Telecommunications (Security) Bill (Sixth sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Chi Onwurah
Main Page: Chi Onwurah (Labour - Newcastle upon Tyne Central)Department Debates - View all Chi Onwurah's debates with the Department for Digital, Culture, Media & Sport
Telecommunications (Security) Bill (Sixth sitting)
Chi Onwurah ExcerptsThursday 21st January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 21 January 2021 - (21 Jan 2021)
Mr Kevan Jones (North Durham) (Lab)
I am demasked. Welcome to the Chair, Mr McCabe. It is a pleasure to serve under your chairmanship. The amendment’s intention is similar to that of new clause 7, which we spoke about earlier. My hon. Friend the Member for Newcastle upon Tyne Central is trying to probe, like I was, how we get operators to ensure that there is a full audit of their telecoms networks. This is not an easy situation. I accept what the Minister said about trying to strike a balance between prosperity—not wanting to put undue burdens on operators—and ensuring security. As my hon. Friend said, with her huge expertise in the field, these networks are not static entities; they develop over time. The example that she cited was that some of the kit in networks is many years old, which may now create security issues that were not evident when the equipment was introduced.
We are not talking about too onerous a burden on the network operators, because they are large companies. I accept that they will be resistant to anything that adds cost because, at our insistence of wanting cheaper phone calls and mobile technology, prices are competitive between the various operators. My hon. Friend therefore makes a good point that there must be a clear level playing field between the operators.
The Bill will ensure that existing Huawei kit is taken out by 2027, even though the networks did nothing wrong by putting in that kit in the first place. Without wanting to carry on my campaign against the Cabinet Office, the Intelligence and Security Committee’s 2013 report “Foreign involvement in the Critical National Infrastructure” shows that the Cabinet Office was made aware of BT’s contract with the Chinese company Huawei in 2003. That the Cabinet Office felt it was not important enough to tell Ministers so until 2006 reinforces my point about its role. That brings me to Ofcom and its capacity, which I will come to later. If we want the most robust system, we will need a system by which we know what is in the network.
There are two issues. I think it is possibly easier for future deployments, because we know what we are putting in. In the debate around Huawei and the security risks, I think it has been very clear. Let us be honest: an operator would be very silly to put in a piece of equipment that was deemed to be high risk for any future roll-out. However, as my hon. Friend says, it is what is already in the network. We accept that some of that will be taken out as a result of the Huawei issue, but a huge amount of equipment will still be in there.
That is before we look at software. What saddens me about the entire debate around Huawei and the telecoms sector is that it has been very hardware-centric. We know that the risks to our network from software are greater in some respects; we have seen examples of where network compromise is easier, too. Again, how do we get a robust framework in terms of the audit around software—not just what has already been used, but what will be used in the future?
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
My right hon. Friend is making some excellent comments. He has raised another issue, which I perhaps did not highlight in my speech, which is that there might be existing equipment that is not necessarily seen as having a security implication but that, as the network evolves, will pose a security threat in the future. I gave an example in the evidence sessions. Say Amazon Web Services was to be bought by a Chinese company. As our networks move the functionality into the software, that will be running in the cloud over the Amazon Web Services infrastructure, which would have a huge potential security impact. An effective audit of where that equipment is now would be critical to knowing the level of that threat.
Mr Jones
I do not disagree with my hon. Friend. That is why we need to get into the idea of the audit. As I said earlier, we basically need a level playing field for operators; we do not want one to have an advantage over another. We also need a clear picture of what we are asking in terms of the audit. On the point she makes regarding web services and the cloud, there is an issue there that I think is worth referring to. It links today’s Bill with the National Security and Investment Bill, which we were discussing yesterday. There was a lot of discussion around what we define as critical—a point she has already raised.
For yesterday’s Bill, the question was what is critical to national infrastructure—for example, a company that is developing software that is then acquired by a state that we deem is a security risk to us. If that equipment or software is being used in our telecommunications network, does that mean that the network is compromised, and how do we guard against that? There are provisions in the National Security and Investment Bill that enable the Government to stop the acquisition of companies that we consider vital to our national security, but unless we know that in advance, how will we make that decision?
If we have a situation where a small company is providing software for part of our critical national infrastructure for telecoms, how will that be joined up? How will we be able to use the provisions in the National Security and Investment Bill, so that the Business Secretary can block the sale? Likewise, how do we get that connection? We can do that only by the Minister and Ofcom having a very clear indication from day one—I do not think it will be possible from day one, but from some time into it—what is in our network, not just now, but into the future. That will be important.
That brings us to the role of Ofcom. We have seen a development of regulators in this country. I am not a great fan of regulators, because I think it is a way for Ministers to palm off their responsibilities to third parties and then stand back and saying, “If it all goes wrong, it is nothing to do with me, guv—it is these independent organisations.” A long time ago—perhaps it is a bit old-fashioned—the General Post Office used to be responsible for this type of thing, and I am currently reading the excellent new history of GCHQ that has come out, which I recommend to everyone. It is fascinating to read about some of the challenges—things that apply to this Bill—such as, in the first world war, what was conceived as national security and who was responsible for it. Was it the GPO, the military or someone else?
How will Ofcom be able to look at a network and say, “Yes, we are satisfied that there is nothing in there that is a matter of national security”? They do not know. I do not think for one minute that we are going to have a situation whereby this Government or any future Government will suddenly throw so much money at Ofcom that a huge army of inspectors will be climbing up poles and going into operators’ offices to check source codes and so on. That is not going to happen.
From a practical point of view, the operators will have to be responsible for providing that information to Ofcom. Whether it is in the Bill or in the guidance, it must be clear what is expected of operators. It is no good looking back in hindsight and saying, “We should have done that,” when something happens. The operators will just say, “You did not tell us we had to do that,” or, “We didn’t know about that.” It has to be very clear, to prevent a competitive advantage between different companies, that there is one standard. They also have to know what we are asking for. Then, taking the telecoms hat off and putting the national security hat on, from the Government’s point of view, that needs to be very clear as well, because we need to be reassured that the components and software in those networks, now and in the future, are not a national security risk.
That brings us to an issue that I have already raised. I am not someone who thinks that every time we go to bed at night, we should look under the bed to see whether the Chinese are there, unlike some members of the China Research Group, but there is an issue about the way in which China will look at supply chains as a way of getting access, for two reasons. The first is national security. The second is commercial reasons—dominating the market, which is what China has done with Huawei. How will we identify that, without having some type of audit process? I do not think that everything to do with China is bad, but a huge number of the components in all our mobile phones in our pockets today will have come from China, including Ericsson and Nokia hardware.
Mr Jones
This is a remarkable day. This morning I was told that my contribution to the debate was inspiring, and now I am being told that I am talking sense—I thank the hon. Gentleman for making my day.
The hon. Gentleman is right, but he is also wrong. He is right in the sense that there are threats that will come through GCHQ and others—they will say to operators, “You’ve got to be careful of these things.” Where he is wrong, though, is with the idea that somehow GCHQ can take a guess at what is in the network. It does not have that capability. Going forward—the emphasis in this country, in the Bill, in terms of looking at telecoms security—yes, the bar has been raised substantially.
There will be occasions when GCHQ—it does it already —contacts operators and others to say, “Beware of this software or this thing.” I accept that as a proactive approach, but handling backwards will also be important. How do we have a gold-plated system, whereby we have GCHQ doing what the hon. Member for Bracknell suggested they are already doing, but one that also matches up with operators taking responsibility to say, “We have spotted something and are doing something about it”? It is pulling the two things together.
Chi Onwurah
Part of the challenge is that the operators do not know themselves and, as we have discussed, there are no incentives for them to find out. To give an example, Virgin Media took over from NTL, which I think took over from the 13 different cable providers in the franchises of the ’80s, and the BT mobile network was bought partially from EE—so there are takeovers and acquisitions, and partners may not know, and do not necessarily have an incentive to find out unless we put in a requirement.
Mr Jones
My hon. Friend makes the point precisely: the way in which telecoms have developed in this country has been piecemeal, only developing now into the four main operators. I hope we will try to get others into the market.
We are to blame for that, as consumers, because we have demanded ever lower prices for our mobile services. Does that suggest that the operators have taken shortcuts? No, I am not suggesting that, but consumer preferences have driven down price, and therefore the costs of what those operators provide in delivering the services that we all take for granted. Let us be honest: the Chinese saw the opening door for Huawei—that is why they bought into and flooded the market, putting Government loans behind it. Can we blame the operators for saying, “Well, actually, this is a good deal—we can get good deals”? But they cannot.
I am interested to know from the Minister how, looking forward, we are going to do that. I accept that something will be done under the regulations that the Government will put out, but how will we look backwards as well? As my hon. Friend the Member for Newcastle upon Tyne Central said, there is a lot of legacy equipment there, and it is important for Ofcom to have a clear understanding of what is in the networks.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
It is a pleasure to serve under your chairmanship, Mr McCabe.
We are redefining UK telecoms security, but I worry that we are also redefining the aspiration of the hon. Member for Newcastle upon Tyne Central to crack on, so I will try to be brief. The good news that I can deliver, briefly, is how the aspirations of both the hon. Lady and the right hon. Member for North Durham are met in the legislation, and how we envisage those aspirations’ being implemented.As the Committee is aware, the Government have published an early draft of the security regulations. Certain draft requirements are relevant to the aims that we have talked about today. If hon. Members look at regulation 3(3)(a), with which they will be familiar if they are insomniacs, they will see a duty for network providers
“to identify, record and reduce the risks of security compromises to which the entire network and each particular function… of the network may be exposed”.
That is already there and key to the issues that hon. Members have been talking about.
Chi Onwurah
I had looked at those requirements. I appreciate that they are drafts, but they talk about identifying issues. They do not say “audit”.
Matt Warman
I think this would be impossible to identify without carrying out some kind of audit. There is a danger of a semantic argument, but I understand the point the hon. Lady is making. We want people to be in the position to make the kind of identifications that we are requiring. I do not see how they could do that without the records to which she refers, in terms of both the existing kit and future kit that they might put into their network.
Matt Warman
The regulation that I cited is an example of the Government not relying on assumptions. It is an example of us publishing, in advance, exactly the sort of material that demonstrates that this is not assumptions, and that it is there in black and white. That is an important distinction and it demonstrates the cross-party consensus that we have had thus far. We continue to be on the same page in terms of the level of detail required.
The evidence sessions with industry demonstrated that national providers already maintain some asset registers. Witnesses were clear that those registers are maintained and updated as technologies are updated. That is an important part of the existing landscape, but our regulations will ensure this kind of best practice is extended across public telecoms providers.
In addition, the Bill contains measures with regard to the use of particular vendors’ equipment. Inspection notices under clause 19 enable Ofcom to carry out surveys of a specific network or service where Ofcom receives a monitoring direction from the Secretary of State to gather information on a provider’s compliance with a designated vendor direction. Alongside that, clause 23 enables the Secretary of State to require the provision of information about the use of goods, services or facilities supplied, provided or made available by a particular person. That could be used to require information about a provider’s use of a particular vendor’s equipment.
Taken together, the issues that have been raised are not only entirely legitimate, in the view of the Government, but are addressed in black and white already, both in the Bill itself and in the drafts that we have published. We are ensuring that “hardware of interest,” whatever that might be, is subject to proper oversight and monitoring. That objective does not need the approach that might come as a consequence of this amendment, because it is already there. For that reason, I welcome the probing nature of the amendment. I hope that my answer has satisfied some of the concerns, and I look forward to doing so further in future answers.
Chi Onwurah
It is a pleasure to serve under your chairmanship, Mr McCabe, and I thank the Minister for his comments. I also thank my right hon. Friend the Member for North Durham and my hon. Friend the Member for City of Chester for their comments. This amendment is probing, so we will not push it to a Division. I would like to say two things to the Minister. Although it is true that the providers were confident that they had an asset anywhere their equipment was, other experts who gave testimony in the evidence sessions were not. My experience of networks is that there are multiple systems and this information is not easily accessible or searchable.
I am reassured by the Minister saying that his view is that these requirements could not be met without there having been some kind of audit, to have that information ready. I ask him to write to me, if possible, stating which provisions in the requirements set that out. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
Matt Warman
It is good to reach this landmark point. I do not propose to go over all the ground we have covered, because we have already covered a large chunk of this in discussing the amendments.
As I mentioned, proposed new section 105A means that telecoms providers will need to take appropriate action to ensure adequate security standards and limit the damage caused by any breaches. To support that duty, the proposed new section will create a new definition of “security compromise”. The definition is purposely broad. It includes anything that compromises the availability, performance or functionality of a network or service, or that compromises the confidentiality of the signals conveyed by it. That addresses some of the points made by the right hon. Member for North Durham a moment ago. This is a comprehensive approach that will help to ensure providers protect their networks and services properly in the future.
Earlier, I mentioned law enforcement and national security. This part of the Bill excludes certain conduct that is required or authorised under national security legislation or for law enforcement from the definition of “security compromise” in subsections (3) and (4). Those subsections also clarify the fact that, for example, disruption of the use of unauthorised mobile phones in prisons would not be a security compromise.
Proposed new section 105B will give powers to the Secretary of State to make regulations imposing duties to take specific security measures. The power will enable more detailed requirements to be imposed on providers, further to the overarching duty set out in proposed new section 105A(1). This will give greater clarity to providers about the measures that they must take. It will also allow the legal framework to be adapted as new threats arise and technology changes.
These security requirements deliver on our commitment in the telecoms supply chain review to place targeted, actionable and proportionate requirements on a statutory footing. Taken together, the new overarching security duty and requirements will, in secondary legislation, make clear what the Government expect of public telecoms providers. The provisions in the clause are crucial for improving the security of our telecoms infrastructure.
Chi Onwurah
As the Minister says, reaching the end of consideration of clause 1 is a landmark. We are cracking on at a slower pace than anticipated, but it is important that we have rehearsed a number of the arguments that you will hear, Mr McCabe, throughout our detailed scrutiny of the Bill.
Those arguments relate to our concerns with regard to national security, which Labour prioritises, yet we do not see that priority recognised consistently in the Bill; the effective plan to diversify supply chains on which it depends, but which it does not mention; and the scrutiny of the sweeping powers that the Bill will give to the Secretary of State and Ofcom. Those issues all arise in the clause, although we welcome the Bill and the increased duties. Will the Minister clarify the relationship between proposed new section 105A and proposed new section 105B? If he cannot do so now, perhaps he will write to me.
Matt Warman
We are one thirtieth of the way there. The clause will place a duty on providers to take measures in response to security compromises through proposed new section 105C. When managing security, providers should seek to reduce the risk of security compromises occurring under their duty in proposed new section 105A. As security threats and attacks evolve, it will never be possible for providers to reduce that risk to zero. Therefore, should a security compromise occur, it is crucial that providers take swift and effective action to mitigate its effects. Taking action quickly will also help to mitigate the risk of any further incidents.
Mirroring the approach taken in clause 1, the new duty in proposed new section 105C is overarching and sets out a general duty on providers. It is supported by proposed new section 105D, which will provide the Secretary of State with powers to make regulations requiring providers to take specific measures in response to security compromises of a description specified in regulations. Although it will clearly not be possible to anticipate every security compromise that might occur and to set out how providers should respond, this will enable more detailed provision to be made in appropriate cases. Measures can be specified in the regulations only where the Secretary of State considers those measures appropriate and proportionate.
In practice, the first set of requirements will be contained in a single set of regulations made under the powers of proposed new sections 105B and 105D. A draft of the regulations has already been made available to members of the Committee, and published on gov.uk. Regulations made using this power will give providers clarity about the measures that they need to take, and having those measures set out in secondary legislation has the benefit of allowing the regulations to be reviewed as technology and security threats change over time.
In summary, this duty on providers is an integral part of the new framework, which will ensure providers take control of the security of their networks and services at a time when the UK stands on the cusp of a 5G and full fibre revolution. We must keep those technologies secure to enjoy their full benefit, and the clause is essential to doing that.
Chi Onwurah
We are cracking on: clause 2 is taking but a few minutes. The Opposition recognise the critical importance of our network providers taking responsibility for the security of their networks, and that there can never be a zero-risk network. Given that network communications are ever present in almost every aspect of our life and of our nation’s economy and security, it is right and appropriate that the Bill should put requirements in place, both on the operators and in response to specific security compromises.
I should like to have better understood how we would expect network operators to respond to a compromise such as the SolarWinds one, for example, but I expect that the clause will at least place the right duties on network operators, and I am content that it should stand part of the Bill.
Question put and agreed to.
Clause 2 accordingly ordered to stand part of the Bill.
The Chair
This must be down to that productivity seminar they sent me on. Still, nothing lasts forever.
Clause 3
Codes of practice about security measures etc
Chi Onwurah
I rise to support my right hon. Friend’s excellent comments and to add a couple of points on amendment 10, which would require the Secretary of State to consult the National Cyber Security Centre before issuing a code of practice about security matters. My right hon. Friend spoke ably about the amendment’s intent to ensure security input on national security measures. That sounds basic, so I hope the Minister will explain why he feels it is unnecessary to make that explicit in the Bill. My right hon. Friend suggested that perhaps it should go without saying, but as we heard in the evidence sessions and have already discussed, the evolving security landscape and the change that the Bill represents, through the new powers for the Secretary of State and Ofcom, make it particularly important to set that out expressly.
The Bill looks at many issues to ensure the security of our networks from supply chains to requirements on network providers as well as raising technical issues, and Ofcom will need to do a lot specifically, so it is important to have a specific reference to the security function of the National Cyber Security Centre.
It came across clearly in the evidence sessions that Ofcom will not be making national security judgments. Lindsey Fussell said:
“It is important to say that, across the scope of the whole Bill, it is not Ofcom’s role to make national security judgments. That is really important. Clearly, that is the Government’s and the Secretary of State’s role, taking advice from the NCSC and the intelligence agencies.”—[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 89, Q113.]
In introducing the code of practice, it is essential to ensure that security input and expertise. I do not see why the Minister would object to including such a requirement in the Bill. Unfortunately, we are not always as joined up as we would like to be. There are numerous examples of issues that could have been prevented, had agencies of Government done what might have been expected of them and talked to teach other. As the Bill involves network operations and deep technical and security issues, a requirement to consult the NCSC is particularly important, and that is what the amendment would achieve.
Matt Warman
I apologise in advance, having said that we should crack on, for detaining the Committee for a few minutes on this group of amendments. They relate to clauses 3 and 4, which deal with the codes of practice for security measures and informing others of security compromises. Ultimately, the new telecoms framework comprises three layers. There are strengthened overarching security duties set out in the Bill, there are specific security requirements in secondary legislation, and there are detailed technical security measures in codes of practice. Clause 3 deals with the final layer of the new security framework. Specifically, it provides the Secretary of State with the power to issue and revise the codes of practice and sets out the legal effects of any published codes of practice.
Clause 4 addresses what would happen should there be a security compromise. It puts in place a process for users to be informed of significant risks of a security compromise. The clause also places a duty on public telecoms providers to inform Ofcom of any security compromises with significant impacts, and it creates the power for Ofcom to inform other persons in turn, including users.
I turn now to amendment 5, which seeks to ensure that the NCSC is also informed of security compromises. From a drafting point of view, the NCSC is part of GCHQ, and I take the amendment to refer to GCHQ in that sense. Within the new telecoms framework, the Department for Digital, Culture, Media, and Sport will set the policy direction, Ofcom will regulate and the NCSC will provide technical and security advice. As the UK is an world-leading national authority on cyber-security, we expect the NSCS to share its expertise with Ofcom in order to support the implementation of a new telecoms security framework.
For that reason, the Government absolutely agree that it is crucial that the NCSC receives information about telecoms providers’ security. That is why such information-sharing provisions already exist. Under section 19 of the Counter-Terrorism Act 2008, Ofcom or the Secretary of State is able to share with the NCSC any information that would support the NCSC in carrying out its functions. That would of course include the passing on of details of security incidents. Under new section 105L of the Communications Act 2003, which this Bill inserts, Ofcom must report all serious security incidents to the Secretary and State and can pass on information about less serious incidents as well. On receiving such information, the Secretary of State can then share the information with the NCSC, as I have set out. Although these probing amendments are well-intentioned, it is obvious that the provisions are already there.
Chi Onwurah
I thank the Minister for his response to the amendments. He is focusing on the fact that it is possible for information to be shared, but it is not required. I understand that the Bill as drafted, and preceding best practice, means that it is possible for information to be shared. My concern is that it is not required.
Matt Warman
I understand the hon. Lady’s point, and I will come to something that I think will address it in a moment. Before I do, I will speak to amendments 6 and 10, as they would be functionally identical amendments to new section 105F in clause 3.
New section 105F sets out the process for issuing a code of practice. It requires a statutory consultation on a draft code of practice with the providers to whom the code would apply, Ofcom and other persons such as the Secretary of State considers appropriate. The amendments would apply an additional requirement to formally consult the NCSC when publishing a draft code of practice. I can reassure the Committee that we will continue to work closely with technical experts at the NCSC, as we have done over a number of years.
The telecoms supply chain review demonstrated the Department’s capability to work with our intelligence and security experts to produce sound recommendations, backed by the extensive and detailed security analysis that I know Members of all parties would like to see. That initiated the next phase of the collaborative work that culminated in the introduction of the Bill, and the codes of practice continue that theme. The purpose of such codes is to provide technical security guidance on the detailed measures that certain public telecoms providers should take to meet their legal obligations.
We have already been clear that NCSC guidance will form the basis of an initial DCMS-issued code of practice. The NCSC has already developed a set of technical measures that is in the process of being tested with the industry, and those technical measures have been refined and improved over the last two years. The NCSC will continue to update the measures to reflect any changes in the landscape of threats, as the right hon. Member for North Durham described, and the relationship between the work of the DCMS and that of the NCSC means that such changes would be reflected in the code of practice. Alongside the DCMS and Ofcom, the NCSC will play a key role in advising public telecoms providers on how to implement detailed codes of practice.
Chi Onwurah
I will not detain the Committee very long either, as we agree about the importance of codes of practice. I will not say that I am entirely reassured to hear of the statement being issued by Ofcom and the NCSC on how they will work together, but I certainly think that it is a positive development, and I hope we will be able to see it before the Bill progresses to the House.
On the codes of practice, as my right hon. Friend the Member for North Durham set out, it is important that the sector should understand the standard to which it will be held. I have some concerns about the tiering system, because, as was made clear by a number of witnesses during the evidence sittings, all networks are joined up and we are only as secure as the weakest link. At the same time, it is important to have a proportional burden on new entrants as we indeed hope to diversify the supply chain.
I understand, although perhaps the Minister can clarify the point, that the codes of practice will not refer to the diversification of the supply chain, despite the fact that having a secure network—we shall debate this in more detail—is dependent on having a diverse supply chain. I have made the point a number of times, and will make it repeatedly, that the lack of linkage between the diversification strategy, implementation and the security of our networks is an ongoing cause for concern. However, having made those comments, I do not object to the clause.
Question put and agreed to.
Clause 3 accordingly ordered to stand part of the Bill.
Clause 4
Informing others of security compromises
Question proposed, That the clause stand part of the Bill.
Matt Warman
As with clause 3, I have already spoken to clause 4, addressing an amendment on this issue. It will be crucial that we ensure that the Government, Ofcom, public telecoms providers and their customers have the information that they need to understand when security compromises have occurred, and then use the knowledge to prevent compromises in the future. New section 105J requires that providers inform their users of significant risks of security compromises and actions that they can take to avoid or mitigate any adverse consequences.
We want to ensure that this is done in a transparent and open way, so the clause specifies that telecoms users should be notified in clear and plain language, and given a named contact they can get in touch with if they have any further questions. Giving users that information will help to ensure that, where possible, they can take swift action to protect themselves and raise broader awareness.
New section 105K requires security compromises to be reported to Ofcom. That information will provide Ofcom with insight into the security of individual telecoms providers and security risks across the landscape, enabling us to target its regulatory action more effectively. The Bill also requires that providers report pre-positioning attacks on the network. These are attacks that do not affect the network or service at the time but allow access that could result in further security compromises. These attacks pose real risks but too often remain invisible to a regulator.
Finally, under new section 105L, Ofcom is required to share information about serious security compromises with the Government. It may also share information on less serious compromises if, for example, it would help the Government with developing telecoms policy and future regulation.
The clause explains how Ofcom can share information about security compromise with other groups and organisations, and the Bill allows information sharing at Ofcom’s discretion with overseas regulators, other providers, telecoms users and, where appropriate, the wider public. It allows Ofcom to advise network and service users of the measures that they should take to prevent, remedy or mitigate the effects of the security compromises, to direct providers to give such advice themselves.
The clause ensures that the regulator has access to the information that it needs, and will help to ensure that the entire industry is aware of new and evolving risks and can respond accordingly—be that a customer changing their password or an operator tightening its defences against a new attacker.
Matt Warman
I will pretend I have not finished, and give way to the hon. Lady.
Chi Onwurah
I thank the Minister, as always, for graciously giving way. I will make this point later, but I want to give the Minister the opportunity to consider how the requirement for Ofcom to notify users might work with the Information Commissioner’s requirement on data controllers to also notify users when there is a data hack.
Matt Warman
Obviously, there could be an overlap in those notification requirements, but our expectation would not be that anyone would receive multiple notifications. That is why there is an emphasis on the nature of communications being clear and obvious to laypeople.
Chi Onwurah
Is my right hon. Friend aware that the hack used by the young person had been around for longer than that young person had been alive? That is an indication of the low level of security TalkTalk had in their network; they had not been able to address a known hack that had existed for at least 16 years. The Bill aims, in part, to address that and the consequences of that lack of security for our constituents.
Mr Jones
My hon. Friend is correct. A lot of the debate has been about hardware, but the biggest threat to our national security, in terms of telecoms, is from hacking and cyber-attacks. The changing nature of the threat is interesting. There are state actors and there is organised crime, acting on of behalf of states, but there is also, as referred to by my hon. Friend, some poor teenager who thought it was a good idea. The TalkTalk case showed the emphasis they put on the security of their network. Not just clause 4, but the whole Bill, puts the onus on the operators, which is why it is so welcome. Never again could they be accused of not knowing their responsibilities.
New section 105J requires providers to take “reasonable” steps to inform users about the risk, the nature of the security compromise, the steps the user could take in response, and the name and details of the person to contact. That is fine, but how to respond might be a matter for Ofcom. That is important, because people might then quickly take steps to stop compromises to their security.
The Bill lays out penalties for telecoms operators, but what about the consumer and people who have lost money because of data breaches? Do I assume that the Bill does not change that? It beefs it up, but I assume that any mitigation or compensation that should be paid to individuals who have been compromised would be an issue for Ofcom. When we had the TalkTalk compromise, getting TalkTalk to do anything was like trying to get blood out of a stone. That is important from the point of view of consumers.
It is important that the Secretary of State is informed, but how will that be done? I presume GCHQ and others would do that. Would that lead to lessons learned or to a notice being given to other operators that that has happened? Would that be done by Ofcom, the National Cyber Security Centre or GCHQ, or would it be a combination of all of them? It comes back to the point made by my hon. Friend the Member for Newcastle upon Tyne Central: this is a risk and this clause puts the onus initially with the operators, where it should be.
Chi Onwurah
We are cracking on at such a pace that I lost my place somewhat. I had forgotten that we are now discussing clause 4. My apologies, Mr McCabe.
My right hon. Friend the Member for North Durham has already addressed some of the points that I wanted to make, but let me say that we welcome the duty being placed on providers to report security incidents. I have long campaigned, in relation to cases such as the TalkTalk incident, to make that duty clearer and more comprehensive regarding the information that needs to be shared with users and those who are affected, and for them to have some kind of right of redress, which is effectively part of the Bill.
I welcome the requirement in clause 4 to inform others of security compromises, but will the Minister provide more clarity? There is some indication of the range of actors that the providers and Ofcom must inform, but I do not feel that there is an understanding of the level of information that will be shared with different actors. For example, if the public are to be informed of a security breach, compared with the requirement from the Information Commissioner’s Office, which, as I said, actually goes far enough, what level of information might be shared with other actors, such as other networks? My right hon. Friend talked about who else might be informed. It is also clear that the sharing of information will probably need to evolve over time, as the nature of compromises and their potential reach changes. I wonder how these requirements might be adapted to reflect that.
I will just say a little about the sharing of information with overseas regulators. If that is clearly set out in the Bill, I am unable to find it. Presumably, such data sharing will still have to conform with the requirements of our data protection legislation. Will it also reflect international data-sharing gateways for criminal prosecution purposes?
Those are just some general comments. We welcome the clause.
Matt Warman
I will reply briefly. On the point about compensation, essentially new section 105W of the Communications Act 2003, which is inserted by clause 8, covers the civil liability point, which I think opens the door that the right hon. Member for North Durham seeks to open. Then there are the notifications to industry of what is essentially best practice and recent threats. Of course, as he implied, there is a balance to be struck with the existing work of all those involved, but ultimately it would feed into the codes of practice, so there is both an informal and a formal mechanism, if I can put it like that.
On the hon. Lady’s final point about the international sharing of information, it would depend on the nature of the information, as she implied. Some of it would pertain to national security, and some of it would pertain to the kind of criminality that she has spoken about about, where there are existing provisions as well. In that sense, of course, it is all covered by our own data protection regime, which has the sorts of carve-outs I have just described but operates in that holistic framework.
Matt Warman
As I said in response to the hon. Lady, there is obviously a potential overlap. The focus of this Bill is on clarity of communication to the consumer, but I am very happy to write to the right hon. Gentleman or the Committee with further details of that potential overlap.
Chi Onwurah
The Minister is being incredibly generous with his time. To clarify what we are hoping to receive, as he has indicated, we would not want the ICO to be sending out notifications to 2 million people who had been affected by a hack, and Ofcom to be doing that as well. We would expect there to be co-ordination in that regard, and we would just like to see that set out.
Matt Warman
I am very happy to do so. I think it is obvious that clarity of communication would be incompatible with duplication.
Question put and agreed to.
Clause 4 accordingly ordered to stand part of the Bill.
Clause 5
General duty of OFCOM to ensure compliance with security duties
Chi Onwurah
I rise simply to support the excellent speech made by my hon. Friend the Member for City of Chester. I thank him for his very kind words. In the amendment, he makes an important contribution in ensuring that Ofcom knows what it needs to know and in putting the onus more firmly on the network providers. I simply ask the Minister to respond to the points that my hon. Friend made in his concluding remarks about being forward-looking.
A challenge for us as a nation in securing our networks during such fast-paced technological change is looking backwards to the problems we have had rather than forwards to the evolving and new threats. During the evidence sessions, we were accused of fetishising 5G as if that was the only security challenge, because of the visible problem with Huawei, and that we were not looking more broadly. I admired Ofcom during my time there because it was set up to be a forward-looking regulator. To achieve that aim, when it comes to the sweeping new requirements around security that are placed on it under the Bill, it needs to be able to see what changes are happening and are likely to influence future evolving threats. To do that effectively, amendment 11 requires the network providers to notify Ofcom of planned or actual changes.
It is worth remembering that—I made this point earlier—if BT had been required to notify Ofcom or another body of changes to its network as Huawei moved to a greater and more dominant position in its network, that might have rung alarm bells more generally. We have also already mentioned the shift that we are seeing on the importance of software and software configuration and services in controlling the network. Requiring providers to notify Ofcom of planned or actual changes to the network would make that evolution more easily visible and therefore provide Ofcom with greater visibility of how all our networks are evolving and what new threats may arise as a consequence.
Matt Warman
The amendment would add to the general duty in clause 5 that places on Ofcom the duty to ensure that providers comply with their security duties. The duty as written in the Bill makes clear Ofcom’s increasing role. The duties imposed on public telecoms providers in the Bill are legally binding, so as the Bill is written providers should not be taking decisions that would prevent them from complying with those duties in the future. If they were not to comply, they would be in breach of their legal duties and liable for enforcement action, including the imposition of the significant penalties set out in the Bill.
The underlying purpose of the amendment—that Ofcom should take a proactive role in regulating the regime—is already core to what is in the Bill and the Government absolutely agree with the principle that the hon. Member for City of Chester set out. We need to ensure that Ofcom has the tools to be forward-looking so that, in a world of fast-changing technologies and threats, it can understand where operators are taking their networks and how that will affect their security. That is an absolutely essential part of the Bill.
Matt Warman
I think the Bill is perfectly drafted down to every comma and punctuation mark. To be slightly more serious, what we have sought to do in the drafting is to strike the balance between proportionate regulations and the overarching requirements for national security. That is the balance that we have struck and it is exactly for that reason that we already do in the Bill what the hon. Member for City of Chester and the shadow Minister seek with the amendment.
In section 135 of the Communications Act 2003, as amended by clause 12, Ofcom is already allowed to require information from providers about the future development of networks and services that could have an impact on the security of the network or service they are providing. That would enable Ofcom, for instance, to assess the security risks arising from the deployment of a new technology or from the proposed deployment of a new technology. For those reasons, I hope that the hon. Members are reassured not just that the Bill does what they seek, but that previous drafts of the Communications Act already did so.
Chi Onwurah
I thank the Minister for giving way; in doing so, he shortens what I will say later. I think the Minister is saying that Ofcom has the power to require information, which is true, but the amendment is about providers proactively giving that information. Ofcom cannot request information about a change to the networks that it does not know is happening. I am hoping that perhaps what the Minister is implying is that he would expect Ofcom regularly to review what was changing in the networks and therefore make those requests for further information. Could he clarify that point?
Matt Warman
The sort of horizon scanning that the hon. Lady describes is core to all essential regulation, and the relationship that Ofcom has with those whom it regulates promotes the ability to have such conversations. But as I said, the key point is that an operator that proposes knowingly to introduce a risk into its network would clearly not be complying with the statutory provisions of the Bill. That is the essential nub of the issue.
Christian Matheson
I beg to move amendment 12, in clause 6, page 10, line 12, at end insert—
“(3) In this section “another person” means a UK government agency or a person from a UK government agency.
(4) OFCOM may not incur costs exceeding £50,000 in carrying out, or arranging or another person to carry out, an assessment under this section.”.
This amendment restricts those who Ofcom may arrange to carry out an assessment under this section to a UK government agency or person from such an agency. It also caps the cost of an individual security assessment at £50,000 for Ofcom.
The desire of the Committee is to crack on, so I will not detain us for too long. The clause, which covers more than three pages of the Bill, is extensive in outlining the powers of Ofcom to assess compliance with security duties and will amend sections of the Communications Act 2003 to that end. The Opposition’s probing amendment intends to bring clarity in two areas in particular.
The clause will insert proposed new section 105N into the Communications Act to give authority to Ofcom or “another person” to undertake an assessment of whether a network or service provider is carrying out its duties—an inspection, spot check or audit, whatever you will, Mr McCabe. That is all fine, but the appointment of “another person” is far too vague and needs clarity. Since this is a matter of national security, we believe such an authority can be vested only in an agency or arm of the UK Government. It would be wholly inappropriate to outsource it to a telecoms, IT or other consultancy in part because of the need for full co-operation from the business being audited, which must have absolute confidence to be open and transparent and, therefore, must have confidence in the inspector. Ofcom therefore cannot appoint any Tom, Dick or Harry to do the job but only someone who rides above the industry and will not give the inspected business any reason to think that its commercial confidentiality is at stake.
My hon. Friend the Member for Newcastle upon Tyne Central, with her extensive experience of the telecoms sector, has told me that it is a tight-knit industry in which everyone has worked for everyone else at some point. We got that impression from the oral evidence as a lot of the experts had worked with or knew one another. Perhaps it is an exaggeration to say that everyone has worked for everyone else, but it is illustrative of the nature of the sector, so there will be limits on who could be appointed. Does the Minister agree that the current suggestion of “another person” is too wide?
Chi Onwurah
The impression that I have given my hon. Friend about the telecoms sector being tight-knit is absolutely right. One concern that that brings is that there will therefore be conflicts of interest. Ofcom, as a public servant with the status of a quango, has rules and regulations for declaring interests that mean previous conflicts of interest will not weigh into its work. The concern that I have articulated to my hon. Friend in the past is that that would not apply to “other persons”, so broadly defined.
Christian Matheson
I was going to say cronyism, but chumocracy is a far nicer way to put it, and we have seen it in the way consultancy contracts have been dished out during the current crisis. My right hon. Friend is absolutely right to say that there can be as little scope as possible for people who are perhaps not quite as qualified as they should be to be given such jobs.
Chi Onwurah
My right hon. Friend the Member for North Durham raised the Test and Trace programme. I do not want to dwell on that, as it is not within the scope of the Bill, but it is important to understand the extent to which the programme has been used as a vehicle to privatise parts of the NHS by building up private sector skills as opposed to public sector skills. There must be some concern that the huge new powers for and requirements on Ofcom might effectively be used to privatise some of its duties.
Christian Matheson
My hon. Friend says that it is not in the scope of the Bill, but so wide is the definition of “another person” that, quite frankly, anything or anyone could be in the scope of the Bill. Again, the possibility is there, and it would not be down to the Minister. I know him—he is a friend and a man of integrity. As my right hon. Friend the Member for North Durham said, however, the next Minister to come along, in this Government, at least, might not be. Who knows? In four years’ time, we might not have that problem.
This is an important aspect of national security, so I ask the Minister for clarity. It goes to the heart of the question of accountability—where responsibilities for inspections should lie. Similarly, in the second part of the amendment, we are seeking clarity on a limit on the amount that can be spent on inspection. We certainly do not want Ofcom to be swayed into decisions about whether inspections can go ahead based solely on fears that it might wrack up big costs. Nor can those costs be allowed to spiral if the first part of the amendment is not adopted and private contractors are brought in but abuse the system. I refer the Committee to the comments made by my right hon. Friend the Member for North Durham a while ago—such abuse does happen.
It is often not helpful to put a financial cost limit on the face of the Bill, if only because it can become outdated over time. To be honest with you, Mr McCabe, the truth is that the £50,000 limit specified in the amendment is arbitrary. We plucked it out of thin air to illustrate a point.
Christian Matheson
Fortunately, we will not push the amendment to a vote, so we will not have to put that point to the test. It is an arbitrary figure and I hope the Minister will not fixate on it. It simply illustrates the point that there is a question of open-ended costs. We will not push the amendment to a vote, but we think there is a vagueness and a lack of clarity that needs addressing. I urge the Minister to consider these issues and whether Ofcom would be assisted by the greater clarity that these probing amendments would bring.
Chi Onwurah
Again, I rise mainly to support the excellent contributions made by my hon. Friend the Member for City of Chester in moving this amendment. I will raise a couple of points from my experience in this area.
As I said to my hon. Friend, having worked in telecoms for 20 years, when I joined Ofcom in 2004, I had worked with, or worked with someone who had worked with, just about every operator and network provider in the business. Those personal relationships can be helpful in ensuring quick, effective collaboration, but they can also bring about conflicts of interest. Ofcom, as a public body, has processes and procedures to address those conflicts of interest. However, the Bill makes no provision for that to be applied to whoever is “another person”.
It is also the case that, unfortunately, as a regulator, one can be subject to regulatory capture by those who are regulated. The large operators often have tens or, in some cases, hundreds of lawyers and public affairs spokespeople. However, the smaller operators, unfortunately, cannot afford to dedicate so much time and resource to engaging with the regulator. It is critical that this huge increase in new powers and work for Ofcom is carried out in the right way.
As my hon. Friend said, the £50,000 figure has not been calculated on the basis of the likely costs to Ofcom, because the impact assessment does not indicate what they could be. However, it is merely the cost of five consultants at £1,000 a day for 10 days. We know that hundreds of consultants have been hired as part of the Test and Trace programme at those sorts of prices. That likely cost is within scope of any programme that is to be carried out by bringing in large private sector organisations. I hope the Minister will reassure us that he is taking these considerations into account.
Finally—I think we will discuss this point in more detail—this is a huge additional requirement on Ofcom. In the evidence session, Ofcom said that it thought it would need to hire 50 or 60 people to address the requirements of the Bill. There is always going to be an inclination to reduce internal resources, especially if they are in short supply, such as those to do with network engineering resources and the current skill set. So it is really important that the Bill should have a better definition than it currently does of who may carry out the work.
Matt Warman
I enjoyed the semantic gymnastics by the hon. Member for City of Chester as he tried to expand the scope of the Bill, but I shall try to stick to what is in it. There is a lot of consensus across parties, so I shall resist the temptation of saying that £50,000 is a demonstration that Labour is willing to put a price on national security, which this party will never do, but I understand the points that he makes on both fronts.
The clause provides Ofcom with strengthened powers, including powers to give assessment notices to a provider, that are vital to enable it to fulfil its expanded and more active role. Assessment notices are an important new power in the regime that will give Ofcom tools to assess fully a provider’s security and the extent to which it complies with its security duties. It is Ofcom’s intention that when assessing a provider’s compliance, its first port of call would be to use its information-gathering powers under section 135 of the Communications Act 2003. Ofcom would then use its power to give an assessment notice if it wanted to check the veracity of the information or to follow up a security concern. While Ofcom will therefore use its powers in a targeted and proportionate way, it is also the case that a provider with good security practices would expect to be subject to a lighter-touch assessment. Providers’ duty to bear the costs of assessments will therefore have an incentivising effect.
The amendment would insert a new subsection into new section 105N, limiting the costs that Ofcom could incur in carrying out an assessment. Fundamentally, a hard cap of any sort will always be an arbitrary number which will potentially put an additional hurdle in place. It might be necessary for some of those tests to require genuinely extensive assessment—penetration testing, or red teaming, as exercises are sometimes called, where penetration tests mimic the action that an attacker might take to access the network. Those attacking actions may of course be from sophisticated sources, and the costs of mimicking them in an entirely legitimate way could be substantial; but it is right, in the interest of national security, that Ofcom does not reduce the quality of its testing. We would not seek to limit that either, notwithstanding its independence.
I can offer the Committee some reassurance, however, that Ofcom’s assessment costs will not be excessive. It has a general duty to act proportionately and to follow other principles representing regulatory best practice. Finally, a provider’s duty is to pay only such costs as are reasonably incurred by Ofcom in an assessment, so there is a balance there.
As to the proposed new subsection that would limit those able to carry out assessments to Ofcom or a UK Government agency, the assessments, as the hon. Member for City of Chester knows, may be complex and need specialist skills. Methods such as penetration testing might need specific technical skills and we should not limit Ofcom in that way. However, we should also bear in mind, as the hon. Member for Newcastle upon Tyne Central mentioned, that the independence and expertise of Ofcom is the greatest bulwark against such entirely unfounded but legitimate concerns as those raised by the hon. Member for City of Chester, about who might be appointed by this or any Government to carry out a task in the national interest. None of us would want—and I do not suggest that the hon. Gentleman is doing this—to get into the business of questioning Ofcom’s independence in performing the tasks in question.
Chi Onwurah
I am somewhat concerned at the implication of what the Minister says. We cannot put a price on national security, and Ofcom has a role. In an evidence session, Ofcom’s representatives said that although its role excludes any question of its making security decisions, it would ensure compliance, yet now the Minister seems to be saying that Ofcom will not have the skills to ensure compliance. I agree that there are specialised skills. Penetration testing, for example, is a specialised skill, but I would argue that it is a skill that Ofcom should take on as part of this new remit. I say again to the Minister that the skills needed to ensure compliance should be within Ofcom’s remit, or should be better defined.
Matt Warman
Ofcom itself is best placed to exercise discretion as to whether it should carry out those assessments in-house, or whether it should have the flexible capacity to have the capability brought in as necessary. Ultimately, I do not think that anyone would wish to prevent Ofcom from having the ability to do what it thinks necessary by forcing it to use in-house staff only, because we cannot predict the future, as Members on both sides of the Committee have highlighted. Although the cause that the hon. Member for City of Chester is pursuing is a noble one, its unintended consequence would be to constrain Ofcom in both the expertise that it has at its fingertips and the costs that it might incur. We would not want to limit Ofcom’s discretion to make those decisions as an independent organisation.
Chi Onwurah
Actually, the amendment would not limit Ofcom’s discretion to bring in additional resources or skills. It would limit Ofcom’s discretion to Government agencies or organisations within the public sector, which, on matters of national security, we should be able to do.
Matt Warman
If the hon. Lady were right, the only people from whom we would have heard evidence over the last few days would have been public sector employees. She knows just as well as I do that the cyber-security sector is a vast mesh of public and private expertise, which is inevitable given that we have private networks offering communications services. Although I understand her point, and I am all for Ofcom having as much expertise as it needs to do its job properly in-house, I simply do not think that we should constrain what it can access in the way that the amendment would.
On this, I think we probably agree on far more than we would perhaps like to admit, but the reason that this is a probing amendment, as the hon. Member for City of Chester said, is because imposing artificial constraints would not be beneficial to Ofcom’s work. We understand what he said, however, and in broad terms, the Government agree.
Christian Matheson
I am grateful for the debate and for the Minister’s response, but I do not intend to press the amendment any further. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Chi Onwurah
I beg to move amendment 13, in clause 6, page 10, line 20, at end insert—
“(aa) provide a report on the diversity of their network’s supply chains;”
This amendment gives Ofcom the power to request a report from a network provider on the diversity of their supply chains for the purpose of assessing whether they are complying with the security duties placed on them by earlier sections of the Act.
It is a great pleasure to speak to this amendment, which goes to the absolute heart of one of our key concerns about the Bill—the lack of any reference to the diversification of our supply chain. That is absolutely critical and should be integral to our national security. Our amendment 13 affects clause 6, which we have already discussed. The objective of the amendment is to give Ofcom the power to
“request a report from a network provider on the diversity of their supply chains for the purpose of assessing whether they are complying with the security duties placed on them by earlier sections of the Act.”
As we have heard, clause 6 amends the Communications Act 2003 to insert section 105N, which gives Ofcom powers to assess compliance with the security duties set out in earlier sections, and section 105O, which gives Ofcom the power to impose on providers the duty to do any of a significant list of things, from (a) to (k)—to
“carry out specified tests or tests of a specified description…make arrangements of a specified description…direct an authorised person to documents on the premises…”
or
“assist an authorised person to view information”.
As I have said, this is an integral part of the Bill and requires some considerable debate, so it may detain the Committee for some time, but this debate can be continued at a later time if necessary. There is a long list of requirements that Ofcom might place on network providers, but nowhere is there a requirement for those providers to give a report on the diversity of their supply chains, yet the diversity of a network provider’s supply chains is absolutely integral to the security and resilience of that network provider.
We heard that very clearly during our evidence sessions. In particular, I asked Dr Drew:
“Is it possible for the UK to have secure networks without a diverse supply chain for them?”
Her answer was:
“That is a great question that comes with a very simple answer: no. The worst-case scenario for creating a risk in this sense is when monopoly meets supply chain—in secure supply chain in this case. Arguably, the reason why SolarWinds was so successful is that it provided the same service to so many different organisations and departments in the United States. Therefore, if you access one—SolarWinds—you access almost all. That is the risk.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 87, Q110.]
The reason I have highlighted that particular quote—there were a number of quotations supporting the diversification of supply chains—is that it sets out really well what might happen if a network provider has only one possible supplier. If every aspect of its network is supplied by, let us say, Ericsson, and Ericsson then has supply issues itself or is bought or acquired by another operator from a different country that we might not be so close to, or—I do not mean to imply that this is a possibility—should fail in some way, that network provider no longer has any support for their network and no longer has the ability to maintain it securely.
The dependence of our telecoms security on diversifying the supply chain was set out in the 2019 telecoms supply chain report; yet the Bill fails to mention it at all. The objective of the clause is really for Ofcom to assess how successful a network provider is in meeting our nation’s security requirements. My argument is that it is not possible to do that without understanding the diversity of that network provider’s supply chain; yet the clause as it stands makes no reference to that.
Matt Warman
I will go very briefly over the diversification strategy, which is essentially a £250-million initial tranche of investment to diversify the UK network, with a focus, to a certain extent, on open RAN, as the hon. Lady said. On the information that she would require, I agree with her so comprehensively that the provision is already in the Bill. Section 135 of the Communications Act 2003, as amended by clause 12—she is right that the provision is not in this clause—provides Ofcom with the power to gather information on diversification where Ofcom considers the information necessary for the purpose of carrying out its functions. Clause 12 specifically provides that such information can include information concerning future developments of a public electronic communications network or public electronic communications service that could impact on security. As I said, I agree with her so comprehensively that we had already foreseen the issue and the provision is already in clause 12. The addition of it to this clause would not change that fact. I hope that that provides—
Chi Onwurah
I thank the Minister for those comments. He says that the provision is already in clause 12. This is obviously down to my lack of studying, and I thought that I had studied every line of the Bill, but where specifically does clause 12 refer to diversification of supply chains?
Matt Warman
The approach that we have adopted across the Bill is that powers such as those in clause 12 are more than wide enough to cover exactly what is needed. What I am essentially saying, I suppose, is that the legal interpretation of clause 12 absolutely does what the hon. Lady seeks, because it is an absolutely essential part of one of the purposes of the Bill. That is why I hope she can take the necessary comfort to withdraw her amendment.
Chi Onwurah
I thank the Minister for that, but I am still puzzled as to where clause 12 says that Ofcom will collect data with regard to diversification of the networks. Ofcom is given the power to collect data with regard to the duties under the Bill, but there is not a duty under the Bill to diversify networks. I am trying to speed-read clauses and subsections; perhaps the Minister can direct me to a part of the clause that specifically requires information concerning. Clause 12 mentions
“information concerning future developments of a public electronic communications network or public electronic communications service that could have an impact on the security of the network or service.”
I agree that that could be liable to an interpretation that included diversification of the network, but given that the Bill does not anywhere mention diversification of the supply chain as being part of the security of the network, I am afraid I do not feel reassured.
Matt Warman
I am very happy to write to the hon. Lady to clarify why it is our belief that the Bill does that. What I would say is that the kind of specificity that she seeks would have the unintended consequence of narrowing what we do, rather than retaining the broad powers that we have in the Bill. As has been the case so often today, we do not disagree on the intent that she is seeking to obtain, and that is why the Bill is drafted as it is. As I say, I am very happy to write to her to try to clarify some of that.
Chi Onwurah
We all agree that the Minister is someone whom we like and who has the best intentions. On that basis, and on the basis that we can table further amendments at this stage or on Report if his letter of reassurance should not be sufficiently reassuring, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Ordered, That further consideration be now adjourned. —(Maria Caulfield.)