Telecommunications (Security) Bill (Second sitting) Debate
Full Debate: Read Full DebateChi Onwurah
Main Page: Chi Onwurah (Labour - Newcastle upon Tyne Central and West)Department Debates - View all Chi Onwurah's debates with the Department for Digital, Culture, Media & Sport
(3 years, 11 months ago)
Public Bill CommitteesChi Onwurah, did I detect that you were going to ask questions on behalf of Catherine West?
Q
Matthew Evans: From techUK’s point of view, obviously our members—you heard from some of them this morning, and you have more this afternoon—operate across a number of different territories. We seem to be the furthest, or the most advanced, in bringing into place quite a holistic security regime. That is in the first half of the Bill. Obviously, the conversation about high-risk vendors is prevalent in other areas, but I would say that in terms of bringing in a regime that covers the entire telecoms sector, this seems to be a world-leading initiative.
Hamish MacLeod: Chi, I am certainly aware of what other countries are doing as regards high-risk vendors. The operators absolutely accept the Government’s policy and the 2027 timeline. The important thing now is to stick to that timeline, because it allows not only for an orderly removal of the HRV equipment, but for alternatives to develop and emerge as viable competitors to the remaining companies.
Q
Hamish MacLeod: The States, New Zealand and Australia have all excluded Huawei, among others. We could supply you with a full list if that is needed.
Q
Matthew Evans: Thank you for that question. As I said at the start, we welcome the Government’s diversification strategy. It looks to tackle four issues, really, which are supporting incumbent suppliers to the UK market; attracting other global-scale suppliers; accelerating open interfaces and interoperability; and then the fourth area, which we could probably do with more detail on, which is really building on that domestic capability. I know that the taskforce that helped Government to frame the strategy is working on that aspect of it. As I say, I think we could do with some more detail.
However, we welcome the funding that has come alongside that strategy, and I think that we have a real opportunity in the UK in some of the areas where we have traditional strengths, in the software side in particular, to build some world-leading capability. As for the Bill itself, I do not think that it necessarily presents a barrier to that domestic capability; it is more in how we develop the strategy that sits alongside the Bill.
Hamish MacLeod: Just to add to what Matt said, yes, we very much welcome the diversification strategy. It is an absolutely necessary step to mitigate the risks of having to rely on two incumbents. It gives the UK an opportunity to have a leadership role in the development of exciting new technologies, such as open RAN, and, as Matt said, to grow the supplier base in the UK in the mobile sector.
Thank you. I am going to switch to the Minister and shadow Minister. If there is time left, I will come back to other Members, but I want to be sure that we do this fairly. I call Chi Onwurah.
Q
I am also really interested in what you said, Mr Evans, with regard to research and development. I absolutely agree with you that we clearly need investment in research and development if we are to lead in hardware and in open RAN and software. You said that the £250 million was focused on R&D, but it is actually focused on testing. It does not really do much for research at all, as far as I can see. You also referred to the diversification strategy as a strategy and not a plan, so do we need investment in research and development? Is the £250 million, which I think—I am looking at the Minister now—is over five years, a significant amount of investment in research and development for the mobile sector and tech sector generally?
Finally, the Bill gives the Secretary the State a huge amount of powers to set out requirements to remove vendors and for Ofcom to inspect what operators are doing. Do you think that might have an impact on international foreign investment in the UK telecoms sector, and are you confident that the right sort of technical, security and democratic scrutiny is in place? That is three things: hardware, research and development, and scrutiny.
Shall we start with you, Mr MacLeod?
Hamish MacLeod: I think the question that was directed at me was whether it is possible to have a secure supply chain. I will not try to gainsay Chi’s knowledge on this, but my understanding is that that is the role that the proposed National Telecoms Lab will perform, to validate that security aspect.
Matthew Evans: I agree with Hamish on that first point, to answer Chi’s questions on R&D. We do not yet know how the £250 million is going to be spent. We believe that we will need to accelerate the maturity of technologies such as open RAN, to make them deployable and commercially viable. Yes, we do need to see more, but as I said, that has to be alongside testing, because accelerating the maturity of it does not really matter if the operators do not get that confidence in either the hardware or the software.
In terms of the Secretary of State’s powers, we are broadly comfortable. We would like to see some thresholds on what amounts to a security compromise, particularly in terms of Ofcom’s powers of oversight. From our point of view, and this is also relevant to the foreign direct investment question, if it is evidence-based, as transparent as possible—we know that we will not see all that evidence, particularly that element in the security services—and the actions are proportionate, that is also important. We believe that that builds into the best practice that we see in other areas of national security.
In terms of the technical expertise, we know that NCSC is going to work closely with Ofcom, in terms of providing that oversight. We are comfortable with the experience that we have had over the past couple of years, as the telecoms supply chain has gone through, in terms of the expertise and the overall regime that this Bill seeks to put in place.
Q
Matthew Evans: I think it sends quite a strong signal to the market of the Government’s intent. If we published the strategy without the funding, it would not have sent the same signal. We have seen NEC, for instance, commit to opening an open RAN test centre in the UK. I think that is a signal of how the market is starting to react. This needs to work with the grain of industry, so it is important that industry is able to participate in this funding. I think it sent a strong signal.
Q
I respect your reluctance, if you like, to voice criticisms at this stage, but can I just get a further idea on the level of R&D spend in the sector? We heard from British Telecom this morning that it spends £500 million a year. I imagine it is not the only company to spend. Do you have a view of the level of R&D spend? You talk about the £250 million being a signal. Am I right in thinking that a lot more investment needs to be attracted into the UK telecoms sector in order to really move the dial? That is what we are talking about, is it not—really moving the dial on UK telecoms capability?
Hamish MacLeod: Absolutely. The £250 million was very much described as an initial £250 million, because you are right that moving the dial will take significant investment. With R&D, there is pure R&D—what you do in labs—but there is also the testbed activity, which is a very important aspect, and trials at scale and all those things. Working with the operators, bringing in international partners and leveraging what is going on elsewhere in the world will all be important.
Matthew Evans: The important word there is “leveraging”. Telecom spend on R&D, both traditional and in open RAN, runs into billions and billions of pounds each year, but we can use that £250 million to leverage greater investment. It has to be with the grain of what the industry is delivering, so we can attract more of that investment. If we can be world leaders in the adoption of open RAN, that is key, and we will attract that investment. That is why I think the supply has to match up with the demand side fully.
Catherine is always interested to understand what international comparisons there are, but I think that that has already been addressed, so thank you; she will be grateful to you.
Who is next? If there are no pressing answers, I will go to the shadow Minister.
Q
Pardeep Kohli: Maybe I can take that. To answer your question, if there is a greenfield operator in the UK that is similar to Dish, which we are working with in the US, we can definitely provide that. Dish, for example, is doing only 5G, but we obviously look at requirements all over the world and we appreciate that, in certain parts of the world, there is still a lot of 2G and 3G presence, and, of course, 4G will be there for a long time. We have a solution that can handle 2G, 3G, 4G, 5G, and if you are talking about a 12-month window, we can definitely provide a complete greenfield solution for those four technologies.
Regarding the hardware aspect, everything other than the real radio that goes on the tower and does the transmitting and receiving is largely general computing open silicon—
Sorry—say that again. I could not hear that. What is the rest of it?
Pardeep Kohli: It is general-purpose open compute; it is already available hardware.
It is computing—it is processors.
Pardeep Kohli: That is correct. You get processors for CPU or general-purpose computing, or even if there are some accelerators, which we use for some specific algorithms, even though they are openly available from companies like Xilinx and Nvidia. They make those chips and we can use them to do some of the functions; but they are openly available, and you can buy that today. That is what carriers are doing. They are building the new networks.
Regarding the hardware that goes on the tower, that depends on the frequency band you allocate, so if there is an operator coming in that is on a frequency band that the existing operators do not have, whoever the vendor is would have to build those radios anyway, and it takes about nine to 12 months to build those.
Q
Pardeep Kohli: Today, because it has always been proprietary solutions, that is where the challenge comes for companies like us, because it is demand and supply. Until open RAN came in, you really could not build this channel on radio, because there was no demand for it. So today the radios get built only by companies like Huawei, Ericsson, Nokia—I know NEC is building a few of them; but now, with open RAN, there are new players coming up. NEC, for example, is building radios outside of the Japan market. Fujitsu has now started building radios. We are actually building some radios ourselves for the frequency bands that are not available from our partners, so if NEC has a radio we use the NEC radio, but if it does not have a radio and Fujitsu does not have a radio and if you want to get into that market, we start building some of those radios ourselves. So we actually have, now, opened a centre in the UK, to build some of those radios, and we are working with Facebook and together we are building some of the radios for a frequency band not currently open.
Q
Pardeep Kohli: So if the frequency band radios are available today, which are right, then we can actually build it in 12 months—the complete network; but if the bands are not available and we have to build those radios then, maybe, by the end of next year.
Q
Chris Jackson: Just to add to what Pardeep has been saying, I think open RAN is not about, necessarily, any one company providing an all-encompassing solution. So at the moment, for NEC, we would provide 4G and 5G radios, but in terms of 2G and 3G we will work with our partners to provide that solution, so we would leverage third parties in order to provide that all-encompassing solution. I think that is the way that open RAN will work moving forward. As I say, you will not see any one company dominating one particular area. It is about bringing best of breed together. In terms of the actual hardware platform, in terms of 4G and 5G, NEC will provide that radio, but as I mentioned for 2G and 3G we would look to other vendors to provide.
Q
Chris Jackson: The majority would be US-based now, but again, we are not restricted to that. As a systems integrator, which is what you will basically need, moving forward, we would work with whichever vendors were the best of breed for that particular scenario.
Q
Chris Jackson: We would not compete with Nokia and Ericsson in terms of standard RAN, but the whole idea is that we would look to bring open RAN technology. That is the direction that NEC is supporting. If you ask me whether we could step in today and provide that capability, we believe yes, we could.
Q
Chris Jackson: First of all, thank you very much indeed, Minister, for support in that particular trial. We believe that this is very important, because it has given us the opportunity to showcase 4G and 5G open RAN capability with multi vendors, and we are doing it in supporting the share of your network, which we know is an important KPI for the UK Government, in terms of increasing that capability across the UK. They want to ensure that the investment is targeted at areas within the UK—where the UK will receive the most benefit—and, more importantly, or as importantly, an opportunity for a trial that brings multiple companies together. So, although NEC is leading this particular trial, we are working with a number of other companies to bring this overall solution together. That is exactly what open RAN is trying to embrace, and that is the way forward. We would be delighted to work with Mavenir; we are already involved with Mavenir as well. That is not a hurdle or obstacle for us.
Stefano Cantarelli: There are several angles. The first one is the neutral hosting. I would like to draw attention to the fact that we have already done work with British Telecom, two years back, on neutral hosting, so that has now been talked about for a long time. Also, you might have noticed in the market that companies—the one that comes to mind is Vilicom—have been doing this type of thing, where they deploy Mavenir infrastructure to provide neutral hosting capabilities. So, we are fully supportive and believe that this kind of funding is particularly important.
We understand that that there is some interesting funding. We are in discussion with DCMS. We are discussing some projects that we believe will boost a lot of the innovation in this space. For example, we are trying to get funding for our R&D activities for open source software that could boost the availability of radio units. We say that the radio unit is hardware, but in reality there is of course a bit of software on top. This type of software, which is mainly interfaced towards the rest of the software and the control of the operation and maintenance activities, is not differentiated for each radio unit; it is just standard. By having an open source like that, you can fundamentally get the radio vendors to focus on their IPR for analogue development and being able to produce a radio unit with different frequencies, as Pardeep said before, which we believe could boost the market. That type of funding is particularly useful, because it is aimed at boosting the market and giving availability in the open RAN of these radio units.
I would also like to add that most of the frequencies that are used today in the UK are available in our view for open RAN, so I do not see that as a problem. But that type of investment is particularly important—in R&D—so the trial that you have funded in the first round of the 5G Create programmes is particularly useful to get learning and experience. As I said, in the SONIC, we are particularly active, although that is not a 5G Create programme but a different one. We believe that in the second round, you can focus on funding some R&D specifically to boost the ecosystem of the open RAN.
Q
Stefano Cantarelli: Let me just address that initially before anyone else. We are a supplier in other places in the network, so they consider us a reliable supplier. We supply voice services, messaging services and everything else. You mentioned the initial deployment of open RAN by Vodafone this morning. That relates to us, because we are the supplier that it has deployed and is continuing to deploy. We are actually deploying sites for it.
I think that you have to look at two aspects when you are on an operator’s side. I am speaking from experience. It is not just about the technology; it is also about your processes and how you are able to move forward and change your mindset. I think that operators have a lot of complexity. We sympathise with them, of course—it is not an easy environment—but there are a couple of mindsets that they need to over-pass, if you let me use that word.
First, the world is changing. It is not hardware and software together; it is software and hardware disaggregated, and that of course requires some different capabilities. It is the same as when we passed from circuit voice to packet voice. Some people here may not get the example completely, but it is just a different point of view. That does not mean that it is more complex or whatever; it is just a different point of view, and you need to change. We know that change is not an easy thing. That is the first aspect that we need to take into consideration.
The second aspect is that, despite the technology that is available, you still need to consider the in-life service that you need to swap over. You have to consider that you did some planning or design based on certain principles that were available before, and you need to rethink how you are going to do that. For example, most of the 5G deployed today just uses additional frequencies on the existing sites that they have deployed with 4G, 3G and 2G. This is not what I consider full 5G, with all the characteristics of low latencies and so on. You need to start to think about the densification of sites. The Government can help a lot—with policies, by helping to define new capabilities, and by allowing the operators to change their architecture by enabling them to get more sites, and get permits more easily to build new sites.
These sites will not be like sites today; on these sites, there will be lot of carriers, a lot of technologies, and a lot of frequencies. As Pardeep said, a site today is probably just a radio unit that connects, through an internet connection—not necessarily just fibre—to a software data centre. These things are more important, and they are the reason why, although operators are in the middle of that transformation, it is taking a bit of time.
Q
Stefano Cantarelli: Not only with fibre. The open RAN interface is such that you are not forced to use fibre only. You can also use internet connectivity. The internet is what you use when you are in a building.
Q
Stefano Cantarelli: I add that this transformation in the core infrastructure has already almost happened. Already, most of the core infrastructure of the MNOs is running on general-purpose hardware, such as Dell servers and so on, with software on top of it. The RAN is really the last one to be transformed, for the reason that I gave, and also because, as I said, the market has been dominated by some suppliers who have been providing hardware and software, because they work with better interfaces between the radio access component.
Thank you. That is very helpful. That makes me think that there are security issues arising from, for example, having our cloud infrastructure dominated by one vendor, such as Amazon Web Services. Those are perhaps future security issues that we need to look at. I now understand much better what you need to support your transition, so thank you very much for that.
Q
Pardeep Kohli: I would just add that I understand the operators’ point of view as well. They are familiar with these vendors; they have been using them and they understand their processes. The vendors know each other. Obviously, we have to gain their trust. We spend over $300 million on research and development every year on open RAN, so we are fully committed, and we will seek any help that you can provide on engaging with operators in the UK market.
Chris Jackson: Can I come in on the NEC side of things? Frankly speaking, we are re-entering this market, and one of the reasons why is because we believe that open RAN, and particularly the Bill, now provides the framework and conditions to enable us to compete. It is probably similar for the operators; it is a change for them to actively work with companies such as NEC, as opposed to the companies they have previously been working with, but we are starting that process. We are actively engaged with the operators, and more support from the Government, through the Bill, is the way to move this forward.
John Baker: One last comment. Open RAN is all-inclusive, so this is not excluding the incumbents of the network. As soon as Nokia and Ericsson add open RAN interfaces to their products, we will be very happy to work with those guys. That will speed up the ability to deliver open RAN solutions in the marketplace.
Q
I have questions for both of you, but let me start with Dr Bennett. I was impressed by your structured list of things that are missing from the Bill, because we are here to scrutinise the Bill and see how we can improve it. I think you talked about the breadth of the security challenge and how this Bill, as it stands, might not meet the full breadth of it. You had four areas, and I think you have run through two of them in more detail. Could I ask you to summarise again the areas that you think are missing? In particular, could you talk a little bit more about the need for improved scrutiny? Could you just summarise that and then go into more detail on the ones where you have not yet?
Dr Bennett: I said that the areas that needed to be covered were network architecture, which is the Bill’s focus, the security of the asset databases that make up the network, how to ensure security of the data passing over the network, the maintenance of security over time, and the operational costs and other impacts of compliance. I have touched on all of them, but perhaps not very much on the operational costs and impacts of compliance.
The more diversified your network, and the more small vendors there are, the harder it will be for them to maintain the level of scrutiny, record-keeping and general security that is required as their bits of the network develop and the interfaces they have with other bits of the network change over time. That is an area where the Government should consider giving help to people to cover those costs. I have said that audit is needed of the assets in the network. The costs of being audited and of dealing with audits are very high, and they are costs that small companies may not have the resources to meet.
If the Government suddenly say, “All components from supplier X must now be removed from the network because of x, y and z,” it is incumbent on the Government to have some funding to help people to do that and to ensure that that really does happen, because it could be a step too far if you have a lot of very small suppliers that do not have the resources of skills, time or money to do it. You need to think about that and about how you can ensure that they are not squeezed out of the network—this diverse network that we want—by those costs.
Q
Dr Bennett: I think most people would agree that the diversity of end points, of interfaces and of applications running over complex networks all pose security problem areas. The more of those you have, the more resilient your network might be on the one hand, because there are multiple parts, but on the other hand, the harder it is to maintain them adequately.
We see some of these problems today in the decision to move the copper out of the network. Applications that are very important to many users, notably alarm signals, are ones that often assume they have an underlying network of a particular type, and if it is not there those applications do not work and they do not work suddenly. These types of things are very complicated but are actually very important for the end users. It may be an alarm that says an elderly person has fallen in their home; it may be an alarm that says your bank has been attacked by a criminal gang. Who knows what it may be? But those types of things are the types of applications that run over these very complex networks, and unintended consequences can happen as you change the network architecture. If those tier 3 suppliers and the people providing key applications over the network are not involved in this conversation at the CNI level with the top-level suppliers, all sorts of unintended things can happen.
It is a question of how you make sure that you minimise the number of these unintended consequences and support people to realise what they need to do early on, so that they are not caught out by them.
Q
Julius Robson: We are discussing the use of the mobile network for new and innovative services, such as worker alarms or falling-over alarms. Actually, there are some smaller players working in specialised industries that understand those customer requirements probably better than mobile operators, and that are very used to dealing with them. In fact, many of the applications for mobile are those that already exist in proprietary and bespoke wireless systems today and that we would want to move on to mobile. Some of the newcomers probably understand these things better than others and the diversification policy is about bringing in that expertise—those industry specialists who understand these requirements.
I would also say that, yes, the network is complicated—radio wireless networks, with lots of endpoints—but intrinsically the wireless medium is insecure. Anyone can listen in to it; it is possible to modify the signal. It has been designed so that everything going over it is secure and protected, and those security paradigms are locked up in the core, so that there are parts of the network that you do not have to worry about, because the information has been secured at a higher level.
I think this was mentioned by Andrea from Vodafone this morning: it is really important for us to understand which parts of the network are in scope of the security rules and which bits we do not need to worry about. The air—anything in the airwaves—is intrinsically already easy to eavesdrop on or modify. So obviously that is out of scope. I think we do not have to get too worried about certain parts of the network.
Chi, we have time for another quick question. I think you had a point that you wanted to come back to.
Q
Julius Robson: Thank you for that question. I have mentioned chipsets, which are important, and lots of people have talked about software and open RAN. The specialist base station chipsets are an important component, and if we can make them available at scale, which is something that we work on with our FAPI—our functional application programming interface—I think that will really help to fuel the diversity of equipment providers. That is one aspect.
Another aspect—I am not sure how well it is coped with in the consideration of the supply chain—is diversification at service provider level. As I have mentioned, mobile operators are the main service providers for mobile services, but they partner with other providers, particularly ones that work in specialist environments. There is a particular type called neutral hosts that can offer multi-operator services. If you wanted to connect to a hospital, it would not be any good to have just one operator service and have only a quarter of the people served. You need all of them served, and that needs to be done affordably. We want to make sure that the partners of mobile operators, such as neutral hosts, are supported in legislation.
It is also about recognising, as has been mentioned, the challenges of getting the hardware out. You can scale software just by selling it to more people, but hardware needs more feet on the streets and more deployers. We have to look at how we go about enabling more people to deploy mobile infrastructure into communities and industry, so that more people are aware of how it works, which means making the system simpler. From a security perspective, we need to recognise that there are parts of the network that need to be kept secure, and there are parts of the network that are out of scope of that.
Q
Julius Robson: Just to make the point that you do not have to worry about every last resistor—components were mentioned—and every piece of equipment you have. As I pointed out, the radio airwaves themselves are also not secure. The whole system is designed to securely operate over an untrusted environment. In standards, we have the concepts of trusted and untrusted networks. Typically, you can operate your mobile network over the internet, which is considered untrusted. It is important that we recognise that paradigm.
I would say that all service providers are well accustomed to working with the level of security that the mobile operators and the regulatory regime demand, so we are happy with that. I just hope that we do not introduce new burdens with this legislation that stand in a way of diversification.
Looking around the room, I think that is it. In that case, I thank Dr Bennett and Mr Robson for their evidence. We are extremely grateful to you. Thank you both very much indeed. That brings this session to a close.
Examination of Witnesses
Dr Scott Steedman and Charles Parton gave evidence.
Q
I start with a question to Mr Parton on behalf of Catherine West, which relates to the last point you made. As we know, the Government were moved to ban Huawei entirely from the network following US sanctions instigated by President Trump. What changes do you see the Biden Administration having on the US’s outlook on China, if any? Can you also squeeze in a reference to Chinese influence on academic research and development in this country? Then I have another question for Dr Steedman, which I will ask afterwards, if I may.
Charles Parton: A very quick response to that. I am more an expert on China than America, but nothing in the last couple of years has suggested to me that the Democrats will take a very much different position from the Republicans on the question of technology. I think they see it as a very great threat, as the Chinese have said. I think nothing will change there.
On the question of academic influence, I really do not think we should underestimate that. I wrote a paper on it about two years ago and much of what I sketched out there exists. For that reason, if I may repeat the point I made earlier, a great deal of effort has to be made, particularly in the STEM subjects. We could talk about the arts subjects and the clampdown, or the influences, on the freedom of speech and the self-censorship there, but in the STEM subjects it is really very urgent that we give our universities good guidance on what subjects, what organisations and what people they can co-operate with in the China context. As some of the research has shown, in terms of what is going on in our universities, there are subjects that we perhaps should not be helping on. GAIT technology with Huawei is an example. What can GAIT technology be used for? Surveillance. Not always, but it is very important in surveillance when you cannot see someone’s face because they are wearing a mask or it is bad weather. We have to be very much more on the ball in that area.
As I said, I am a massive fan of standards development. I have worked in the area, with the ITU. I agree that it is essential to enable open RAN and diversification. The Government have said that standards are driven by vendors. We heard this morning from the network operators that their standards presence was driven by their headquarters—their owners. We do not have a UK vendor. When you say that we need to improve our presence in standards bodies, who is going to do that and how is it going to be funded?
Dr Steedman: Actually, we have excellent people in the UK who participate in international standards work. The challenge is that there is a huge breadth of organisations, fora, consortia and formal bodies that generate, develop and maintain the standards that are then used in the evolution of the equipment—hardware, software and so on. We need to pick those organisations that are doing the critical work, particularly perhaps the ones around security, and ensure that we have British voices in there. It is true that if you look at a consortia model, you will find that the consortia that develop standards are what we call pay to play: companies pay to join a consortium, and together they sit and write a standard. But actually there are other organisations that have more governance and more formal mechanisms for national representation, national voice and consumer voice, as well as industry voices. This spectrum is the piece that is often not well understood.
Our ambition, on the diversification taskforce, is to look to co-ordinate UK voices, which are currently fragmented in these multiple organisations, and to see what we can do to target, to focus, on the areas of standards development that we know are going to support the ambition of security, resilience and diversification in the UK—and, frankly, to allow other areas of standards development to carry on as they will. People write standards to suit themselves. But where we need formal standards to support a market structure in the UK, we must be absolutely sure that those standards have had UK stakeholder voices in the process, and that is part of the formal process.
You mentioned the ITU-T. That is where the DCMS, of course, is representing the Government. And the BSI represents the UK in ISO/IEC JTC 1 and in and the European regional organisations, including ETSI. So there is a big opportunity for us to take those lessons that we have learned in influencing these great international organisations and extend that policy of influence through co-ordination of the UK voice in other spaces. The ORAN-ALLIANCE is one example of where we need to improve our co-ordination. Who is going to pay for it?
I am going to interrupt you. I am sorry, but I want to let the Minister get a last question in. My apologies.