the noble Lord, Lord Coaker, on their legislative debuts. I also thank the noble Lord, Lord Alton, for his spirited, highly principled and really important, contributions on the Bill.
Finally, I thank my noble friends Lord Clement-Jones and Lady Northover, without whom this scrutiny would not have been complete, and Sarah Pughe, our legislative officer, for her invaluable support. With that, we wish this Bill onwards, with speed and effectiveness, because it has a very important job to do.
Lord Alton of Liverpool (CB)
My Lords, before we pass this Bill, may I add to a comment to what the noble Lord, Lord Fox, and the noble Baroness, Lady Merron, said? I express my thanks as well to everyone who was on the long list that the noble Lord, Lord Parkinson, gave us, but also to his predecessor, the noble Baroness, Lady Barran. As Ministers, I do not think they could have been more helpful and more responsive to the points we made both in Committee and on Report.
My noble friend also mentioned the all-party amendment moved last week by myself and the noble Lord, Lord Blencathra, which we also raised in Committee. It raises the need for reviews to take place when another jurisdiction—specifically, in this case, many of us cited the United States of America—had banned a particular company which was not banned in the United Kingdom but working within the telecommunications sector.
One example the noble Lord, Lord Coaker, and I gave in our debates was Hikvision, which is banned in the United States. It makes the surveillance cameras that are used punitively against the Uighur people in Xinjiang but are also used in our own high streets and public buildings. That amendment called for a review: that when any such company is banned in another Five Eyes jurisdiction, it is to be reviewed in the United Kingdom. It is a very reasonable all-party amendment, but it was opposed by the Government. Before the Minister completes his remarks today, could he tell us what has happened to that amendment and how the Government intend to respond to it?
Telecommunications (Security) Bill
Lord Fox ExcerptsTuesday 19th October 2021
(4 years, 3 months ago)
Lords ChamberRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 15-R-I Marshalled list for Report - (15 Oct 2021)
“(1A) Regulations under subsection (1) may not be made unless a draft has been laid before, and approved by a resolution of, each House of Parliament.”Member’s explanatory statement
This amendment would require Parliamentary approval before regulations regarding the duty to take specified security measures are made.
Lord Fox (LD)
My Lords, Amendment 1 applies the affirmative procedure to the regulations made under new Section 105B in Clause 1. It requires secondary legislation to be laid in Parliament in draft and to be subject to a debate and a vote in both Houses. Clause 1 allows the Secretary of State to introduce regulations that have wide-ranging consequences for providers, and there is no provision for any independent or specialist formal oversight of these regulations. This continues a worrying trend whereby the Government make key regulations with no meaningful parliamentary scrutiny. New Section 105A introduced by Clause 1 is wide-ranging. In fact, it covers
“anything that compromises the availability, performance or functionality of the network or service”
—I repeat: “anything”.
This means that the Secretary of State has the means to make regulations that have highly onerous provisions, laying down that any provider must take “specified measures” of any kind. This is currently under the negative procedure, which, as we have noted from these Benches on many occasions, gives a near-certain guarantee of their coming into force with a minimum of scrutiny—none, it is safe to say. In Committee, the Minister’s predecessor was adamant that additional scrutiny was not desirable. She said that this was meant for technical people and had to be explained in technical language, which it was not appropriate for Parliament to discuss. However, there is the rub: the Bill covers a huge range of potential issues and, as I said, there is no formal independent or specialist oversight of these regulations, yet the Government said that they were too technical for Parliament to have its say on them. My noble friend Lord Clement-Jones spoke about the Secretary of State having unfettered power and, as usual, he was right.
Since then, the Government have slightly changed their mind, and this is seen in Amendment 3. We welcome Amendment 3 as far as it goes, which, given that it is effectively a negative process, is not very far. It does demonstrate that the Government now believe that your Lordships’ House can review technical issues and that we are capable of this onerous task, which the Minister’s predecessor deemed us incapable of doing. Clause 1 covers virtually anything the Minister decides, and we are in danger of signing a blank cheque. Amendment 1 addresses this issue and gives Parliament particular scrutiny of how these regulations affect the communications networks that are so vital to the UK’s economy and our public life. I beg to move.
Lord Alton of Liverpool (CB)
My Lords, the amendment just moved by the noble Lord, Lord Fox, is about transparency, accountability and parliamentary scrutiny. It puts Parliament into the driving seat. It deserves the support of the whole House, and I hope we will give it.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Parkinson of Whitley Bay) (Con)
My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Fox, for the amendment standing in their names, and I thank the noble Baroness for welcoming me to the Dispatch Box in my new role.
The question underlying this group is whether the new telecoms security framework will have proper scrutiny. Noble Lords have proposed ways to strengthen that scrutiny throughout the passage of the Bill and your Lordships’ Constitution Committee and Delegated Powers and Regulatory Reform Committee have made their own recommendations, and I thank those committees for their work.
In Committee, the noble Lord, Lord Clement-Jones, invited the Government to make a trade-off, a choice, in his words, between
“a loose definition of ‘security compromise’”
and
“a very tight way of agreeing the codes of practice.”—[Official Report, 13/7/21; col. GC 487.]
With that in mind, I turn first to Amendments 3, 4 and 5 in my name—although I should stress, as the noble Baroness, Lady Merron, kindly did, that they also represent the work of my predecessor, my noble friend Lady Barran. We both listened to the arguments put forward in Committee and these amendments represent her views as well as mine.
We have carefully considered the concerns raised and, as the noble Lord, Lord Clement-Jones, invited us to do, we have proposed how to make that trade-off. The government amendments we have brought forward today affect Clause 3. It provides the Secretary of State with the power to issue and revise codes of practice. The code of practice is a fundamental building block of the new telecoms security framework as it will contain specific information on how telecoms providers can meet their legal duties under any regulations made by the Secretary of State.
In its report on the Bill, the DPRRC noted the centrality of codes of practice to the new telecoms security framework. The committee drew attention to the statutory effects of codes of practice and their role in Ofcom’s regulatory oversight, and because of those factors, the committee recommended that the negative procedure should be applied to the issuing of codes of practice. The noble Baroness, Lady Merron, tabled amendments in Committee to implement that recommendation. We are happy to do that. Our amendments today require the Government to lay a draft of any code of practice before Parliament for 40 days. Your Lordships’ House and the other place will then have that period of time to scrutinise a code of practice before it is issued.
We think that these changes strike the balance that noble Lords have called for today and in previous stages. I hope these government amendments demonstrate that we have listened and are committed to appropriate parliamentary scrutiny across all aspects of the framework.
Amendment 1, tabled by the noble Lords, Lord Fox and Lord Clement-Jones, would apply the affirmative procedure to regulations made under new Section 105B in Clause 1. It would require the regulations to be laid in Parliament in draft and subject to a debate and vote in both Houses.
I share the noble Lords’ desire, echoed by the noble Lord, Lord Alton of Liverpool, to ensure that Parliament has a full and effective scrutiny role in this Bill, but I fear we disagree on the best way to achieve it. The only powers in the Bill that are subject to the affirmative procedure are delegated, or Henry VIII, powers that enable the amendment of penalty amounts set out in primary legislation. The Bill currently provides for the negative procedure to be used when laying the statutory instrument containing the regulations.
In the context of these new powers, the use of the negative procedure is appropriate for three reasons. First, Parliament will have had to approve the clauses in the Bill that determine the scope of regulations—Clauses 1 and 2—and the regulations will not amend primary legislation. Secondly, evolving technology and threat landscapes mean that the technical detail in regulations will need to be updated in a timely fashion to protect our networks. Thirdly and finally, as I noted in Committee, the negative procedure is the standard procedure for instruments under Section 402 of the Communications Act. The negative procedure delivers the right balance between a nimble parliamentary procedure and putting appropriate and proportionate measures in place effectively and efficiently to secure our networks.
The two noble Lords will also be aware that the changes they propose in their amendment are not ones that the Delegated Powers and Regulatory Reform Committee made. I accept that they are keen to explore avenues for scrutiny of this framework, but that committee made its recommendation for increasing the scrutiny of this regime, and the Government have brought forward our amendments to accept it. For these reasons, we are not able to accept the noble Lords’ Amendment 1. I hope that they will be content with what we have proposed in our amendment, and may be minded to withdraw theirs.
In conclusion, the Government were asked to make a trade-off. Through the passage of this Bill, we have been invited to provide greater opportunities for Parliament to scrutinise this regime. We have listened to those concerns and we have brought forward an answer. We feel that our amendments maintain our flexibility to adapt to an ever-changing technology environment and give your Lordships’ House and the other place a greater say in its operation, so I invite the noble Lord to withdraw the amendment.
Lord Fox (LD)
My Lords, it was remiss of me not to welcome the Minister formally; I have welcomed him personally, but not formally. Also, it was helpful that he was the Whip during the process thus far, and I should also welcome the new Whip to his seat. I thank the noble Lord, Lord Alton, and the noble Baroness, Lady Merron, for their contributions. The fact that this has been a short debate does not mean to say that it is not an important one. The reason it is short is because we have had the same debate so many times on so many different Bills, with not just this department but others. That is why it is an important issue and why, when the Minister says that we should strike a balance, we agree, but we think the balance is in the wrong place. That is why I am unable to withdraw this amendment and I should like to test the will of the House.
Lord Fox (LD)
My Lords, it is a pleasure to follow the noble Baroness, Lady Merron, and the noble Lord, Lord Alton, in supporting Amendment 8. The Government have talked a good game on diversification but are guilty of much compartmentalisation. They have put diversification on one side and security on the other. As the noble Baroness and the noble Lord suggested, you cannot separate the two. Without a diverse supply chain, there is no security.
The issue of having only two key suppliers, which the noble Baroness, Lady Merron, referred to, is down to the fact that there has been a market failure in this area. If the Government do not intervene proactively to right that market failure, we will not get out of the situation we are in now. The Bill is the only game in town to do that. This amendment is therefore really important. During debates on the Bill, a number of Peers highlighted the words of the Government’s integrated review of security, defence, development and foreign policy. It was clear that a
“diverse and competitive supply base for telecoms networks”
is vital to a secure future. We think these are wise words from the integrated review. As such, we are pleased to support this amendment and will be happy to vote on it in the event that the noble Baroness, Lady Merron, chooses to test the will of the House.
Lord Fox (LD)
My Lords, veterans of the National Security and Investment Bill—I am not sure there are any—will recognise this amendment: it is exactly the same argument that was put forward then. The response from BEIS was to set up a unit, within BEIS, that the relevant Minister said would have the necessary clearance to review potential national security information. It was quite clear to those in your Lordships’ Chamber at that time that that group of people would not get to see the sort of information that the ISC is cleared to see. We are in the same situation now. The Minister will say that there are people in his department who, if necessary, will be able to see the relevant information. That will not be the case and to some extent, those in the Minister’s department making decisions that refer to national security issues will be flying a little bit blind. If this is not recognised, that is regrettable. This is a really important area of security, and decisions should be made on the best available information, with the best available people reviewing that information. The clue is in the name: this is the Telecommunications (Security) Bill, and it is the Intelligence and Security Committee that is best able to review that information. That is why I support the noble Lord’s Amendment 9.
Lord Parkinson of Whitley Bay (Con)
My Lords, I thank the noble Lord, Lord Coaker, for his kind words of welcome and for tabling this amendment. The important matter of parliamentary oversight has been raised a number of times in both your Lordships’ House and another place. I welcome the opportunity to clarify further how appropriate oversight of the Bill’s national security powers will be provided for both in this Bill and through existing mechanisms. The noble Lord’s amendment would require the Secretary of State to provide the Intelligence and Security Committee with copies of a directional notice when such documents, or parts of them, are withheld under Section 105Z11(2) or (3) in the interests of national security.
As regards enforcement, this amendment would also require the Secretary of State to provide the committee with copies of notifications of contraventions and confirmation decisions. Further, it would require the provision of reasons for giving urgent enforcement directions when withheld under Section 105Z22(5), as well as the reasons for confirming or modifying such directions when withheld under Section 105Z23(6).
We thoroughly agree with the need for effective scrutiny of the use of the Bill’s national security powers—that is why we have included measures to facilitate parliamentary oversight of the use of those powers. The Bill requires the Secretary of State to lay before Parliament copies of designation notices, designated vendor directions, and variations or revocations of either, unless doing so would be contrary to the interests of national security. We would expect in the vast majority of cases to lay copies of the directions and notices before Parliament. However, on very rare occasions there may be instances where the Secretary of State chooses not to do so because laying the documents would be contrary to the interests of national security. This would only be done in extremis.
We have already demonstrated our commitment to transparency with the publication of the illustrative draft designated vendor direction and designation notice last November. Indeed, it is in the Government’s interest to publish such documents as it sends a clear message to industry of our intent to use the powers in the Bill where necessary. However, while the presumption is to publish the directions and notices, it is right that we have the option to protect the UK if our national security could be put at risk through their publication.
It is worth noting that, under Section 390 of the Communications Act 2003, the Secretary of State is required to prepare and lay before Parliament annual reports on their functions under that Act. Those reports will show when the Bill’s national security powers have been exercised, whether or not copies of directions or notices are laid before Parliament. This will ensure that Parliament will always be made aware of the Secretary of State’s use of the national security powers to issue designated vendor directions and designation notices.
Having thus been made aware, the Intelligence and Security Committee will be able to request relevant information from the vital organisations it already oversees, such as the National Cyber Security Centre. Moreover, the ISC will be able to request such information at any time from the NCSC in relation to its assessment of high-risk vendors. The noble Lord is right to point to the importance of the committee. Given the cross-party support he enjoys, he knows better than most, as a former Security Minister, the important work it undertakes. The ISC will be able to do the work I have just outlined in line with its remit, as set out in the provisions of the Justice and Security Act 2013 and accompanying memorandum of understanding.
At Second Reading, the Noble Lord, Lord West, noted that the ISC had made a request for its memorandum to be formally reviewed. I understand that the chairman of the ISC has written to the Cabinet Office on these matters and that they are under consideration. Discussions and decisions regarding any changes to the ISC’s remit are of course for the Cabinet Office and the ISC to agree. That is the appropriate route for the ISC’s remit to be considered, not this Bill.
As I am sure noble Lords will appreciate, however, the advice of the security services will not be the only factor that the Secretary of State will take into account when deciding what is proportionate to include in a designated vendor direction. As well as the NCSC’s advice, the Secretary of State will consider, among other things, the economic impact, the cost to industry and the impact on connectivity of the requirements in any designated vendor direction. Those go beyond security matters and indeed fall under the work of DCMS; therefore, the Digital, Culture, Media and Sport Committee is best placed to consider those wider impacts. Hence, that is the appropriate body to oversee the Government’s use of the powers to issue designation notices and designated vendor directions, including where those directions and notices are not laid before Parliament. The Government will work with the committee to ensure that it has access to all the information it needs to carry out that oversight.
Those are the reasons why the Government cannot accept the amendment. I hope that the noble Lord will be content to withdraw it on that basis.
Lord Blencathra (Con)
My Lords, I am used to hearing powerful speeches from my noble friend Lord Alton of Liverpool, but what a delight it was to hear also the speech of the noble Lord, Lord Coaker. He spelled it out exactly: it beggars belief. I cannot believe that my noble friend, a wise and intelligent Minister, will reject this amendment.
I support Amendment 11, which does not detract from the Bill in any way; it does not sabotage the Bill or pull the guts out of it, it merely adds to our arsenal. All it asks the Government to do, as the noble Lord, Lord Coaker, pointed out, is to review the security arrangements with a telecoms provider if one of our vital, strategic Five Eyes partners bans its equipment. We are not calling for a similar immediate ban, or an eventual ban, we are just saying let us review it and come to a conclusion.
Why do I want this added? My motivation is quite simple: I believe this will be another small warning shot to China that we will start to stand up to its aggression. I share the view of the new head of MI5, Mr Ken McCallum, that Russia is an irritation but China is a threat to world peace and our whole western way of life. Yes, Russia—or Putin, more accurately—is nasty and will happily kill opponents, as we saw in Salisbury, and attempt to interfere in elections, but Russia is not capable and is afraid of the consequences of waging a world war.
China, I believe, does not share that view. It is building that massive economic and military capacity to dominate the whole world. It will overtake the USA in military capability in the next few years and has already overtaken all western powers in its attitude to using force. It is not that China wants war: it believes that war will not be necessary, since it will win when we surrender without firing a shot. If it attacks Taiwan, will the USA and the UK rush to support it? I hope so, but I do not hold my breath. China believes we do not have the moral guts to do as we did with plucky little Belgium before the First World War or Poland before the second, and guarantee their security.
To return to this amendment, it is a small symbol of our intention to begin our moral fightback—to say that we will not be bullied by China, either in our universities and supply chains or in the freedom of the seas. China has been achieving world domination by small incremental steps: making the WHO its puppet; infiltrating universities; subtly taking over international organisations; robbing African countries of all their minerals as payback for loans; and stealing every bit of technology that it can. It is, therefore, by incremental steps, such as this little amendment, that we will show that we will not be cowed—that we will resist and not become China’s slaves.
Lord Fox (LD)
My Lords, there are many merits to the plans, set out by the noble Lord, Lord Coaker, in Amendment 10, for the Secretary of State to publish a long-term strategy on telecommunications security and resilience. However, in the interests of time, I will quickly shift my focus to Amendment 11 and disappoint the House by saying that my words will be brief. The House has heard very strong speeches, not just from the noble Lord, Lord Coaker, but from the noble Lords, Lord Alton and Lord Blencathra, and it is a pleasure to see my name alongside theirs on this amendment.
The point has been made three times: this is a very small ask of the Government. Referring back to the point made by the noble Lord, Lord Coaker, working closely with our Five Eyes partners was identified as the whole point—certainly a key objective—in the integrated review. It is one of the central pillars of our security planning. So we are not asking for something outrageous. There is a strong theme of working with our Five Eyes allies across the field of security. The UK has to work with other countries to be effective—and if not with these countries then which?
The UK’s telecoms networks face the same challenges as those of our key allies, and this amendment simply ensures that when it comes to this most crucial component of security—increasingly, communications are at the heart of all our security decisions, whether we are finding things out, transmitting information or looking at what others are doing—we take into consideration what those allies are doing. If we were not doing this, there would be a strong danger of putting a wedge between us and them. Indeed, we began to see that happening with the United States, before this Government decided to change their mind over the Huawei decision—for which some noble Lords present should take a lot of credit.
The question we have to ask ourselves, therefore—it is very difficult to understand the answers, so I look forward to the Minister’s reply—is why the Government are not adopting this amendment. The Minister may take the stance that it is not necessary. If so, it is not a problem and could be included. More worryingly, does the Minister know that this is perhaps the thin end of a wedge, and that there is a lot more technology already installed in our infrastructure across the country that the Government would have to start to remove? If there is, it would be expensive but important to do. Or perhaps the reason is the worst of all excuses: that the Government did not think of it and so are resisting suggestions from others, which is the worst sort of institutional resistance, of a kind that we see all the time.
We on these Benches, therefore, support this amendment from the noble Lord, Lord Alton, and if he sees fit to lead us through that virtual Lobby, we will be virtually beside him.
Lord Fox (LD)
I thank the Minister, and perhaps I am pre-empting what he is about to say, but it seems that, although he has clearly said the answer that I predicted—“not necessary”—the fact that this amendment was brought shows that it is not clear from this legislation that that is what the Minister will be doing. At the very least, whether this gets voted through or not, there is a conversation to be had when this comes back on Report that takes into consideration whether it just limits itself to Five Eyes or goes broader. Will the Minister undertake to think about those things as well, and perhaps comment on that?
Telecommunications (Security) Bill
Lord Fox ExcerptsThursday 15th July 2021
(4 years, 6 months ago)
Grand CommitteeRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 15-III Provisional third marshalled list for Grand Committee - (14 Jul 2021)
The Deputy Chairman of Committees (Baroness Healy of Primrose Hill) (Lab)
I have received a request to speak after the Minister, from the noble Lord, Lord Fox.
Lord Fox (LD)
I thank the Minister and other speakers for this debate, which is really important. The Minister was basically saying in her response, “Don’t worry, we’ve got this covered.” If the Government did indeed have it covered, I suggest that ripping out 40% of the 5G network at the cost of several billion pounds to the industry is a pretty poor cover. The point made by the noble Baroness, Lady Stroud, that it took Back- Benchers to highlight this rather than the Government was particularly apposite.
The Minister portrayed the decision to remove Huawei almost as if it was a success of the process. Will she acknowledge that these billions of pounds are growth that we will not get, that they are investment in this country that has been wasted, and that it has put the country in danger in the process? Will she further acknowledge that there might be others who are able to help in the process of avoiding a repeat of what is a huge debacle?
Baroness Barran (Con)
I tried to present the breadth and depth of approaches that the Government are taking to address this incredibly serious and complex problem. If I may borrow the word used by the noble and gallant Lord, Lord Stirrup, we have tried to show some agility in responding to changing circumstances. The noble Lord will be aware that there were changes to the US foreign-produced direct product rules in May 2020 which changed the risk profile of our engagement with Huawei, and we acted on that, so I do not feel that I have to apologise at this point.
Lord Fox (LD)
My Lords, I commend the noble Lord, Lord Coaker, and my noble friend Lady Northover for this amendment, which I would have signed had she not done so already. We heard at Second Reading an excellent speech from the noble Lord, Lord West, explaining not only why this amendment is important but why certain figures who would normally speak in this debate are not doing so. He explained that the ISC is seeking to change its MoU. As such, he and others would not speak in this particular debate.
However, we have an analogous debate to refer to, which has already been mentioned. Those of us who are veterans of the National Security and Investment Bill have been through this already. I think the noble and gallant Lord, Lord Stirrup, is the only other person in this Room who was involved in it. I certainly spent some of my life on that Bill.
We sent back to the Commons an amended version of that Bill. Your Lordships adopted an amendment not dissimilar from the one in front of the Committee today. That decision was made, as we heard from the noble Lord, Lord Coaker, because the BEIS Select Committee is not enabled to deal with the level of security information it needs to properly scrutinise the operation of BEIS for the National Security and Investment Act. There is exactly the same situation here. I gather, anecdotally, that the BEIS Committee is already hitting issues with getting the information it needs under that Act.
We also heard anecdotally on Tuesday of the debacle over the Newport Wafer Fab, where the BEIS Secretary of State has failed to use the power given to him by the National Security and Investment Act to do something around national security. The noble Baroness, Lady Stroud, is no longer in her place, but once again the ministry was forced by Back-Bench action to reconsider what it was doing. This should not be how things work. It is beginning to look like these are rhetorical points, rather than actually being usable. I hope the same fate does not befall this legislation and that it actually gets used rather than shelved. But in the same way as BEIS, DCMS will have a Select Committee that cannot access the information it needs to scrutinise the activities covered in this Bill.
The noble Lord, Lord Coaker, notwithstanding the stifling atmosphere of this Committee Room, managed to do a very close approximation of complete incredulity over why the Government should not listen to this fantastic advice. I can say that, having gone through the last Bill and seen how resistant the Government are to advice of this sort, this is neither an accident nor a sin of omission. This is a sin of commission. The Government are very clear that they do not want proper scrutiny of what they are doing, and if this Bill remains as it is, there will not be the scrutiny that is needed. Neutering of that scrutiny is not an accident but a deliberate act of the Government.
Baroness Barran (Con)
My Lords, I thank the noble Baroness, Lady Merron, for tabling this amendment, and the noble Lord, Lord Coaker, for moving it. The role and remit of the Intelligence and Security Committee, as noble Lords have remarked, have been raised a number of times in the other place and at Second Reading of this Bill, so I welcome the opportunity to clarify how appropriate oversight of the Bill’s national security powers will be provided for in the Bill and through existing mechanisms.
Amendment 22 would require the Secretary of State to provide the Intelligence and Security Committee with copies of designation notices and designated vendor directions when such notices, or parts of them, are withheld under Section 105Z11(2) or (3) in the interests of national security. It would also require the Secretary of State to provide copies of notifications of contraventions, confirmation decisions, the reasons for giving urgent enforcement directions when withheld under Section 105Z22(5), and the reasons for confirming or modifying such directions when withheld under Section 105Z23(6).
I will try to correct the suggestion made by the noble Baroness, Lady Northover, and the noble Lord, Lord Fox, that the Government are trying to avoid parliamentary scrutiny on this particular point. That simply is not borne out by the way that the Bill is drafted. We are very clear about where parliamentary scrutiny should take place. I recognise the desire of your Lordships for the Intelligence and Security Committee to play a greater role in the oversight of national security decision-making across government, including in relation to this Bill. As I mentioned earlier, through the oversight of the National Cyber Security Centre, the Intelligence and Security Committee can request information around NCSC advice on, and activities relating to, high-risk vendors.
However, this amendment would extend the role of the Intelligence and Security Committee in an unprecedented way. As noble Lords are aware, the activities of the Department for Digital, Culture, Media and Sport are not within the ISC’s remit. That committee’s remit extends to the intelligence agencies and other activities of the Government in relation to intelligence or security matters, as they are set out in its memorandum of understanding.
The noble Lord, Lord Coaker, asked what he called the “central question” of how this will work in practice in terms of security access. My understanding is that according to the Osmotherly rules detailing how the Government may share information with Select Committees, members of the Digital, Culture, Media and Sport Committee are able to view and handle classified and other sensitive material, subject to agreement between the department and the chair of the committee on appropriate handling. Documents may also be shared with the chair of the DCMS Committee on Privy Council terms, subject to agreement between the committee chair and the department.
The advice of the intelligence agencies will not be the only factor that the Secretary of State will take into account when deciding what is proportionate to include in a designated vendor direction. As well as the advice of the National Cyber Security Centre, the Secretary of State will consider, among other things, the economic impact, the cost to industry and the impact on connectivity caused by the requirements in any designated vendor direction. The ISC does not have the remit to consider non-security issues such as the economic and connectivity implications of the requirements in designated vendor directions. The Digital, Culture Media and Sport Select Committee can consider those wider aspects and that is why it is the correct and appropriate body to see copies of designation notices and designated vendor directions that are not laid before Parliament. Any future changes to the ISC’s remit would be best managed through consideration of the Justice and Security Act 2013 and the associated memorandum of understanding.
For the reasons that I have set out, I am unable to accept the amendment and I hope that the noble Lord, Lord Coaker, will therefore withdraw it.
Lord Fox (LD)
Once again, this is a short but important debate, and one of a continuing series. In response to the noble and gallant Lord, Lord Stirrup, we had a short discussion that, to some extent, was crying over spilt milk about why industrial capacity in telecommunications in the United Kingdom is where it is. I think the noble Earl, Lord Erroll, largely agrees with me that it is to do with the purchasing decisions made by near-monopolistic private sector companies based on price. If that is not a lesson for the Government to take forward, we are all doomed anyway.
To turn to the detail of these two amendments, as both the noble Baroness, Lady Merron, and the noble and gallant Lord, Lord Stirrup, have set out, they are about people. Without overrepeating it, I come to the point I was talking about earlier, which is that BEIS is going through a similar process. It is setting up a unit that is supposed to scan the entire industrial landscape for supposed security problems and alert the Minister to decisions that should be made about the future of those companies. These people will have many of the same skills and face many of the same issues, going forward.
First, does the Minister think there is a sufficient pool of people available to cover both these units? Is it sensible to have two units operating in parallel to, and probably in isolation from, each other, with the BEIS unit setting up a telecoms capability, which DCMS will also have? Perhaps the Minister can tell us what conversations are going on between DCMS, Ofcom and BEIS to avoid that duplication. We have already heard that there are too few people so, frankly, it does not make much sense to have two departments competing for the same people.
More broadly, the noble Baroness, Lady Merron, is completely correct that there is a huge issue with the availability of people. Unless the Government pick up major programmes to train and retrain people and look at skills that are completely necessary to move forward, we will be left high and dry without the skills we need to create the sorts of industries that the noble and gallant Lord, Lord Stirrup, suggested we need. That will take time, so perhaps the Minister can say what the plan is. What is the process and what discussions are going on with trainers, universities and employers to deliver the skill set we need?
Of course, we would want to review all this annually, which is why these amendments are here, so the Government necessarily come to Parliament to explain how they are getting on and what they are doing. I am sure the Government do not want us to be suspicious of what they are doing, and the best way to avoid that suspicion is to be open and transparent, rather than try to operate in a black box.
Lord Parkinson of Whitley Bay (Con)
My Lords, these amendments, both tabled by the noble Baroness, Lady Merron, highlight the two important issues that our short debate covered—the role of Ofcom in relation to the Bill; and skills and training, and their effect on telecoms security. I am pleased to have the opportunity to outline some of the work that has already been done in these areas, which I hope explains why we consider these amendments not to be needed.
Amendment 26 would require the Government to complete a review of, and publish a report on, the impact of levels of skills and training on the security of the telecoms network and supply chain. It would require the Government to publish the report within six months of Royal Assent.
The Government certainly agree that it is crucial that public telecoms providers and organisations such as Ofcom have access to people with the skills that they need to keep our networks safe. DCMS published research this year as part of its annual survey, Cyber Security Skills in the UK Labour Market, which found that 50% of UK businesses have a basic technical skills gap. It also found that they do not have confidence in their ability to carry out basic cybersecurity functions and do not outsource these skills.
That is why the Government have a range of programmes already in place to support the growth of cybersecurity skills. Over the past five years, work funded by DCMS has supported over 160,000 young people to forge a career in the cyber sphere. The department has also funded a range of schemes to help adults or career changers to acquire new skills, most recently through the Cyber Launchpad initiative and projects sponsored through the fast track digital workforce fund.
Clearly, there is still much more work to be done to close the cyber skills gap. However, we are making progress. When compared with the 2018 survey, Cyber Security Skills in the UK Labour Market 2021 found that organisations were less likely to report a basic cyber skills gap in areas such as firewall configuration, restricting administrator rights and patching.
Specifically on skills in the telecoms sector, we know that telecoms providers need to have access to people with the right skills to ensure that their networks and services are secure, as the noble and gallant Lord, Lord Stirrup, rightly said. That is why we are creating a pipeline of these skills for the future, with telecoms apprenticeships currently available across the sector, and over 4,500 people starting this year alone.
The creation of the UK telecoms lab, as announced by my right honourable friend the Secretary of State in the other place last November, will facilitate knowledge sharing and promote skills development in telecoms security. The lab will collaborate with DCMS, the National Cyber Security Centre, the newly established UK Cyber Security Council and industry. It will develop and deliver training packages and support the establishment of professional bodies and communities. I hope that these initiatives demonstrate how seriously the Government take the task of supporting telecoms skills, and cyber skills in particular, and why we feel that the review proposed in the amendment is not needed.
I will speak more broadly about our skills agenda. The Department for Education has targeted specific investment in key areas of learning, such as science, technology, engineering and mathematics—STEM—and technical and digital subjects, which could support careers in telecoms. That includes: £2.5 billion of investment in the national skills fund to support adults to retrain and gain the skills they need for the future; nearly £2.5 billion made available for high-quality industry-designed apprenticeships; £500 million a year towards T-levels; up to £290 million to establish institutes of technology across the country, which will be the pinnacle of technical training; and a new £18 million growth fund to support further and higher education providers to expand high-quality higher technical education.
The noble Baroness, Lady Merron, asked about the impact of skills on the removal of Huawei equipment. We have no plans or intention to delay the 2027 target for the removal of Huawei equipment from 5G networks. Indeed, BT, for example, has already shared in the media that it is making good progress on removing Huawei from 5G networks, starting in Hull. We believe that we are on track.
Amendment 23 would require Ofcom to publish an additional statement as part of its annual report, under paragraph 12 of the Schedule to the Office of Communications Act 2002. This statement would contain information about the adequacy of Ofcom’s resourcing, and telecoms providers’ compliance with their security duties. It would also contain Ofcom’s assessment of any future or emerging risks to telecommunications networks, identified by interrogating telecoms providers’ asset registries.
I reassure the Committee that this amendment is also not needed. The Bill already contains a range of reporting mechanisms that will ensure that Ofcom’s role can be properly scrutinised. I will address three of these mechanisms in particular.
First, Ofcom will need regularly to report to the Secretary of State under new Section 105Z, providing information to assist him with the formulation of policy on telecommunications security. New subsection (4)(a) makes it clear that this report must include information on providers’ compliance with the duties imposed on them by the Bill.
Secondly, Ofcom will need to report on telecoms security in its annual infrastructure report. Clause 11 specifies that this should include information on the extent to which providers are complying with their security duties under new Sections 105A to 105D. Thirdly, by virtue of Clause 14, the Secretary of State will need regularly to report to Parliament on the effectiveness and impact of the new telecoms security framework.
The amendment would address three issues. I will take each in turn. The first concerns Ofcom’s resources, on which the noble Baroness, Lady Merron, began. As my noble friend the Minister mentioned at Second Reading, Ofcom’s security budget for this financial year has been increased by £4.6 million. This funding will allow Ofcom more than to double its headcount of people working on telecoms security, ensuring it has the necessary capacity to deliver its new responsibilities under the Bill. The noble Baroness asked specifically about staffing. Ofcom will work with a recruitment partner to secure the specific cyber skills needed to implement this work. This will include seconding in technical expertise to develop its capability further.
As we discussed earlier in the Committee, Ofcom will also work closely with the NCSC, which will share its expertise to support Ofcom’s implementation of the new regime. The noble Baroness mentioned the relationship between Ofcom and the National Cyber Security Centre. As she noted, the two organisations are in the process of developing a memorandum of understanding and have published a statement summarising how they intend to work together. The three key principles set out in that statement are, first, that the NCSC will provide expert technical cybersecurity advice to Ofcom to support implementation of the new telecoms security framework; secondly, that Ofcom and the NCSC will exchange information where necessary and permitted by law; and, thirdly, that the NCSC will continue to provide incident management support during serious cybersecurity incidents to telecoms operators and to Ofcom as necessary. That statement can be found on Ofcom’s website.
The second area of the amendment is a requirement for Ofcom’s annual report to include information on providers’ compliance with their duties under new Sections 105A to 105D. This reporting would duplicate provisions elsewhere in the Bill. Ofcom is already required to report publicly on providers’ compliance with those duties in Clause 11.
The final point in the amendment is about publishing information on emerging and future security risks. This has also been accounted for in the Bill. New Section 105Z(4)(f) already requires that Ofcom report to the Secretary of State any emerging risks it becomes aware of in its annual report on security. The noble Baroness asked about informing the public. It would be at the discretion of the Secretary of State whether to publish this information.
I can assure the Committee that Ofcom takes a forward-looking approach to regulation to ensure that it is robust in the face of market and technological developments. For example, its recent Technology Futures report looked at innovative technologies that will shape the communications industry, with input from the world’s leading technologists.
I hope that I have provided assurance that adequate and detailed reporting requirements for Ofcom are already outlined in the Bill. As I have set out, it already includes provision for reporting on Ofcom’s work, so additional requirements about skills and training are not necessary. I hope that the noble Baroness will therefore be content not to press her amendments.
Lord Fox (LD)
I thank the various noble Lords for their contributions. I will speak to Amendment 24, which bears my name, but I recommend that the noble Baroness, Lady Stroud, reads the Chancellor’s Mansion House speech, in which he calls for a nuanced relationship with China. Failing that, she could read my speech on the first group of amendments, in which I challenged how nuanced a relationship can be with a country threatening both our security and that of its own people. At the heart of the Government’s challenge is to be all things to everyone in this argument. They are doomed to fail if they try to do that.
I turn to the amendment I am supposed to be speaking to. As we discussed at Second Reading, there are essentially three strands to the diversity strategy. The first leg is supporting incumbent suppliers. I was corrected by the Minister: this refers not to domestic suppliers but suppliers we already have, presumably— although it is not explicit—with the ones we do not want having been weeded out. The second is attracting new suppliers into the UK market, and the third is accelerating open interface solutions, which I assume helps the second of those strands in particular.
There is not a strand about growing a domestic industry; some of us—I am one of them—were confused about this. It mostly seems to be about taking advantage of other countries’ businesses that we can trust—or think we can at the moment; I refer the Committee to earlier comments by the noble Earl, Lord Erroll, about today’s allies not always being tomorrow’s allies—rather than massively growing our own national capability. Bearing in mind those three legs, it would be helpful to hear from the Minister how the improvement in the domestic share of this market is planned.
In her letter to many of us on the subject of diversification, the Minister made the point that Vodafone has already attracted six new suppliers, two of which were Samsung and NEC, into the market through the open RAN deployment. I think I asked her at Second Reading when open RAN would become a significant player in telecoms delivery in this country. If she gave an answer then I am afraid I mislaid it, so can she tell us when open RAN will become a significant player or whether it is something of a sideshow? I do not mean that in a bad way; it is a recognition of where it really is in the market at the moment.
The biggest challenge I have with this is that the Government have launched a lot of strategies. They usually come with a glossy document and a picture of a smiling Secretary of State. I can confirm that this strategy is no exception. We have a very nice picture of the Secretary of State, Oliver Dowden, on page 3, but it does not come with a timeline and a delivery plan. The Government would not issue a strategy if they did not have a delivery plan, so I am sure there must be one. I think it would help us all if we understood what the delivery plan is. Perhaps the Minister could share with the Committee the timeline for the delivery of this strategy, otherwise many of us might suspect that it is something that gets only launched, not delivered. I understand that money has been put into it but, again, that does not guarantee that outcomes will be forthcoming.
This amendment has been tabled to reveal how that timeline is going and how the outcomes are being delivered. That is what it is for. It would enable the Government’s spending of taxpayers’ money on delivering this strategy to be tracked by Parliament. That seems a perfectly reasonable function for Parliament to have.
The Minister might come back and say that DCMS is being asked to lay all sorts of things before Parliament. If that is the case, I think that all of us, including me, the noble Baroness, Lady Merron, who spoke very capably on this, the noble Earl, Lord Erroll, the noble Baroness, Lady Stroud, and others are quite capable of coming up with a composite annual report that covers not just the items in Amendment 24, but those in Amendment 25 on strategy, Amendment 23 on Ofcom’s performance, and Amendment 26 on skills. Taken together, I am sure we could put together a composite annual report in the next round of discussions that would save DCMS having to make several different annual reports. I suspect that that might be a way forward and look forward to the Minister embracing this idea, because of course DCMS wants to demonstrate how it is delivering its diversification strategy.
Baroness Barran (Con)
I am grateful to all noble Lords for their contributions to this short debate and consideration of the Government’s ambitious diversification strategy. The amendment tabled by the noble Baroness, Lady Merron, raises the important issue of diversification, which I know is of great interest to your Lordships, as it was to Members in the other place. Diversification is a key part of the Government’s broader approach to ensuring that our critical networks are healthy and resilient. That is why the Government set out their 5G diversification strategy last autumn, and we are fully committed to ensuring that this strategy comes to fruition.
Our long-term vision for the telecoms supply market is one where, first, network supply chains are disaggregated, providing network operators more choice and flexibility; secondly, open interfaces that promote interoperability are the default; thirdly, the global supply chain for components is distributed across regions, creating resilience and flexibility; fourthly, standards are set transparently and independently, promoting quality, innovation, security and interoperability; and finally, security and resilience is a priority and a key consideration in network design and operation. However, the Bill focuses on setting clear security standards for our public networks and services. As the noble Baroness, Lady Merron, pointed out, although diversification is designed to enhance security and resilience, not all diversification activity is relevant to the security and resilience of our networks. That is why we believe the amendment would not be appropriate.
The Government have already made progress since the publication of our strategy, including the creation of the Telecoms Diversification Taskforce, which set out its recommendations in the spring. Work is already under way to implement several of those recommendations. Research and development was highlighted by the task force as a key area of focus in order to promote open-interface technologies that will establish flexibility and interchangeability in the market. As raised by the noble Baroness, Lady Merron, and the noble Lord, Lord Fox, it will also allow a range of new smaller suppliers to compete in a more diverse marketplace.
That is why the Department for Digital, Culture, Media and Sport was delighted to announce the launch of the future radio access network competition on Friday 2 July. Through this, we will invest up to £30 million in open radio access network research and development projects across the UK to address barriers to high-performance open deployments. This competition is part of a wider programme of government initiatives, which includes the SmartRAN Open Network Inter- operability Centre—more friendlily known as SONIC Labs—a facility for testing interoperability and integration of open networking solutions, which opened on 24 June. A number of leading telecoms suppliers are already working together through this facility.
We welcome recent announcements from operators including Airspan, Mavenir, NEC and Vodafone to introduce open radio access networks into their infrastructure. This demonstrates that industry is working alongside us, here in the UK, to drive forward the change needed in the sector. We continue to work with mobile operators, suppliers and users on a number of other important enablers for diversification; for example, we are developing a road map for the long-term use and provision of legacy network services, including 2G and 3G. Alongside this, the Government have led efforts to engage with some of our closest international partners, including the Five Eyes, to build international consensus on this important issue.
We are also working to deliver on UK issues in standard- setting bodies, and working with industry, academia and international partners to ensure that standards are set in a way that aligns with our overall objectives. Ensuring that standards are truly open and interoperable will drive market growth and diversification. Through the UK’s G7 presidency, we took the first step in discussing the importance of secure and diverse supply chains among like-minded partners and the foundational role that telecommunications infrastructure, such as 5G, plays.
The noble Baroness, Lady Merron, asked how we were planning to spend the initial £250 million, which we announced to kick off work to deliver our key priorities. These priorities have been informed by the recommendations of the Telecoms Diversification Taskforce and include: establishing a state-of-the-art UK telecoms lab; exploring commercial incentives for new suppliers; launching test beds and trials for new technologies such as open RAN; investing in an R&D ecosystem; and seeking to lead a global coalition of like-minded partners on an international approach to diversification. In response to questions from the noble Baroness and the noble Lord, Lord Fox, about the growth of UK businesses, we have been clear that we are focused on investing in the UK and in UK businesses, but do not think that a UK-only solution is a wise or realistic option.
We are working closely with operators and suppliers to develop targeted measures that address the needs of industry to deliver our long-term vision for the market. We responded to the task force’s findings in July and outlined our next steps and the use of that initial investment. If the noble Earl, Lord Erroll, has not seen the government response, I am sure he would find it interesting. It also sets out our plans to create a diversification advisory council, which will meet quarterly. I hope that responds to his question.
Baroness Merron (Lab)
My Lords, I am pleased to speak to Amendment 28, which stands in my name. It is the result of a number of recent developments, which I shall refer to. Noble Lords will be aware that on 2 July the Government published their response to the Telecoms Diversification Taskforce’s report and in it announced that the taskforce was now to transition into the Telecoms Supply Chain diversification advisory council, which came up earlier today. The Minister will recall that in response to a Written Question from me she said:
“The Advisory Council will play a key role in overseeing and offering scrutiny to the delivery of the 5G Supply Chain Diversification Strategy. We will also draw on the expertise of the Advisory Council for wider telecoms supply chain diversification issues beyond the RAN (Radio Access Network).”
That is all well and good. However—and this is the point that the amendment seeks to unravel—the Government have also announced that Mr Simon Blagden will be the new chair of this permanent council. Noble Lords will be aware that Mr Blagden was the non-executive director of Fujitsu UK during the Post Office scandal and has donated more than £215,000 to the Conservative Party.
As we have all discussed, diversification is inherently linked to security, so the new advisory council has to provide sound, expert advice that will secure our telecoms network, and we need confidence in that. The point I want to explore with the Minister, as she is already aware from Written Questions that I have submitted, is that the appointment of Mr Blagden raises a number of serious questions about the council’s independence and how the appointment will be able to benefit national security.
In addition to tabling Amendment 28, I have a number of questions to tease out all these points. It is also worth noting that in the past 24 hours there have been reports of a telecoms company, IX Wireless, having given—it has come to light through correct declarations of course—more than £20,000 to Conservative MPs, while the Secretary of State has given this same company glowing endorsement at a launch event, with a promotional film, which I have seen, showing him in his ministerial office with the executives of that company.
I should say to the Minister that it is a question not just of how things are but of how things look. Of course there will be facts on which I am sure the Minister can enlighten us. I have a number of questions in that regard for her relating to an inquiry about the appointment process that was in place for Mr Blagden. Who was involved and which Minister made the final decision? Will there be payment for Mr Blagden in his role as chair? How will the council give independent advice and what happens if Ministers reject that advice? Will there be security experts as members of the advisory council? What knowledge did Mr Blagden have of the faults with the Horizon system during his time at Fujitsu? Can the Minister confirm that Mr Blagden has no remaining financial interests in Fujitsu?
I know that the noble Baroness may not be in a position to answer those questions now. In which case, I hope that she will write to me before we go into the Summer Recess. I beg to move.
Lord Fox (LD)
Before I comment on that excellent speech from the noble Baroness, Lady Merron, I want to return to the answer that the Minister gave on the Newport Wafer Fab issue, which proves the point that we were making on the need for the ISC to be involved. Regarding the ISC issue, the Government furnished themselves with the National Security and Investment Act, which was supposed to deal with issues such as this. However, the Prime Minister has chosen to refer it back not to the people running that unit but to the National Security Adviser, which proves the point that someone with access to national security information is needed to make decisions of this nature, rather than an organisation that does not have access to the information. It absolutely proves the point that our amendment on the ISC is completely appropriate, just as it was appropriate for the BEIS analogue of what is happening here.
The noble Baroness, Lady Merron, made an excellent speech and I am not going to attempt to adorn it either with my normal flippancy or with detail. There is just one issue that I wish to raise regarding Simon Blagden. Are there any outstanding legal liabilities from his time at Fujitsu? In other words, has his activity been fully exonerated or is there potential legal recourse? Other than that, I echo the point that perception of these issues is as important as reality. If the Government continue to operate in a black-box way, everybody will assume that things are going on that they cannot see and that should not be happening. It is therefore in the Government’s interests to be transparent about how that person in particular was appointed and how the advisory council will operate.
Baroness Barran (Con)
My Lords, I thank the noble Baroness, Lady Merron, for tabling the amendment and for giving me an opportunity to provide an update on the work of the Diversification Taskforce and the new diversification advisory council.
The Government recently announced the council, building on the work of the Diversification Taskforce, chaired by my noble friend Lord Livingston of Parkhead. I should like to take this opportunity to offer my thanks to him and the taskforce members for volunteering their valuable time and knowledge to their excellent review. Their recommendations and expertise will remain crucial to helping us bring greater resilience and competition to our future networks as the taskforce now transitions to the new diversification advisory council.
The Government recognise that diversification is a broad and complex issue relating to matters of security and resilience, technology and geopolitics. It is for this reason that we sought the advice of the experts appointed to the diversification task force. Many of the task force members will continue to provide advice as part of the new advisory council. In appointing the membership of the advisory council, the Government have followed all standard processes. The Government have ensured that the council comprises experts from both industry and academia across a wide range of subject matters, including security, of course.
“Oversight by the Investigatory Powers Commissioner
(1) The Investigatory Powers Act 2016 is amended as follows.(2) After section 229(3)(j) insert—“(k) the exercise by the Secretary of State of functions under section 105Z1 of the Communications Act 2003”.”Member’s explanatory statement
This amendment would give the Investigatory Powers Commissioner oversight of the power given to the Secretary of State in this Bill to outlaw the use of individual vendors.
Lord Fox (LD)
I am moving this amendment on behalf of my noble friend Lord Clement-Jones, in whose name it is, who unfortunately could not come today. He figured that this would be taken on day three of the process, but we have got ahead of ourselves. I also thank the noble Earl, Lord Erroll, for his support for this amendment when he spoke to the second group. It is appreciated. I know that he has had to leave.
As Comms Council UK has pointed out, new Clause 105E is not the only new clause to give the Secretary of State extensive powers; there are others. New Clause 105Z1, for example, gives powers to the Secretary of State to outlaw the use of individual vendors, potentially with no parliamentary oversight, if the Secretary of State considers that it would be contrary to national security.
Clause 15 creates a scheme for dealing with particularly high-risk vendors by inserting new clauses into the Communications Act 2003. These empower the Secretary of State to give designated vendor directions where they consider it
“necessary in the interests of national security”
and the requirements imposed are
“proportionate to what is sought … by the direction.”
The designated vendor direction can impose wide-ranging requirements on providers on their use of
“goods, services or facilities … made available by a designated vendor specified in the direction.”
While vendors are entitled to notice of their designation if “reasonably practicable” to do so, they are not entitled to be consulted or informed of the reasons for the designation if the Secretary of State considers it contrary to national security. Vendors are also entitled to notice when directions are imposed on providers or when a designated vendor direction is revoked, but this right does not apply if the Secretary of State considers it contrary to national security.
The effect of all this is that, while a vendor may know of its designation, the providers with which it does business can have various restrictions imposed because of their relation to the designated vendor without the vendor knowing the reasons or possibly the existence of such directions. This is complicated but serious, and in several scenarios the vendors would have no real prospect of mounting any legal challenge, even under the closed material procedures provided for in the Justice and Security Act 2013.
Cutting to the chase, this amendment would give the Investigatory Powers Commissioner oversight of the power given to the Secretary of State in the Bill to outlaw the use of individual vendors. Without this, we are telling suppliers that they essentially have to operate without full legal protection. I cannot help thinking that this will discourage the future investment we need. I am interested to hear how the Government think they can mitigate an essentially Orwellian situation in which people find themselves in an adverse legal position but they do not know why, and sometimes they do not even know that they are there. I beg to move.
Baroness Merron (Lab)
My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Fox, for tabling this amendment. I do not have too much to add to this brief and interesting debate, but I take the opportunity to thank the Constitution Committee for its report on the Bill.
At Second Reading the Minister said:
“Oversight of the Investigatory Powers Act regime by the Investigatory Powers Commissioner is considered appropriate because of the potential intrusion into the private lives of individuals as a result of the use of covert powers. The national security powers in this Bill are very different from those in the Investigatory Powers Act”.—[Official Report, 29/6/21; col. 747.]
However, she did not say why it would be wrong for the commissioner’s remit to change. This is the one point I put to the Minister, and it would be helpful to have a response.
Lord Fox (LD)
I thank the Minister for his response—but not much. There is a tendency, which has come through in this and lots of other Bills, for representatives of Her Majesty’s Government to stand up and completely ignore important committees of this House. The Constitution Committee and the Delegated Powers and Regulatory Reform Committee are not any old committees; they are very serious. The way in which their advice—or rather more than advice—has been dismissed across the board by both Ministers in this debate is a serious development. I implore representatives of Her Majesty’s Government to take those committees more seriously, because their not being observed is somewhat an abuse of process.
That said, I will read the Minister’s response in detail, with a suitably socially distanced lawyer to advise me. I do not think we have heard anything that makes this amendment less needed but, at this stage, I beg leave to withdraw the amendment.
“Definition of public electronic communications network
In section 151 of the Communications Act 2003, in the definition of “public electronic communications network”, at the end insert “, including—(a) landline communications systems;(b) mobile data, audio and video networks;(c) digital surveillance networks;(d) satellite delivered networks;”.”Member’s explanatory statement
This amendment clarifies the definition of “public electronic communications network”.
Lord Fox (LD)
We are down to the irreducible minimum. During my Second Reading speech, I asked the Minister about the range of technologies covered by the Bill. I do not recall getting a meaningful answer, so I thought I would try again using this as a probing amendment.
The noble Baroness, Lady Merron, talked about the creativity of your Lordships. I am now going to test your memory functions, which I know can sometimes be stretched in this House. I would like your Lordships to cast your minds back to 2003, the year when the Nokia 1100 mobile phone was introduced. Few noble Lords will remember the number, but most of you will remember the phone. It was an iconic phone that took over mobile telephony. For those who would like to see one, I have two and, for as long as 3G is available, they will continue to work. More than 250 million of these basic GSM phones were sold. It was the best-selling consumer electronics device in the world at that time—the state-of-the-art communications device—and was discontinued in 2009.
Meanwhile, at the same time, the Communications Act 2003 was introduced to regulate machines such as the Nokia 1100. This has not been discontinued but has enjoyed several patches along the way. As I have said, this is a probing amendment seeking to clarify the definition of “public electronic communications network” within the 2003 Act. I think you see what I have done; I have tried to illustrate that the world has changed a bit since 2003.
The amendment seeks to amend Section 151 of the Communications Act by adding a contemporary definition of the range of communication networks that increasingly have emerged since the Act was conceived, when Nokia ruled the roost. It would introduce a new clause to the Bill that would define the “public electronic communications network” as
“landline communications systems … mobile data, audio and video networks … digital surveillance networks … satellite delivered networks”.
My first question to the Minister is: in her opinion and that of the department, which of these categories is covered by the Bill and which is not? I also have some specific scenarios that I would like the Minister to consider. The noble Baroness, Lady Merron, will be pleased to note that they are focused on the consumer—an issue she addressed earlier in the week.
First, when broadband or 5G are delivered by satellite, whether by the BEIS-owned OneWeb or the Musk-owned SpaceX, to what extent is the satellite element covered by this legislation?
Secondly, when a facial recognition camera captures an image, sends that image to a database using a closed network and, in turn, contacts either a public sector or private sector operative via a smartphone, which part of this—if any—is covered by the legislation?
Thirdly, data is being relayed back and forth over smart speakers—Alexa and its, or her, colleagues—so do these transactions fall within the purview of the Communications Act or the Bill? For example, with smart speakers, does the Bill cover only the transmission and not the speaker itself? If that is true, what, if anything, covers the security integrity of the speaker and its software?
My fourth question concerns data travelling between smart meters, home thermostats, camera doorbells and the ever-increasing internet of things. How is their security and integrity protected by the Bill? If the answer is that they are not protected, where do these modern manifestations of communications fit in? How is the security of these things being protected for the consumers of today?
This is not just a piece of legislative housekeeping. The noble Lord, Lord Alton, raised other potentially risky companies in his speech on Amendment 1; at Second Reading I raised a range of other companies. I will not repeat them but they are in Hansard. These are just a few of the businesses involved in the sorts of activities that I have just outlined, so by understanding which activities are included in the Bill we may start to understand which companies and technologies it includes. It is about how satellites, cameras, smart speakers and the internet of things fit in the purview of what is now called communications. Times have changed since 2003. Can the Minister please update us? I beg to move.
Baroness Merron (Lab)
My Lords, I thank the noble Lords, Lord Fox, Lord Clement-Jones and Lord Alton, for tabling this amendment. The noble Lord, Lord Fox, has set out why they believe this definition of a public electronic communications network is needed. I also appreciated his reference to the importance of consumers, who, after all, are core in all our discussions.
It is important to hear from the Minister whether she believes that this definition is limiting for security purposes and what impact it would have. Perhaps she can advise on whether she feels that anything is missing which should be in there. Would this definition inhibit the future-proofing ability of the Bill? I look forward to hearing from the Minister.
Lord Fox (LD)
My Lords, there are more Bills to follow; I fear that I am being drafted into the purchasing Bill and the other Bill that the Minister just mentioned.
The Minister is wrong to conflate data protection with security—we are talking not about data protection but about security. There is a big difference between the role of the ICO and that of security. I do not think that that helps answer the questions that I was asking.
Perhaps this is for the Bills to come rather than today’s Bill, but there is something about the collective threat. If everybody’s smart meter is shut down that is a national emergency, not a personal emergency. There is a national security issue around personal data devices and somewhere, whether in this Bill or those to come, there needs to be the recognition that collective security happens when everybody’s systems are secure from threat. If I were a terrorist, it would be much easier to do those kinds of things than doing some big, national thing that is protected by the National Cyber Security Centre.
That is the point of what I am putting forward. The internet of things increases the security risk to every home all the time. Similarly, every time someone turns on their GPS locator, they are putting themselves into a system that is followed. The Minister carefully used the phrase wholly or majority use data. Increasingly with cars and satellite navigation systems, and when we move to electric and autonomous locations, all that data is becoming publicly available. In other words, my car is fed into your car, which is fed into her car to make sure that we do not run into each other. The idea that somehow you can draw these lines and say that only 10% of the data is used in a public way and 90% is not starts to become irrelevant, if it is not already. That is what I am trying to highlight.
I did not expect for a minute the Minister to say that the Government would amend Section 105 of the Act. The point was to really highlight this issue, because if the Government do not address it in this way or another then personal security on a mass level is compromised, which then becomes a national security issue. That was the point of the amendment. Having raised it, I beg leave to withdraw the amendment.
Telecommunications (Security) Bill
Lord Fox ExcerptsTuesday 13th July 2021
(4 years, 6 months ago)
Grand CommitteeRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 15-II(Rev) Second marshalled list for Grand Committee - (13 Jul 2021)
Lord Fox (LD)
This is an interesting debate—one that we started about a year ago. During the summer, on the then Telecommunications Infrastructure (Leasehold Property) Bill, many of these arguments were rehearsed. This Bill was held out, in a sense, as the carrot that would address these issues, and it has been some time coming.
To some extent, the initial issues that came up last year have been discounted, with the Government largely moving on the Huawei issue. However, as we have heard—and will hear over the course of Committee—many questions are unanswered. We should once again thank the noble Lords, Lord Alton and Lord Blencathra, and my noble friend Lady Northover for bringing forward these amendments, as well as the noble Lord, Lord Coaker. I will be interested to hear his perspective as, having been a Minister, he understands some of the trade-offs in decision-making—it is interesting that he chose to sign this amendment none the less.
I thank the noble Lord, Lord Naseby, for his Second Reading speech. He could not give it to us at Second Reading, so we got it anyway. There are some issues around industrial capacity which I will come back to.
The noble Earl, Lord Erroll, picked up a point on which I queried the Minister and did not get a response: at what point are we examining this technology? You have systems, sub-systems, components and software. Frankly, if we are doing this, it must be done at all levels. The capacity to do that and track a chip, a piece of software or something in the software which we do not even know is supposed to be there is a huge task. Do we have the capacity in the intelligence services, and the industrial ability, to do it? It is a very important question, as there is not much point having this if we cannot actually do it.
Before speaking to Amendments 1 and 20, I will say a few words on Amendment 27, the Five Eyes element. As we know, this requires the Secretary of State to review the UK’s security arrangements with companies banned by Five Eyes partners and to decide whether to take similar action on the UK’s arrangements with those companies. As I think my noble friend Lady Northover said, the Minister will no doubt say that we do this anyway. If we do this anyway then, to some extent, we should not be afraid of putting it in the Bill. It is important that we walk in as lock-step a way as we can with our Five Eyes partners, but the point of the noble Earl, Lord Erroll, is apposite; China understands that and will play the Five Eyes against each other. We must be aware of that; we must not be slavish in how we respond but canny, and work with our partners so that they understand why we are moving in the right direction.
Again, this comes down to capacity. The noble Lord, Lord Naseby, asked who does it. The NCSC is supposed to provide the ammunition for the Secretary of State and Ofcom to operate on. There are big questions around the interface between the NCSC and Ofcom and how they relate to each other. How, for example, does the highly secret information the NCSC is dealing with get to DCMS and Ofcom without either breaching security or eroding transparency, or both? We have big concerns about that, and obviously it will come up later.
The noble Lord, Lord Alton, raised Newport Wafer Fab, which until recently I thought was an ice cream firm somewhere in Aberystwyth. However, now I find that, as he set out, it is our only supplier of this equipment. That is an object lesson in itself but it is also completely appropriate to this point. In its response, BEIS confuses manufacturing capacity with technical novelty and has the idea that, because this is not technically novel, that somehow stops it from being valuable to this country. However, manufacturing capacity is central to the delivery of future technical novelty, and if you want somewhere to look, look at the communications industry. We were pre-eminent global leading companies in analogue communications technology; no country could match us. We lost that manufacturing capacity and the ability to innovate in the digital space, and that is why we have the supply chain issues we have today. If the Government have not learned this lesson, and it seems that BEIS has not, we have a long way to travel yet before we get to a sensible place.
In a sense we have heard from the noble Lord, Lord Alton, and others about specific issues but I would like to rise up a bit and look at the bigger picture slightly. In his Mansion House speech on 1 July 2021, Rishi Sunak crystallises the challenge and perhaps the dichotomy, and points us in a number of different directions at the same time. Your Lordships must excuse me, but I will read out a fairly lengthy passage which is appropriate to this debate. He says:
“And our principles will also guide our relationship with China. Too often, the debate on China lacks nuance. Some people on both sides argue either that we should sever all ties or focus solely on commercial opportunities at the expense of our values. Neither position adequately reflects the reality of our relationship with a vast, complex country, with a long history. The truth is, China is both one of the most important economies in the world and a state with fundamentally different values to ours. We need a mature and balanced relationship. That means being eyes wide open about their increasing international influence and continuing to take a principled stand on issues we judge to contravene our values. After all, principles only matter if they extend beyond our convenience. But it also means recognising the links between our people and businesses; cooperating on global issues like health, aging, climate and biodiversity; and”—
here we come to the rub—
“realising the potential of a fast-growing financial services market with total assets worth £40 trillion”.
What does a mature, balanced relationship look like in context? How nuanced are the examples that we have just heard about the Chinese? First, we can see that because of advanced concerns around the security of at least one Chinese vendor, the UK Government are mandating equipment to be torn out of our existing infrastructure and thrown away at the cost of several billion pounds. That is not a nuance. Secondly, we have heard from the noble Lord, Lord Alton, this time and previously, and we have seen the evidence of malevolence within China to its own people on a scale that is, let us say, unusual even for the age in which we live. Thirdly, we can see transparently what is going on in Hong Kong. That in itself is not a nuance either. Fourthly, we have the Chancellor’s stated desire to realise the potential of a fast-growing financial services market.
All this is the context in which Amendments 1 and 20 have been tabled. This gives the chance for the Minister to explain where she and the Bill sit on that nuanced scale, as the Chancellor puts it. He clearly sets out that the Government’s principles will guide our relationship with China, so what are those principles?
Lord Coaker (Lab)
My Lords, this is my first Grand Committee appearance, and I hope that I do not disappoint the noble Lord, Lord Fox. I have been in a number of committees, but not at this end of the building. I am still getting used to some of the processes and procedures, but I am very pleased to be speaking on this Bill.
From our perspective, the Bill is very welcome. The Government are clearly addressing a very real security concern that our nation has, and, in trying to deal with it, have not just my support but that of every single Member of the House of Lords. It is our country, and we want it looked after and defended properly. Many of the amendments and the comments that have been made so far today, and which will be made throughout the Committee and no doubt at Report and beyond, are about challenging the Government, not from an oppositional point of view but from one of trying to improve the legislation. We want to ask the Government testing questions to see where their thinking is. That is what all the various speakers have done so far today.
There are a number of particular issues. As others have said, the amendments in this group, from the noble Lord, Lord Alton, deal with the international context for the security of the telecommunications sector, however you define that. This is really important, because it affects—not infects—every single part of our lives. The noble Lord, Lord Alton, gave the example of Hikvision and CCTV. Whether it is the hardware or the software, this demonstrates that there are examples of new technology and telecommunications which impact on all our lives but which many of us probably do not view as causing a potential security threat to our country and nation. We have only to look at where that is going—whether you look at this sphere or the defence sphere—to know that we are going to see an increase in telecommunications, and in the use of space, drones, artificial intelligence and all those sorts of aspects.
One thing that I will talk about in other debates on other amendments is how you future-proof this—and that is part of some of the later amendments. Hikvision, which the noble Lord, Lord Alton, raised, is an interesting instance. At the nub of it is that, if our allies, who we depend on for our collective security, are banning companies such as Hikvision, as in the United States, how is it in our interests to defend our own security to not do the same? It is unfair to say that it has not been thought about, but there is something of a disjointed approach when one of our closest allies—if not our closest—has banned a tech company that we use. I am sure that there are very good reasons for it, and the Civil Service and others will no doubt tell the Minister X, Y and Z, but it defies common sense. Whatever the reality of it, it just does not appear to be a sensible option, so I very much support the example that the noble Lord, Lord Alton, gave. That is one of the reasons why I added my name to Amendment 27.
With regard to NATO and Five Eyes on a domestic and international level—I shall return to this point on Amendments 18 and 25—who actually holds the ring? Who is the person or what is the department that co-ordinates all this activity across government? Who holds the ring across government? You could say that it is the Prime Minister, but the Minister will know what I mean. Out of all the various aspects of government, who actually in the end decides? And if there is a conflict of interest between them, who then is the judge of that and how does that work on an international level? But as I say, that is more to do with Amendments 18 and 25.
Amendment 27 in particular, as I said, ensures a review of telecoms companies when a Five Eyes partner bans the operation of a vendor of goods or services to public telecommunications providers in its country on security grounds. That is eminently sensible. It a review. The amendment is, essentially, testing the Government by asking, “Why wouldn’t you have a review?” Why would you not—to use a security term—keep that under surveillance?
The Deputy Chairman of Committees (Baroness Healy of Primrose Hill) (Lab)
I have received a request to speak after the Minister, so I call the noble Lord, Lord Fox.
Lord Fox (LD)
I congratulate the Minister on introducing the Barran scale of nuance, which will no doubt become a classic in future. She did not address the issue of componentry, if you follow my drift. It seems to me, in analysis, that what tipped the balance in the sense of Huawei was the absence of American-made chips. Were that not to have happened, the NCSC would not have recommended the widescale removal that we have seen. That appears to be the implication. There seems to be an element of component monitoring going on, although in this case the monitoring appears to have been done more by the Americans than by the United Kingdom. It comes back to that fundamental point: at what level is the Bill going to be applied? Will it be applied on the overall capability of the system? In other words, is it a systems capability issue? Is it a subsystem operational outcome view, the individual pieces that go to make those subsystems, or the software that drives the overall system? How will the Bill actually be put into process?
Baroness Barran (Con)
I may need to write to the noble Lord about the technical details he has set out. I think for the approach to be effective it needs to incorporate all elements of that. An overall system cannot be a capable system if the subsystem is not. There needs to be coherence across the equipment that is supplied and our understanding of how it operates in practice and the component parts to inform the judgment about its security or not. I am happy to follow up in writing if he is agreeable.
The Earl of Erroll (CB)
My Lords, I rather agree with the noble Lord, Lord Clement-Jones, on this matter. The Bill is meant to be about security, not about “anything”. I have seen this happen with other legislation—that it suddenly becomes convenient to take something never intended for another purpose and, because it is very broadly worded, use it to beat some company or someone over the head over something completely unrelated. I am afraid that I agree that the Bill needs to be tightened up and brought down to security issues, not just “anything”.
For starters, a powerful, predominant supplier of routing equipment in the IP network would be a security risk. If anyone relies too much on one supplier—and they may unfortunately be pushed in that direction—it becomes a security risk, and we may have to close down some providers: “Oh dear, that’s our network finished”. That would be stupid. We are going to be anti certain companies. Companies get based or controlled elsewhere as takeovers happen internationally, so I see a certain amount of difficulty with this if it is very wide.
I come to what the noble Lord, Lord Fox, said. The reason we lost our manufacturing, of course, was that BT selected Huawei as the preferred supplier of the 21st-century network rewrite in 2005. That is the point at which we closed down our capability, effectively being blackmailed by America to get rid of Huawei while potentially blackmailed by Huawei, which could get too much control. We need to look at these strategic decisions where private companies that used to be government suddenly make companies that affect UK security. I have never been happy about that.
Lord Fox (LD)
My Lords, in response to the noble Earl, Lord Erroll, I say that it is also a huge issue when you have, essentially, a near-monopolistic private sector supplier, which makes any decision completely catastrophic for the under-bidder. I am speaking not to that but to Amendments 2, 3, 4, 5 and 6, which, as my noble friend Lord Clement-Jones pointed out, bear my name. He set out a very clear rationale for these amendments, which back up the concerns of the Constitution Committee and, indeed, some suppliers. Rather than reiterate those, I beg noble Lords’ indulgence to illustrate the point, inviting them to join me in a thought experiment. They need not worry—it is not going to hurt and I will not be pushing them into a Petri dish or anything like that. I simply ask your Lordships to imagine things the other way around: imagine that the Telecommunications (Security) Bill did indeed include the words currently proposed by my noble friend Lord Clement-Jones and myself, words that clearly identify that the focus of the Bill should be on the security of telecoms.
I ask noble Lords to continue to use their imagination that it was my noble friend and I who were proposing changes to include the words that are currently there; in other words, imagine that we were proposing to take the word “security” from this imaginary Bill and turn it into “anything”. Broadening the cover, as we have heard, would broaden the problem around any interruption very widely. I do not know but I dare say that, if we tried to do that, the Public Bill Office would have something to say, pointing to the Long Title of the Bill, which is:
“To make provision about the security of public electronic communications networks and public electronic communications services”
—in other words, security. Were we to try to take that word out and put in “anything”, I dare say the PBO would not allow us to do so.
If we did however slip it past the PBO, I guarantee that the Minister of the day would tell us that this would subvert the Bill’s intention and would take away the Bill’s focus from security to some of the imaginary things that the noble Lord opposite suggested—or, indeed, a digger backing into a green box somewhere in Kent. This is not the “Telecoms (Mishaps) Bill” but the Telecommunications (Security) Bill. These simple and modest amendments focus the Bill on its stated objective.
Lord Coaker (Lab)
This is a really important discussion. I do not want to speak for too long but the noble Earl, Lord Erroll, was right to say that the Bill is about security and not just “anything”. None of us on the Committee wants to compromise the nation’s security or compromise the ability of our military personnel to conduct necessary operations. However, sometimes in legislation words really matter—they are the law of the land. That is why scrutiny of legislation in Committee like this is so important, word by word and line by line, otherwise—and I will have a series of questions for the Minister on this—down the line in one, two, three or five years, something will happen and everybody will go, “How was the word ‘anything’ included?” The unintended consequence of legislation is something that we need to consider, or people will ask how something happened—how that word was allowed.
With that in mind, it is important that the Minister explains to the Committee how this definition is arrived at. The starting point would be to ask her to explain the differences between having the word “anything” and having the phrase “security issue”. Can she give examples of how the Bill would be weakened by having that term rather than “anything”, and what “anything” means—apart from saying that it means “anything”? What does it actually mean, given that the Bill is supposed to be about security issues, as the noble Earl said?
The Government argue that the duty on providers is appropriate and proportionate to ensure that the effects of compromise are limited and to act to remedy the impacts. I understand why Ministers are keen to keep the definition wide, but on its own it is not good enough. For example, can the Minister explain whether there are any thresholds to what amounts to a security compromise, or is it “anything”, and what does that mean to an individual who might stray into territory that they are not sure about? How was the Bill’s definition arrived at? Who came up with it and what advice did they receive? Were alternatives suggested to it, what did security experts say to the Minister was necessary, and were there dissenting voices?
In seeking clarification, I wonder whether the Minister can explain why the definition does not include, as I understand it, the presence of supply chain components, as the noble Lord, Lord Fox, mentioned on the earlier group of amendments, if they represent a security threat. Maybe it does—but could the Minister clarify that? We need to know that to understand the diversification of the supply chain and how effectively or not it is proceeding. It is important to consider the components of the supply chain, particularly when identifying where they are a threat to our national security. As I see it, that is not included in Clause 1, but perhaps the Minister can tell me that it is and that I have not read the clause correctly. If so, where is it?
I go back to where I started. These amendments are important in testing how the Government have arrived at this use of “anything”. I know it sounds like semantics —what does “anything” mean?—but the point made by the noble Earl, Lord Erroll, is crucial. The Bill is a security Bill. That being so, why does “anything” appear and why is “security issue” not the appropriate way to describe this? Why is it not included in the Bill? It is necessary for the Committee to understand the Government’s thinking on this for us to consider whether we need to bring back this matter on Report.
The Deputy Chairman of Committees (Lord McNicol of West Kilbride) (Lab)
I have received one request to speak after the Minister, from the noble Lord, Lord Fox.
Lord Fox (LD)
The Minister brought up the review, which was very clear that there are huge potential market failures within the security and resilience telecoms market, the reason being that security is not valued by the networks. It is other things, such as network connectivity and price, which are of maximum importance to those networks—things that might come under the word “anything”, for example.
Let us be clear about the four reasons given by the review that security is undervalued by networks: insufficient clarity on cyber standards and practices; insufficient incentives to internalise the costs and benefits of security; lack of commercial drivers, because consumers of telecoms services do not tend to place a high value on security; and the complexity of delivering, monitoring and enforcing contractual arrangements in relation to security. All four of those issues, which I think are driving the purpose of this Bill, involve the word “security”. Far from these amendments watering down the intent of the Bill, the Minister is watering it down herself by including the word “anything” and ignoring the word “security”. I do not expect her to accept these amendments now, but I would like the department to go away and think about this very carefully, because a catch-all Bill catches nothing.
Baroness Barran (Con)
I hear the noble Lord’s concerns. We will of course take back his comments and reflect on them again. However, I know that officials working on this Bill have considered these points in enormous detail and would be happy to meet the noble Lord and discuss them, if that would be helpful. We believe that our framework does not water down but balances future-proofing with the precision and specificity that the noble Lord seeks. I hope we can follow up on that in a separate meeting.
The Earl of Erroll (CB)
My Lords, I can see that it might be useful to avoid scrutiny sometimes when we have to finesse difficult issues—say, balancing effectiveness and public perception of certain other issues, or whatever. We can also end up with an awful lot of SIs in front of both Houses and everyone feeling rather swamped and bored by them and no one really doing anything about them. The trouble is that we get more and more wide-ranging powers in Bills, and this is a particular example of it. The more we do that, the more careful we have to be about the secondary legislation, because that is where the devil resides and that is where the real control is. We have just passed something that enables a takeover by the Executive. In some cases that may be a good thing; in others it could be very dangerous. To be honest, because of the huge, general issues in these Bills, I now come down in favour of the affirmative procedure. We are going to have to scrutinise it.
Lord Fox (LD)
My Lords, harmony is breaking out across the Room, with the possible exception of the Minister. I will not reiterate my noble friend’s well-put argument but I refer the Minister—I am sure she has already read it—to the impact assessment. I am increasingly of the opinion that the single most useful document that comes with the publishing of a Bill is not the Explanatory Notes but the impact assessment. The department is to be congratulated on the quality of the one produced in this case.
Page 30 of the impact assessment covers the monetised and non-monetised costs of this. At the front of the assessment there is a number. However, point 6.1 says:
“This impact assessment makes an estimation of the costs and benefits of the options”.
It says it brings together “a number of sources” and notes that there are “limitations to the analysis”. The first is the
“lack of robust and specific data”—
that is a fairly serious limitation—
“for example on UK telecoms market size and the size of specific sub-markets”.
Therefore, the number on the front is based simply on—obviously, well-intentioned—estimates of the telecoms market. Furthermore, the costs are quantified based on equipment costs. They are not based on the friction of running a network under the constraints of this Bill, which is itself a glaring error in how one looks at the cost of this Bill in terms of impact.
It is not just about the cost and replacement of equipment—it is about the draft regulations to which my noble friend Lord Clement-Jones referred. They cover all aspects of the operation of the networks in this country. We are looking at a situation in which, if the Minister so chose, the regulations could be made and implemented such that the Minister ran the networks by remote control from the department. That is why these safeguards, parliamentary scrutiny and the affirmative process are an important safeguard to prevent attention—not, I am sure, from this Minister or this Secretary of State, who I am sure can be trusted with these regulations, but we do not know who will follow or what their intentions will be.
As the noble Earl, Lord Erroll, wisely said, to hand over these powers without simultaneously taking significant powers of scrutiny of the statutory instruments that will inevitably follow is the wrong way in which to pass a Bill in your Lordships’ House. For these reasons, along with the huge uncertainty of the cost of what we are doing here, I commend my noble friend’s amendments.
Baroness Merron (Lab)
My Lords, I speak to Amendment 11 in my name and welcome Amendments 7 and 12 in the names of the noble Lords, Lord Fox and Lord Clement-Jones. I was interested that the noble Lord, Lord Fox, referred to a chorus of agreement, which I certainly heard ringing out, expressing concerns about the role that Parliament should have in scrutinising on codes of practice that this Bill currently does not provide for. To me, the codes remind us that the Bill can provide us only with something of a framework, and for many areas there is a wait for the details to be filled in later. As the noble Earl, Lord Erroll, said, the devil, as always, is in the detail.
Clause 3 allows the Secretary of State to issue new telecom security codes of practice that will set out to providers the details of specific security measures that they should take. As we have heard referred to, the impact assessment states that these codes are the way in which the DCMS seeks to demonstrate what good security practices look like. However, I note that Ministers are proposing only to demonstrate but not actually to secure good practice, which I am sure is the real intent—and it would be very helpful if, through this debate, we could get to that place.
I am interested also to note and draw the Minister’s attention to the fact that the Government have said that these codes will be based on National Cyber Security Centre best practice security guidance. The Government have said that they will consult publicly, including with Ofcom and the industry, as we read in the Minister’s letter following Second Reading. That public consultation will be on implementation and revision. However, it strikes me as very strange that the National Cyber Security Centre is not a statutory consultee; can the Minister say why it is not?
I particularly make the point that, as the codes of practice will be admissible in legal proceedings, they have to be drafted accurately and we have to ensure that security input and expertise is fed into them. The National Cyber Security Centre, which is described as a bridge between industry and government and is, indeed, an organisation of the Government, would seem to be a body that should be, in a statutory sense, invited to make the input and offer its expertise, along with other departments and agencies. After all, we can see, when reading about the centre, that its whole reason for being is that it provides widespread support for the most critical organisations in the United Kingdom as well as the general public, and they are absolutely key when incidents, regrettably, occur. We are trying to address those incidents in respect of this Bill.
As we have heard from all noble Lords who spoke in this section of the debate today, the input needs to come from Parliament, which is why I tabled Amendment 11. As the Bill is drafted, the current reading is that a code of practice must be published and laid before Parliament, but there is no scrutiny procedure. I put it to the Minister that if codes have legal weight, why is Parliament being denied the chance to scrutinise them? We seem to have a complete mismatch there. I was taken by the words in the Delegated Powers Committee report, mentioned by the noble Lord, Lord Clement-Jones, in his introduction, which stated that this way of being was “unacceptable” and called for the negative procedure for codes. That is what Amendment 11 does. Can the Minister address specifically the words of that committee report? I refer her to paragraph 27, which says:
“In our view, the Department’s reasons are unconvincing … the fact that codes of practice would be produced after consultation with interested parties cannot be a reason for denying Parliament any scrutiny role; and … the Department appears not to have recognised the significance of the statutory effects of the codes of practice”,
as has been highlighted today. I therefore hope that the Minister will both comment on the report and seek to make what is a very important and significant change in this regard.
I will pick up on one additional point. The impact assessment also says that the codes of practice will have a tiering system for different-sized operators. The initial code will apply to tier 1, which serves the majority of businesses of critical importance to the United Kingdom. This will also apply to tier 2 medium-sized operators but with lighter oversight by Ofcom and longer timetables. Can the Minister offer a draft list of the operators in tiers 1 and 2, and can it be shared with noble Lords? I would also be interested to know whether the Minister has any concerns that tier 2 operators will somehow be worse at compliance. If she has those concerns, what support will be provided to small and medium-sized enterprises? I look forward to her reply.
Lord Fox (LD)
In quick response to, or doubling up on, the noble Earl, Lord Erroll, my understanding is that the code is enforceable by law. If it is not, perhaps the Minister can explain how the operators are expected to deliver.
This is relatively simple. The Minister has asserted that this is a technical issue. She has asserted that it is too technical for Parliament to be able to manage, but at the same time, as it is currently structured, there will be a self-referential group of people. If the Covid crisis has told us anything, it is that a self-referential group of people is not good at horizon-scanning. Security is a great big horizon scan. You normally know you have not got security only when you lose it and it is essential to take advantage of the diversity of technical opinion that exists in this country and elsewhere. It is extremely arrogant to believe that the sum of human knowledge is contained in one department, and probably one subsection of one department.
For those reasons alone, a technical advisory board is vital to secure the future of this country. That seems to me self-evident, but clearly it is not, so perhaps the Minister can explain. Was this discussed, when was it discussed and why was it dismissed as an option?
Both these amendments have very cunningly taken advantage of existing structures; they have looked at the Investigatory Powers Act 2016 and read across, with ready-made structures that can deliver both the technical advisory board and the benefits that I have just set out and a judicial commissioner to make sure that there is sufficient proportionality and appropriateness in those measures. It seems to me that it is for the Minister to explain, if this was good enough for the 2016 Act, why it is not appropriate to put it in this Bill for these issues.
The Deputy Chairman of Committees (Lord Rogan) (UUP)
I call the noble Lord, Lord Clement-Jones—sorry.
Lord Clement-Jones (LD)
I must admit that I am somewhat baffled by the Minister’s response. The argument on the technical advisory board seems to be, “Oh, we’ve got enough technical advice, so we don’t need one”—but, clearly, it seems that there is a need for this. I quoted providers—I can go into the papers that we have received from them—as saying that real issues arise out of the regulations. These are technical and relate to things such as patches and audit and monitoring issues. There is a feeling that the department is just not listening on those issues, and what is needed is someone who is rather more dispassionate and can advise on the technical issues that are arising—perhaps, if it is seen as a conflict, someone like the noble Earl, Lord Erroll, who can genuinely advise on this kind of thing. It seems to me to be extraordinarily dismissive to say, “We’ve got enough advice. We don’t need a board of this kind”.
In the Investigatory Powers Act 2016, there is a very useful technical advisory board—it is not usable for this purpose because its function is rather different under that Act. When the Minister comes to the point about the judicial commissioners, saying, “Oh, no, they are for an entirely different purpose”, I say that, actually, if you read their function, it is four square with the kind of thing that would be useful under this Bill. They are talking about not technical issues but proportionality, appropriateness and so on—very much the kind of thing that they are dealing with under the 2016 Act.
So I am afraid that I do not buy what the Minister has to say, sadly; I just think that it is pushback based on the thinking that, “Well, the Bill’s the Bill and it’s all drafted, so we don’t really want to do very much with it by way of amendment”. That is the time-honoured government response to this kind of suggested amendment, but I believe that, constructively, both these aspects—a judicial commissioner and a technical advisory board—would make a great difference to the functioning of the Bill and would lead to much better regulations and codes of guidance at the end of the day.
Lord Fox (LD)
I thank the Deputy Chairman and apologise for speaking across him. I am a bit intrigued by the comment of the noble Lord, Lord Parkinson, on the subject of legal enforceability. He is correct to say that, as new Section 105H states, the
“provision of a code of practice does not of itself make the provider liable to legal proceedings”
—but it would not be liable only when the provision was not in force in time or when it was not legal. However, you would not bring a legal case anyway when it was not relevant or in force, so, to all intents and purposes, where the code is in force and relevant, it is legally enforceable. Therefore, it is legally enforceable.
Lord Parkinson of Whitley Bay (Con)
First, if I may, I will take back the point made by the noble Lord, Lord Fox, about new Section 105H under Clause 3; I will write to him to, I hope, alleviate any concerns and confusion. There are certain legal effects set out; I will write to him to clarify the point about legal enforceability.
I am grateful to the noble Lord, Lord Clement-Jones, for his appreciation. Part of the confusion here may be that two technical advisory boards are mentioned in these groups of amendments. As I think he noted, the one set up under RIPA has a different function, but we are certainly not being dismissive of the points that have been raised. Indeed, as I said, we have spoken to the industry and received helpful feedback from telecoms providers on the illustrative draft measures that were published in January. We will also be glad to look at the information that he mentioned—the views that have come his way—to make sure that these are reconciled; if he is happy to share them, we will look at them and come back him.
The Earl of Erroll (CB)
My Lords, I want to say a few words on this because the key words “undue burden” stand out. It is very important that we do not put too many burdens, particularly unnecessary ones, on companies. In particular—and this is something that I have often looked at because I have done a lot of work with innovative and growing companies—you must not let large corporations stifle innovation. There is an attitude among them that regulations are for your enemies; they are a very good way of stopping up-and-coming competition. I have also noticed that departments tend to consult the companies which have significant market presence already and see them as being the people who know all about it. However, that does not take account of what is up and coming. The other thing is that they often have people on secondment from them or people who have retired from the companies and gone into the departments, so there can be some interesting biases within. With those few warnings, I think the whole undue burden issue is more important than people might think.
Lord Fox (LD)
The undue burden point touched on by the noble Earl, Lord Erroll, is really important. On a previous group I spoke about regulatory friction and the fact that this has not been costed into the impact assessment. Clearly, regulatory friction is harder for smaller companies to deal with than larger companies. I think that is the point that the noble Earl was making. It is one that I would also join up.
We should also not confuse lots of regulations with security. The whole point about people who wish to subvert security is that they understand the regulations and go round them. Indeed, sometimes regulations are a guidebook for security, in a sense, because they show the map around which you seek to find the chinks.
The point in the impact assessment about making the networks value security is right. On that, I completely agree with the Government. I am not sure that some of the measures in the Bill actually do that; what they do is create a regulatory load without necessarily adding value. Some of the measures that we spoke of in the last group of amendments, as well as in this, are about stripping this down to where value is added rather than simply more regulation being loaded up.
One of the great pleasures of speaking after my noble friend Lord Clement-Jones is that he normally says everything better than I would. He simply asked the Minister to repeat what was in the letter and to endorse the 2003 Act. I hope that he is able to grant his wish.
Baroness Merron (Lab)
I thank the noble Lords, Lord Fox and Lord Clement-Jones, for these amendments. As before, it is a pleasure to follow their contributions and that of the noble Earl, Lord Erroll.
On the codes of practice and Amendment 10, I understand the importance of not wanting to put undue burdens on businesses. We should make particular reference to the exceptionally difficult and testing times that businesses and the economy have had to suffer over the past year due to the pandemic. Obviously, a balance needs to be considered. We have to ensure that if the codes are going to be used, they are the most effective way of implementing security measures. How will the Government consider the impact of codes on businesses? For example, will there be specific consultation about undue costs in respect of businesses?
The concerns that we have heard in this debate give a further nod to concerns about lack of parliamentary oversight, which is missing from the codes. I again say gently to the Minister that by giving parliamentarians the opportunity to provide scrutiny there might also be the ability to review the impact on businesses.
Amendments 16, 17 and 21 would ensure that Ofcom’s new powers in the Bill were subject to requirements in Sections 3 and 6 of the Communications Act 2003. Section 3 focuses on the general duties of Ofcom, while Section 6 focuses on reviewing regulatory burdens. It would be helpful to hear from the Minister whether the Bill has been deliberately drafted for the new powers to fall out of scope of those sections in the Communications Act and, if so, why.
What review process will be faced in respect of Ofcom’s new powers? It is very important that, when new powers are given, there is an opportunity to review, reflect and amend, and to keep a close eye on whether those new powers are doing the job intended.
The Earl of Erroll (CB)
My Lords, I put my name down to speak to this because the problem with putting a fixed time period on having to report security breaches is that it very much depends on what the breach is. We mentioned patches earlier. If it is a vulnerability in the software—or it may be the hardware—which requires a patch to be released, you must have the time to produce it and test it as fully as possible. You do not want the hackers out there to know what the vulnerability is until you can roll out the answer to it. That is what zero-day attacks are based on. Equally—the noble Baroness is absolutely correct here—you do not want this stuff swept under a carpet to sit there unused for years. Could our technical advisory board give advice at an incident level, or something like that?
Lord Fox (LD)
My Lords, this is an interesting and nuanced—to coin a word we used earlier—debate. I am probably the only person here who has had to deal with a national security issue that impacted a consumer brand in real time on television. I must say that 30 days was not an option—30 minutes was not an option. Picking up on the point of the noble Earl, Lord Erroll, the time is entirely dependent on the nature of the crisis or security breach. My fear is that 30 days becomes a target rather than an injunction.
I think the point here is “no burial”. I assure colleagues and others in this Room that our amendments do not intend to bury the issue either, but to introduce some equivocation in the event that not announcing something makes things more secure than announcing them. The point of this is not to protect the reputation or otherwise of the network, but to protect consumers and the integrity and security of the network. That is the decision Ofcom would need to make. That would be its call. Its default position would be that it needs to be communicated to consumers as quickly as is sensible, unless there is a reason not to communicate it, and it would be up to the network providers to put their position forward. However, there are definitely times when it should not be communicated. At the moment the Bill seems rather unequivocal in its approach.
The Deputy Chairman of Committees (Lord Rogan) (UUP)
I call the noble Baroness, Lady Barran.
Lord Fox (LD)
Sorry, I have not quite finished.
I would call Amendment 15 a “good manners” amendment. If Ofcom possesses information that the network provider does not, it simply calls for that network to be brought into the loop before the rest of us are. That seems good manners to me—you do not necessarily have to legislate for that, but these days it always helps. I have now finished.
Baroness Barran (Con)
My Lords, I thank the noble Baroness, Lady Merron, and the noble Lords, Lord Clement-Jones and Lord Fox, for tabling these amendments to Clause 4 and for their considered remarks. As we have heard, these amendments speak to reporting requirements placed on industry in the event of a significant risk of a security compromise and the powers bestowed on Ofcom in the event of a compromise or the risk thereof.
Amendments 13 and 14 amend new Section 105J. As the noble Baroness, Lady Merron, summarised, new Section 105J is designed to give users of telecoms networks and services relevant information when there is a significant risk of a security compromise, including the steps that they should take to prevent such a compromise adversely affecting them. Giving users this information will help ensure that, where possible, they can take swift action to protect themselves. It will also contribute to greater awareness of security issues, supporting users to make more informed choices about their telecoms provider.
The Earl of Erroll (CB)
My Lords, I saw this and thought that I really did not understand why the Government were doing it. I saw what the Constitution Committee had said and realised that it did not understand why it was needed. I cannot believe that you can have a proper appeal if you ignore the merits of the case. I probably have an overdeveloped sense of justice and I think that to have an appeal where you are not allowed to present half the case or whatever is not a proper appeal. In fact, what you find is that the system can use procedural things to run rings around people who have a very justifiable complaint about something. I did not like the look of it and I entirely agree with everything that the noble Lord, Lord Clement-Jones, said.
Lord Fox (LD)
My Lords, I am not going to attempt to outlawyer my noble friend Lord Clement-Jones. I may not be a lawyer, but I am suspicious or, indeed, perhaps ultra-suspicious. What is the department seeking to avoid by removing what would seem to be natural justice from this process? What are the Government seeking to protect themselves from in advance? Who are they frightened of?
I do not think I know the answers to these questions, but I know that there is someone or something there that the department is seeking to avoid in advance. For those reasons, we should be extraordinarily suspicious, just as suspicious as I am. I ask the Minister: what is the justification? What are the Government scared of?
Baroness Merron (Lab)
My Lords, I have been very interested to hear the arguments put forward by the noble Lords, Lord Clement-Jones and Lord Fox, and the noble Earl, Lord Erroll. As we heard from the noble Lord, Lord Clement-Jones, in his opening remarks, concern about oversight is driving this section of the debate. As we know, Clause 13 ensures that when deciding an appeal against certain security-related decisions made by Ofcom, the tribunal is to apply judicial review principles without taking any special account of the merits of the case.
I understand that this does not apply to appeals against Ofcom’s enforcement decisions and that the Government have said that this ensures that it is clear that the tribunal is able to adapt its approach as necessary to ensure compatibility with Article 6, the right to a fair trial. My questions to the Minister are about the legal advice that the Government have received on this clause. What legal advice has been received? Is this external legal advice as well as internal legal advice?
The clause states that
“the Tribunal is to apply those principles without taking any special account of the merits of the case.”
Can the Minister explain what “special account” is expected to mean?
Telecommunications (Security) Bill
Lord Fox ExcerptsTuesday 29th June 2021
(4 years, 7 months ago)
Lords ChamberRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Consideration of Amendments as at 25 May 2021 - large print - (25 May 2021)
Lord Fox (LD)
My Lords, I thank the Minister for her very clear exposition of the purposes and modus operandi of this Bill. It is a great pleasure to follow the noble Lord, Lord West—Admiral West—and I look forward to working with the noble Baroness, Lady Merron, who is on the Front Bench.
During late summer last year, we debated the Telecommunications Infrastructure (Leasehold Property) Act, when this security Bill was held out as a carrot, largely to try to curtail discussions of a Chinese nature. It did not work, of course, and we had those discussions, but here we are at last with this Bill. As we have heard, it provides the Government with considerable new national security powers to issue directions to privately-held public telecommunications providers, primarily with the aim of managing issues arising from high-risk vendors. As such, the Minister will acquire wide and sweeping powers.
The Bill also gives Ofcom wide duties and legal powers to monitor and assess the security of telecoms providers. For teeth, as we have heard from the Minister, companies that continue to use high-risk vendors could or will face very heavy fines. Perhaps the Bill’s headline outcome is the new controls on the use of Huawei 5G equipment, including a ban on the purchase of new Huawei equipment from the end of 2021 and a commitment to remove all Huawei equipment from 5G networks by 2027.
How will these Benches respond? First, I am happy to confirm that Liberal Democrats are strongly in favour of having secure telecommunications networks. I am sure the Minister is relieved to hear that. Secondly, Liberal Democrats want to see Huawei technology removed as quickly and expediently as possible. However, I note, as the Minister hinted at but did not detail, that the issue is with more than one supplier and more than one country. I add that the issue of the treatment of Muslim Uighurs does not stop with this Bill. The genocide going on there creates much wider implications for our relationship with China than the issue of which technology makes our phones work. These implications are very important, but I understand that they are beyond the scope of this Bill.
Thirdly, Liberal Democrats strongly believe that the Government must now invest in developing telecommunications technology in the UK. We want to see an increase in the diversity of the UK’s telecoms supply chain. We also believe that a strong relationship with the European Union and the intelligence alliance Five Eyes will help us to ensure that security risks are dealt with quickly. Finally, Lib Dems want to see stronger protections for the privacy of people in the UK.
What we will be testing in Committee is threefold. First, does the Bill effectively shut out the technology it is meant to shut out? The trick to making communications secure will be the nuts and bolts of the Bill. Secondly, do the Minister and Ofcom have the right powers, and the necessary checks and balances, to make this Bill work? Thirdly, when it comes to supply chain diversification, can we actually shut out Huawei et al and have an effective communications network?
One at a time, first let us look at the prime intent of the Bill: to keep our networks secure. On the face of it, this is another skeleton Bill. With the presentation of a few statutory instruments here and there, the Government should theoretically be able to react swiftly, but are the Minister and Ofcom placed to pre-empt issues, rather than react to them? There is a technical difficulty here: in 5G particularly, the distinction between the core and edge of networks is blurred. With technology moving faster than government can, that distinction is almost meaningless and the threats will change from week to week. So can the Minister explain how Ofcom can ever successfully be ahead of the game and not chasing issues?
As we know, plans for removing Huawei have been announced, but this does not stop with Huawei. For example, legislation in the US is considerably broader. It identifies specific companies, including Huawei, but also ZTE Corporation, Hytera Communications Corporation Limited, Hangzhou Hikvision Digital Technology Co. Limited and Dahua Technology Co. Limited. Also, US legislation covers telecommunications and video surveillance and services. Given the news this weekend, the Minister might like to review where we source CCTV cameras from in this country—I note that that was discussed in a previous debate. Can the Minister assure your Lordships’ House that this legislation will cover the full range of security threats that we need to cover or will we see another Bill to broaden it yet further into surveillance and surveillance services?
Turning to the powers granted by this Bill, it gives wide-ranging powers to the Secretary of State and next to no oversight to Parliament. Included are sweeping powers to address matters of national security and it is not clear, although the Minister has hinted, how Ofcom will really interact with the intelligence community. Furthermore, as we have heard from the noble Lord, Lord West, the committee, which has express oversight of national security, has been excluded from scrutinising how this legislation will operate. I support the words of the noble Lord, Lord West. In addition, there is no dedicated role for judicial or technical oversight. This is very different from the Investigatory Powers Act 2016, in which such provision exists. I expect my noble friend Lord Clement-Jones to comment more on this issue.
The Bill also gives sweeping powers to Ofcom. We heard from the Minister how Ofcom will be co-operating with the intelligence services, but this creates a conflict of culture within Ofcom and will inevitably lead to more opaque operations which will, in turn, create issues elsewhere. I am still not clear how that interface will work. It will be useful to investigate that in Committee.
Finally, I turn to supply chain diversity. The Minister in the Commons said:
“We must never find ourselves in this position again. Over the last few decades, countless countries across the world have become over-reliant on too few vendors”—[Official Report, Commons, 30/11/20; col. 75.]
Fine words, I am sure, but they come from a Government whose Chancellor and Secretary of State for BEIS have cancelled the industrial strategy and disbanded the Industrial Strategy Council. Undaunted, alongside the Bill the DCMS has published a diversification strategy. I suggest that Oliver Dowden, who adorns that document, is rowing somewhat in the opposite direction from the Chancellor of the Exchequer. Assuming that this strategy makes some headway against a running tide within government, it has three legs: “supporting incumbent suppliers”, “attracting new suppliers” and accelerating “open-interface solutions”.
I will take those legs one at a time, beginning with “supporting incumbent suppliers”. I am bemused by the term “incumbent”. I think it means domestic suppliers, because Huawei is an incumbent supplier and we have heard that it will not be getting support. Assuming domestic suppliers is what is meant—there are world trade rules that make it difficult to preferably treat domestic suppliers, but assuming these can be surmounted —can the Minister give us the current estimate of how many incumbent domestic suppliers are in our network and what percentage, in terms of value, they represent?
To fill that gap, we are going to need pretty rapid innovation. Innovation is not easy and the speedy innovation we have just seen with the Covid vaccine, for example, was helped by two important conditions: first, a very strong existing R&D base in this country and secondly, a guaranteed private sector market for the vaccine. I do not think these conditions exist for telecoms technology. So, what is Her Majesty’s Government’s assessment of telecoms research and development in the UK? How will the private networks be encouraged to guarantee a market for any UK-based and UK-developed products that emerge?
The second strategic leg is “attracting new suppliers”. I suspect this is going to be an easier job than building an industry from scratch in this country. Will the Minister confirm how the vetting process will work? I assume this will be in the code of conduct. Will the networks have to be externally cleared? Will they be subsequently audited, and how deep does approval go? Does every component of every sub-assembly need to go through a process, and how will this all unfold in building the networks? It begins to sound quite cumbersome if there is going to be a nuts and bolts check of the technology.
The third leg is accelerating “open-interface solutions”. The Government are moving ahead at speed with open-access radio networks and open RAN piloting, and should be congratulated. If it goes to plan, when will we start to see this becoming significant? How will the Government get the existing vendors to increase the scope of their interoperability? What, in a sense, is in it for them?
We overwhelmingly support the objectives of this Bill. There are serious issues, particularly in the absence of detail and scrutiny. The regulations remain a mystery until they are published, and the process is potentially pretty bureaucratic. I think the Government have recognised that there are issues, which probably reflects why there are four days in Committee ahead of us. We may need all four of those days.
Telecommunications Infrastructure (Leasehold Property) Bill
Lord Fox ExcerptsThursday 4th March 2021
(4 years, 10 months ago)
Lords ChamberRead Full debate Telecommunications Infrastructure (Leasehold Property) Act 2021 View all Telecommunications Infrastructure (Leasehold Property) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 174-I Marshalled list for Consideration of Commons amendments in lieu and reason - (2 Mar 2021)
Lord Fox (LD)
My Lords, I thank the Minister for her thorough review of both the amendments, and of the scene.
The Bill seems to have been around almost as long as the Covid pandemic. I am almost minded to call it the “lockdown Bill”, because it surfaced from time to time and then disappeared from time to time. Looking forward, I hope that future Bills which may or may not emerge from consultations will perhaps have a rather more impelling momentum than this one, which seems to have been rather caught in the backwash of legislation.
It has been a Bill of essentially two debates. One was the huge concern that your Lordships demonstrated about the nature of the digital communications supply chain; the Minister may be pleased to know that I will not go back into that. The other debate—the Minister may not agree—has exposed the paucity of ambition in the Bill and, therefore, by extension, in Her Majesty’s Government. On the Minister’s own admission, it is a narrow Bill; I would say it is just about as narrow as the Government’s USO, which I remind your Lordships is just 10 megabits a second. Both the Government and the industry should be seeking to increase that.
When it comes to the digital communications supply chain, there is one thing that I should like to talk about. Much work is to be done in the sector as it comes to terms with the future absence of Huawei. Since we last considered the Bill, some of us have received letters from the Minister setting out plans for supply chain diversity. I hope that that letter is in the Library; if not, it would be appreciated if the Minister made sure that it was. Government support for the NEC open RAN trial is good and we welcome that. I remind the Minister that the Government’s stated aim is to have 5G open RAN up and running this year. It would therefore be helpful if the Minister were able in her closing words to let us know whether that is on track. I should point out in referring to the technical consultation being due in the spring that the first day of spring was Monday, so we are, as it were, already sprung.
I turn to the items on the Marshalled List. When addressing the amendment on leasehold status in the Commons, the Minister of State Matt Warman MP recognised the plight of people living in flats and apartments, which was welcome. He and the Minister enumerated about 10 million people as potentially benefiting from being able to seek better broadband in their homes. That point was thoroughly made by my noble friend Lord Clement-Jones. The purpose of his amendment on Report was to clarify, as the Minister said, that people who rent their flat can make use of the changes in the Bill. It is gratifying that the Government have retained the spirit of that Amendment 1 in offering Amendments 1A and 1B instead. I am sure that my noble friend will have more to say on that.
Turning to Lords Amendment 3, the Government’s response is not supportive and that is disappointing. That amendment would have added a new clause requiring the Secretary of State to commission a review of the impact of the Bill on the Electronic Communications Code. It seems to me that in her rebuttal of that amendment the Minister enumerated the considerable weaknesses of the code and set out some areas of concern. Amendment 3 would have included an assessment of whether the code was sufficient to support 1 gigabit broadband rollout in every premises by 2025. In her rebuttal, she said that the code was not competent to do that. Given that so much weight has been put, not least by the Government, on that target, that would seem to be a serious issue. As the Minister set out, it would have required separate assessments to be made, as well as addressing the issue around utilities—that was well rehearsed on Report and I do not propose to do so again.
However, I am tempted to ask what the Government are scared of in terms of allowing that review to happen. They seem to be nervous about their ability to deliver on that 1 gigabit target. It was therefore not surprising that Matt Warman MP would politely denounce that amendment, as the Minister has done today. Both focused on the assertion that elements of the amendment fall outside the scope of the Bill. It is not beyond understanding that if that were the case the Government could have come back with an amendment that retained or created a review but also satisfied the need for the amendment to sit inside the Bill. Once again, we have fallen foul of the narrowness of the Bill.
It is partly surprising and perhaps gratifying that the Government have realised how narrow the Bill is, and it was almost remarkable that before the ink was dry on it, the next consultation came fluttering through the letterbox. Perhaps the Minister has, in a sense, already confirmed the recognition that the Bill was insufficient in the first place. It has taken us a long time for us to get not very far and now we have to start again.
On many occasions, the Minister has reminded us that the code is technology-neutral. I think we know and understand that. Therefore, the review has to grasp that within the context of how the code in future deals with the key issue: are people getting the connectivity they need, can we measure it, and can we make it quicker and better as well as cheaper? I hope that that goes beyond simply talking about access to land and that kind of issue. Let us get through this consultation as quickly and thoroughly as we can. Let us get another Bill so that we can create a code that does what it needs to do and is fit for purpose because, let us face it, the Government have an interest in delivering the gigabit target from their manifesto but the country has much higher stakes in this. We need it as soon as possible.
Telecommunications Infrastructure (Leasehold Property) Bill
Lord Fox ExcerptsThursday 28th January 2021
(5 years ago)
Lords ChamberRead Full debate Telecommunications Infrastructure (Leasehold Property) Act 2021 View all Telecommunications Infrastructure (Leasehold Property) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 118-I Marshalled list for Third Reading - (25 Jan 2021)
Lord Fox (LD)
My Lords, on Report, the noble Lord, Lord Alton, said that this amendment would empower the Government to deny infrastructure access to operators whom, they believed, were abusing human rights. This is part of an important conversation about how modern slavery legislation might apply to the digital economy and especially its supply chain.
Since Report, this argument has been rehearsed on a number of occasions in other places. That reflects the tenacity of the noble Lord, Lord Alton, and his colleagues. Each time the argument is repeated, it is no less powerful, horrifying or revolting to hear what is happening.
As we heard from the noble Lord, the Trade Bill has been one focus for this discussion. The Government spurned a real opportunity when they whipped Conservative MPs to vote against the so-called genocide amendment earlier this month. That amendment reflected the discussions during the passage of the Trade Bill in your Lordships’ House. It sought to introduce a mechanism to allow British courts to determine whether a foreign country had committed genocide. The amendment was introduced in your Lordships’ House to deal not just with the Uighurs but with other human rights issues as well. I hope that your Lordships will listen sympathetically next Tuesday when the amendment is reintroduced.
I, too, thank the Minister both for her comments and for her detailed letter, which showed empathy on this issue and explained why her department had been unable to bring forward the amendment previously promised. My admiration for the ingenuity of the noble Lord, Lord Alton, and others has increased. They have managed to table this amendment to a Bill that, as the noble Baroness, Lady Morgan, correctly characterised it, is intended to help tenants obtain broadband.
The noble Baroness, Lady Morgan, also implied that the issue had, as a result of these discussions, somehow been dealt with. Although there has been welcome movement on the Government’s part over Huawei, it would be wrong to say that the issue has been dealt with. I asked the House of Lords Library whether a law exists that prevents telecommunications operators from using their infrastructure to breach human rights. I thank the Library for its thorough work, but it was unable to find evidence of legislation preventing telecoms operators from using tele- communications infrastructure to breach human rights. In other words, there is no such legislation. The Library asked Ofcom whether it was aware of any such requirement in legislation; Ofcom said that it was not. Legal experts were also unaware of anything in telecoms legislation. In other words, the noble Lord, Lord Alton, and the signatories to this amendment have identified a gap in the legislation.
The Human Rights Act applies only to public authorities and other bodies—public or private—that perform public functions. There is no general requirement on companies to comply with human rights obligations, although that has sometimes been applied to the relationship between companies and private individuals. As others have said, there are UN guiding principles on human rights and business. The Companies Act 2006, the EU non-financial reporting directive 2014 and the Modern Slavery Act all contain commentary on human rights but none deals with this particular issue.
It is a shame that we have had to have this debate almost by proxy. Even the noble Lord, Lord Alton, would admit that this Bill was not designed to address this issue. Such a Bill is needed so that we can have this discussion in a discrete environment. I understand that my noble friend Lord Clement-Jones was promised that there would be a communications security Bill. I assume that the National Security and Investment Bill is what that has metamorphosised into—perhaps the Minister could confirm that. As my noble friend Lady Northover suggested, this issue could be discussed in that context. I am working on that Bill, but it seems to me to have to been drawn very narrowly. Given this legislative absence, it is appropriate that the noble Lord, Lord Alton, and others have brought forward this amendment now. If the noble Lord, Lord Alton, decides to push it to a vote, we on the Liberal Democrat Benches will support it. If he does not, we shall support an amendment to the Trade Bill. Even if the noble Lord decides not to push for a vote today, the Government can be sure that this issue is not done with and will not go away.
Lord Stevenson of Balmacara (Lab) [V]
My Lords, I am glad that the noble Lord, Lord Alton, has rehearsed the background to his Report stage amendment and explained the reasons for bringing it back to your Lordships’ House today. We simply cannot turn a blind eye. Standing aside or ignoring what is happening in China is tantamount to condoning the appalling actions described by the noble Lord in his powerful and moving speech.
A lot has changed since June. I am sure that the Minister will update us on subsequent government action, particularly in relation to Huawei equipment. As a number of noble Lords have said, other legislation—including the Trade Bill, before your Lordships’ House again next Tuesday—has amendments bearing on this issue. The case made by the noble Lord, Lord Alton, is unanswerable, as I have made clear. However, tabling this amendment to this Bill is perhaps not the best way of achieving his wider objectives. It might, I suppose, adversely affect the chances of the big win that we hope to achieve on Tuesday with his amendment to the Trade Bill.
Everyone who has spoken today has supported the noble Lord, Lord Alton, and paid tribute to his campaigning and his ceaseless tenacity on this cause. If he chooses to divide the House, we will support him, but I hope that he will feel able to accept the Government’s position on this narrowly focused Bill and that it would be better to defer the decision to Tuesday’s debate on the Trade Bill.
Lord Fox (LD)
My Lords, the amendment, which we welcome, brings us into the territory of the Bill. The noble Baroness, Lady Morgan of Cotes, if she is still in her virtual seat, will be sitting more easily in this part of the discussion.
When speaking previously to an amendment brought by the noble Lord, Lord Stevenson, supported by myself and others, the Minister agreed that we should aim to simplify the lives of consumers. To that end, she said that the Government would be willing to table an amendment at Third Reading. My understanding is that this amendment honours that statement. The Minister said that Her Majesty’s Government consider it fair to amend the Bill in this way and that the aim is to include measures to ensure that an operator must not install their equipment in any such anti-competitive way. Therefore, the test of the amendment is whether it reaches that objective.
I shall discuss two aspects of the amendment’s wording. First, the words,
“nothing done by the operator”,
seem to imply more than just technology, because there are other things that an operator could do. Perhaps the Minister can explain “nothing”. It could refer to a contractual matter or all sorts of other areas, including service as well as the purely technological. Secondly, there is the phrase, “unnecessarily prevents”. What is a necessary prevention? In other words, how will the regulations deal with those two areas—“nothing” and “unnecessary”?
I had the opportunity to virtually bump into the Minister this morning—obviously with at least two metres between us—and give her some warning of my concerns. Regarding the practical way this matter will work, let us imagine that I am a tenant in a new property. I move in, wish to switch my operator and start to encounter technological problems with the process. What do I do next? How does the amendment help me to deliver on that?
Quickly in conclusion, none of this means anything if we do not have great connectivity. I could not, therefore, pass this opportunity by without asking the Minister where we are on that. The delivery of ultrafast broadband was a subject for discussion in Committee and on Report, as was the creation of an open source network. It is safe to say that some time has passed since we last discussed that issue. As the Minister stated, some technological developments have included, not least, the gradual removal of Huawei from the supply chain. Meanwhile, the Prime Minister has made several statements about the bandwidth that will be provided and its extent—statements at odds with what network providers have said is possible. Where are we on the Prime Minister’s gigabit connectivity being available to everyone? Where are we on the development of open source networks? If the Minister can answer those questions, I am sure that we will support the amendment.
Lord Vaizey of Didcot (Con) [V]
My Lords, I refer to my entry in the register of Members’ interests. I was not a Member of this House when the Bill was debated at Second Reading or on Report. Therefore, I begin by saying how much I welcome it. In my experience as the Minister responsible for rural broadband rollout between 2010 and 2016, I soon came to realise that planning is the biggest obstacle that prevents the rapid deployment of the broadband that this country desperately needs. The planning system is hopelessly complex and time-consuming, and imposes enormous costs on operators. Anything that can make their lives easier has to be welcomed. Multi-dwelling units contain dozens of potential recipients of ultrafast broadband. If we can make it easier and simpler for operators to deploy their technology, that is to be welcomed.
I was also delighted that the Government yesterday published a consultation on reforming the Electronic Communications Code. Again, I was the Minister who had a first stab at that, which was obviously not good enough, and that is why we need a second bite at the cherry. I should point out to the noble Lord, Lord Fox, that the foreword to that consultation document contains some heartening statistics on the deployment of gigabit broadband. From memory—I read it only this morning, but I am getting older—some 30% of homes can now potentially receive gigabit broadband. It is good to see the Government pressing ahead on another front.
I should say on operators entering multi-dwelling units that one of the Government’s commitments during the passage of the Bill was to publish a consultation on the code of practice and then a code following Royal Assent. Given that the Bill imposes obligations on landlords and effectively interferes with their property rights, it is vital that landlords are reassured that the operators will adhere to the highest possible standards. The code of practice is also important for some of the smaller operators. There is some nervousness among them. If landlords are worried about operators’ standards when deploying the technology, they will simply take refuge by dealing only with the biggest operators and not allow insurgents, as it were, or start-ups to fibre-up their buildings. I hope that when she responds the Minister can give some reassurance that the code of practice consultation will be issued imminently.
I should also point out that the Bill does not yet cover the issue of shared freeholds, and I hope that the consultation on the Electronic Communications Code, which I am not covers this issue, could be used as a vehicle for looking at how operators can enter buildings where there is a shared freehold—the typical building being a Victorian house that has been split into flats. Some 5 million premises fall within that category and there needs to be some way forward to allow operators to access shared freehold premises.
I am not sure whether the amendment is necessary in practice, but I understand the Government’s motivation to reassure Members of both Houses that the Bill will not inadvertently create monopolies in multi-dwelling units. I should also ask the Minister to respond, either now or in writing, to the concern of some operators about the Government and Ofcom’s ongoing intentions to impose wholesale access on operators. It is one thing to say that an operator should not do anything, intentionally or inadvertently, to prevent a competitor supplying technology to multi-dwelling units, but it is quite another to impose on a company the obligation to allow others to use the infrastructure it has invested in and paid for. What is the direction of travel of the Government and Ofcom, because I know that they have previously thought about imposing wholesale obligations on operators in multi-dwelling units?
However, as I say, I welcome the amendment. My understanding is that any attempt to physically impede competitors from entering a multi-dwelling unit would fall foul of the ATI regulations and, indeed, the EU’s Electronic Communications Code, so I am not entirely certain that the amendment is necessary. However, in the sense of providing statutory reassurance that a much- needed piece of legislation will open up access to ultrafast broadband to many millions of people living in multi-dwelling units the amendment has to be welcomed.
Telecommunications Legislation: Human Rights
Lord Fox Excerpts(5 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Baroness Barran
We have been very clear about the level of concern about human rights abuses of the Uighur Muslims in Xinjiang province. We have recently announced important new moves on extradition and arms sales in relation to Hong Kong, and we continue to be at the forefront of raising these issues in multilateral organisations, including the UN Human Rights Council, most recently at the end of June.
Lord Fox (LD)
My Lords, when the Secretary of State announced a change in Huawei’s status last week he also said that full-fibre and older networks will be treated differently from 5G in terms of their technology, security and vendors. Will the Minister expand on the remit and timetable of the consultation that the Secretary of State announced? Will she undertake to ensure that vendors’ human rights positions will be part of that consultation?
Baroness Barran
The remit of the full-fibre broadband operators to which the noble Lord refers has been defined as a short technical consultation to understand what alternatives there are in the supply chain to balance the risk of delay and an unwise reliance on a single provider.