Telecommunications (Security) Bill (Third sitting) Debate
Full Debate: Read Full DebateChi Onwurah
Main Page: Chi Onwurah (Labour - Newcastle upon Tyne Central and West)Department Debates - View all Chi Onwurah's debates with the Department for Digital, Culture, Media & Sport
(3 years, 10 months ago)
Public Bill CommitteesQ
I have a couple of questions, starting with you, William. We heard from Mavenir on Thursday that open RAN could provide 2G, 3G, 4G and 5G networks now, but the operators were not looking to purchase networks from it. What is your view on the accuracy of that statement and the maturity of open RAN? What challenges does that pose with regard to the diversification strategy set out by the diversification taskforce?
Professor Webb: Thank you, Chi. I am sure Mavenir is correct that it can sell equipment that can do 2G, 3G, 4G and 5G, but that is not sufficient for an existing operator. If an operator wants to put this equipment into its network, it needs to work with its network diagnostic systems; it needs to handle all of the various features that it might deliver to customers, businesses or whatever, or that it might use for optimising its network or the various software systems that it has. It has built these up over 20 or 30 years, so adding in the equipment is a lot more than simply ticking the box and saying that it can transmit 2G or 3G. That takes quite some time, particularly with the more complex base stations that we find in city centres. The ones in rural areas are typically much simpler and less problematic if they go wrong. That is why we see people like Vodafone trialling open RAN in those places.
Although Mavenir has all the ticks in the boxes, it does not yet have work-through with the operators to deliver something that really works for all of its network. As we have heard from the operators, that is a long, slow process. The operators are rightly risk averse—they do not want to rush out a whole load of equipment and for their networks to fail after a few months, with all the problems that that would have for consumers. So it seems to me that we are still some time away—I think the operators have said five, six or maybe seven years—from any significant deployment of open RAN. That sounds very plausible to me as a strategy for evolving a network. Of course, by the time you get to that point, they will have deployed most of their 5G network already, so it feels as though open RAN will be too little too late to have a significant impact on diversifying the 5G networks that we have in this country and that we will have for the next few years.
Q
Professor Webb: If I wanted to diversify, I would instruct the telecoms operators to diversify. I would not try and pull the levers one step removed. I would say to the telecoms operators, either with a carrot or a stick, “You must diversify. If you have x number of vendors in your network, I will give you £x million as a carrot.” The stick might be some kind of licence condition that said, “In order to meet your licence, you have to have at least x number of vendors in your network.” That seems to me to be the way to pull through, and then the operators can decide whether they want ORAN, something like NEC or Samsung or someone like that. They can make that choice and that will pull through the decisions to them, rather than the Government trying to decide on their behalf what the best technology for them to use might be.
Q
Emily Taylor: Thank you very much for those questions. As a general point about the cyber-security of critical national infrastructure, I feel a little like we have been fetishising 5G and a single company for the last two years, perhaps at the expense of a more holistic awareness of systemic cyber-security risks. Ciaran Martin spoke eloquently yesterday about the need for flexibility in what critical national infrastructure is. The last year has shown us that what is critical very much depends on what you are going through at the time. Healthcare systems probably would not have been top of the list two years ago, but now they are. The SolarWinds attack shows that the identity of the vendor is not always the key risk point. SolarWinds is a very trusted vendor from a like-minded, close ally country, and yet it turns out to be a critical single point of failure across key, very sensitive Government Departments, both in the US and the UK.
Thank you for talking about consolidation across cloud services, Chi. One of my reflections on open RAN is that, although, of course, I am excited at the idea of open, interoperable standards, which would prevent vendor blocking, most of my experience has been in the internet environment rather than the mobile environment, and we are replete with open, interoperable standards, but we have a major competition problem. That in itself is not going to be enough of a lever to secure diversification.
On the point about acquisitions, particularly where you have cutting-edge technologies coming through, this country is really good at R&D—we have wonderful universities full of very brainy people who are creating things—but there does not seem to be the follow-through to create world-beating companies that can compete across the world stage. Why is that? It is because they either get sold to the US or to China. Of course, the foreign investment security strategies are all part of this as well, but you make a key point. If Amazon Web Services was sold to a frenemy country, that would potentially introduce the same kind of, at least theoretical, security risks that we have been troubled by over Huawei and 5G.
It is also the case that consolidation of infrastructure providers, like the cloud providers, is a security risk, because they become too big to fail. There was a brief outage of Google just before Christmas, and people just cannot work. When Cloudflare or Dyn go down, they introduce massive outages, particularly at a point where we are all so reliant on technology to do our work. These are security risks, and that highlights the need for a flexible approach. You have to be looking across all sectors.
Q
Emily Taylor: Generally, our standard of security across the board is not as high as it should be.
Professor Webb: I realise that Chi had also asked me how the UK can strengthen its ability to provide diversified supply chains, and I did not address that.
I want to pick up on something Emily said as well. I think she is absolutely right—the UK has a great number of really excellent engineers, both in universities and in leading consultancy-type organisations. Here in Cambridge there is a plethora of wonderful consultancies and start-up companies. In my experience, the biggest problem is actually finance. To try to raise the finance to get a start-up company off the ground, particularly one that sells to operators who have huge purchasing power and tend to squeeze all their vendors—quite naturally—is very difficult in the UK. It is much easier in the US. Addressing the ability to provide finance for those kinds of entities and, to Emily’s point, allowing them to exist for many years rather than to be bought as part of that financial process would help more than anything else, for the UK to grow its own major players in this space.
Q
Professor Webb: Yes, I think there is a balance. I do not have strong views on that. The legislation appears to be sufficient and flexible in this space. I think the issue is the way it is implemented, and particularly the downstream actions of the Government and of Ofcom might need a bit more care.
Emily Taylor: The legislation is creating a framework, and a lot of that will be filled out through statutory instrument and the codes of practice that are envisioned. I imagine the codes of practice will reflect the TSRs to a large degree. Thinking particularly about how the legislation might impact on the wish and the essential need to diversify, it imposes very high levels of liability for providers, and almost unlimited duties on everybody for the smallest infractions. That is William Webb’s point about proportionality.
As the measures come to life through secondary legislation, codes of practice and the actions of Ofcom, it is going to be very important that there are checks and balances. I am not sure whether the Committee is hearing from any civil society groups, but I am sure they would be worried about the very wide discretion for the Secretary of State. There is a lot of concentration of power in the Secretary of State and, perhaps, insufficient safeguards, as things are currently drafted.
Also, on the provisions that relate to the identity of the supplier—the nationality—rather than the qualities of security, which I think are the more relevant points, of course identity and nationality can be relevant, but there may need to be more of a look there to ensure that we are on the right side of potential risks of discrimination.
Q
Dr Drew: It is very similar. That is a great point to make. Pretty much wherever you see belt and road initiatives in, say, a port or supply chain of a physical good, you will see simultaneous investment and market input in a telecoms sense. There is a digital silk road as much as there is a belt and road initiative in the physical goods and supply chain sense.
They are becoming increasingly entwined fields; 10, maybe 15 years ago you could easily have seen a distinct separation between the physical supply chain and the digital supply chain. That differentiation is fading as we progress through time, and I think the Chinese have worked that out perhaps faster than we have and they are rapidly making inroads in order to amplify that effect and gain the benefits of it.
Q
Also, you have great experience in evolving security threats. In your view, does the Bill address major telecommunications threats to national security—future and evolving threats? For example, do you think this Bill would have helped to mitigate the impact of the recent SolarWinds Orion network monitoring hack, which was also mentioned by a previous witness?
Dr Drew: I will start with the question of values. I am a great believer that technology and values and norms of behaviour are implicitly connected: you cannot separate them. It should be explicitly understood that it is an implicit truth. I believe—and I have stated this before to some of your colleagues and civil servants in various Departments—that the CCP has realised that the great firewall of China, which tries to police content within China, has holes in it and is not going to last, or was not going to last, given the direction that the internet, freedom of communication and transfer of information is going.
The next logical step, and what I believe is happening, is that if you cannot control the internet within the great firewall, it is better to be able to shape the internet everywhere, both outside and inside it. I would argue that a lot of the technological standard-setting that you see take place in the ITU and elsewhere is essentially that taking place, as is the use of social media platforms to harvest data, which is then used to aid in the censorship of domestic content within China.
With regard to evolving threats and the Bill specifically, I think that the Bill goes a very long way towards pre-emptively meeting threats that are likely to come in the future. My biggest issue echoes what I caught of the previous witness statements: the fact that it is a matter of capacity for the institutions that are given this responsibility—that is, Ofcom—and the ability to change their culture to actively engage within that framework and take action to ensure these standards are met and kept to. Those are my biggest queries about the ability of this Bill to be as forward-looking as we would like it to be.
Finally, with regard to SolarWinds, I think this Bill is aptly timed in a way, given the context of this particular threat. SolarWinds was a perfect example of a supply chain security risk, and a vector of attack that went through a diverse supply chain to meet what should have been some of the most secure systems that the United States had.
Telecoms will, as I have already said, be the backbone of all the UK’s future advancements of technology in all the things we are seeking to develop within our borders. The hardest thing to do as an attacker is to gain access. We should be making it as hard as possible to gain access; we should be making sure that there is as much oversight and understanding as is possible of where our supply chains go, the standards that they should meet, and whether those standards are being met, and I think this Bill goes some way towards that. I would argue that it needs to be continually updated, checked and maintained. This is not a one-off: times change, and the internet changes faster. Those would pretty much be my recommendations.
Q
Dr Drew: The two essentially go together. If you look at the membership and those who take part in ITU standard setting committees and groups, you will see a predominance of not only state representation from China, but also representation of Chinese companies.
I think it needs to be made clear to our providers the benefits to them of being able to set standards; I believe this has been overlooked. The easiest way to do that is to simply look at some of the technical standards that have been set or lobbied for in this group by companies such as Huawei and ZTE, which are essentially entrenching their technical standards into a global standards body—that obviously gives them an advantage in producing that output. I think our companies could benefit in exactly the same way, and they would certainly benefit from taking part.
On having providers be more proactively involved, I think it would make complete sense for these actors to be made to inform Ofcom, or whichever regulator is chosen, of significant changes to their supply chains. It would be akin to having a black box where we go, “Okay, this black box must output something secure, but we don’t need to know how it gets there.” I think we should know, as much as is possible, who is involved in the supply chains to reach our eventual telecoms network.
Q
Dr Drew: It is undeniable, as the previous witness stated, that this Bill will increase costs and potentially slow down the pace at which development of these technologies, to the standards that are now being asked for, can be done. I have been asked similar questions before about what is the cost of us not getting to 5G roll-out as soon as possible. My general response has been to point out that although 5G is a backbone technology that provides access, we have very few practical applications of the speeds and connectivity that this network will provide us with.
It is something that you might see on your phone, but the increase in speed from having a 5G connection will be almost so fast as to be unnoticeable to the normal user. We have not got to the point where we have large city-wide technologies that will draw on this infrastructure, such as traffic management, health systems and economic production systems.
Although there might be a delay and an increase in cost—which again, I think we should try to meet in a way that incentivises more players to come into this market—I think this delay is not crippling. That is because, at the moment, although the 5G technology itself is maturing, the uses of that technology are still immature and I do not think we are losing out too much if we have a slight delay, with the benefit of reaching greater security.
Q
Dr Drew: It potentially could, depending on the type of company that you are attempting to incentivise. It would have a different effect on those potentially two or more categories. If you take one category to be pre-existing companies that previously have not operated within the UK, such as NEC from Japan, they are likely not to be put off to such a great extent—they have already had to deal with some level of security commitment within their normal markets. However, I suggest that it could be more of a barrier to entry for the smaller companies that we are attempting to encourage to get into this market. Emerging companies would find a culture of components and cultural risk to how they view their work, as well as the technical and financial cost of meeting the new standards. Yes, I believe there would be an impact, but it would be different between types of vendors that you are seeking to encourage.
Q
“to further the interests of citizens in relation to communications matters; and to further the interests of consumers in relevant markets, where appropriate by promoting competition.”
Do you think there is an argument to add a further security duty, if that is going to take such a large portion of Ofcom’s capacity?
Dr Drew: As to the second question first, I believe that security should be a component here. In fact, I believe it fits with what Ofcom is likely to be responsible for, and with the Online Harms White Paper as well. Security is fundamentally and inexorably linked with technology, culture and communications in the modern sense, so I believe that it would be important for that to be included as a key provision for DCMS.
With regard to the differences between fixed networks and 5G and the implications of this Bill, in the efficacy of its methodology towards the other, there are technical differences in how 5G operates right now and how we perceive the next generation of telecommunications to operate, but those differences will change over time, I believe. They will become less distinct. It is likely that fixed networks will move towards the concept of computing on the edge, and this is indeed already happening in some senses.
As for the actual efforts to control security risk, I do not see any major differences between telecommunications suppliers and fixed network suppliers. There is the same potential risk. You mentioned the SolarWinds hack earlier. That was a fixed network supplier in a way—it was not telecommunications—but there was the same risk involved and the same means of access, through a diversified chain with limited oversight at Government level, because it is a private sector actor with limited responsibilities. That is as true in that case as it would be for a fixed network with Cisco, and as it would be with a telecoms provider by ZTE, Huawei, Ericsson or any other. I do not think there is a significant technical difference to mean that the goals and direction of this Bill could not, and perhaps should not, be applied to others.
Q
Dr Drew: That is a great question that comes with a very simple answer: no. The worst-case scenario for creating a risk in this sense is when monopoly meets supply chain—in secure supply chain in this case. Arguably, the reason why SolarWinds was so successful is that it provided the same service to so many different organisations and departments in the United States. Therefore, if you access one—SolarWinds—you access almost all. That is the risk.
The same is true in this sense if you transfer these issues to telecommunications or fixed networks. If you have only a single supplier, all it takes is that supplier to be compromised for your whole network to be compromised. As I said earlier, with any form of cyber-attack, the access is always the hardest part if you are the attacker, so if you have an easy target or if the target is just one point, they can throw all their resources at it and it is easier. I would argue that diversification is one of the most basic and probably most effective means of limiting the damage that could be caused in any attack against one of those vectors.
Dr Drew, there are no further questions from Members, so I thank you very much indeed for your time this morning and for sharing your expertise with the Committee.
Dr Drew: It was a pleasure. Thank you.
Examination of Witnesses
Simon Saunders and Lindsey Fussell gave evidence.
Q
Lindsey Fussell: I am certainly not going to deny that there is quite a lot going on, and the organisation is expanding, as you say, albeit with different deadlines and different timescales for the new responsibilities. I have already talked about our recruitment plans to ensure that we have the specialist skills in place to focus particularly on network security, as well as the enforcement and legal support that we will need to deliver this regime, which is a very important part of it.
It is also worth reflecting, though, that there are some really interesting overlaps between different areas of our new responsibilities. If I think of the responsibilities that we have just taken on in relation to video sharing platforms, we are having to understand, as part of those responsibilities, network infrastructure, data analytics and so on. All that actually calls on similar skills and experience that we will need for the regime that we are talking about today, so there is some crossover that we can draw on. Simon, did you want to add anything on that?
Simon Saunders: Absolutely. We have different teams that we are building for the different responsibilities, but there are definitely overlaps between them, and in particular we have built a team of technologists particularly to inform our work on online issues, including, but not limited to, online harm. That comes with a need for us to have technologists who have worked in, and understand, a range of cloud-based computing platforms and the online social media platforms in general. The underlying [Inaudible.] technologies are the ones that increasingly telecoms networks are being built with as well—the so-called cloudification, or virtualisation. So, helpfully, when we recruit specialists in the one area there is the opportunity for them to contribute to the other areas of our responsibilities and to ensure that our approach to these things is [Inaudible.] I think we actually get benefits from having multiple of those duties, rather than separating them.
Q
I want, with permission, to ask a question about three areas: security, assets and costs, and duties. I share some of the scepticism of my right hon. Friend the Member for North Durham about the statement that Ofcom will not be making decisions on national security. You will clearly have duties with regard to national security and one of the key duties is to ensure compliance of our entire network—all our networks—with national security requirements. So how are you going to ensure that compliance without taking decisions on security? You seem to suggest that it is just going to be a set of protocols, if you like, from the National Cyber Security Centre, and you are just going to look at ticking the boxes to see that they are met; but in practice that cannot be the case. It is far more complex than that, particularly with regard to emerging technologies.
Another issue is that the Bill puts all the requirement to ensure compliance on Ofcom, in terms of Ofcom seeking information, Ofcom requiring information, Ofcom setting out notices to inspect, and so on. For example, let us say that one of our network operators—I shall not name one—decides to buy all its cloud or virtualisation equipment from a Chinese manufacturer that is not designated a high-risk manufacturer. Would Ofcom be informed of that change in its network? How would that pass to the National Cyber Security Centre—or would it not? Without that kind of duty in place, is there a risk of what you do becoming a meaningless tick-box exercise and, particularly, of its not addressing future and emerging security threats? That is my first question.
Lindsey Fussell: The point that you raise about this needing not to be a tick-box exercise is absolutely vital. I think actually what we are talking about in this legislation is changing culture—crucially among operators but also in terms of giving the regulator new responsibilities and changing the culture that we have, and the responsibilities and the range of the role we take on in relation to this. So this is absolutely—the legislation in fact specifically says so—about future technology as well as about existing networks. It is critical, I think, that we and the operators go on this journey together in terms of promoting that security by design, in everything that is done.
Picking up your question specifically in relation to assets, I think it is more or less impossible to meet the requirements set out in the covid practice for the operators unless they have a detailed asset register of everything that is in their system. We would expect to see evidence of that, and that it is regularly checked, audited and so on. That would be an expectation for us.
On the relationship with the NCSC, as I say, we have specific provisions in place that enable us to share information with the NCSC. As we collect that information with operators, we will discuss with them in advance what type of information they want to see on a routine basis, sharing that and clearly taking guidance from them as necessary if they think there are national security issues that we need to be aware of.
I mentioned earlier about having security clearance in place. To expand on that answer, we have a small number of STRAP-cleared staff in Ofcom, and we will expand that if need be. Those relationships with the NCSC are already in place and will be productive. I should say also that if the NCSC identifies new threats, or if we identify new threats, I think the legislation is flexible and it is right to be so, in that the code of practice can be updated to reflect that.
Simon Saunders: Could I also add that, in respect of our role in emerging technologies, we are not only awaiting others to tell us which emerging technologies to pay attention to? We have our own independent programme of monitoring and horizon scanning for technologies that could appear and have an impact on the networks and the sectors that we regulate. Clearly, the implications are not only about security. They cover a wider range of issues of performance and costs and flexibility and so on. We actively monitor across these sectors for those technologies.
I mentioned earlier that we recently published something about technologies heading for the future generations of mobile. That also covers fixed networks, the advent of quantum technologies and distributed software technologies in networks, and so on. That programme yields an advance look for colleagues about threats and opportunities that are coming towards us into the markets, so that we can build the skills and consider the implications well in advance of their actually impacting on those networks.
Q
Lindsey Fussell: We would, as I say, expect providers to keep detailed records of the components that they use in their networks. I would expect that that is the type of information that, if a significant new vendor is brought into the market, the NCSC might well be interested in. It is worth saying that, while we do not have any direct regulatory powers over the vendors themselves, under these arrangements operators are required to assess the maturity of the vendors and suppliers they use, and the NCSC has issued guidance to them to enable them to assess that maturity. If the question is: if we see a brand new supplier starting to appear, is that the kind of information that we would expect operators to provide to us and for us then to share it with the NCSC? The answer to that question would be yes.
Q
Can I come on to duties? I have the Communications Act here, which has got a lot thicker since I left Ofcom. The two duties are the “interests of citizens” and the “interests of consumers” with regard to competition, but there is not a duty on security. Does that not suggest that if there is a conflict between competition or communication matters, that will be prioritised over security if there is not an explicit duty to maintain the security of our networks?
Lindsey Fussell: I think this legislation quite clearly does place explicit duties on us to monitor and enforce the compliance of operators on network security requirements. I do not see that there is any risk that we would downplay the importance of that duty in comparison with others. Clearly, it is for the Government to put forward any changes to legislation to change the balance of our duties or to add new ones, but I think the Government—and, indeed, Parliament—are asking us very clearly to take on those responsibilities through this new legislation.
To pick up on a point I made earlier, in terms of the interests of citizens and consumers, it is important to say that of course it is in the interest of citizens and consumers to have excellent networks functioning that provide them with great connectivity. If we have learned anything from this most recent period, it is how important connectivity is to everybody’s daily life. Of course, that comes across in pricing and support for more vulnerable consumers, and all those other things that we have responsibility for in telecoms.
Actually, promoting secure networks is absolutely in the interests of consumers and citizens as well, not just because of the really damaging consequences of cyber-attacks, but because, ultimately, if we are able to have better networks, that should enable greater economic innovation through 5G use cases and things like that, for example. I think in promoting the interests of citizens and consumers, telecoms security is clearly part of that.
Q
Lindsey Fussell: It is probably worth saying that, from an international perspective, although there are some other countries—notably Germany and Australia—that have started to explore strengthening their telecoms security framework, I am not aware of another country that is quite as forward leaning in terms of the framework that is being put forward in this legislation.
In terms of the fines, this is an important point—those fines match the level that we are currently able to levy in relation to our other telecoms requirements, such as breaches of our general conditions. Previously, under our past responsibilities, our fines were limited to £2 million, so really quite a small amount compared with the wealth of the largest operators. I think it is appropriate that the telecoms security fines match what we are able to do elsewhere.
The final point I would make is that fining is an incredibly useful power to have because it acts as a significant deterrent and a strong incentive for companies to comply. It is actually not the first lever that we reach for, certainly not maximum fines; it is there and we are ready to use it if we need to, but our starting point would be to work with operators on this journey as they move towards compliance as they respond to new and emerging threats.
Q
Lindsey Fussell: In relation to Ofcom’s costs first, Ofcom is funded in two ways: first, by a levy on the sectors and companies that it regulates and, secondly, through the collection of fees, primarily from our spectrum duties. Our overall funding is obviously agreed by our board but also subject to a cap agreed with Government each year. We are currently in discussion with the Treasury about the exact technicalities and which of those routes will be used to fund this, but it will be in line with Ofcom’s normal funding arrangements.
In relation to company costs, clearly the Government have looked into that, in discussion with operators in relation to the impact assessment for the legislation. I know that there is a plan to do further work on that in relation to telecom security requirements, once companies have had a chance to see the SI and the code of practice.
The point here, which is built into the legislation, is the concept of proportionality. Although we would expect the largest operators—we would work with them intensively throughout the process—to take part in, for example, penetration testing, it is likely we will be more proportionate with the smaller operators and, for example, respond on an incident-based approach, rather than expect them to carry out the same level of detailed work and interaction with Ofcom. In all of that, we would want to be proportionate in the costs imposed on operators, as we are in all our responsibilities, bearing in mind that these are really important responsibilities, as we have been discussing.
Q
Lindsey Fussell: If I may, I will bring Simon in on the question of diversification. In relation to costs, the bulk of Ofcom’s own costs are paid by larger operators rather than smaller ones, and we have talked about proportionality in the way we operate that. Again, although I understand the tiering of the system will be set out in the code of practice, that will also be based on size and scale. Simon, may I turn to you on diversification?
Simon Saunders: The diversification strategy that the Government have published has set out a desire to attract new suppliers to the UK and further expand suppliers through open solutions, among other means, and to ensure that that is supported by an appropriate regulatory framework. We are ready to do what comes from that, in terms of any objectives the Government set on the level of diversification and to support measures to enable that. There are clearly synergies between the security aspects and the diversification aspects: in determining how diverse the supply base is, having a fully populated and up-to-date asset register from the operators for the security needs will also support the requirement to assess the diversity, if that is what we are required to do.
Q
Simon Saunders: Our existing duties around ensuring the health of the communications market for consumers and citizens point in the same direction in many ways, even if diversity is not spelled out explicitly. We see that a functioning, competitive market for network equipment supports the operators’ ability to provide cost-effective networks that perform well, and that supports the needs of citizens to get great services wherever they are and for those services to be reliable and so on. I do not view this as an entirely separate area from our existing duties; whether specific duties around this are needed is part of the work we are doing to support the taskforce and the plans that come from that.
This will have to be a very quick answer, because we have to stop at 11.25 am.