Telecommunications (Security) Bill Debate
Full Debate: Read Full DebateLord Naseby
Main Page: Lord Naseby (Conservative - Life peer)Department Debates - View all Lord Naseby's debates with the Department for Digital, Culture, Media & Sport
(3 years, 4 months ago)
Grand CommitteeMy Lords, we move into the scrutiny of the Bill, which seeks to balance the need for the United Kingdom to be at the forefront in technological development and connectivity—requiring the fastest and most efficient broadband, for example—with the need to ensure that we do not inadvertently open ourselves to malicious actors or states as we do so. It is therefore appropriate that the first group of amendments seek to strengthen the security side, recognising the complexity of modern threats. The noble Lord, Lord Alton, has as ever laid out the case extremely clearly and in detail, and I look forward to the noble Baroness, Lady Barran, replying as comprehensively. He has long made sure that in the Lords we delve deeply into these issues as we challenge the Government and hold Ministers to account.
These are sensible amendments intended to set the Bill in the context of what our allies are doing, drawing from their knowledge and experience and, as the noble Lord said, most importantly, working together. They propose actions that should be happening anyway but which we know can be easily set aside or overlooked as Governments address many pressing issues. Amendment 1 includes a duty to review telecoms vendors
“which are prohibited in other jurisdictions on security grounds”.
It is important that we both learn from other jurisdictions and act together. We have seen how China, for example, seeks to pick off states, as in its recent threat to ban Australian beef on the basis of what it had judged to be interference in its internal affairs. We also saw the Foreign Minister of New Zealand at first indicate that her country should go its own way in relation to China, clearly worried about China’s possible actions, before stepping back from that position in recognition of the fact that we really are stronger together.
There are clear risks. We see Canadian citizens used as pawns in a wider concern about Huawei. As China becomes ever more dominant economically, and under its current leadership, resistance to its positions will become ever more difficult. We have been unable even slightly to hold it back in relation to Hong Kong, and it is therefore vital that like-minded countries work together. Therefore, there are two reasons for seeing what other like-minded countries are doing: first, to see what risks they identify and, secondly, to decide whether we should act together, as we would hope they would act when we saw risks. We are of course in a weaker position globally as we are out of the EU, which has strength in numbers and economic power.
Amendment 20 would expand the powers to include ownership or investment, and this clarifies further where risks might be; for example, through the investment clout of certain players. This is clearly vital.
Amendment 27 would require the Secretary of State to review the UK’s security arrangements with countries banned by a Five Eyes partner and decide whether to issue a designated vendor direction or take similar action with regard to the UK’s arrangements with that company. This updates previous legislation where this risk was not so apparent as it is now, with the hugely increased economic and other associated power, for example, of China. Of course, the Five Eyes of the US, Canada, Australia, New Zealand and the UK are very much aligned on this. Certainly, the risks identified by the Five Eyes should be front and centre in our thinking. I would say that we should add in the EU. Had we still been in it, we would have had that major sphere of influence to strengthen our position further. That makes these amendments even more important.
As the noble Lord, Lord Alton, laid out, we have become very dependent on China in many areas. That is true not only in the area of the Bill but in the new green industries, for example. We need to be much more strategic than we have been in this regard up to now. As he also set out, we cannot build our business on human rights abuses even up to genocide.
I am sure the Minister will say that these amendments are not needed as all these actions will be taken, but they are tabled to make sure that they are. We know that this has not happened adequately up to now; we need to strengthen the Bill, as the noble Lord, Lord Alton, has stated. I therefore look forward to the Minister’s reply.
My Lords, I apologise to my colleagues that I was not able to speak at Second Reading. I am quite clear, as I suspect we all are, that the security of the UK’s telecoms infrastructure is vital. Sadly, we come pretty late to the scene. The expansion of 5G and full-fibre broadband should have happened years ago, so this is not before time.
I read economics at Cambridge and looked at a number of aspects of economic expansion there, particularly in relation to business sectors. It is all very well saying that we will try to prevent the supply chain to the UK network being dependent on a limited number of suppliers. That may be a good idea in theory, but I just reflect that we have a national grid which is every bit as important as 5G; we have one or two aircraft manufacturers, and we have a couple of shipyards, so I just wonder whether there are a whole lot of suppliers out there for the telecoms world—there will be others who are better qualified than me to judge that. However, it is clear that we need to identify areas of risk, and Huawei is clearly one of them.
I would just ask a couple of simple questions. The noble Baroness, Lady Northover, mentioned Five Eyes. Is there a co-ordinating structure for Five Eyes in relation to this particular structure? If so, where is it based, what is our contribution to it and who exactly is doing it?
Some of our colleagues may have read the recent trading standards report that has just come out—I read it only last evening. A massive number of scams is happening at this point in time and we are dealing with the trouble they cause.
Amendment 20 refers to
“a specified country or … sources connected with a specified country, including by ownership or investment”.
I have worked overseas, including in a fair number of countries in south Asia such as Pakistan, India and Sri Lanka, so I ask: who on the ground will actually be doing the work? Quite frankly, I know of nobody in any of our high commissions capable of doing that sort of analysis. Do we have a floating investigatory system? How are we going to judge the evidence properly?
On Amendment 27, we need to take care, clearly, but we must recognise that there may be a valid opportunity in a company that has upset the host Government. You and I would not know the situation, but we should be aware of that fact.
I am a bit sceptical about the security check. I made a freedom of information inquiry—it was nothing to do with telecoms—and, at the end of the day, the reason given for not producing all the evidence following my FoI request was the security of the country. It was never explained in words of one syllable—or indeed in any syllables at all—what aspect of my inquiry would affect the security of the UK. I would like to know this from the Minister: are we relying on Five Eyes or are we relying on Ofcom? Who is it specifically that will be doing this analysis?
My Lords, I want to say a few words on this. It is highly relevant that we keep a close eye, but on all vendors, including the ones that may seem okay at any given moment—the world keeps changing. I am not an apologist for, and nor do I wish to promote, China in any way whatever, but it happens to be there and it happens to have ripped off a lot of Cisco stuff a few years back and improved it. The Japanese did this to our cars, many years ago—nothing changes.
The real problem is that we do not manufacture this sort of stuff here; some of it is manufactured in Europe, and of course we are no longer part of that, but does that matter anyway? We are reliant for the supply of all this electronic equipment, and the components—such as chips, which I mention specifically —on China and many other places. The Americans also rely on China to manufacture components which they then put in their equipment. We had a security compromise a few years ago, when compromised components were put into some Cisco equipment. It is more complex than trying to ban one company or one country. But there are not many alternatives for us here, and that is the real problem. We need to get some home-grown stuff going and we need to get it done very quickly if we want to be really secure.
What are we going to do about it? The thing that worries me is that you cannot assume that your allies are always your friends in everything. We have to be particularly careful of being dragged into a trade war under the cover of security or defence—and this does happen. The cost of this whole thing is not so much that Huawei will try to cause us problems in some way unknown if we remove it from our system completely; there is the other side of it. If its technology is working and is better, and we can make sure in various ways that we are secure against what Huawei might do, its technology might get us to where we need to be in an internet world a lot quicker. I notice that we have already delayed quite substantially the rollout of broadband everywhere and 5G—everything seems to be stalling because of these rows, which to me are trade rows.
I fully understand the points of the noble Lord, Lord Alton, about supporting regimes that are doing appalling things around the world. The trouble is that there are an awful lot of them. Take the situation he mentioned, to do with cameras. It is actually the software that does the facial recognition, not the camera; it is purely a bit of hardware that takes a very good, high-quality photograph, and there are many alternatives to it. Who is supplying that facial recognition software? That is where I would really target, and I would bet it is China. If there are bits that are useful to us, we need to use them. We need to stay in the world and we need to get ahead. We are not ahead and we are going to drop behind more and more.
The other difficult thing about picking a fight with China is that, if we are really going to go net zero and start going all electric in the next few years, lithium supplies and processing are from China. There is already a shortage of chips and other things in the automotive industry; I am sorry, but we are reliant on an intertwined global supply chain which stretches all over the place. We must be very careful about singling out one country, but we are—and that is why the amendment is useful. We must have something that says that we are keeping a proper eye on the whole lot of them.
My Lords, I hope the Committee will forgive me if I move on to drier but—I hope the Committee will agree—important ground. In moving Amendment 2, I will also speak to Amendments 3, 4, 5 and 6.
Amendment 2, along with similar amendments to Clause 1 in the name of my noble friend Lord Fox and myself, seeks to narrow the scope of the definitions of “security compromise” and “connected security compromise”. As well as having concerns about oversight of the new powers of the Secretary of State, which we will debate later, there is also concern, reflected by the Constitution Committee, about the width of these crucial definitions and the consequences that flow, particularly as regards planned outages and the need to make a clear distinction between reporting on security compromises and on resilience.
I say this in the context of the impact assessment of 9 June, which stresses the large degree of uncertainty surrounding the costs to be incurred by business, amplified by the report of the Regulatory Policy Committee under its new chair. The Constitution Committee says:
“Clauses 1 and 2 impose duties on providers of a public electronic communications network or service … These include taking such measures as are appropriate and proportionate for the purposes of identifying and reducing the risk of security compromises occurring. The Bill defines security compromises, but the Explanatory Notes acknowledge this definition is broad and do not explain their intended scope. The consequences of a security compromise for providers are potentially significant, including substantial and costly duties of due diligence”—
this echoes the impact assessment. It goes on:
“The House may wish to consider whether narrowing the definition of security compromises would be appropriate.”
BT gave evidence to the Public Bill Committee in the Commons. Of course, BT is a provider which will need to comply with the provisions of the Bill, so I take the liberty of reading out much of its evidence:
“As currently defined, a ‘security compromise’ … would cover any planned network outage that may be required for maintenance or upgrading of the network, or any unplanned outages due to faults or wear and tear. These types of outages are relatively regular occurrences given the scale of our network and we always seek to minimise customer impact and restore service as quickly as possible. The duties on operators in the Bill that flow from this definition are significant—including network issues that cannot reasonably be considered as security compromises (rather resilience or availability issues) would create undue burdens on operators and potentially on OFCOM.
These outages are not the result of any unauthorised access or malicious intent, nor do they have consequences for the confidentiality of data or signals carried over the network. We do not believe it is the intention of the Bill to apply the same requirements (e.g. with respect to reporting or notification to stakeholders), or to make the same powers available to OFCOM, in relation to these types of incidents, as are intended to apply to ‘security compromises’.”
It goes on:
“The definition also seeks, we understand, to capture any compromise to the integrity of signals conveyed over a network. However, the way that this is expressed—by reference solely to compromises of the ‘confidentiality of signals’—is unclear and confusing. It could be significantly improved by making a simple amendment to refer to ‘confidentiality and integrity’.
The definition of ‘connected security compromise’ … is a simple definition referring to something that ‘occurs in relation to another public electronic communications network or a public electronic communications service’. Given the potential breadth of this definition, building some specifics on how the ‘connected’ element will be assessed in the overall Government/OFCOM guidance on ‘security compromise’ will be important.”
So a provider that will be considerably impacted by the Bill and the Constitution Committee have raised important issues about the width of these definitions. These amendments perhaps do not go as far as some providers would like, but they attempt to give greater certainty by specifying that compromises which involve security issues are covered, but not wider outages which do not have security implications. I very much hope the Government will heed both the providers and the Constitution Committee by narrowing the width of these definitions. I beg to move.
My Lords, I had the privilege of being an RAF pilot. The instructions we received as pilots in methods of security included the word “anything”. In other words, if you are flying a jet on a mission and you suspect something, “anything” is reported back, or you take remedial action. You do not try to refine that security by, in this case, reducing it or leaving any element of doubt. Thinking about it a little further, the “anything” could be technical. In this context, it could be competitive; it could be a company being taken over; it could be lack of finance; it could be fraud. Above all, it could provide a loophole. Therefore, Her Majesty’s Government are absolutely right in putting in the word “anything” and not trying to restrict it further.
My Lords, I am sorry that the noble Lord, Lord Clement-Jones, does not like my analogy of flying. I just remind him of a recent series of Boeing airliners that crashed with a huge loss of life when the security of flying was overridden by a piece of machinery. I stick by my analogy but I will not progress that any further in relation to these amendments.
The Bill says clearly:
“publish the code; and … lay a copy of the code before Parliament.”
However, it does not allow Parliament by right to debate that code and any amendments that come. This is a fast-moving market, as we all know. New opportunities have come up that will have a security dimension to them. There will be new developments, I hope, from our own technical universities so there must be some provision for the expertise that both the House of Commons and the House of Lords have within them to debate. Those of us who have been in Parliament for a few decades know that quite often there are unusual people who have a particular niche that they know something about. That is the benefit of the experience of Parliament.
I agree with the noble Lord that it ought to be done on the affirmative procedure. I sat in the chair for five years during the passage of all the Maastricht and other Bills and there are certain areas where it is absolutely crucial that it should be done by affirmative resolution. Therefore I certainly support that dimension.
My Lords, I can see that it might be useful to avoid scrutiny sometimes when we have to finesse difficult issues—say, balancing effectiveness and public perception of certain other issues, or whatever. We can also end up with an awful lot of SIs in front of both Houses and everyone feeling rather swamped and bored by them and no one really doing anything about them. The trouble is that we get more and more wide-ranging powers in Bills, and this is a particular example of it. The more we do that, the more careful we have to be about the secondary legislation, because that is where the devil resides and that is where the real control is. We have just passed something that enables a takeover by the Executive. In some cases that may be a good thing; in others it could be very dangerous. To be honest, because of the huge, general issues in these Bills, I now come down in favour of the affirmative procedure. We are going to have to scrutinise it.