None Portrait The Chair
- Hansard -

Thank you. We have three superb witnesses from Three, O2 and Vodafone. I am now in the hands of Members.

Chi Onwurah Portrait Chi Onwurah (Newcastle upon Tyne Central) (Lab)
- Hansard - -

Q It is a pleasure to serve under your chairship, Mr Hollobone. I want to start by thanking, as well as the witnesses, the members of the Committee, the officials and the staff of the House, who in coming into Parliament during a pandemic are also taking risks, which we very much regret.

I should have mentioned, as an interest, that I spent 20 years working in the telecoms industry within four network operators and vendors, as well as Ofcom, the regulator. I also may know personally some of the witnesses.

None Portrait The Chair
- Hansard -

It sounds like you might be dangerously over-qualified to take part in this Committee.

Chi Onwurah Portrait Chi Onwurah
- Hansard - -

You make a very good point, Mr Hollobone. I am going to try to keep my engineering and technical interest as much to the back as possible.

I am the shadow Minister for digital, and I am leading for Labour on this Bill. I will focus on the costs of removing Huawei and the diversification strategy, and Opposition colleagues will be focusing on different areas. I thank you for your presence and expertise. I want to ask two somewhat related questions.

First, some have given estimates of the costs of removing Huawei from your networks, and I want to verify whether those are the most up-to-date estimates. I also want to know whether they include opportunity costs, and the time and resources from your boards and others in your organisations. Are they the full costs, if you like, of the removal of Huawei? How can we minimise the economic impact, in your view? Are there other significant costs associated with the Bill and the implementation of a new security framework?

Secondly, your mobile network procurement is currently made through what I will call full-service providers, such as Huawei, Ericsson and Nokia. They basically design and make a network, and provide it to you—I know it is not quite as simple as that. Do you think the removal of Huawei or the develop of open RAN will change that? Critically, is the Government’s diversification strategy likely to lead to the emergence of significant full-service suppliers that will compete head on with the remaining suppliers, Ericsson and Nokia? If not, what other measures should the Government consider taking? How best can the Government work with partners around the world to achieve their goals? That is quite a lot in two questions.

Patrick Binchy: There was quite a lot in those questions. I guess the first thing is that the costs are obviously commercially sensitive, and we cannot disclose them in a public environment, but we would be very happy to respond to any of the Members or the Committee in private to give the detail behind that. At a more generic level, there will, of course, be cost to the industry and to Three. We had selected Huawei to build our 5G network, and we have now selected a second vendor, Ericsson. We have to go through the process of mobilising Ericsson and removing the Huawei equipment, which has a cost to it and will have an impact.

In terms of the diversification of the market, there are really only two players in the UK market now. As you rightly point out, there are service as well as equipment capabilities within those suppliers. As we look for diversification, we need to diversify across all those aspects of the market. We are working with the Government, NCSC and DCMS in terms of how to approach that and how to build that. We will continue to support that as we go forward.

Derek McManus: We have similar commercial sensitivities on cost. You may or may not be aware that we are not indebted to Huawei. For our network, the cost of removing from the radio network is relatively small compared to some of our competitors. So, I will focus more on your second question, if that is okay.

You are absolutely right that we tend to buy end-to-end service in the current mobile environment. ORAN today is set up with a quite separate and different supply chain, with different companies specialising in software, different companies specialising in hardware and specialists doing the integration. It is likely to change the nature and relationship that we will have with supplies. ORAN is relatively immature in its development. As it is technically and commercially ready for scale deployment, that may well change. But we see today that the leaders in ORAN tend to be smaller companies specialising in the hardware or, more specifically, the software.

Andrea Donà: Very much like my colleagues, I am more than happy to write to the Committee in the future, once we have completed our procurement process, with the details on the cost for replacing our high-risk vendor. More specifically, when it comes to the diversification strategy and the role that open RAN has, we at Vodafone believe that the UK should seek to be a leader in open RAN. We are, indeed, leading the way, and have committed to swapping out 2,600 of our base stations to an open RAN technology.

In order to fulfil that ambition, the current timescales for removing the high-risk vendor equipment must remain unchanged. We need the stability and the time, as Derek rightly points out, to allow industry and Government to develop a diverse supply chain and allow the technology to mature, both in its functionality and its capability, as well as the possibility of scaling industrially. The legacy vendors have had a lot of time in the market to develop their competence. We need to support any new entrants in the open RAN space with appropriate investment incentives and a policy framework that attracts and supports new entrants in the open RAN space.

None Portrait The Chair
- Hansard -

Three Members have indicated that they would like to ask questions. We will take them in the following order: James Sunderland, Miriam Cates and Kevan Jones.

--- Later in debate ---
None Portrait The Chair
- Hansard -

Superb—textbook answers.

Chi Onwurah Portrait Chi Onwurah
- Hansard - -

Q I ask these questions on behalf of Catherine West. Vodafone runs networks across Europe, and so does Three, whose owner is headquartered in Hong Kong, and O2, which is owned by Telefónica. Does the Bill duplicate or reflect legislation that you have seen elsewhere in your operations? What international comparisons are you aware of? Also, we have talked about standards being a key part of international collaboration. How many people, or what presence, do you have on international standards bodies?

Derek McManus: Basically, we have not seen anything directly like the UK legislation, although various forms of it can be seen internationally. The second question was on standards. We operate in 23 countries, and as you can imagine, their standards are key to us. We hold a lot of expertise, from a Telefónica group point of view, that the UK team is able to rely on and work with to ensure that we are at the very edge of developing the right standard.

Andrea Donà: As the Government plan to take a lead in enhancing the minimum security requirements, and in diversifying their telecoms strategy, we as a global company are happy to support the standard setting, and to advise on the practical implementation of the additional security requirements.

Patrick Binchy: I refer to Derek’s answer. We have a very similar position with regard to the UK legislation: we have not seen quite the same in the other countries. On standards, we play an active role, and we have a number of UK staff who act actively in standards setting.

Matt Warman Portrait The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
- Hansard - - - Excerpts

Q Thank you to all of you for your engagement today and with the Government up to this point. Given the time, I have one, simple question. The Bill is setting up a new telecoms security framework to enhance network security. How confident are you that you will be able to comply with that in full, and what else would you like to see from the Government to enable you to do that?

Andrea Donà: We need the clarification that I mentioned of what is, and what is not, in scope, so that we have absolute clarity from the word go. We all work together to understand the profile of that implementation. It cannot be a big bang—everything complying from day one. We obviously need to do a detailed risk assessment of the areas that we need to work on immediately on the Bill’s coming into force, and of what can afford to be done at a secondary stage, based on the risk assessment and the risk management analysis of the various assets in our network.

Derek McManus: As I said in my opening remarks, collaboration to date on getting the Bill to this stage has been positive. We should continue that. My request is for flexibility to help us execute effectively, while balancing the other demands on the industry.

--- Later in debate ---
Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

Q The debate to date has mainly been around hardware, but you raised the issue—the bigger threat, certainly that I see, is from hacking and the vulnerability there. In terms of diversification, to be honest, we will have two vendors for the next considerable time, so when we talk about the diversification strategy and getting new vendors into the market, what timescales are we looking at? Are we actually putting all our eggs into the open RAN basket? I agree that there is the possibility of advancing that sector in the UK. Realistically, we will have those two, one of which, we know, is financially vulnerable. What difference would having just one vendor make to you?

Howard Watson: Let me work through that. First, from our perspective, given that we do have quite a large amount of BT in our mobile network, which is with the high-risk vendor, we have a large swap-out programme already under way. Effectively, we already use Nokia to extend their reach, but also to introduce Ericsson. That essentially means that I will be replacing a significant amount of my network over the next seven years.

It is quite difficult for me to start introducing new opportunities and new options into that, certainly in the early part of that. For my network, I see the opportunities in the latter part of this decade, not the early part. That does not mean that there will not be opportunities to try open RAN in some of the rural areas or to conduct some trials with the other vendors that we have talked about. It is very much an industry approach that we are taking here. Some of my colleagues may be able to move a bit earlier. It is important that we collaborate and work as a UK set of operators with the Government to make sure that we have the right rich set of solutions.

We would not want to come down to just one vendor. That would certainly be a worry for many reasons, so we need to continue to ensure that, in the short term, we absolutely have the choice of two.

Alex Towers: Given the timeframes that Howard has described, it is a five to seven-year cycle of replacement for the vendor. That is why it makes sense, we think, to go big now on large-scale trials of things like open RAN. The important investment in R&D and the £250 million is a good step towards that, but we will probably need some more, because we need to be ready for the next cycle if it is going to be a workable solution in future.

Chi Onwurah Portrait Chi Onwurah
- Hansard - -

Q Thanks very much for joining us. We have heard that open RAN will not be mature for another eight years. Do you agree with that assessment? In that case, as you have outlined, we have two vendors and potential financial concerns about one. Can you say categorically whether it is possible to have network security with only one full-scale vendor to choose from and whether it is possible to have that with two?

Secondly, we heard from Sir Richard Dearlove, the previous head of MI5, that when Huawei was first used as a vendor or equipment supplier by BT, it was not considered worth informing Ministers of that fact, despite what he considered to be evident security concerns. Can you say what in the Bill changes that so that the Government of the day will be better aware of ongoing and future security concerns?

Thirdly, on behalf of Catherine West, on international collaboration, what presence do you have on standards bodies? Can you say what your budget is for research and development so that we can see how that compares with the £250 million on offer?



Alex Towers: I will defer to Howard on the questions about standards and technical details. On your point about the relationship with Government, I do not think that any of us were around in 2005, but I know that there is some sort of contested story about exactly who was told what about the introduction of Huawei. You would—[Inaudible.] We have moved a long way on that. We have a very close working relationship with the NCSC and with other parts of Government, and we would be very confident that we are constantly in contact with them about exactly the mix of suppliers that we are using. The introduction through the Bill of TSRs will take that even further, so we would be very confident that we have got a good enough structure there to ensure that any concerns that any part of Government had would be captured and dealt with, and Ofcom is also now in a position to regulate.

The question about relying on just the one supplier is less a concern about security and more one about the commercial resilience of that position. Howard can probably say a little bit more about the standards and the technical questions around that.

Chi Onwurah Portrait Chi Onwurah
- Hansard - -

Q Do you not think resilience is part of security? Is a network secure if it is not resilient?

Alex Towers: I think they overlap and that is one of our questions about the drafting of the Bill. There is clearly a relationship between those two things, and the concern about the timeframes for the removal of Huawei, for example, has been partly about ensuring that we have operational resilience during what is going to be a very complicated engineering programme to take out all its kit without losing resilience, in the sense of outages and blackouts for customers. Some of the Bill’s provisions talk about outages, but there is a difference between outages for operational maintenance and updating of kit and outages because of a security issue or attack. It is going to be quite important to pull those threads apart a little bit.

Howard Watson: On the vendor point, to summarise the approach that we are taking, we stopped purchase at the end of December, we will stop deployment in September of this year, we get down to 35% by two years hence from the end of next week, and then we have it removed from the mobile network by December 2027. I think that timeframe works well for us with introducing effectively a third supplier into our mobile network in terms of that 2027 point. It certainly helps mitigate any future steps in terms of a two-to-one.

I would not bank on it taking a full eight years to have an open RAN opportunity. As we heard from Andrea, colleagues at Vodafone have already started deployment . The real challenge there is about being able to use open RAN in dense urban areas where the technology works at its hardest, shall we say.

On your final question about research, we are in the top five investors in R&D in the UK—we invest in excess of £500 million a year across both research and development. In fact, the only companies that research more than us in the UK are the pharmaceuticals. I have 280 researchers based in the BT labs at Adastral Park near Ipswich and they, plus a standards organisation —we also draw in from engineers across my organisation—remain really actively involved in the standards bodies. I welcome what colleagues from the other operators say and think it is really important that we maintain that as a UK presence and as a European presence to ensure that we are not lost in the middle of any risk of divergence between the US and eastern and Asian countries and China. I would implore us all to work hard to ensure that that does not happen.

Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

Q Thank you to BT for your engagement thus far. I have two questions. The first is the same question I asked the other operators and is about the telecoms security framework. How confident are you that you will be able to comply with all the strictures in that? Secondly, to develop one of the questions that you have just answered, 2027 is very much a deadline and not a target. It is important that we hear more about your ability to meet that target. How taxing is that? How do you plan to make sure that everything you do can encourage the presence of a third—or more—vendor over the time we have between now and then?

Howard Watson: Let me take the final part of that question first, Minister. We are very much aware that that is a deadline, not a target, but we welcome the fact that the deadline is 2027. I have given evidence previously and have talked with Government significantly about the real risks to the availability of service if we pull that date forward.

We have a lot of infrastructure. That deadline allows us to plan carefully how we can switch off a site, if we have to, to replace it and swap it out, so that the spike has overlapping coverage from adjacent sites. Were we to be required to bring those timescales forward, we would be talking about mobile blackouts in the UK, which clearly we all want to avoid, given the increasing dependence of UK citizens on networks. We have a plan that gets us to that. The 35% by 28 January 2023, just two years away, is a little bit more challenging, but we have a plan to get us there. The pandemic is making that challenging, but right now we are on track for that too. I think that answers the second question.

In answer to your first question, the ambition that we have, and what will become requirements across the TSRs, will put the UK ahead of the pack, in being a safe place for people to work and run businesses, secure in the knowledge that we have a high level of protection against cyber-threats. We welcome that, particularly in the environment in which we are now operating.

We have remaining questions—we raised some of those in our written evidence—about the sequence by which the requirements will be applied. We think it is critically important that there is a strong baseline level of compliance that applies to everybody who operates a network in the UK. We do not want to have entry points through weak links across our environment.

Alex Towers: A large majority of what is in the TSRs reflects current best practice and we are already complying with it. There are some places where there is a stretch for us to do more, which is good. The key point, I suppose, concerns Howard’s point about making sure that the baseline for all operators is higher and strong enough, given that these are inter-connected network, as you have already heard this morning. The whole edifice is only as strong as its weakest point. We are concerned about the idea that the code of practice might not apply to some operators, for example. That is the sort of detail that we will begin to see debated further as the Bill goes through.

--- Later in debate ---
Chi Onwurah Portrait Chi Onwurah
- Hansard - -

Q I was interested in what you said about the weakest link for networks. I agree wholeheartedly with that. What are your thoughts on fixed networks? While the Government are consulting on fixed networks, apparently they are not minded to require the removal of high-risk vendors from existing fixed networks. You have Huawei in your fibre-to-the-cabinet network. Do you agree with that? Do you think that there is a reduced risk in the existing fixed network? Do you intend to remove high-risk vendors—that is, Huawei—from existing full-fibre build? Do you think that presents a security risk?

Howard Watson: We do believe that fixed networks, whether full-fibre or fibre-to-the-cabinet, have a different risk profile—a lower risk profile—from mobile networks. Please remember that it is only in the access part of the network, so the fibre—the device in the exchange that connects to that. In the core of the fixed network, we have no presence of high-risk vendors. So we do believe that is manageable. We worked really closely with DCMS and NCSC to arrive at the 35% threshold that was published a year ago, and we think maintaining that in the fixed network is proportionate and sufficient to ensure security there, combined with the oversight that, again, we continue to support from the HCSEC and NCSC to ensure that we are inspecting everything that goes into the network.

I will also say that it is essential that we do take that approach because, as you know, we have large ambitions to increase full-fibre coverage in the UK. Ofcom reported in December that that was now at 18%. We at BT have now built for 3.5 million homes. We have a plan, which we have talked about—this is with the right conditions—to get to 20 million. We do need that 35% to be part of that plan because, again, introducing alternative vendors is challenging.

Chi Onwurah Portrait Chi Onwurah
- Hansard - -

Q Can you say why the risk profile is different for fixed as opposed to mobile?

Howard Watson: Fundamentally, you are dealing with a customer that is a fixed end point, so you are not having to provide handover between different sites as you do in mobile. Essentially, we are taking an electrical signal, modulating it into optical and converting it back to electrical at the other end, in very standard ethernet-based protocols. It is therefore really easy to see if there is a problem, so if something was infiltrating the network, we would spot it very quickly. Also, it is a very segmented network. The FTTC network has a granularity of over 85,000 cabinets in the UK, and the FTTP network has splitters for every 32 homes. Any issues are very easy to spot and so it is much easier to keep secure.

Chi Onwurah Portrait Chi Onwurah
- Hansard - -

Q Finally, with regard to having only two vendors for the mobile network for a number of years, can I ask two questions? I think that there has been a little discussion about resilience versus security, but if you are dependent on two vendors, one goes down and you are dependent on the other, would you say that that network was still secure? And is an increase in prices for equipment likely to accompany the reduction in the number of vendors available?

None Portrait The Chair
- Hansard -

I am afraid you have only about a minute to respond. Which of you gentlemen would like to answer?

Howard Watson: I will take that. You are right. We want two vendors to be consistently in the market, so that we can continue to deploy. If one of them were to fail—well, we insist on commercial and physical measures being in place such that we could step in and run the equipment that was already in the network, so it would not be switched off in the short term or anything like that; there would be no immediate threat to the existing network. It is the ability to build forward that is important.

As I think Alex mentioned earlier, the primary reason, which relates to the second part of your question, is that we want competition on pricing. As we have looked to have the two remaining vendors compete with each other for replacement of our Huawei estate, that has actually worked quite well as we have put in place contracts for that replacement.