Telecommunications (Security) Bill (Sixth sitting)
Chi Onwurah ExcerptsThursday 21st January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 21 January 2021 - (21 Jan 2021)
Mr Kevan Jones (North Durham) (Lab)
I am demasked. Welcome to the Chair, Mr McCabe. It is a pleasure to serve under your chairmanship. The amendment’s intention is similar to that of new clause 7, which we spoke about earlier. My hon. Friend the Member for Newcastle upon Tyne Central is trying to probe, like I was, how we get operators to ensure that there is a full audit of their telecoms networks. This is not an easy situation. I accept what the Minister said about trying to strike a balance between prosperity—not wanting to put undue burdens on operators—and ensuring security. As my hon. Friend said, with her huge expertise in the field, these networks are not static entities; they develop over time. The example that she cited was that some of the kit in networks is many years old, which may now create security issues that were not evident when the equipment was introduced.
We are not talking about too onerous a burden on the network operators, because they are large companies. I accept that they will be resistant to anything that adds cost because, at our insistence of wanting cheaper phone calls and mobile technology, prices are competitive between the various operators. My hon. Friend therefore makes a good point that there must be a clear level playing field between the operators.
The Bill will ensure that existing Huawei kit is taken out by 2027, even though the networks did nothing wrong by putting in that kit in the first place. Without wanting to carry on my campaign against the Cabinet Office, the Intelligence and Security Committee’s 2013 report “Foreign involvement in the Critical National Infrastructure” shows that the Cabinet Office was made aware of BT’s contract with the Chinese company Huawei in 2003. That the Cabinet Office felt it was not important enough to tell Ministers so until 2006 reinforces my point about its role. That brings me to Ofcom and its capacity, which I will come to later. If we want the most robust system, we will need a system by which we know what is in the network.
There are two issues. I think it is possibly easier for future deployments, because we know what we are putting in. In the debate around Huawei and the security risks, I think it has been very clear. Let us be honest: an operator would be very silly to put in a piece of equipment that was deemed to be high risk for any future roll-out. However, as my hon. Friend says, it is what is already in the network. We accept that some of that will be taken out as a result of the Huawei issue, but a huge amount of equipment will still be in there.
That is before we look at software. What saddens me about the entire debate around Huawei and the telecoms sector is that it has been very hardware-centric. We know that the risks to our network from software are greater in some respects; we have seen examples of where network compromise is easier, too. Again, how do we get a robust framework in terms of the audit around software—not just what has already been used, but what will be used in the future?
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
My right hon. Friend is making some excellent comments. He has raised another issue, which I perhaps did not highlight in my speech, which is that there might be existing equipment that is not necessarily seen as having a security implication but that, as the network evolves, will pose a security threat in the future. I gave an example in the evidence sessions. Say Amazon Web Services was to be bought by a Chinese company. As our networks move the functionality into the software, that will be running in the cloud over the Amazon Web Services infrastructure, which would have a huge potential security impact. An effective audit of where that equipment is now would be critical to knowing the level of that threat.
Mr Jones
I do not disagree with my hon. Friend. That is why we need to get into the idea of the audit. As I said earlier, we basically need a level playing field for operators; we do not want one to have an advantage over another. We also need a clear picture of what we are asking in terms of the audit. On the point she makes regarding web services and the cloud, there is an issue there that I think is worth referring to. It links today’s Bill with the National Security and Investment Bill, which we were discussing yesterday. There was a lot of discussion around what we define as critical—a point she has already raised.
For yesterday’s Bill, the question was what is critical to national infrastructure—for example, a company that is developing software that is then acquired by a state that we deem is a security risk to us. If that equipment or software is being used in our telecommunications network, does that mean that the network is compromised, and how do we guard against that? There are provisions in the National Security and Investment Bill that enable the Government to stop the acquisition of companies that we consider vital to our national security, but unless we know that in advance, how will we make that decision?
If we have a situation where a small company is providing software for part of our critical national infrastructure for telecoms, how will that be joined up? How will we be able to use the provisions in the National Security and Investment Bill, so that the Business Secretary can block the sale? Likewise, how do we get that connection? We can do that only by the Minister and Ofcom having a very clear indication from day one—I do not think it will be possible from day one, but from some time into it—what is in our network, not just now, but into the future. That will be important.
That brings us to the role of Ofcom. We have seen a development of regulators in this country. I am not a great fan of regulators, because I think it is a way for Ministers to palm off their responsibilities to third parties and then stand back and saying, “If it all goes wrong, it is nothing to do with me, guv—it is these independent organisations.” A long time ago—perhaps it is a bit old-fashioned—the General Post Office used to be responsible for this type of thing, and I am currently reading the excellent new history of GCHQ that has come out, which I recommend to everyone. It is fascinating to read about some of the challenges—things that apply to this Bill—such as, in the first world war, what was conceived as national security and who was responsible for it. Was it the GPO, the military or someone else?
How will Ofcom be able to look at a network and say, “Yes, we are satisfied that there is nothing in there that is a matter of national security”? They do not know. I do not think for one minute that we are going to have a situation whereby this Government or any future Government will suddenly throw so much money at Ofcom that a huge army of inspectors will be climbing up poles and going into operators’ offices to check source codes and so on. That is not going to happen.
From a practical point of view, the operators will have to be responsible for providing that information to Ofcom. Whether it is in the Bill or in the guidance, it must be clear what is expected of operators. It is no good looking back in hindsight and saying, “We should have done that,” when something happens. The operators will just say, “You did not tell us we had to do that,” or, “We didn’t know about that.” It has to be very clear, to prevent a competitive advantage between different companies, that there is one standard. They also have to know what we are asking for. Then, taking the telecoms hat off and putting the national security hat on, from the Government’s point of view, that needs to be very clear as well, because we need to be reassured that the components and software in those networks, now and in the future, are not a national security risk.
That brings us to an issue that I have already raised. I am not someone who thinks that every time we go to bed at night, we should look under the bed to see whether the Chinese are there, unlike some members of the China Research Group, but there is an issue about the way in which China will look at supply chains as a way of getting access, for two reasons. The first is national security. The second is commercial reasons—dominating the market, which is what China has done with Huawei. How will we identify that, without having some type of audit process? I do not think that everything to do with China is bad, but a huge number of the components in all our mobile phones in our pockets today will have come from China, including Ericsson and Nokia hardware.
Mr Jones
This is a remarkable day. This morning I was told that my contribution to the debate was inspiring, and now I am being told that I am talking sense—I thank the hon. Gentleman for making my day.
The hon. Gentleman is right, but he is also wrong. He is right in the sense that there are threats that will come through GCHQ and others—they will say to operators, “You’ve got to be careful of these things.” Where he is wrong, though, is with the idea that somehow GCHQ can take a guess at what is in the network. It does not have that capability. Going forward—the emphasis in this country, in the Bill, in terms of looking at telecoms security—yes, the bar has been raised substantially.
There will be occasions when GCHQ—it does it already —contacts operators and others to say, “Beware of this software or this thing.” I accept that as a proactive approach, but handling backwards will also be important. How do we have a gold-plated system, whereby we have GCHQ doing what the hon. Member for Bracknell suggested they are already doing, but one that also matches up with operators taking responsibility to say, “We have spotted something and are doing something about it”? It is pulling the two things together.
Chi Onwurah
Part of the challenge is that the operators do not know themselves and, as we have discussed, there are no incentives for them to find out. To give an example, Virgin Media took over from NTL, which I think took over from the 13 different cable providers in the franchises of the ’80s, and the BT mobile network was bought partially from EE—so there are takeovers and acquisitions, and partners may not know, and do not necessarily have an incentive to find out unless we put in a requirement.
Mr Jones
My hon. Friend makes the point precisely: the way in which telecoms have developed in this country has been piecemeal, only developing now into the four main operators. I hope we will try to get others into the market.
We are to blame for that, as consumers, because we have demanded ever lower prices for our mobile services. Does that suggest that the operators have taken shortcuts? No, I am not suggesting that, but consumer preferences have driven down price, and therefore the costs of what those operators provide in delivering the services that we all take for granted. Let us be honest: the Chinese saw the opening door for Huawei—that is why they bought into and flooded the market, putting Government loans behind it. Can we blame the operators for saying, “Well, actually, this is a good deal—we can get good deals”? But they cannot.
I am interested to know from the Minister how, looking forward, we are going to do that. I accept that something will be done under the regulations that the Government will put out, but how will we look backwards as well? As my hon. Friend the Member for Newcastle upon Tyne Central said, there is a lot of legacy equipment there, and it is important for Ofcom to have a clear understanding of what is in the networks.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
It is a pleasure to serve under your chairmanship, Mr McCabe.
We are redefining UK telecoms security, but I worry that we are also redefining the aspiration of the hon. Member for Newcastle upon Tyne Central to crack on, so I will try to be brief. The good news that I can deliver, briefly, is how the aspirations of both the hon. Lady and the right hon. Member for North Durham are met in the legislation, and how we envisage those aspirations’ being implemented.As the Committee is aware, the Government have published an early draft of the security regulations. Certain draft requirements are relevant to the aims that we have talked about today. If hon. Members look at regulation 3(3)(a), with which they will be familiar if they are insomniacs, they will see a duty for network providers
“to identify, record and reduce the risks of security compromises to which the entire network and each particular function… of the network may be exposed”.
That is already there and key to the issues that hon. Members have been talking about.
Chi Onwurah
I had looked at those requirements. I appreciate that they are drafts, but they talk about identifying issues. They do not say “audit”.
Matt Warman
I think this would be impossible to identify without carrying out some kind of audit. There is a danger of a semantic argument, but I understand the point the hon. Lady is making. We want people to be in the position to make the kind of identifications that we are requiring. I do not see how they could do that without the records to which she refers, in terms of both the existing kit and future kit that they might put into their network.
Matt Warman
The regulation that I cited is an example of the Government not relying on assumptions. It is an example of us publishing, in advance, exactly the sort of material that demonstrates that this is not assumptions, and that it is there in black and white. That is an important distinction and it demonstrates the cross-party consensus that we have had thus far. We continue to be on the same page in terms of the level of detail required.
The evidence sessions with industry demonstrated that national providers already maintain some asset registers. Witnesses were clear that those registers are maintained and updated as technologies are updated. That is an important part of the existing landscape, but our regulations will ensure this kind of best practice is extended across public telecoms providers.
In addition, the Bill contains measures with regard to the use of particular vendors’ equipment. Inspection notices under clause 19 enable Ofcom to carry out surveys of a specific network or service where Ofcom receives a monitoring direction from the Secretary of State to gather information on a provider’s compliance with a designated vendor direction. Alongside that, clause 23 enables the Secretary of State to require the provision of information about the use of goods, services or facilities supplied, provided or made available by a particular person. That could be used to require information about a provider’s use of a particular vendor’s equipment.
Taken together, the issues that have been raised are not only entirely legitimate, in the view of the Government, but are addressed in black and white already, both in the Bill itself and in the drafts that we have published. We are ensuring that “hardware of interest,” whatever that might be, is subject to proper oversight and monitoring. That objective does not need the approach that might come as a consequence of this amendment, because it is already there. For that reason, I welcome the probing nature of the amendment. I hope that my answer has satisfied some of the concerns, and I look forward to doing so further in future answers.
Chi Onwurah
It is a pleasure to serve under your chairmanship, Mr McCabe, and I thank the Minister for his comments. I also thank my right hon. Friend the Member for North Durham and my hon. Friend the Member for City of Chester for their comments. This amendment is probing, so we will not push it to a Division. I would like to say two things to the Minister. Although it is true that the providers were confident that they had an asset anywhere their equipment was, other experts who gave testimony in the evidence sessions were not. My experience of networks is that there are multiple systems and this information is not easily accessible or searchable.
I am reassured by the Minister saying that his view is that these requirements could not be met without there having been some kind of audit, to have that information ready. I ask him to write to me, if possible, stating which provisions in the requirements set that out. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
Matt Warman
It is good to reach this landmark point. I do not propose to go over all the ground we have covered, because we have already covered a large chunk of this in discussing the amendments.
As I mentioned, proposed new section 105A means that telecoms providers will need to take appropriate action to ensure adequate security standards and limit the damage caused by any breaches. To support that duty, the proposed new section will create a new definition of “security compromise”. The definition is purposely broad. It includes anything that compromises the availability, performance or functionality of a network or service, or that compromises the confidentiality of the signals conveyed by it. That addresses some of the points made by the right hon. Member for North Durham a moment ago. This is a comprehensive approach that will help to ensure providers protect their networks and services properly in the future.
Earlier, I mentioned law enforcement and national security. This part of the Bill excludes certain conduct that is required or authorised under national security legislation or for law enforcement from the definition of “security compromise” in subsections (3) and (4). Those subsections also clarify the fact that, for example, disruption of the use of unauthorised mobile phones in prisons would not be a security compromise.
Proposed new section 105B will give powers to the Secretary of State to make regulations imposing duties to take specific security measures. The power will enable more detailed requirements to be imposed on providers, further to the overarching duty set out in proposed new section 105A(1). This will give greater clarity to providers about the measures that they must take. It will also allow the legal framework to be adapted as new threats arise and technology changes.
These security requirements deliver on our commitment in the telecoms supply chain review to place targeted, actionable and proportionate requirements on a statutory footing. Taken together, the new overarching security duty and requirements will, in secondary legislation, make clear what the Government expect of public telecoms providers. The provisions in the clause are crucial for improving the security of our telecoms infrastructure.
Chi Onwurah
As the Minister says, reaching the end of consideration of clause 1 is a landmark. We are cracking on at a slower pace than anticipated, but it is important that we have rehearsed a number of the arguments that you will hear, Mr McCabe, throughout our detailed scrutiny of the Bill.
Those arguments relate to our concerns with regard to national security, which Labour prioritises, yet we do not see that priority recognised consistently in the Bill; the effective plan to diversify supply chains on which it depends, but which it does not mention; and the scrutiny of the sweeping powers that the Bill will give to the Secretary of State and Ofcom. Those issues all arise in the clause, although we welcome the Bill and the increased duties. Will the Minister clarify the relationship between proposed new section 105A and proposed new section 105B? If he cannot do so now, perhaps he will write to me.
Matt Warman
We are one thirtieth of the way there. The clause will place a duty on providers to take measures in response to security compromises through proposed new section 105C. When managing security, providers should seek to reduce the risk of security compromises occurring under their duty in proposed new section 105A. As security threats and attacks evolve, it will never be possible for providers to reduce that risk to zero. Therefore, should a security compromise occur, it is crucial that providers take swift and effective action to mitigate its effects. Taking action quickly will also help to mitigate the risk of any further incidents.
Mirroring the approach taken in clause 1, the new duty in proposed new section 105C is overarching and sets out a general duty on providers. It is supported by proposed new section 105D, which will provide the Secretary of State with powers to make regulations requiring providers to take specific measures in response to security compromises of a description specified in regulations. Although it will clearly not be possible to anticipate every security compromise that might occur and to set out how providers should respond, this will enable more detailed provision to be made in appropriate cases. Measures can be specified in the regulations only where the Secretary of State considers those measures appropriate and proportionate.
In practice, the first set of requirements will be contained in a single set of regulations made under the powers of proposed new sections 105B and 105D. A draft of the regulations has already been made available to members of the Committee, and published on gov.uk. Regulations made using this power will give providers clarity about the measures that they need to take, and having those measures set out in secondary legislation has the benefit of allowing the regulations to be reviewed as technology and security threats change over time.
In summary, this duty on providers is an integral part of the new framework, which will ensure providers take control of the security of their networks and services at a time when the UK stands on the cusp of a 5G and full fibre revolution. We must keep those technologies secure to enjoy their full benefit, and the clause is essential to doing that.
Chi Onwurah
We are cracking on: clause 2 is taking but a few minutes. The Opposition recognise the critical importance of our network providers taking responsibility for the security of their networks, and that there can never be a zero-risk network. Given that network communications are ever present in almost every aspect of our life and of our nation’s economy and security, it is right and appropriate that the Bill should put requirements in place, both on the operators and in response to specific security compromises.
I should like to have better understood how we would expect network operators to respond to a compromise such as the SolarWinds one, for example, but I expect that the clause will at least place the right duties on network operators, and I am content that it should stand part of the Bill.
Question put and agreed to.
Clause 2 accordingly ordered to stand part of the Bill.
The Chair
This must be down to that productivity seminar they sent me on. Still, nothing lasts forever.
Clause 3
Codes of practice about security measures etc
Chi Onwurah
I rise to support my right hon. Friend’s excellent comments and to add a couple of points on amendment 10, which would require the Secretary of State to consult the National Cyber Security Centre before issuing a code of practice about security matters. My right hon. Friend spoke ably about the amendment’s intent to ensure security input on national security measures. That sounds basic, so I hope the Minister will explain why he feels it is unnecessary to make that explicit in the Bill. My right hon. Friend suggested that perhaps it should go without saying, but as we heard in the evidence sessions and have already discussed, the evolving security landscape and the change that the Bill represents, through the new powers for the Secretary of State and Ofcom, make it particularly important to set that out expressly.
The Bill looks at many issues to ensure the security of our networks from supply chains to requirements on network providers as well as raising technical issues, and Ofcom will need to do a lot specifically, so it is important to have a specific reference to the security function of the National Cyber Security Centre.
It came across clearly in the evidence sessions that Ofcom will not be making national security judgments. Lindsey Fussell said:
“It is important to say that, across the scope of the whole Bill, it is not Ofcom’s role to make national security judgments. That is really important. Clearly, that is the Government’s and the Secretary of State’s role, taking advice from the NCSC and the intelligence agencies.”—[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 89, Q113.]
In introducing the code of practice, it is essential to ensure that security input and expertise. I do not see why the Minister would object to including such a requirement in the Bill. Unfortunately, we are not always as joined up as we would like to be. There are numerous examples of issues that could have been prevented, had agencies of Government done what might have been expected of them and talked to teach other. As the Bill involves network operations and deep technical and security issues, a requirement to consult the NCSC is particularly important, and that is what the amendment would achieve.
Matt Warman
I apologise in advance, having said that we should crack on, for detaining the Committee for a few minutes on this group of amendments. They relate to clauses 3 and 4, which deal with the codes of practice for security measures and informing others of security compromises. Ultimately, the new telecoms framework comprises three layers. There are strengthened overarching security duties set out in the Bill, there are specific security requirements in secondary legislation, and there are detailed technical security measures in codes of practice. Clause 3 deals with the final layer of the new security framework. Specifically, it provides the Secretary of State with the power to issue and revise the codes of practice and sets out the legal effects of any published codes of practice.
Clause 4 addresses what would happen should there be a security compromise. It puts in place a process for users to be informed of significant risks of a security compromise. The clause also places a duty on public telecoms providers to inform Ofcom of any security compromises with significant impacts, and it creates the power for Ofcom to inform other persons in turn, including users.
I turn now to amendment 5, which seeks to ensure that the NCSC is also informed of security compromises. From a drafting point of view, the NCSC is part of GCHQ, and I take the amendment to refer to GCHQ in that sense. Within the new telecoms framework, the Department for Digital, Culture, Media, and Sport will set the policy direction, Ofcom will regulate and the NCSC will provide technical and security advice. As the UK is an world-leading national authority on cyber-security, we expect the NSCS to share its expertise with Ofcom in order to support the implementation of a new telecoms security framework.
For that reason, the Government absolutely agree that it is crucial that the NCSC receives information about telecoms providers’ security. That is why such information-sharing provisions already exist. Under section 19 of the Counter-Terrorism Act 2008, Ofcom or the Secretary of State is able to share with the NCSC any information that would support the NCSC in carrying out its functions. That would of course include the passing on of details of security incidents. Under new section 105L of the Communications Act 2003, which this Bill inserts, Ofcom must report all serious security incidents to the Secretary and State and can pass on information about less serious incidents as well. On receiving such information, the Secretary of State can then share the information with the NCSC, as I have set out. Although these probing amendments are well-intentioned, it is obvious that the provisions are already there.
Chi Onwurah
I thank the Minister for his response to the amendments. He is focusing on the fact that it is possible for information to be shared, but it is not required. I understand that the Bill as drafted, and preceding best practice, means that it is possible for information to be shared. My concern is that it is not required.
Matt Warman
I understand the hon. Lady’s point, and I will come to something that I think will address it in a moment. Before I do, I will speak to amendments 6 and 10, as they would be functionally identical amendments to new section 105F in clause 3.
New section 105F sets out the process for issuing a code of practice. It requires a statutory consultation on a draft code of practice with the providers to whom the code would apply, Ofcom and other persons such as the Secretary of State considers appropriate. The amendments would apply an additional requirement to formally consult the NCSC when publishing a draft code of practice. I can reassure the Committee that we will continue to work closely with technical experts at the NCSC, as we have done over a number of years.
The telecoms supply chain review demonstrated the Department’s capability to work with our intelligence and security experts to produce sound recommendations, backed by the extensive and detailed security analysis that I know Members of all parties would like to see. That initiated the next phase of the collaborative work that culminated in the introduction of the Bill, and the codes of practice continue that theme. The purpose of such codes is to provide technical security guidance on the detailed measures that certain public telecoms providers should take to meet their legal obligations.
We have already been clear that NCSC guidance will form the basis of an initial DCMS-issued code of practice. The NCSC has already developed a set of technical measures that is in the process of being tested with the industry, and those technical measures have been refined and improved over the last two years. The NCSC will continue to update the measures to reflect any changes in the landscape of threats, as the right hon. Member for North Durham described, and the relationship between the work of the DCMS and that of the NCSC means that such changes would be reflected in the code of practice. Alongside the DCMS and Ofcom, the NCSC will play a key role in advising public telecoms providers on how to implement detailed codes of practice.
Chi Onwurah
I will not detain the Committee very long either, as we agree about the importance of codes of practice. I will not say that I am entirely reassured to hear of the statement being issued by Ofcom and the NCSC on how they will work together, but I certainly think that it is a positive development, and I hope we will be able to see it before the Bill progresses to the House.
On the codes of practice, as my right hon. Friend the Member for North Durham set out, it is important that the sector should understand the standard to which it will be held. I have some concerns about the tiering system, because, as was made clear by a number of witnesses during the evidence sittings, all networks are joined up and we are only as secure as the weakest link. At the same time, it is important to have a proportional burden on new entrants as we indeed hope to diversify the supply chain.
I understand, although perhaps the Minister can clarify the point, that the codes of practice will not refer to the diversification of the supply chain, despite the fact that having a secure network—we shall debate this in more detail—is dependent on having a diverse supply chain. I have made the point a number of times, and will make it repeatedly, that the lack of linkage between the diversification strategy, implementation and the security of our networks is an ongoing cause for concern. However, having made those comments, I do not object to the clause.
Question put and agreed to.
Clause 3 accordingly ordered to stand part of the Bill.
Clause 4
Informing others of security compromises
Question proposed, That the clause stand part of the Bill.
Matt Warman
As with clause 3, I have already spoken to clause 4, addressing an amendment on this issue. It will be crucial that we ensure that the Government, Ofcom, public telecoms providers and their customers have the information that they need to understand when security compromises have occurred, and then use the knowledge to prevent compromises in the future. New section 105J requires that providers inform their users of significant risks of security compromises and actions that they can take to avoid or mitigate any adverse consequences.
We want to ensure that this is done in a transparent and open way, so the clause specifies that telecoms users should be notified in clear and plain language, and given a named contact they can get in touch with if they have any further questions. Giving users that information will help to ensure that, where possible, they can take swift action to protect themselves and raise broader awareness.
New section 105K requires security compromises to be reported to Ofcom. That information will provide Ofcom with insight into the security of individual telecoms providers and security risks across the landscape, enabling us to target its regulatory action more effectively. The Bill also requires that providers report pre-positioning attacks on the network. These are attacks that do not affect the network or service at the time but allow access that could result in further security compromises. These attacks pose real risks but too often remain invisible to a regulator.
Finally, under new section 105L, Ofcom is required to share information about serious security compromises with the Government. It may also share information on less serious compromises if, for example, it would help the Government with developing telecoms policy and future regulation.
The clause explains how Ofcom can share information about security compromise with other groups and organisations, and the Bill allows information sharing at Ofcom’s discretion with overseas regulators, other providers, telecoms users and, where appropriate, the wider public. It allows Ofcom to advise network and service users of the measures that they should take to prevent, remedy or mitigate the effects of the security compromises, to direct providers to give such advice themselves.
The clause ensures that the regulator has access to the information that it needs, and will help to ensure that the entire industry is aware of new and evolving risks and can respond accordingly—be that a customer changing their password or an operator tightening its defences against a new attacker.
Matt Warman
I will pretend I have not finished, and give way to the hon. Lady.
Chi Onwurah
I thank the Minister, as always, for graciously giving way. I will make this point later, but I want to give the Minister the opportunity to consider how the requirement for Ofcom to notify users might work with the Information Commissioner’s requirement on data controllers to also notify users when there is a data hack.
Matt Warman
Obviously, there could be an overlap in those notification requirements, but our expectation would not be that anyone would receive multiple notifications. That is why there is an emphasis on the nature of communications being clear and obvious to laypeople.
Chi Onwurah
Is my right hon. Friend aware that the hack used by the young person had been around for longer than that young person had been alive? That is an indication of the low level of security TalkTalk had in their network; they had not been able to address a known hack that had existed for at least 16 years. The Bill aims, in part, to address that and the consequences of that lack of security for our constituents.
Mr Jones
My hon. Friend is correct. A lot of the debate has been about hardware, but the biggest threat to our national security, in terms of telecoms, is from hacking and cyber-attacks. The changing nature of the threat is interesting. There are state actors and there is organised crime, acting on of behalf of states, but there is also, as referred to by my hon. Friend, some poor teenager who thought it was a good idea. The TalkTalk case showed the emphasis they put on the security of their network. Not just clause 4, but the whole Bill, puts the onus on the operators, which is why it is so welcome. Never again could they be accused of not knowing their responsibilities.
New section 105J requires providers to take “reasonable” steps to inform users about the risk, the nature of the security compromise, the steps the user could take in response, and the name and details of the person to contact. That is fine, but how to respond might be a matter for Ofcom. That is important, because people might then quickly take steps to stop compromises to their security.
The Bill lays out penalties for telecoms operators, but what about the consumer and people who have lost money because of data breaches? Do I assume that the Bill does not change that? It beefs it up, but I assume that any mitigation or compensation that should be paid to individuals who have been compromised would be an issue for Ofcom. When we had the TalkTalk compromise, getting TalkTalk to do anything was like trying to get blood out of a stone. That is important from the point of view of consumers.
It is important that the Secretary of State is informed, but how will that be done? I presume GCHQ and others would do that. Would that lead to lessons learned or to a notice being given to other operators that that has happened? Would that be done by Ofcom, the National Cyber Security Centre or GCHQ, or would it be a combination of all of them? It comes back to the point made by my hon. Friend the Member for Newcastle upon Tyne Central: this is a risk and this clause puts the onus initially with the operators, where it should be.
Chi Onwurah
We are cracking on at such a pace that I lost my place somewhat. I had forgotten that we are now discussing clause 4. My apologies, Mr McCabe.
My right hon. Friend the Member for North Durham has already addressed some of the points that I wanted to make, but let me say that we welcome the duty being placed on providers to report security incidents. I have long campaigned, in relation to cases such as the TalkTalk incident, to make that duty clearer and more comprehensive regarding the information that needs to be shared with users and those who are affected, and for them to have some kind of right of redress, which is effectively part of the Bill.
I welcome the requirement in clause 4 to inform others of security compromises, but will the Minister provide more clarity? There is some indication of the range of actors that the providers and Ofcom must inform, but I do not feel that there is an understanding of the level of information that will be shared with different actors. For example, if the public are to be informed of a security breach, compared with the requirement from the Information Commissioner’s Office, which, as I said, actually goes far enough, what level of information might be shared with other actors, such as other networks? My right hon. Friend talked about who else might be informed. It is also clear that the sharing of information will probably need to evolve over time, as the nature of compromises and their potential reach changes. I wonder how these requirements might be adapted to reflect that.
I will just say a little about the sharing of information with overseas regulators. If that is clearly set out in the Bill, I am unable to find it. Presumably, such data sharing will still have to conform with the requirements of our data protection legislation. Will it also reflect international data-sharing gateways for criminal prosecution purposes?
Those are just some general comments. We welcome the clause.
Matt Warman
I will reply briefly. On the point about compensation, essentially new section 105W of the Communications Act 2003, which is inserted by clause 8, covers the civil liability point, which I think opens the door that the right hon. Member for North Durham seeks to open. Then there are the notifications to industry of what is essentially best practice and recent threats. Of course, as he implied, there is a balance to be struck with the existing work of all those involved, but ultimately it would feed into the codes of practice, so there is both an informal and a formal mechanism, if I can put it like that.
On the hon. Lady’s final point about the international sharing of information, it would depend on the nature of the information, as she implied. Some of it would pertain to national security, and some of it would pertain to the kind of criminality that she has spoken about about, where there are existing provisions as well. In that sense, of course, it is all covered by our own data protection regime, which has the sorts of carve-outs I have just described but operates in that holistic framework.
Matt Warman
As I said in response to the hon. Lady, there is obviously a potential overlap. The focus of this Bill is on clarity of communication to the consumer, but I am very happy to write to the right hon. Gentleman or the Committee with further details of that potential overlap.
Chi Onwurah
The Minister is being incredibly generous with his time. To clarify what we are hoping to receive, as he has indicated, we would not want the ICO to be sending out notifications to 2 million people who had been affected by a hack, and Ofcom to be doing that as well. We would expect there to be co-ordination in that regard, and we would just like to see that set out.
Matt Warman
I am very happy to do so. I think it is obvious that clarity of communication would be incompatible with duplication.
Question put and agreed to.
Clause 4 accordingly ordered to stand part of the Bill.
Clause 5
General duty of OFCOM to ensure compliance with security duties
Chi Onwurah
I rise simply to support the excellent speech made by my hon. Friend the Member for City of Chester. I thank him for his very kind words. In the amendment, he makes an important contribution in ensuring that Ofcom knows what it needs to know and in putting the onus more firmly on the network providers. I simply ask the Minister to respond to the points that my hon. Friend made in his concluding remarks about being forward-looking.
A challenge for us as a nation in securing our networks during such fast-paced technological change is looking backwards to the problems we have had rather than forwards to the evolving and new threats. During the evidence sessions, we were accused of fetishising 5G as if that was the only security challenge, because of the visible problem with Huawei, and that we were not looking more broadly. I admired Ofcom during my time there because it was set up to be a forward-looking regulator. To achieve that aim, when it comes to the sweeping new requirements around security that are placed on it under the Bill, it needs to be able to see what changes are happening and are likely to influence future evolving threats. To do that effectively, amendment 11 requires the network providers to notify Ofcom of planned or actual changes.
It is worth remembering that—I made this point earlier—if BT had been required to notify Ofcom or another body of changes to its network as Huawei moved to a greater and more dominant position in its network, that might have rung alarm bells more generally. We have also already mentioned the shift that we are seeing on the importance of software and software configuration and services in controlling the network. Requiring providers to notify Ofcom of planned or actual changes to the network would make that evolution more easily visible and therefore provide Ofcom with greater visibility of how all our networks are evolving and what new threats may arise as a consequence.
Matt Warman
The amendment would add to the general duty in clause 5 that places on Ofcom the duty to ensure that providers comply with their security duties. The duty as written in the Bill makes clear Ofcom’s increasing role. The duties imposed on public telecoms providers in the Bill are legally binding, so as the Bill is written providers should not be taking decisions that would prevent them from complying with those duties in the future. If they were not to comply, they would be in breach of their legal duties and liable for enforcement action, including the imposition of the significant penalties set out in the Bill.
The underlying purpose of the amendment—that Ofcom should take a proactive role in regulating the regime—is already core to what is in the Bill and the Government absolutely agree with the principle that the hon. Member for City of Chester set out. We need to ensure that Ofcom has the tools to be forward-looking so that, in a world of fast-changing technologies and threats, it can understand where operators are taking their networks and how that will affect their security. That is an absolutely essential part of the Bill.
Matt Warman
I think the Bill is perfectly drafted down to every comma and punctuation mark. To be slightly more serious, what we have sought to do in the drafting is to strike the balance between proportionate regulations and the overarching requirements for national security. That is the balance that we have struck and it is exactly for that reason that we already do in the Bill what the hon. Member for City of Chester and the shadow Minister seek with the amendment.
In section 135 of the Communications Act 2003, as amended by clause 12, Ofcom is already allowed to require information from providers about the future development of networks and services that could have an impact on the security of the network or service they are providing. That would enable Ofcom, for instance, to assess the security risks arising from the deployment of a new technology or from the proposed deployment of a new technology. For those reasons, I hope that the hon. Members are reassured not just that the Bill does what they seek, but that previous drafts of the Communications Act already did so.
Chi Onwurah
I thank the Minister for giving way; in doing so, he shortens what I will say later. I think the Minister is saying that Ofcom has the power to require information, which is true, but the amendment is about providers proactively giving that information. Ofcom cannot request information about a change to the networks that it does not know is happening. I am hoping that perhaps what the Minister is implying is that he would expect Ofcom regularly to review what was changing in the networks and therefore make those requests for further information. Could he clarify that point?
Matt Warman
The sort of horizon scanning that the hon. Lady describes is core to all essential regulation, and the relationship that Ofcom has with those whom it regulates promotes the ability to have such conversations. But as I said, the key point is that an operator that proposes knowingly to introduce a risk into its network would clearly not be complying with the statutory provisions of the Bill. That is the essential nub of the issue.
Christian Matheson
I beg to move amendment 12, in clause 6, page 10, line 12, at end insert—
“(3) In this section “another person” means a UK government agency or a person from a UK government agency.
(4) OFCOM may not incur costs exceeding £50,000 in carrying out, or arranging or another person to carry out, an assessment under this section.”.
This amendment restricts those who Ofcom may arrange to carry out an assessment under this section to a UK government agency or person from such an agency. It also caps the cost of an individual security assessment at £50,000 for Ofcom.
The desire of the Committee is to crack on, so I will not detain us for too long. The clause, which covers more than three pages of the Bill, is extensive in outlining the powers of Ofcom to assess compliance with security duties and will amend sections of the Communications Act 2003 to that end. The Opposition’s probing amendment intends to bring clarity in two areas in particular.
The clause will insert proposed new section 105N into the Communications Act to give authority to Ofcom or “another person” to undertake an assessment of whether a network or service provider is carrying out its duties—an inspection, spot check or audit, whatever you will, Mr McCabe. That is all fine, but the appointment of “another person” is far too vague and needs clarity. Since this is a matter of national security, we believe such an authority can be vested only in an agency or arm of the UK Government. It would be wholly inappropriate to outsource it to a telecoms, IT or other consultancy in part because of the need for full co-operation from the business being audited, which must have absolute confidence to be open and transparent and, therefore, must have confidence in the inspector. Ofcom therefore cannot appoint any Tom, Dick or Harry to do the job but only someone who rides above the industry and will not give the inspected business any reason to think that its commercial confidentiality is at stake.
My hon. Friend the Member for Newcastle upon Tyne Central, with her extensive experience of the telecoms sector, has told me that it is a tight-knit industry in which everyone has worked for everyone else at some point. We got that impression from the oral evidence as a lot of the experts had worked with or knew one another. Perhaps it is an exaggeration to say that everyone has worked for everyone else, but it is illustrative of the nature of the sector, so there will be limits on who could be appointed. Does the Minister agree that the current suggestion of “another person” is too wide?
Chi Onwurah
The impression that I have given my hon. Friend about the telecoms sector being tight-knit is absolutely right. One concern that that brings is that there will therefore be conflicts of interest. Ofcom, as a public servant with the status of a quango, has rules and regulations for declaring interests that mean previous conflicts of interest will not weigh into its work. The concern that I have articulated to my hon. Friend in the past is that that would not apply to “other persons”, so broadly defined.
Christian Matheson
I was going to say cronyism, but chumocracy is a far nicer way to put it, and we have seen it in the way consultancy contracts have been dished out during the current crisis. My right hon. Friend is absolutely right to say that there can be as little scope as possible for people who are perhaps not quite as qualified as they should be to be given such jobs.
Chi Onwurah
My right hon. Friend the Member for North Durham raised the Test and Trace programme. I do not want to dwell on that, as it is not within the scope of the Bill, but it is important to understand the extent to which the programme has been used as a vehicle to privatise parts of the NHS by building up private sector skills as opposed to public sector skills. There must be some concern that the huge new powers for and requirements on Ofcom might effectively be used to privatise some of its duties.
Christian Matheson
My hon. Friend says that it is not in the scope of the Bill, but so wide is the definition of “another person” that, quite frankly, anything or anyone could be in the scope of the Bill. Again, the possibility is there, and it would not be down to the Minister. I know him—he is a friend and a man of integrity. As my right hon. Friend the Member for North Durham said, however, the next Minister to come along, in this Government, at least, might not be. Who knows? In four years’ time, we might not have that problem.
This is an important aspect of national security, so I ask the Minister for clarity. It goes to the heart of the question of accountability—where responsibilities for inspections should lie. Similarly, in the second part of the amendment, we are seeking clarity on a limit on the amount that can be spent on inspection. We certainly do not want Ofcom to be swayed into decisions about whether inspections can go ahead based solely on fears that it might wrack up big costs. Nor can those costs be allowed to spiral if the first part of the amendment is not adopted and private contractors are brought in but abuse the system. I refer the Committee to the comments made by my right hon. Friend the Member for North Durham a while ago—such abuse does happen.
It is often not helpful to put a financial cost limit on the face of the Bill, if only because it can become outdated over time. To be honest with you, Mr McCabe, the truth is that the £50,000 limit specified in the amendment is arbitrary. We plucked it out of thin air to illustrate a point.
Christian Matheson
Fortunately, we will not push the amendment to a vote, so we will not have to put that point to the test. It is an arbitrary figure and I hope the Minister will not fixate on it. It simply illustrates the point that there is a question of open-ended costs. We will not push the amendment to a vote, but we think there is a vagueness and a lack of clarity that needs addressing. I urge the Minister to consider these issues and whether Ofcom would be assisted by the greater clarity that these probing amendments would bring.
Chi Onwurah
Again, I rise mainly to support the excellent contributions made by my hon. Friend the Member for City of Chester in moving this amendment. I will raise a couple of points from my experience in this area.
As I said to my hon. Friend, having worked in telecoms for 20 years, when I joined Ofcom in 2004, I had worked with, or worked with someone who had worked with, just about every operator and network provider in the business. Those personal relationships can be helpful in ensuring quick, effective collaboration, but they can also bring about conflicts of interest. Ofcom, as a public body, has processes and procedures to address those conflicts of interest. However, the Bill makes no provision for that to be applied to whoever is “another person”.
It is also the case that, unfortunately, as a regulator, one can be subject to regulatory capture by those who are regulated. The large operators often have tens or, in some cases, hundreds of lawyers and public affairs spokespeople. However, the smaller operators, unfortunately, cannot afford to dedicate so much time and resource to engaging with the regulator. It is critical that this huge increase in new powers and work for Ofcom is carried out in the right way.
As my hon. Friend said, the £50,000 figure has not been calculated on the basis of the likely costs to Ofcom, because the impact assessment does not indicate what they could be. However, it is merely the cost of five consultants at £1,000 a day for 10 days. We know that hundreds of consultants have been hired as part of the Test and Trace programme at those sorts of prices. That likely cost is within scope of any programme that is to be carried out by bringing in large private sector organisations. I hope the Minister will reassure us that he is taking these considerations into account.
Finally—I think we will discuss this point in more detail—this is a huge additional requirement on Ofcom. In the evidence session, Ofcom said that it thought it would need to hire 50 or 60 people to address the requirements of the Bill. There is always going to be an inclination to reduce internal resources, especially if they are in short supply, such as those to do with network engineering resources and the current skill set. So it is really important that the Bill should have a better definition than it currently does of who may carry out the work.
Matt Warman
I enjoyed the semantic gymnastics by the hon. Member for City of Chester as he tried to expand the scope of the Bill, but I shall try to stick to what is in it. There is a lot of consensus across parties, so I shall resist the temptation of saying that £50,000 is a demonstration that Labour is willing to put a price on national security, which this party will never do, but I understand the points that he makes on both fronts.
The clause provides Ofcom with strengthened powers, including powers to give assessment notices to a provider, that are vital to enable it to fulfil its expanded and more active role. Assessment notices are an important new power in the regime that will give Ofcom tools to assess fully a provider’s security and the extent to which it complies with its security duties. It is Ofcom’s intention that when assessing a provider’s compliance, its first port of call would be to use its information-gathering powers under section 135 of the Communications Act 2003. Ofcom would then use its power to give an assessment notice if it wanted to check the veracity of the information or to follow up a security concern. While Ofcom will therefore use its powers in a targeted and proportionate way, it is also the case that a provider with good security practices would expect to be subject to a lighter-touch assessment. Providers’ duty to bear the costs of assessments will therefore have an incentivising effect.
The amendment would insert a new subsection into new section 105N, limiting the costs that Ofcom could incur in carrying out an assessment. Fundamentally, a hard cap of any sort will always be an arbitrary number which will potentially put an additional hurdle in place. It might be necessary for some of those tests to require genuinely extensive assessment—penetration testing, or red teaming, as exercises are sometimes called, where penetration tests mimic the action that an attacker might take to access the network. Those attacking actions may of course be from sophisticated sources, and the costs of mimicking them in an entirely legitimate way could be substantial; but it is right, in the interest of national security, that Ofcom does not reduce the quality of its testing. We would not seek to limit that either, notwithstanding its independence.
I can offer the Committee some reassurance, however, that Ofcom’s assessment costs will not be excessive. It has a general duty to act proportionately and to follow other principles representing regulatory best practice. Finally, a provider’s duty is to pay only such costs as are reasonably incurred by Ofcom in an assessment, so there is a balance there.
As to the proposed new subsection that would limit those able to carry out assessments to Ofcom or a UK Government agency, the assessments, as the hon. Member for City of Chester knows, may be complex and need specialist skills. Methods such as penetration testing might need specific technical skills and we should not limit Ofcom in that way. However, we should also bear in mind, as the hon. Member for Newcastle upon Tyne Central mentioned, that the independence and expertise of Ofcom is the greatest bulwark against such entirely unfounded but legitimate concerns as those raised by the hon. Member for City of Chester, about who might be appointed by this or any Government to carry out a task in the national interest. None of us would want—and I do not suggest that the hon. Gentleman is doing this—to get into the business of questioning Ofcom’s independence in performing the tasks in question.
Chi Onwurah
I am somewhat concerned at the implication of what the Minister says. We cannot put a price on national security, and Ofcom has a role. In an evidence session, Ofcom’s representatives said that although its role excludes any question of its making security decisions, it would ensure compliance, yet now the Minister seems to be saying that Ofcom will not have the skills to ensure compliance. I agree that there are specialised skills. Penetration testing, for example, is a specialised skill, but I would argue that it is a skill that Ofcom should take on as part of this new remit. I say again to the Minister that the skills needed to ensure compliance should be within Ofcom’s remit, or should be better defined.
Matt Warman
Ofcom itself is best placed to exercise discretion as to whether it should carry out those assessments in-house, or whether it should have the flexible capacity to have the capability brought in as necessary. Ultimately, I do not think that anyone would wish to prevent Ofcom from having the ability to do what it thinks necessary by forcing it to use in-house staff only, because we cannot predict the future, as Members on both sides of the Committee have highlighted. Although the cause that the hon. Member for City of Chester is pursuing is a noble one, its unintended consequence would be to constrain Ofcom in both the expertise that it has at its fingertips and the costs that it might incur. We would not want to limit Ofcom’s discretion to make those decisions as an independent organisation.
Chi Onwurah
Actually, the amendment would not limit Ofcom’s discretion to bring in additional resources or skills. It would limit Ofcom’s discretion to Government agencies or organisations within the public sector, which, on matters of national security, we should be able to do.
Matt Warman
If the hon. Lady were right, the only people from whom we would have heard evidence over the last few days would have been public sector employees. She knows just as well as I do that the cyber-security sector is a vast mesh of public and private expertise, which is inevitable given that we have private networks offering communications services. Although I understand her point, and I am all for Ofcom having as much expertise as it needs to do its job properly in-house, I simply do not think that we should constrain what it can access in the way that the amendment would.
On this, I think we probably agree on far more than we would perhaps like to admit, but the reason that this is a probing amendment, as the hon. Member for City of Chester said, is because imposing artificial constraints would not be beneficial to Ofcom’s work. We understand what he said, however, and in broad terms, the Government agree.
Christian Matheson
I am grateful for the debate and for the Minister’s response, but I do not intend to press the amendment any further. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Chi Onwurah
I beg to move amendment 13, in clause 6, page 10, line 20, at end insert—
“(aa) provide a report on the diversity of their network’s supply chains;”
This amendment gives Ofcom the power to request a report from a network provider on the diversity of their supply chains for the purpose of assessing whether they are complying with the security duties placed on them by earlier sections of the Act.
It is a great pleasure to speak to this amendment, which goes to the absolute heart of one of our key concerns about the Bill—the lack of any reference to the diversification of our supply chain. That is absolutely critical and should be integral to our national security. Our amendment 13 affects clause 6, which we have already discussed. The objective of the amendment is to give Ofcom the power to
“request a report from a network provider on the diversity of their supply chains for the purpose of assessing whether they are complying with the security duties placed on them by earlier sections of the Act.”
As we have heard, clause 6 amends the Communications Act 2003 to insert section 105N, which gives Ofcom powers to assess compliance with the security duties set out in earlier sections, and section 105O, which gives Ofcom the power to impose on providers the duty to do any of a significant list of things, from (a) to (k)—to
“carry out specified tests or tests of a specified description…make arrangements of a specified description…direct an authorised person to documents on the premises…”
or
“assist an authorised person to view information”.
As I have said, this is an integral part of the Bill and requires some considerable debate, so it may detain the Committee for some time, but this debate can be continued at a later time if necessary. There is a long list of requirements that Ofcom might place on network providers, but nowhere is there a requirement for those providers to give a report on the diversity of their supply chains, yet the diversity of a network provider’s supply chains is absolutely integral to the security and resilience of that network provider.
We heard that very clearly during our evidence sessions. In particular, I asked Dr Drew:
“Is it possible for the UK to have secure networks without a diverse supply chain for them?”
Her answer was:
“That is a great question that comes with a very simple answer: no. The worst-case scenario for creating a risk in this sense is when monopoly meets supply chain—in secure supply chain in this case. Arguably, the reason why SolarWinds was so successful is that it provided the same service to so many different organisations and departments in the United States. Therefore, if you access one—SolarWinds—you access almost all. That is the risk.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 87, Q110.]
The reason I have highlighted that particular quote—there were a number of quotations supporting the diversification of supply chains—is that it sets out really well what might happen if a network provider has only one possible supplier. If every aspect of its network is supplied by, let us say, Ericsson, and Ericsson then has supply issues itself or is bought or acquired by another operator from a different country that we might not be so close to, or—I do not mean to imply that this is a possibility—should fail in some way, that network provider no longer has any support for their network and no longer has the ability to maintain it securely.
The dependence of our telecoms security on diversifying the supply chain was set out in the 2019 telecoms supply chain report; yet the Bill fails to mention it at all. The objective of the clause is really for Ofcom to assess how successful a network provider is in meeting our nation’s security requirements. My argument is that it is not possible to do that without understanding the diversity of that network provider’s supply chain; yet the clause as it stands makes no reference to that.
Matt Warman
I will go very briefly over the diversification strategy, which is essentially a £250-million initial tranche of investment to diversify the UK network, with a focus, to a certain extent, on open RAN, as the hon. Lady said. On the information that she would require, I agree with her so comprehensively that the provision is already in the Bill. Section 135 of the Communications Act 2003, as amended by clause 12—she is right that the provision is not in this clause—provides Ofcom with the power to gather information on diversification where Ofcom considers the information necessary for the purpose of carrying out its functions. Clause 12 specifically provides that such information can include information concerning future developments of a public electronic communications network or public electronic communications service that could impact on security. As I said, I agree with her so comprehensively that we had already foreseen the issue and the provision is already in clause 12. The addition of it to this clause would not change that fact. I hope that that provides—
Chi Onwurah
I thank the Minister for those comments. He says that the provision is already in clause 12. This is obviously down to my lack of studying, and I thought that I had studied every line of the Bill, but where specifically does clause 12 refer to diversification of supply chains?
Matt Warman
The approach that we have adopted across the Bill is that powers such as those in clause 12 are more than wide enough to cover exactly what is needed. What I am essentially saying, I suppose, is that the legal interpretation of clause 12 absolutely does what the hon. Lady seeks, because it is an absolutely essential part of one of the purposes of the Bill. That is why I hope she can take the necessary comfort to withdraw her amendment.
Chi Onwurah
I thank the Minister for that, but I am still puzzled as to where clause 12 says that Ofcom will collect data with regard to diversification of the networks. Ofcom is given the power to collect data with regard to the duties under the Bill, but there is not a duty under the Bill to diversify networks. I am trying to speed-read clauses and subsections; perhaps the Minister can direct me to a part of the clause that specifically requires information concerning. Clause 12 mentions
“information concerning future developments of a public electronic communications network or public electronic communications service that could have an impact on the security of the network or service.”
I agree that that could be liable to an interpretation that included diversification of the network, but given that the Bill does not anywhere mention diversification of the supply chain as being part of the security of the network, I am afraid I do not feel reassured.
Matt Warman
I am very happy to write to the hon. Lady to clarify why it is our belief that the Bill does that. What I would say is that the kind of specificity that she seeks would have the unintended consequence of narrowing what we do, rather than retaining the broad powers that we have in the Bill. As has been the case so often today, we do not disagree on the intent that she is seeking to obtain, and that is why the Bill is drafted as it is. As I say, I am very happy to write to her to try to clarify some of that.
Chi Onwurah
We all agree that the Minister is someone whom we like and who has the best intentions. On that basis, and on the basis that we can table further amendments at this stage or on Report if his letter of reassurance should not be sufficiently reassuring, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Ordered, That further consideration be now adjourned. —(Maria Caulfield.)
Telecommunications (Security) Bill (Third sitting)
Chi Onwurah ExcerptsTuesday 19th January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 26 January 2021 - (26 Jan 2021)
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
Q
I have a couple of questions, starting with you, William. We heard from Mavenir on Thursday that open RAN could provide 2G, 3G, 4G and 5G networks now, but the operators were not looking to purchase networks from it. What is your view on the accuracy of that statement and the maturity of open RAN? What challenges does that pose with regard to the diversification strategy set out by the diversification taskforce?
Professor Webb: Thank you, Chi. I am sure Mavenir is correct that it can sell equipment that can do 2G, 3G, 4G and 5G, but that is not sufficient for an existing operator. If an operator wants to put this equipment into its network, it needs to work with its network diagnostic systems; it needs to handle all of the various features that it might deliver to customers, businesses or whatever, or that it might use for optimising its network or the various software systems that it has. It has built these up over 20 or 30 years, so adding in the equipment is a lot more than simply ticking the box and saying that it can transmit 2G or 3G. That takes quite some time, particularly with the more complex base stations that we find in city centres. The ones in rural areas are typically much simpler and less problematic if they go wrong. That is why we see people like Vodafone trialling open RAN in those places.
Although Mavenir has all the ticks in the boxes, it does not yet have work-through with the operators to deliver something that really works for all of its network. As we have heard from the operators, that is a long, slow process. The operators are rightly risk averse—they do not want to rush out a whole load of equipment and for their networks to fail after a few months, with all the problems that that would have for consumers. So it seems to me that we are still some time away—I think the operators have said five, six or maybe seven years—from any significant deployment of open RAN. That sounds very plausible to me as a strategy for evolving a network. Of course, by the time you get to that point, they will have deployed most of their 5G network already, so it feels as though open RAN will be too little too late to have a significant impact on diversifying the 5G networks that we have in this country and that we will have for the next few years.
Chi Onwurah
Q
Professor Webb: If I wanted to diversify, I would instruct the telecoms operators to diversify. I would not try and pull the levers one step removed. I would say to the telecoms operators, either with a carrot or a stick, “You must diversify. If you have x number of vendors in your network, I will give you £x million as a carrot.” The stick might be some kind of licence condition that said, “In order to meet your licence, you have to have at least x number of vendors in your network.” That seems to me to be the way to pull through, and then the operators can decide whether they want ORAN, something like NEC or Samsung or someone like that. They can make that choice and that will pull through the decisions to them, rather than the Government trying to decide on their behalf what the best technology for them to use might be.
Chi Onwurah
Q
Emily Taylor: Thank you very much for those questions. As a general point about the cyber-security of critical national infrastructure, I feel a little like we have been fetishising 5G and a single company for the last two years, perhaps at the expense of a more holistic awareness of systemic cyber-security risks. Ciaran Martin spoke eloquently yesterday about the need for flexibility in what critical national infrastructure is. The last year has shown us that what is critical very much depends on what you are going through at the time. Healthcare systems probably would not have been top of the list two years ago, but now they are. The SolarWinds attack shows that the identity of the vendor is not always the key risk point. SolarWinds is a very trusted vendor from a like-minded, close ally country, and yet it turns out to be a critical single point of failure across key, very sensitive Government Departments, both in the US and the UK.
Thank you for talking about consolidation across cloud services, Chi. One of my reflections on open RAN is that, although, of course, I am excited at the idea of open, interoperable standards, which would prevent vendor blocking, most of my experience has been in the internet environment rather than the mobile environment, and we are replete with open, interoperable standards, but we have a major competition problem. That in itself is not going to be enough of a lever to secure diversification.
On the point about acquisitions, particularly where you have cutting-edge technologies coming through, this country is really good at R&D—we have wonderful universities full of very brainy people who are creating things—but there does not seem to be the follow-through to create world-beating companies that can compete across the world stage. Why is that? It is because they either get sold to the US or to China. Of course, the foreign investment security strategies are all part of this as well, but you make a key point. If Amazon Web Services was sold to a frenemy country, that would potentially introduce the same kind of, at least theoretical, security risks that we have been troubled by over Huawei and 5G.
It is also the case that consolidation of infrastructure providers, like the cloud providers, is a security risk, because they become too big to fail. There was a brief outage of Google just before Christmas, and people just cannot work. When Cloudflare or Dyn go down, they introduce massive outages, particularly at a point where we are all so reliant on technology to do our work. These are security risks, and that highlights the need for a flexible approach. You have to be looking across all sectors.
Chi Onwurah
Q
Emily Taylor: Generally, our standard of security across the board is not as high as it should be.
Professor Webb: I realise that Chi had also asked me how the UK can strengthen its ability to provide diversified supply chains, and I did not address that.
I want to pick up on something Emily said as well. I think she is absolutely right—the UK has a great number of really excellent engineers, both in universities and in leading consultancy-type organisations. Here in Cambridge there is a plethora of wonderful consultancies and start-up companies. In my experience, the biggest problem is actually finance. To try to raise the finance to get a start-up company off the ground, particularly one that sells to operators who have huge purchasing power and tend to squeeze all their vendors—quite naturally—is very difficult in the UK. It is much easier in the US. Addressing the ability to provide finance for those kinds of entities and, to Emily’s point, allowing them to exist for many years rather than to be bought as part of that financial process would help more than anything else, for the UK to grow its own major players in this space.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
Q
Professor Webb: Yes, I think there is a balance. I do not have strong views on that. The legislation appears to be sufficient and flexible in this space. I think the issue is the way it is implemented, and particularly the downstream actions of the Government and of Ofcom might need a bit more care.
Emily Taylor: The legislation is creating a framework, and a lot of that will be filled out through statutory instrument and the codes of practice that are envisioned. I imagine the codes of practice will reflect the TSRs to a large degree. Thinking particularly about how the legislation might impact on the wish and the essential need to diversify, it imposes very high levels of liability for providers, and almost unlimited duties on everybody for the smallest infractions. That is William Webb’s point about proportionality.
As the measures come to life through secondary legislation, codes of practice and the actions of Ofcom, it is going to be very important that there are checks and balances. I am not sure whether the Committee is hearing from any civil society groups, but I am sure they would be worried about the very wide discretion for the Secretary of State. There is a lot of concentration of power in the Secretary of State and, perhaps, insufficient safeguards, as things are currently drafted.
Also, on the provisions that relate to the identity of the supplier—the nationality—rather than the qualities of security, which I think are the more relevant points, of course identity and nationality can be relevant, but there may need to be more of a look there to ensure that we are on the right side of potential risks of discrimination.
Mr Jones
Q
Dr Drew: It is very similar. That is a great point to make. Pretty much wherever you see belt and road initiatives in, say, a port or supply chain of a physical good, you will see simultaneous investment and market input in a telecoms sense. There is a digital silk road as much as there is a belt and road initiative in the physical goods and supply chain sense.
They are becoming increasingly entwined fields; 10, maybe 15 years ago you could easily have seen a distinct separation between the physical supply chain and the digital supply chain. That differentiation is fading as we progress through time, and I think the Chinese have worked that out perhaps faster than we have and they are rapidly making inroads in order to amplify that effect and gain the benefits of it.
Chi Onwurah
Q
Also, you have great experience in evolving security threats. In your view, does the Bill address major telecommunications threats to national security—future and evolving threats? For example, do you think this Bill would have helped to mitigate the impact of the recent SolarWinds Orion network monitoring hack, which was also mentioned by a previous witness?
Dr Drew: I will start with the question of values. I am a great believer that technology and values and norms of behaviour are implicitly connected: you cannot separate them. It should be explicitly understood that it is an implicit truth. I believe—and I have stated this before to some of your colleagues and civil servants in various Departments—that the CCP has realised that the great firewall of China, which tries to police content within China, has holes in it and is not going to last, or was not going to last, given the direction that the internet, freedom of communication and transfer of information is going.
The next logical step, and what I believe is happening, is that if you cannot control the internet within the great firewall, it is better to be able to shape the internet everywhere, both outside and inside it. I would argue that a lot of the technological standard-setting that you see take place in the ITU and elsewhere is essentially that taking place, as is the use of social media platforms to harvest data, which is then used to aid in the censorship of domestic content within China.
With regard to evolving threats and the Bill specifically, I think that the Bill goes a very long way towards pre-emptively meeting threats that are likely to come in the future. My biggest issue echoes what I caught of the previous witness statements: the fact that it is a matter of capacity for the institutions that are given this responsibility—that is, Ofcom—and the ability to change their culture to actively engage within that framework and take action to ensure these standards are met and kept to. Those are my biggest queries about the ability of this Bill to be as forward-looking as we would like it to be.
Finally, with regard to SolarWinds, I think this Bill is aptly timed in a way, given the context of this particular threat. SolarWinds was a perfect example of a supply chain security risk, and a vector of attack that went through a diverse supply chain to meet what should have been some of the most secure systems that the United States had.
Telecoms will, as I have already said, be the backbone of all the UK’s future advancements of technology in all the things we are seeking to develop within our borders. The hardest thing to do as an attacker is to gain access. We should be making it as hard as possible to gain access; we should be making sure that there is as much oversight and understanding as is possible of where our supply chains go, the standards that they should meet, and whether those standards are being met, and I think this Bill goes some way towards that. I would argue that it needs to be continually updated, checked and maintained. This is not a one-off: times change, and the internet changes faster. Those would pretty much be my recommendations.
Chi Onwurah
Q
Dr Drew: The two essentially go together. If you look at the membership and those who take part in ITU standard setting committees and groups, you will see a predominance of not only state representation from China, but also representation of Chinese companies.
I think it needs to be made clear to our providers the benefits to them of being able to set standards; I believe this has been overlooked. The easiest way to do that is to simply look at some of the technical standards that have been set or lobbied for in this group by companies such as Huawei and ZTE, which are essentially entrenching their technical standards into a global standards body—that obviously gives them an advantage in producing that output. I think our companies could benefit in exactly the same way, and they would certainly benefit from taking part.
On having providers be more proactively involved, I think it would make complete sense for these actors to be made to inform Ofcom, or whichever regulator is chosen, of significant changes to their supply chains. It would be akin to having a black box where we go, “Okay, this black box must output something secure, but we don’t need to know how it gets there.” I think we should know, as much as is possible, who is involved in the supply chains to reach our eventual telecoms network.
Sara Britcliffe
Q
Dr Drew: It is undeniable, as the previous witness stated, that this Bill will increase costs and potentially slow down the pace at which development of these technologies, to the standards that are now being asked for, can be done. I have been asked similar questions before about what is the cost of us not getting to 5G roll-out as soon as possible. My general response has been to point out that although 5G is a backbone technology that provides access, we have very few practical applications of the speeds and connectivity that this network will provide us with.
It is something that you might see on your phone, but the increase in speed from having a 5G connection will be almost so fast as to be unnoticeable to the normal user. We have not got to the point where we have large city-wide technologies that will draw on this infrastructure, such as traffic management, health systems and economic production systems.
Although there might be a delay and an increase in cost—which again, I think we should try to meet in a way that incentivises more players to come into this market—I think this delay is not crippling. That is because, at the moment, although the 5G technology itself is maturing, the uses of that technology are still immature and I do not think we are losing out too much if we have a slight delay, with the benefit of reaching greater security.
James Sunderland
Q
Dr Drew: It potentially could, depending on the type of company that you are attempting to incentivise. It would have a different effect on those potentially two or more categories. If you take one category to be pre-existing companies that previously have not operated within the UK, such as NEC from Japan, they are likely not to be put off to such a great extent—they have already had to deal with some level of security commitment within their normal markets. However, I suggest that it could be more of a barrier to entry for the smaller companies that we are attempting to encourage to get into this market. Emerging companies would find a culture of components and cultural risk to how they view their work, as well as the technical and financial cost of meeting the new standards. Yes, I believe there would be an impact, but it would be different between types of vendors that you are seeking to encourage.
Chi Onwurah
Q
“to further the interests of citizens in relation to communications matters; and to further the interests of consumers in relevant markets, where appropriate by promoting competition.”
Do you think there is an argument to add a further security duty, if that is going to take such a large portion of Ofcom’s capacity?
Dr Drew: As to the second question first, I believe that security should be a component here. In fact, I believe it fits with what Ofcom is likely to be responsible for, and with the Online Harms White Paper as well. Security is fundamentally and inexorably linked with technology, culture and communications in the modern sense, so I believe that it would be important for that to be included as a key provision for DCMS.
With regard to the differences between fixed networks and 5G and the implications of this Bill, in the efficacy of its methodology towards the other, there are technical differences in how 5G operates right now and how we perceive the next generation of telecommunications to operate, but those differences will change over time, I believe. They will become less distinct. It is likely that fixed networks will move towards the concept of computing on the edge, and this is indeed already happening in some senses.
As for the actual efforts to control security risk, I do not see any major differences between telecommunications suppliers and fixed network suppliers. There is the same potential risk. You mentioned the SolarWinds hack earlier. That was a fixed network supplier in a way—it was not telecommunications—but there was the same risk involved and the same means of access, through a diversified chain with limited oversight at Government level, because it is a private sector actor with limited responsibilities. That is as true in that case as it would be for a fixed network with Cisco, and as it would be with a telecoms provider by ZTE, Huawei, Ericsson or any other. I do not think there is a significant technical difference to mean that the goals and direction of this Bill could not, and perhaps should not, be applied to others.
Chi Onwurah
Q
Dr Drew: That is a great question that comes with a very simple answer: no. The worst-case scenario for creating a risk in this sense is when monopoly meets supply chain—in secure supply chain in this case. Arguably, the reason why SolarWinds was so successful is that it provided the same service to so many different organisations and departments in the United States. Therefore, if you access one—SolarWinds—you access almost all. That is the risk.
The same is true in this sense if you transfer these issues to telecommunications or fixed networks. If you have only a single supplier, all it takes is that supplier to be compromised for your whole network to be compromised. As I said earlier, with any form of cyber-attack, the access is always the hardest part if you are the attacker, so if you have an easy target or if the target is just one point, they can throw all their resources at it and it is easier. I would argue that diversification is one of the most basic and probably most effective means of limiting the damage that could be caused in any attack against one of those vectors.
The Chair
Dr Drew, there are no further questions from Members, so I thank you very much indeed for your time this morning and for sharing your expertise with the Committee.
Dr Drew: It was a pleasure. Thank you.
Examination of Witnesses
Simon Saunders and Lindsey Fussell gave evidence.
Christian Matheson
Q
Lindsey Fussell: I am certainly not going to deny that there is quite a lot going on, and the organisation is expanding, as you say, albeit with different deadlines and different timescales for the new responsibilities. I have already talked about our recruitment plans to ensure that we have the specialist skills in place to focus particularly on network security, as well as the enforcement and legal support that we will need to deliver this regime, which is a very important part of it.
It is also worth reflecting, though, that there are some really interesting overlaps between different areas of our new responsibilities. If I think of the responsibilities that we have just taken on in relation to video sharing platforms, we are having to understand, as part of those responsibilities, network infrastructure, data analytics and so on. All that actually calls on similar skills and experience that we will need for the regime that we are talking about today, so there is some crossover that we can draw on. Simon, did you want to add anything on that?
Simon Saunders: Absolutely. We have different teams that we are building for the different responsibilities, but there are definitely overlaps between them, and in particular we have built a team of technologists particularly to inform our work on online issues, including, but not limited to, online harm. That comes with a need for us to have technologists who have worked in, and understand, a range of cloud-based computing platforms and the online social media platforms in general. The underlying [Inaudible.] technologies are the ones that increasingly telecoms networks are being built with as well—the so-called cloudification, or virtualisation. So, helpfully, when we recruit specialists in the one area there is the opportunity for them to contribute to the other areas of our responsibilities and to ensure that our approach to these things is [Inaudible.] I think we actually get benefits from having multiple of those duties, rather than separating them.
Chi Onwurah
Q
I want, with permission, to ask a question about three areas: security, assets and costs, and duties. I share some of the scepticism of my right hon. Friend the Member for North Durham about the statement that Ofcom will not be making decisions on national security. You will clearly have duties with regard to national security and one of the key duties is to ensure compliance of our entire network—all our networks—with national security requirements. So how are you going to ensure that compliance without taking decisions on security? You seem to suggest that it is just going to be a set of protocols, if you like, from the National Cyber Security Centre, and you are just going to look at ticking the boxes to see that they are met; but in practice that cannot be the case. It is far more complex than that, particularly with regard to emerging technologies.
Another issue is that the Bill puts all the requirement to ensure compliance on Ofcom, in terms of Ofcom seeking information, Ofcom requiring information, Ofcom setting out notices to inspect, and so on. For example, let us say that one of our network operators—I shall not name one—decides to buy all its cloud or virtualisation equipment from a Chinese manufacturer that is not designated a high-risk manufacturer. Would Ofcom be informed of that change in its network? How would that pass to the National Cyber Security Centre—or would it not? Without that kind of duty in place, is there a risk of what you do becoming a meaningless tick-box exercise and, particularly, of its not addressing future and emerging security threats? That is my first question.
Lindsey Fussell: The point that you raise about this needing not to be a tick-box exercise is absolutely vital. I think actually what we are talking about in this legislation is changing culture—crucially among operators but also in terms of giving the regulator new responsibilities and changing the culture that we have, and the responsibilities and the range of the role we take on in relation to this. So this is absolutely—the legislation in fact specifically says so—about future technology as well as about existing networks. It is critical, I think, that we and the operators go on this journey together in terms of promoting that security by design, in everything that is done.
Picking up your question specifically in relation to assets, I think it is more or less impossible to meet the requirements set out in the covid practice for the operators unless they have a detailed asset register of everything that is in their system. We would expect to see evidence of that, and that it is regularly checked, audited and so on. That would be an expectation for us.
On the relationship with the NCSC, as I say, we have specific provisions in place that enable us to share information with the NCSC. As we collect that information with operators, we will discuss with them in advance what type of information they want to see on a routine basis, sharing that and clearly taking guidance from them as necessary if they think there are national security issues that we need to be aware of.
I mentioned earlier about having security clearance in place. To expand on that answer, we have a small number of STRAP-cleared staff in Ofcom, and we will expand that if need be. Those relationships with the NCSC are already in place and will be productive. I should say also that if the NCSC identifies new threats, or if we identify new threats, I think the legislation is flexible and it is right to be so, in that the code of practice can be updated to reflect that.
Simon Saunders: Could I also add that, in respect of our role in emerging technologies, we are not only awaiting others to tell us which emerging technologies to pay attention to? We have our own independent programme of monitoring and horizon scanning for technologies that could appear and have an impact on the networks and the sectors that we regulate. Clearly, the implications are not only about security. They cover a wider range of issues of performance and costs and flexibility and so on. We actively monitor across these sectors for those technologies.
I mentioned earlier that we recently published something about technologies heading for the future generations of mobile. That also covers fixed networks, the advent of quantum technologies and distributed software technologies in networks, and so on. That programme yields an advance look for colleagues about threats and opportunities that are coming towards us into the markets, so that we can build the skills and consider the implications well in advance of their actually impacting on those networks.
Chi Onwurah
Q
Lindsey Fussell: We would, as I say, expect providers to keep detailed records of the components that they use in their networks. I would expect that that is the type of information that, if a significant new vendor is brought into the market, the NCSC might well be interested in. It is worth saying that, while we do not have any direct regulatory powers over the vendors themselves, under these arrangements operators are required to assess the maturity of the vendors and suppliers they use, and the NCSC has issued guidance to them to enable them to assess that maturity. If the question is: if we see a brand new supplier starting to appear, is that the kind of information that we would expect operators to provide to us and for us then to share it with the NCSC? The answer to that question would be yes.
Chi Onwurah
Q
Can I come on to duties? I have the Communications Act here, which has got a lot thicker since I left Ofcom. The two duties are the “interests of citizens” and the “interests of consumers” with regard to competition, but there is not a duty on security. Does that not suggest that if there is a conflict between competition or communication matters, that will be prioritised over security if there is not an explicit duty to maintain the security of our networks?
Lindsey Fussell: I think this legislation quite clearly does place explicit duties on us to monitor and enforce the compliance of operators on network security requirements. I do not see that there is any risk that we would downplay the importance of that duty in comparison with others. Clearly, it is for the Government to put forward any changes to legislation to change the balance of our duties or to add new ones, but I think the Government—and, indeed, Parliament—are asking us very clearly to take on those responsibilities through this new legislation.
To pick up on a point I made earlier, in terms of the interests of citizens and consumers, it is important to say that of course it is in the interest of citizens and consumers to have excellent networks functioning that provide them with great connectivity. If we have learned anything from this most recent period, it is how important connectivity is to everybody’s daily life. Of course, that comes across in pricing and support for more vulnerable consumers, and all those other things that we have responsibility for in telecoms.
Actually, promoting secure networks is absolutely in the interests of consumers and citizens as well, not just because of the really damaging consequences of cyber-attacks, but because, ultimately, if we are able to have better networks, that should enable greater economic innovation through 5G use cases and things like that, for example. I think in promoting the interests of citizens and consumers, telecoms security is clearly part of that.
James Sunderland
Q
Lindsey Fussell: It is probably worth saying that, from an international perspective, although there are some other countries—notably Germany and Australia—that have started to explore strengthening their telecoms security framework, I am not aware of another country that is quite as forward leaning in terms of the framework that is being put forward in this legislation.
In terms of the fines, this is an important point—those fines match the level that we are currently able to levy in relation to our other telecoms requirements, such as breaches of our general conditions. Previously, under our past responsibilities, our fines were limited to £2 million, so really quite a small amount compared with the wealth of the largest operators. I think it is appropriate that the telecoms security fines match what we are able to do elsewhere.
The final point I would make is that fining is an incredibly useful power to have because it acts as a significant deterrent and a strong incentive for companies to comply. It is actually not the first lever that we reach for, certainly not maximum fines; it is there and we are ready to use it if we need to, but our starting point would be to work with operators on this journey as they move towards compliance as they respond to new and emerging threats.
Chi Onwurah
Q
Lindsey Fussell: In relation to Ofcom’s costs first, Ofcom is funded in two ways: first, by a levy on the sectors and companies that it regulates and, secondly, through the collection of fees, primarily from our spectrum duties. Our overall funding is obviously agreed by our board but also subject to a cap agreed with Government each year. We are currently in discussion with the Treasury about the exact technicalities and which of those routes will be used to fund this, but it will be in line with Ofcom’s normal funding arrangements.
In relation to company costs, clearly the Government have looked into that, in discussion with operators in relation to the impact assessment for the legislation. I know that there is a plan to do further work on that in relation to telecom security requirements, once companies have had a chance to see the SI and the code of practice.
The point here, which is built into the legislation, is the concept of proportionality. Although we would expect the largest operators—we would work with them intensively throughout the process—to take part in, for example, penetration testing, it is likely we will be more proportionate with the smaller operators and, for example, respond on an incident-based approach, rather than expect them to carry out the same level of detailed work and interaction with Ofcom. In all of that, we would want to be proportionate in the costs imposed on operators, as we are in all our responsibilities, bearing in mind that these are really important responsibilities, as we have been discussing.
Chi Onwurah
Q
Lindsey Fussell: If I may, I will bring Simon in on the question of diversification. In relation to costs, the bulk of Ofcom’s own costs are paid by larger operators rather than smaller ones, and we have talked about proportionality in the way we operate that. Again, although I understand the tiering of the system will be set out in the code of practice, that will also be based on size and scale. Simon, may I turn to you on diversification?
Simon Saunders: The diversification strategy that the Government have published has set out a desire to attract new suppliers to the UK and further expand suppliers through open solutions, among other means, and to ensure that that is supported by an appropriate regulatory framework. We are ready to do what comes from that, in terms of any objectives the Government set on the level of diversification and to support measures to enable that. There are clearly synergies between the security aspects and the diversification aspects: in determining how diverse the supply base is, having a fully populated and up-to-date asset register from the operators for the security needs will also support the requirement to assess the diversity, if that is what we are required to do.
Chi Onwurah
Q
Simon Saunders: Our existing duties around ensuring the health of the communications market for consumers and citizens point in the same direction in many ways, even if diversity is not spelled out explicitly. We see that a functioning, competitive market for network equipment supports the operators’ ability to provide cost-effective networks that perform well, and that supports the needs of citizens to get great services wherever they are and for those services to be reliable and so on. I do not view this as an entirely separate area from our existing duties; whether specific duties around this are needed is part of the work we are doing to support the taskforce and the plans that come from that.
The Chair
This will have to be a very quick answer, because we have to stop at 11.25 am.
Telecommunications (Security) Bill (Fourth sitting)
Chi Onwurah ExcerptsTuesday 19th January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 26 January 2021 - (26 Jan 2021)
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
Q
I will be brief, as we are running out of time, but thank you for your expertise. My question to Andy Sellars and Heba Bevan is about the diversification strategy. In what areas do you think the UK has the capability to exploit the opportunities of this diversification strategy, particularly in hardware versus software? We have been told that hardware is beyond our manufacturing capabilities, yet you seem to be making a success out of it, Heba. What barriers are new entrants and smaller companies likely to experience and what kind of interventions should the Government make that are not fully addressed by the diversification strategy in order to ensure a UK capability in this area?
My question to Dr Johnson: we heard from Mavenir earlier, which said that open RAN could provide 2G, 3G, 4G and 5G networks now. We have also heard of the operational challenges associated with that. What is your view on the maturity of open RAN technology? We will start with Andy.
Dr Sellars: The first question was about UK capabilities to exploit the opportunity. Specifically, the UK has a cluster of small-cell base station manufacturers around the Bath and Bristol area. We have satellite communications clusters around the north-east, central Scotland and Surrey. We have a compound semiconductor cluster around south Wales, employing 1,600 highly skilled engineers generating something like £180 million per annum to the Welsh and UK economy. We have quantum encryption expertise funded through Innovate UK’s programmes, we have world-leading providers of optical transceivers for fibre communications, and we have backhaul capability.
Chi Onwurah
Q
Dr Sellars: For interventions, I would suggest that the Advanced Propulsion Centre is a really good model to look at. It is in a different sector. It is funded through the Department for Business, Energy and Industrial Strategy, and its remit is to help to transition the automotive industry from petrol and diesel engines to electric drivetrains using batteries. Have a look at that as a model. It is an incredibly good model for transitioning an entire industry from one technology to another. It brings together supply chains and is very effective. That is one of the interventions I would suggest. Other interventions could be cyber-certification and just helping UK companies to access some of the standards bodies. That would be very effective. We have a lot of SMEs.
Heba Bevan: Thank you for your question. On hardware, as a company—and to be honest in the UK as a nation —we do not have the essential foundries. We can design and prototype the silicon, and we can work on, from the beginning, how actually it would work, but the actual manufacturing of the chip—not the hardware: that one chip which is like the CPU or a piece of DSP—those actually require very high-intensity foundries. If we want to build them in the UK it will cost around £10 billion today—probably over that number. Andy can correct me on that.
In the far east, they have unlimited resources with the state aid rule; and Europe, in the last few years, passed something, for the state aid rule, called IPCEI, which is important projects of common European interest. Germany was able to fund €1.2 billion from its money to support these foundries. France put in €0.8 billion, and Holland put in €0.4 billion. In the UK in the last few years, in terms of building these foundries, the UK has not supported that type of manufacturing. In chip manufacturing, we do not. However, on the hardware scale we are able. The way we see it, we build the hardware; we build the software—but the actual components and the chips, today we do not have the capabilities in the UK to manufacture that.
The Chair
I am really sorry to do this to you, but I think I had better interrupt and go to the Minister or we will run out of time completely.
The Chair
Chi, I think you had something outstanding, and you have got just about a minute and a bit to do it.
Chi Onwurah
Q
Dr Johnson: So, the 45-second answer: Mavenir is using IP access GSM 3G technology in its open RAN development. Pardeep, I think, said that it would be ready within 12 months, and I agree that that is a true statement.
Mr Jones
Q
Helen Duncan: I do not think it is necessarily the case that they will just use Ericsson and Nokia equipment. Vodafone, for instance, has committed to equipping something like 2,500 cell sites with open RAN equipment, so they are taking a forward-looking view and trying to stimulate that themselves.
Dr Cleevely: If I may intervene here as well, it is curious, is it not? The economists will tell you that sunk costs are sunk costs and you should always move forward, and that is something to hold on to. Human nature says, “Well, we’ve invested in this—let’s see if we can sweat that asset to make the most of it.” A constructive dialogue with your finance director or chief financial officer is always an essential part of all this, and, for example, it is important to understand what is driving the risk that a company is running, its weighted average cost of capital and its cost of borrowing on the market.
Essentially the point is this: if you can get more business and improve your service, and get more customers and make more money, as a result of doing investment, then that is what you will do. The key point here is whether we can find a way of making it clear and straightforward to the most truculent of finance directors or chief financial officers that this is a good investment for the future. In there lies the key, because you need to get the incentives right.
Chi Onwurah
Q
We have talked a little about how we got here; Helen, you worked for Marconi, and I worked for Northern Telecom, which bought STC, one of our last UK companies providing telecoms equipment. Without putting words into your mouth, I think the situation could be characterised by a lack of investment in innovation and in British sovereign capability. Now that we are seeking to reverse that, or to jump ahead of that, what interventions could best guarantee the long-term security and resilience of the UK telecoms network, with UK sovereign capability supporting it? Is the £250 million diversification strategy set to achieve that? Can you give examples—I am looking for quite concrete examples—of what you might add or change? David, you talked about needing to give the right incentives to the mobile operators. The telecoms supply chain review was quite clear that there is not an incentive right now in the supply chain to deliver security in mobile networks. What interventions and what incentives should there be?
Helen Duncan: Starting from how we got into this situation, in the 1990s we had three incumbent base station manufacturing companies in the UK, which were Orbitel in Nottinghamshire, and Motorola and Lucent Technologies, both in Swindon. They survived for different lengths of time: Orbitel closed down in 1996 when Ericsson took over, Motorola ceased base station manufacturing in 2002, but stayed open and was then sold to Nokia, and Lucent became Alcatel-Lucent and was closed down. Mergers and acquisitions have clearly played a huge part, as did the dotcom bubble and, as I mentioned, the removal of funding from the defence sector.
Heba made the point that to support semiconductor manufacture in the UK, the £250 million would not even start to scratch the surface. We need to concentrate a little bit further up the food chain. We have some very good capability in this country in component and subsystem manufacture based around the chips. We have some good design capability for chips that are then manufactured in the larger foundries elsewhere in the world. Supporting those activities, the design and the manufacture of components and subsystems, would give us a good basis and improve resilience.
I also want to mention that we have some capability in this country in the test and measurement sector with Spirent and VIAVI Solutions—although VIAVI is an American-owned company, it manufactures RF and wireless test equipment in the UK. By definition, test is ahead of the curve on development. If you can make equipment to test something, you can actually make that equipment, because it is much more complicated to make the test equipment than it is to make the base station or the handset itself. Those companies deserve our support as well. That was a very long question, Chi; I am not sure I covered every aspect you were asking about.
Chi Onwurah
Q
Dr Cleevely: Thanks, Chi—nice to see you. One of the things that was mentioned in the session a little bit earlier was standards, and I think one of the things that changed telecommunications between the 1970s and the dotcom revolution was the emergence of some of these more open standards, such as TCP/IP for running the internet and so on, and HTML for doing the web browsers. I think we could be putting a lot more money and effort into defining some of those standards, because if you define the interfaces for pieces of equipment correctly, you can allow people to come in and provide bits of equipment that can conform to those interfaces. That is one very concrete thing.
You are right to say that, until relatively recently, the penalties on security and so on—the consequences—have been very small, but in terms of behaviour, you need both carrot and stick on things like this. You need to have something that will give the telecom operators a real reason to do something, which might be as simple as a kitemark that says, “The telecoms network you are using has been certified as secure.” That may or may not be the kind of thing that would engender the behaviour change, but it is noticeable that with a number of things like Telegram and WhatsApp, that is seen to be quite an important thing.
Finally, the networks of people are important in all of this. I noticed that the Government have spent some money on the 5G networking across the UK, which is being run by Cambridge Wireless, which I am very proud to have helped set up. We talked in the previous session about the cluster of people down in Bristol working on semiconductors and so on, and I think the Government should be putting some money into networking people together across the UK, and between regions in particular, to have ways in which we can be exchanging ideas and getting to understand what each other is doing. We complain about silos in Government and siloes in corporate, but we have siloes across every single component of this industry, and it is no good to sit in a part of the west midlands, Cambridge or Belfast and not talk to other people about the issues, the standards and the technology. While we seem to think that that gets delivered by the free market, in reality that is not happening, and I think the Government in particular need to intervene to connect up all these people.
Today, I launched the Northern Ireland Engineering Hub for the Royal Academy of Engineering—I am chair of the enterprise committee—and that was specifically picking Northern Ireland because of its deep engineering history in order to start to connect it with a lot of the other things that are happening in the rest of the United Kingdom. I think we need more of that, and I think that out of it will come the same blossoming of innovation and engineering that we have seen previously when people have been connected up together. I am a great optimist on that.
Chi Onwurah
Q
Helen Duncan: That is an interesting question.
Chi Onwurah
We could perhaps have a telecoms business bank?
Helen Duncan: You cannot stop mergers and acquisitions happening, but if you can put in some sort of criteria that companies that buy British companies need to give a commitment to continue to invest in this country for a set period of time—whether or not that is practicable—that would help.
The most important thing is to make the companies themselves strong enough so they are not targets for asset stripping, as has happened in the past. All the measures that we are talking about to oil the wheels, as David says, will make our companies stronger and able to compete in what is still a global market. I think making our companies competitive is the key to this.
Dr Cleevely: There was a thing called the Macmillan gap, which led to the emergence of the Industrial and Commercial Finance Corporation in the late 1940s. Translated into modern terms, that gap is investments required of around about half a million to £5 million or £10 million. We are still living with that, and that gap was identified in the 1920s. We have a structural problem in the United Kingdom about the way in which we invest in some of what would in Germany be called Mittelstand—those smaller companies. I think you are quite right, Chi, to draw attention to that as a particular risk profile. People do not want to put money necessarily past the seed stage into what I would call late series A and into series B.
The other point is procurement. As I have mentioned before, if you have a client or two who is prepared to buy kit from you, you not only get money but you get experience and expertise and you develop your company. We need more incentives for procuring from those kind of middle-sized companies, because out of those will come the giants of tomorrow.
My experience in Cambridge and elsewhere is that quite often, many of those companies say they are entirely private sector driven, but actually they have been the subject of lots of Government procurement and interventions along the way. That is particularly true in the United States where the SBIR scheme is very important.
The Chair
Do you have anything you want to add to that?
Mike Fake: I do not have anything to add to that. I support what has been said.
James Sunderland
Q
Doug Brake: I worry that sometimes 5G is conceptualised as a singular technology or a singular thing. It is not a monolith; there are a number of different component technologies and a number of different flavours. Depending on whether you are doing a fully 5G network, a stand-alone network or a non-stand-alone network, it is a very different sort of system. There are also a lot of differences between what spectrum is used to deploy the network—if you are using low-band, mid-band or high-band spectrum or a combination of all three. It is hard to answer that question in generalities.
A number of different component technologies and architectures will be rolled out over time. At a high level, the real advantage of 5G compared with 4G is in its flexibility. It is able to tailor its connectivity to a number of different applications’ needs. It can offer extremely high throughput and much faster speeds. It is very reliable, with very low latency. For example, if you want to stream a football match while travelling on a train, it can do that quite well, or quite a bit better than LTE and 4G today. At the same time, you can also change very obscure technical parameters to make for simple communications that require very little battery on the device side to be able to communicate. If you want to have massive deployments of sensors for smart agriculture, or something like that, that have battery life in the order of decades, it can do that. The hallmark is its flexibility.
Given that flexibility, it is anticipated that 5G is going to be much more deeply integrated within the economy and trade sectors, and will be a key tool to boost productivity. There is an important hope that we see a broad deployment, not just in urban areas but in rural areas. Again, I go back to that note on differences depending on the spectrum that is used to deploy—unless it is of interest, I do not want to get too bogged down in the details, but there are real differences in what we would expect to see deployed in urban versus rural areas. But, again, we would also expect to see very different use cases in those areas. Admittedly, there will likely be a performance difference between urban areas and more rural areas. But at the same time, like I said, the use cases look very different—you are not likely to have massive crowds of people all looking to share video from a stadium or something like that in rural areas. There will be a real difference in the roll-out, but I worry that sometimes the challenges with that have been overstated.
Chi Onwurah
Q
Doug Brake: That is a great question. We talk now about needing diversification and seeking entry of a US-UK equipment supplier, but the question and lessons from history are about why we need this in the first place. In the past, we had quite successful telecommunications supply companies, especially in the US. The president of our organisation, Rob Atkinson, set out to answer that question. You may have seen an article in the American Affairs journal, titled, “Who Lost Lucent?” It is a long and interesting article—I will not go into all the details of history. I would say that it is fair to characterise the failures and decline of Lucent as a complicated story, but it stems from a combination of unique challenges imposed by the Anglo-American economic system, systemic failures of US Government policy—particularly with regards to anti-trust and some of the regulatory policy throughout the 1990s—and very strong and aggressive foreign industrial policies, particularly with regards to China, to acquire market share.
I am happy to go through that in some detail, but feel free to cut me off if I go on too long. You are absolutely right to say that we had Lucent and Nortel. Lucent was absolutely massive—it was three times larger than Nortel—and originally spun off from AT&T’s equipment arm, Western Electric. It had the famous Bell Labs. Throughout the ’90s, it was the largest telecoms equipment company and was still growing dramatically overseas, but due to a number of strategic decisions within the company and decisions within the US Government, it ended up really suffering as a result of the dot.com bubble.
Setting aside all the competitiveness questions, particularly with regards to Chinese companies, a hands-off, free market globalised system reigned in the US and UK throughout the ’90s. It was finance-focused capitalism that saw Lucent and Nortel cut their R&D budgets and staff dramatically, particularly as a result of the 2001 crash—much more so than some of their international competitors. With that financial system, it was harder for those companies, which were designed to be growth companies—much more so than a valued company. They were focused on growing quarter after quarter and meeting their financial targets, which made it very difficult to focus on long-term growth. You can contrast that with Ericsson in Sweden, where the Wallenberg family control a lot of the voting shares. Ericsson was able to focus on much longer-term value creation, and they did not cut staff or R&D by nearly as much as Lucent did.
Before that, I think there are a lot of lessons to be learned from the aggressive anti-trust action that broke up Bell Labs and restructured the entire industry. Up until the restructuring of the US telecom market in 1984, Bell Labs had a fantastic situation in order to generate innovation. It had the commercial drive, focus and flexibility that is often lacking in a Government research lab. It also had a long-term focus and an interest in broad technological change, which many R&D efforts in industry do not see. It had steady revenue from telecom rates. There is a complicated story there. It is hard to tell what concentration is good for innovation and where competition is really the order of the day, but it seems clear that the decline of Bell Labs was a real loss.
Chi Onwurah
Q
Doug Brake: Absolutely. We would be happy to do that.
Chi Onwurah
Q
Doug Brake: Absolutely. I think the diversification strategy is a very strong document. I would say, when it comes to open RAN generally, there are clear benefits that you have heard a lot about, I am sure, including diversification and faster innovation when software is decoupled from hardware. Generally, lower margins on generic components eliminate the risk of the entire sector tipping to a single vendor or a gradual narrowing of trusted suppliers, but there are real challenges with this process. Again, this is going to be a gradual effort. There is not a need to transition immediately.
First, there is a real risk of bandwagoning, where this is seen as a silver bullet and even companies that might not be interested in pursuing this area, such as Nokia and Ericsson, are willing to join in these efforts, even if it is just for the sake of defence. So, there is a real risk of bandwagoning. There is real complexity with transitioning to this sort of system. It is not immediately clear how well open RAN will scale. Actual implementation at scale in urban areas is adding a tremendous amount of complexity. There is a much larger attack surface. It is worth keeping in mind SolarWinds, a US company trusted by many within the Government, which saw this massive damaging breach.
I think there is a real challenge that remains to be addressed in the manufacturing of stand-alone radios. I think that is a potential opportunity for real co-operation: identifying companies that are interested in focusing purely on radio. There is still hardware that needs to be provided that historically was integrated with the broader system, when you only have relatively small providers that are interested in scaling up manufacturing.
The Chair
I am just going to interrupt you there. I am sorry, but I am conscious of time and I want to give the Minister a fair opportunity.
Telecommunications (Security) Bill (Second sitting)
Chi Onwurah ExcerptsThursday 14th January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 14 January 2021 - (14 Jan 2021)
The Chair
Chi Onwurah, did I detect that you were going to ask questions on behalf of Catherine West?
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
Q
Matthew Evans: From techUK’s point of view, obviously our members—you heard from some of them this morning, and you have more this afternoon—operate across a number of different territories. We seem to be the furthest, or the most advanced, in bringing into place quite a holistic security regime. That is in the first half of the Bill. Obviously, the conversation about high-risk vendors is prevalent in other areas, but I would say that in terms of bringing in a regime that covers the entire telecoms sector, this seems to be a world-leading initiative.
Hamish MacLeod: Chi, I am certainly aware of what other countries are doing as regards high-risk vendors. The operators absolutely accept the Government’s policy and the 2027 timeline. The important thing now is to stick to that timeline, because it allows not only for an orderly removal of the HRV equipment, but for alternatives to develop and emerge as viable competitors to the remaining companies.
Chi Onwurah
Q
Hamish MacLeod: The States, New Zealand and Australia have all excluded Huawei, among others. We could supply you with a full list if that is needed.
Miriam Cates (Penistone and Stocksbridge) (Con)
Q
Matthew Evans: Thank you for that question. As I said at the start, we welcome the Government’s diversification strategy. It looks to tackle four issues, really, which are supporting incumbent suppliers to the UK market; attracting other global-scale suppliers; accelerating open interfaces and interoperability; and then the fourth area, which we could probably do with more detail on, which is really building on that domestic capability. I know that the taskforce that helped Government to frame the strategy is working on that aspect of it. As I say, I think we could do with some more detail.
However, we welcome the funding that has come alongside that strategy, and I think that we have a real opportunity in the UK in some of the areas where we have traditional strengths, in the software side in particular, to build some world-leading capability. As for the Bill itself, I do not think that it necessarily presents a barrier to that domestic capability; it is more in how we develop the strategy that sits alongside the Bill.
Hamish MacLeod: Just to add to what Matt said, yes, we very much welcome the diversification strategy. It is an absolutely necessary step to mitigate the risks of having to rely on two incumbents. It gives the UK an opportunity to have a leadership role in the development of exciting new technologies, such as open RAN, and, as Matt said, to grow the supplier base in the UK in the mobile sector.
The Chair
Thank you. I am going to switch to the Minister and shadow Minister. If there is time left, I will come back to other Members, but I want to be sure that we do this fairly. I call Chi Onwurah.
Chi Onwurah
Q
I am also really interested in what you said, Mr Evans, with regard to research and development. I absolutely agree with you that we clearly need investment in research and development if we are to lead in hardware and in open RAN and software. You said that the £250 million was focused on R&D, but it is actually focused on testing. It does not really do much for research at all, as far as I can see. You also referred to the diversification strategy as a strategy and not a plan, so do we need investment in research and development? Is the £250 million, which I think—I am looking at the Minister now—is over five years, a significant amount of investment in research and development for the mobile sector and tech sector generally?
Finally, the Bill gives the Secretary the State a huge amount of powers to set out requirements to remove vendors and for Ofcom to inspect what operators are doing. Do you think that might have an impact on international foreign investment in the UK telecoms sector, and are you confident that the right sort of technical, security and democratic scrutiny is in place? That is three things: hardware, research and development, and scrutiny.
The Chair
Shall we start with you, Mr MacLeod?
Hamish MacLeod: I think the question that was directed at me was whether it is possible to have a secure supply chain. I will not try to gainsay Chi’s knowledge on this, but my understanding is that that is the role that the proposed National Telecoms Lab will perform, to validate that security aspect.
Matthew Evans: I agree with Hamish on that first point, to answer Chi’s questions on R&D. We do not yet know how the £250 million is going to be spent. We believe that we will need to accelerate the maturity of technologies such as open RAN, to make them deployable and commercially viable. Yes, we do need to see more, but as I said, that has to be alongside testing, because accelerating the maturity of it does not really matter if the operators do not get that confidence in either the hardware or the software.
In terms of the Secretary of State’s powers, we are broadly comfortable. We would like to see some thresholds on what amounts to a security compromise, particularly in terms of Ofcom’s powers of oversight. From our point of view, and this is also relevant to the foreign direct investment question, if it is evidence-based, as transparent as possible—we know that we will not see all that evidence, particularly that element in the security services—and the actions are proportionate, that is also important. We believe that that builds into the best practice that we see in other areas of national security.
In terms of the technical expertise, we know that NCSC is going to work closely with Ofcom, in terms of providing that oversight. We are comfortable with the experience that we have had over the past couple of years, as the telecoms supply chain has gone through, in terms of the expertise and the overall regime that this Bill seeks to put in place.
Chi Onwurah
Q
Matthew Evans: I think it sends quite a strong signal to the market of the Government’s intent. If we published the strategy without the funding, it would not have sent the same signal. We have seen NEC, for instance, commit to opening an open RAN test centre in the UK. I think that is a signal of how the market is starting to react. This needs to work with the grain of industry, so it is important that industry is able to participate in this funding. I think it sent a strong signal.
Chi Onwurah
Q
I respect your reluctance, if you like, to voice criticisms at this stage, but can I just get a further idea on the level of R&D spend in the sector? We heard from British Telecom this morning that it spends £500 million a year. I imagine it is not the only company to spend. Do you have a view of the level of R&D spend? You talk about the £250 million being a signal. Am I right in thinking that a lot more investment needs to be attracted into the UK telecoms sector in order to really move the dial? That is what we are talking about, is it not—really moving the dial on UK telecoms capability?
Hamish MacLeod: Absolutely. The £250 million was very much described as an initial £250 million, because you are right that moving the dial will take significant investment. With R&D, there is pure R&D—what you do in labs—but there is also the testbed activity, which is a very important aspect, and trials at scale and all those things. Working with the operators, bringing in international partners and leveraging what is going on elsewhere in the world will all be important.
Matthew Evans: The important word there is “leveraging”. Telecom spend on R&D, both traditional and in open RAN, runs into billions and billions of pounds each year, but we can use that £250 million to leverage greater investment. It has to be with the grain of what the industry is delivering, so we can attract more of that investment. If we can be world leaders in the adoption of open RAN, that is key, and we will attract that investment. That is why I think the supply has to match up with the demand side fully.
Chi Onwurah
Catherine is always interested to understand what international comparisons there are, but I think that that has already been addressed, so thank you; she will be grateful to you.
The Chair
Who is next? If there are no pressing answers, I will go to the shadow Minister.
Chi Onwurah
Q
Pardeep Kohli: Maybe I can take that. To answer your question, if there is a greenfield operator in the UK that is similar to Dish, which we are working with in the US, we can definitely provide that. Dish, for example, is doing only 5G, but we obviously look at requirements all over the world and we appreciate that, in certain parts of the world, there is still a lot of 2G and 3G presence, and, of course, 4G will be there for a long time. We have a solution that can handle 2G, 3G, 4G, 5G, and if you are talking about a 12-month window, we can definitely provide a complete greenfield solution for those four technologies.
Regarding the hardware aspect, everything other than the real radio that goes on the tower and does the transmitting and receiving is largely general computing open silicon—
Chi Onwurah
Sorry—say that again. I could not hear that. What is the rest of it?
Pardeep Kohli: It is general-purpose open compute; it is already available hardware.
Chi Onwurah
It is computing—it is processors.
Pardeep Kohli: That is correct. You get processors for CPU or general-purpose computing, or even if there are some accelerators, which we use for some specific algorithms, even though they are openly available from companies like Xilinx and Nvidia. They make those chips and we can use them to do some of the functions; but they are openly available, and you can buy that today. That is what carriers are doing. They are building the new networks.
Regarding the hardware that goes on the tower, that depends on the frequency band you allocate, so if there is an operator coming in that is on a frequency band that the existing operators do not have, whoever the vendor is would have to build those radios anyway, and it takes about nine to 12 months to build those.
Chi Onwurah
Q
Pardeep Kohli: Today, because it has always been proprietary solutions, that is where the challenge comes for companies like us, because it is demand and supply. Until open RAN came in, you really could not build this channel on radio, because there was no demand for it. So today the radios get built only by companies like Huawei, Ericsson, Nokia—I know NEC is building a few of them; but now, with open RAN, there are new players coming up. NEC, for example, is building radios outside of the Japan market. Fujitsu has now started building radios. We are actually building some radios ourselves for the frequency bands that are not available from our partners, so if NEC has a radio we use the NEC radio, but if it does not have a radio and Fujitsu does not have a radio and if you want to get into that market, we start building some of those radios ourselves. So we actually have, now, opened a centre in the UK, to build some of those radios, and we are working with Facebook and together we are building some of the radios for a frequency band not currently open.
Chi Onwurah
Q
Pardeep Kohli: So if the frequency band radios are available today, which are right, then we can actually build it in 12 months—the complete network; but if the bands are not available and we have to build those radios then, maybe, by the end of next year.
Chi Onwurah
Q
Chris Jackson: Just to add to what Pardeep has been saying, I think open RAN is not about, necessarily, any one company providing an all-encompassing solution. So at the moment, for NEC, we would provide 4G and 5G radios, but in terms of 2G and 3G we will work with our partners to provide that solution, so we would leverage third parties in order to provide that all-encompassing solution. I think that is the way that open RAN will work moving forward. As I say, you will not see any one company dominating one particular area. It is about bringing best of breed together. In terms of the actual hardware platform, in terms of 4G and 5G, NEC will provide that radio, but as I mentioned for 2G and 3G we would look to other vendors to provide.
Chi Onwurah
Q
Chris Jackson: The majority would be US-based now, but again, we are not restricted to that. As a systems integrator, which is what you will basically need, moving forward, we would work with whichever vendors were the best of breed for that particular scenario.
Chi Onwurah
Q
Chris Jackson: We would not compete with Nokia and Ericsson in terms of standard RAN, but the whole idea is that we would look to bring open RAN technology. That is the direction that NEC is supporting. If you ask me whether we could step in today and provide that capability, we believe yes, we could.
Matt Warman
Q
Chris Jackson: First of all, thank you very much indeed, Minister, for support in that particular trial. We believe that this is very important, because it has given us the opportunity to showcase 4G and 5G open RAN capability with multi vendors, and we are doing it in supporting the share of your network, which we know is an important KPI for the UK Government, in terms of increasing that capability across the UK. They want to ensure that the investment is targeted at areas within the UK—where the UK will receive the most benefit—and, more importantly, or as importantly, an opportunity for a trial that brings multiple companies together. So, although NEC is leading this particular trial, we are working with a number of other companies to bring this overall solution together. That is exactly what open RAN is trying to embrace, and that is the way forward. We would be delighted to work with Mavenir; we are already involved with Mavenir as well. That is not a hurdle or obstacle for us.
Stefano Cantarelli: There are several angles. The first one is the neutral hosting. I would like to draw attention to the fact that we have already done work with British Telecom, two years back, on neutral hosting, so that has now been talked about for a long time. Also, you might have noticed in the market that companies—the one that comes to mind is Vilicom—have been doing this type of thing, where they deploy Mavenir infrastructure to provide neutral hosting capabilities. So, we are fully supportive and believe that this kind of funding is particularly important.
We understand that that there is some interesting funding. We are in discussion with DCMS. We are discussing some projects that we believe will boost a lot of the innovation in this space. For example, we are trying to get funding for our R&D activities for open source software that could boost the availability of radio units. We say that the radio unit is hardware, but in reality there is of course a bit of software on top. This type of software, which is mainly interfaced towards the rest of the software and the control of the operation and maintenance activities, is not differentiated for each radio unit; it is just standard. By having an open source like that, you can fundamentally get the radio vendors to focus on their IPR for analogue development and being able to produce a radio unit with different frequencies, as Pardeep said before, which we believe could boost the market. That type of funding is particularly useful, because it is aimed at boosting the market and giving availability in the open RAN of these radio units.
I would also like to add that most of the frequencies that are used today in the UK are available in our view for open RAN, so I do not see that as a problem. But that type of investment is particularly important—in R&D—so the trial that you have funded in the first round of the 5G Create programmes is particularly useful to get learning and experience. As I said, in the SONIC, we are particularly active, although that is not a 5G Create programme but a different one. We believe that in the second round, you can focus on funding some R&D specifically to boost the ecosystem of the open RAN.
Chi Onwurah
Q
Stefano Cantarelli: Let me just address that initially before anyone else. We are a supplier in other places in the network, so they consider us a reliable supplier. We supply voice services, messaging services and everything else. You mentioned the initial deployment of open RAN by Vodafone this morning. That relates to us, because we are the supplier that it has deployed and is continuing to deploy. We are actually deploying sites for it.
I think that you have to look at two aspects when you are on an operator’s side. I am speaking from experience. It is not just about the technology; it is also about your processes and how you are able to move forward and change your mindset. I think that operators have a lot of complexity. We sympathise with them, of course—it is not an easy environment—but there are a couple of mindsets that they need to over-pass, if you let me use that word.
First, the world is changing. It is not hardware and software together; it is software and hardware disaggregated, and that of course requires some different capabilities. It is the same as when we passed from circuit voice to packet voice. Some people here may not get the example completely, but it is just a different point of view. That does not mean that it is more complex or whatever; it is just a different point of view, and you need to change. We know that change is not an easy thing. That is the first aspect that we need to take into consideration.
The second aspect is that, despite the technology that is available, you still need to consider the in-life service that you need to swap over. You have to consider that you did some planning or design based on certain principles that were available before, and you need to rethink how you are going to do that. For example, most of the 5G deployed today just uses additional frequencies on the existing sites that they have deployed with 4G, 3G and 2G. This is not what I consider full 5G, with all the characteristics of low latencies and so on. You need to start to think about the densification of sites. The Government can help a lot—with policies, by helping to define new capabilities, and by allowing the operators to change their architecture by enabling them to get more sites, and get permits more easily to build new sites.
These sites will not be like sites today; on these sites, there will be lot of carriers, a lot of technologies, and a lot of frequencies. As Pardeep said, a site today is probably just a radio unit that connects, through an internet connection—not necessarily just fibre—to a software data centre. These things are more important, and they are the reason why, although operators are in the middle of that transformation, it is taking a bit of time.
Chi Onwurah
Q
Stefano Cantarelli: Not only with fibre. The open RAN interface is such that you are not forced to use fibre only. You can also use internet connectivity. The internet is what you use when you are in a building.
Chi Onwurah
Q
Stefano Cantarelli: I add that this transformation in the core infrastructure has already almost happened. Already, most of the core infrastructure of the MNOs is running on general-purpose hardware, such as Dell servers and so on, with software on top of it. The RAN is really the last one to be transformed, for the reason that I gave, and also because, as I said, the market has been dominated by some suppliers who have been providing hardware and software, because they work with better interfaces between the radio access component.
Chi Onwurah
Thank you. That is very helpful. That makes me think that there are security issues arising from, for example, having our cloud infrastructure dominated by one vendor, such as Amazon Web Services. Those are perhaps future security issues that we need to look at. I now understand much better what you need to support your transition, so thank you very much for that.
The Chair
Q
Pardeep Kohli: I would just add that I understand the operators’ point of view as well. They are familiar with these vendors; they have been using them and they understand their processes. The vendors know each other. Obviously, we have to gain their trust. We spend over $300 million on research and development every year on open RAN, so we are fully committed, and we will seek any help that you can provide on engaging with operators in the UK market.
Chris Jackson: Can I come in on the NEC side of things? Frankly speaking, we are re-entering this market, and one of the reasons why is because we believe that open RAN, and particularly the Bill, now provides the framework and conditions to enable us to compete. It is probably similar for the operators; it is a change for them to actively work with companies such as NEC, as opposed to the companies they have previously been working with, but we are starting that process. We are actively engaged with the operators, and more support from the Government, through the Bill, is the way to move this forward.
John Baker: One last comment. Open RAN is all-inclusive, so this is not excluding the incumbents of the network. As soon as Nokia and Ericsson add open RAN interfaces to their products, we will be very happy to work with those guys. That will speed up the ability to deliver open RAN solutions in the marketplace.
Chi Onwurah
Q
I have questions for both of you, but let me start with Dr Bennett. I was impressed by your structured list of things that are missing from the Bill, because we are here to scrutinise the Bill and see how we can improve it. I think you talked about the breadth of the security challenge and how this Bill, as it stands, might not meet the full breadth of it. You had four areas, and I think you have run through two of them in more detail. Could I ask you to summarise again the areas that you think are missing? In particular, could you talk a little bit more about the need for improved scrutiny? Could you just summarise that and then go into more detail on the ones where you have not yet?
Dr Bennett: I said that the areas that needed to be covered were network architecture, which is the Bill’s focus, the security of the asset databases that make up the network, how to ensure security of the data passing over the network, the maintenance of security over time, and the operational costs and other impacts of compliance. I have touched on all of them, but perhaps not very much on the operational costs and impacts of compliance.
The more diversified your network, and the more small vendors there are, the harder it will be for them to maintain the level of scrutiny, record-keeping and general security that is required as their bits of the network develop and the interfaces they have with other bits of the network change over time. That is an area where the Government should consider giving help to people to cover those costs. I have said that audit is needed of the assets in the network. The costs of being audited and of dealing with audits are very high, and they are costs that small companies may not have the resources to meet.
If the Government suddenly say, “All components from supplier X must now be removed from the network because of x, y and z,” it is incumbent on the Government to have some funding to help people to do that and to ensure that that really does happen, because it could be a step too far if you have a lot of very small suppliers that do not have the resources of skills, time or money to do it. You need to think about that and about how you can ensure that they are not squeezed out of the network—this diverse network that we want—by those costs.
Chi Onwurah
Q
Dr Bennett: I think most people would agree that the diversity of end points, of interfaces and of applications running over complex networks all pose security problem areas. The more of those you have, the more resilient your network might be on the one hand, because there are multiple parts, but on the other hand, the harder it is to maintain them adequately.
We see some of these problems today in the decision to move the copper out of the network. Applications that are very important to many users, notably alarm signals, are ones that often assume they have an underlying network of a particular type, and if it is not there those applications do not work and they do not work suddenly. These types of things are very complicated but are actually very important for the end users. It may be an alarm that says an elderly person has fallen in their home; it may be an alarm that says your bank has been attacked by a criminal gang. Who knows what it may be? But those types of things are the types of applications that run over these very complex networks, and unintended consequences can happen as you change the network architecture. If those tier 3 suppliers and the people providing key applications over the network are not involved in this conversation at the CNI level with the top-level suppliers, all sorts of unintended things can happen.
It is a question of how you make sure that you minimise the number of these unintended consequences and support people to realise what they need to do early on, so that they are not caught out by them.
The Chair
Q
Julius Robson: We are discussing the use of the mobile network for new and innovative services, such as worker alarms or falling-over alarms. Actually, there are some smaller players working in specialised industries that understand those customer requirements probably better than mobile operators, and that are very used to dealing with them. In fact, many of the applications for mobile are those that already exist in proprietary and bespoke wireless systems today and that we would want to move on to mobile. Some of the newcomers probably understand these things better than others and the diversification policy is about bringing in that expertise—those industry specialists who understand these requirements.
I would also say that, yes, the network is complicated—radio wireless networks, with lots of endpoints—but intrinsically the wireless medium is insecure. Anyone can listen in to it; it is possible to modify the signal. It has been designed so that everything going over it is secure and protected, and those security paradigms are locked up in the core, so that there are parts of the network that you do not have to worry about, because the information has been secured at a higher level.
I think this was mentioned by Andrea from Vodafone this morning: it is really important for us to understand which parts of the network are in scope of the security rules and which bits we do not need to worry about. The air—anything in the airwaves—is intrinsically already easy to eavesdrop on or modify. So obviously that is out of scope. I think we do not have to get too worried about certain parts of the network.
The Chair
Chi, we have time for another quick question. I think you had a point that you wanted to come back to.
Chi Onwurah
Q
Julius Robson: Thank you for that question. I have mentioned chipsets, which are important, and lots of people have talked about software and open RAN. The specialist base station chipsets are an important component, and if we can make them available at scale, which is something that we work on with our FAPI—our functional application programming interface—I think that will really help to fuel the diversity of equipment providers. That is one aspect.
Another aspect—I am not sure how well it is coped with in the consideration of the supply chain—is diversification at service provider level. As I have mentioned, mobile operators are the main service providers for mobile services, but they partner with other providers, particularly ones that work in specialist environments. There is a particular type called neutral hosts that can offer multi-operator services. If you wanted to connect to a hospital, it would not be any good to have just one operator service and have only a quarter of the people served. You need all of them served, and that needs to be done affordably. We want to make sure that the partners of mobile operators, such as neutral hosts, are supported in legislation.
It is also about recognising, as has been mentioned, the challenges of getting the hardware out. You can scale software just by selling it to more people, but hardware needs more feet on the streets and more deployers. We have to look at how we go about enabling more people to deploy mobile infrastructure into communities and industry, so that more people are aware of how it works, which means making the system simpler. From a security perspective, we need to recognise that there are parts of the network that need to be kept secure, and there are parts of the network that are out of scope of that.
Chi Onwurah
Q
Julius Robson: Just to make the point that you do not have to worry about every last resistor—components were mentioned—and every piece of equipment you have. As I pointed out, the radio airwaves themselves are also not secure. The whole system is designed to securely operate over an untrusted environment. In standards, we have the concepts of trusted and untrusted networks. Typically, you can operate your mobile network over the internet, which is considered untrusted. It is important that we recognise that paradigm.
I would say that all service providers are well accustomed to working with the level of security that the mobile operators and the regulatory regime demand, so we are happy with that. I just hope that we do not introduce new burdens with this legislation that stand in a way of diversification.
The Chair
Looking around the room, I think that is it. In that case, I thank Dr Bennett and Mr Robson for their evidence. We are extremely grateful to you. Thank you both very much indeed. That brings this session to a close.
Examination of Witnesses
Dr Scott Steedman and Charles Parton gave evidence.
Chi Onwurah
Q
I start with a question to Mr Parton on behalf of Catherine West, which relates to the last point you made. As we know, the Government were moved to ban Huawei entirely from the network following US sanctions instigated by President Trump. What changes do you see the Biden Administration having on the US’s outlook on China, if any? Can you also squeeze in a reference to Chinese influence on academic research and development in this country? Then I have another question for Dr Steedman, which I will ask afterwards, if I may.
Charles Parton: A very quick response to that. I am more an expert on China than America, but nothing in the last couple of years has suggested to me that the Democrats will take a very much different position from the Republicans on the question of technology. I think they see it as a very great threat, as the Chinese have said. I think nothing will change there.
On the question of academic influence, I really do not think we should underestimate that. I wrote a paper on it about two years ago and much of what I sketched out there exists. For that reason, if I may repeat the point I made earlier, a great deal of effort has to be made, particularly in the STEM subjects. We could talk about the arts subjects and the clampdown, or the influences, on the freedom of speech and the self-censorship there, but in the STEM subjects it is really very urgent that we give our universities good guidance on what subjects, what organisations and what people they can co-operate with in the China context. As some of the research has shown, in terms of what is going on in our universities, there are subjects that we perhaps should not be helping on. GAIT technology with Huawei is an example. What can GAIT technology be used for? Surveillance. Not always, but it is very important in surveillance when you cannot see someone’s face because they are wearing a mask or it is bad weather. We have to be very much more on the ball in that area.
Chi Onwurah
As I said, I am a massive fan of standards development. I have worked in the area, with the ITU. I agree that it is essential to enable open RAN and diversification. The Government have said that standards are driven by vendors. We heard this morning from the network operators that their standards presence was driven by their headquarters—their owners. We do not have a UK vendor. When you say that we need to improve our presence in standards bodies, who is going to do that and how is it going to be funded?
Dr Steedman: Actually, we have excellent people in the UK who participate in international standards work. The challenge is that there is a huge breadth of organisations, fora, consortia and formal bodies that generate, develop and maintain the standards that are then used in the evolution of the equipment—hardware, software and so on. We need to pick those organisations that are doing the critical work, particularly perhaps the ones around security, and ensure that we have British voices in there. It is true that if you look at a consortia model, you will find that the consortia that develop standards are what we call pay to play: companies pay to join a consortium, and together they sit and write a standard. But actually there are other organisations that have more governance and more formal mechanisms for national representation, national voice and consumer voice, as well as industry voices. This spectrum is the piece that is often not well understood.
Our ambition, on the diversification taskforce, is to look to co-ordinate UK voices, which are currently fragmented in these multiple organisations, and to see what we can do to target, to focus, on the areas of standards development that we know are going to support the ambition of security, resilience and diversification in the UK—and, frankly, to allow other areas of standards development to carry on as they will. People write standards to suit themselves. But where we need formal standards to support a market structure in the UK, we must be absolutely sure that those standards have had UK stakeholder voices in the process, and that is part of the formal process.
You mentioned the ITU-T. That is where the DCMS, of course, is representing the Government. And the BSI represents the UK in ISO/IEC JTC 1 and in and the European regional organisations, including ETSI. So there is a big opportunity for us to take those lessons that we have learned in influencing these great international organisations and extend that policy of influence through co-ordination of the UK voice in other spaces. The ORAN-ALLIANCE is one example of where we need to improve our co-ordination. Who is going to pay for it?
The Chair
I am going to interrupt you. I am sorry, but I want to let the Minister get a last question in. My apologies.
Telecommunications (Security) Bill (First sitting)
Chi Onwurah ExcerptsThursday 14th January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 14 January 2021 - (14 Jan 2021)
The Chair
Thank you. We have three superb witnesses from Three, O2 and Vodafone. I am now in the hands of Members.
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
Q
I should have mentioned, as an interest, that I spent 20 years working in the telecoms industry within four network operators and vendors, as well as Ofcom, the regulator. I also may know personally some of the witnesses.
The Chair
It sounds like you might be dangerously over-qualified to take part in this Committee.
Chi Onwurah
You make a very good point, Mr Hollobone. I am going to try to keep my engineering and technical interest as much to the back as possible.
I am the shadow Minister for digital, and I am leading for Labour on this Bill. I will focus on the costs of removing Huawei and the diversification strategy, and Opposition colleagues will be focusing on different areas. I thank you for your presence and expertise. I want to ask two somewhat related questions.
First, some have given estimates of the costs of removing Huawei from your networks, and I want to verify whether those are the most up-to-date estimates. I also want to know whether they include opportunity costs, and the time and resources from your boards and others in your organisations. Are they the full costs, if you like, of the removal of Huawei? How can we minimise the economic impact, in your view? Are there other significant costs associated with the Bill and the implementation of a new security framework?
Secondly, your mobile network procurement is currently made through what I will call full-service providers, such as Huawei, Ericsson and Nokia. They basically design and make a network, and provide it to you—I know it is not quite as simple as that. Do you think the removal of Huawei or the develop of open RAN will change that? Critically, is the Government’s diversification strategy likely to lead to the emergence of significant full-service suppliers that will compete head on with the remaining suppliers, Ericsson and Nokia? If not, what other measures should the Government consider taking? How best can the Government work with partners around the world to achieve their goals? That is quite a lot in two questions.
Patrick Binchy: There was quite a lot in those questions. I guess the first thing is that the costs are obviously commercially sensitive, and we cannot disclose them in a public environment, but we would be very happy to respond to any of the Members or the Committee in private to give the detail behind that. At a more generic level, there will, of course, be cost to the industry and to Three. We had selected Huawei to build our 5G network, and we have now selected a second vendor, Ericsson. We have to go through the process of mobilising Ericsson and removing the Huawei equipment, which has a cost to it and will have an impact.
In terms of the diversification of the market, there are really only two players in the UK market now. As you rightly point out, there are service as well as equipment capabilities within those suppliers. As we look for diversification, we need to diversify across all those aspects of the market. We are working with the Government, NCSC and DCMS in terms of how to approach that and how to build that. We will continue to support that as we go forward.
Derek McManus: We have similar commercial sensitivities on cost. You may or may not be aware that we are not indebted to Huawei. For our network, the cost of removing from the radio network is relatively small compared to some of our competitors. So, I will focus more on your second question, if that is okay.
You are absolutely right that we tend to buy end-to-end service in the current mobile environment. ORAN today is set up with a quite separate and different supply chain, with different companies specialising in software, different companies specialising in hardware and specialists doing the integration. It is likely to change the nature and relationship that we will have with supplies. ORAN is relatively immature in its development. As it is technically and commercially ready for scale deployment, that may well change. But we see today that the leaders in ORAN tend to be smaller companies specialising in the hardware or, more specifically, the software.
Andrea Donà: Very much like my colleagues, I am more than happy to write to the Committee in the future, once we have completed our procurement process, with the details on the cost for replacing our high-risk vendor. More specifically, when it comes to the diversification strategy and the role that open RAN has, we at Vodafone believe that the UK should seek to be a leader in open RAN. We are, indeed, leading the way, and have committed to swapping out 2,600 of our base stations to an open RAN technology.
In order to fulfil that ambition, the current timescales for removing the high-risk vendor equipment must remain unchanged. We need the stability and the time, as Derek rightly points out, to allow industry and Government to develop a diverse supply chain and allow the technology to mature, both in its functionality and its capability, as well as the possibility of scaling industrially. The legacy vendors have had a lot of time in the market to develop their competence. We need to support any new entrants in the open RAN space with appropriate investment incentives and a policy framework that attracts and supports new entrants in the open RAN space.
The Chair
Three Members have indicated that they would like to ask questions. We will take them in the following order: James Sunderland, Miriam Cates and Kevan Jones.
Chi Onwurah
Q
Derek McManus: Basically, we have not seen anything directly like the UK legislation, although various forms of it can be seen internationally. The second question was on standards. We operate in 23 countries, and as you can imagine, their standards are key to us. We hold a lot of expertise, from a Telefónica group point of view, that the UK team is able to rely on and work with to ensure that we are at the very edge of developing the right standard.
Andrea Donà: As the Government plan to take a lead in enhancing the minimum security requirements, and in diversifying their telecoms strategy, we as a global company are happy to support the standard setting, and to advise on the practical implementation of the additional security requirements.
Patrick Binchy: I refer to Derek’s answer. We have a very similar position with regard to the UK legislation: we have not seen quite the same in the other countries. On standards, we play an active role, and we have a number of UK staff who act actively in standards setting.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
Q
Andrea Donà: We need the clarification that I mentioned of what is, and what is not, in scope, so that we have absolute clarity from the word go. We all work together to understand the profile of that implementation. It cannot be a big bang—everything complying from day one. We obviously need to do a detailed risk assessment of the areas that we need to work on immediately on the Bill’s coming into force, and of what can afford to be done at a secondary stage, based on the risk assessment and the risk management analysis of the various assets in our network.
Derek McManus: As I said in my opening remarks, collaboration to date on getting the Bill to this stage has been positive. We should continue that. My request is for flexibility to help us execute effectively, while balancing the other demands on the industry.
Mr Jones
Q
Howard Watson: Let me work through that. First, from our perspective, given that we do have quite a large amount of BT in our mobile network, which is with the high-risk vendor, we have a large swap-out programme already under way. Effectively, we already use Nokia to extend their reach, but also to introduce Ericsson. That essentially means that I will be replacing a significant amount of my network over the next seven years.
It is quite difficult for me to start introducing new opportunities and new options into that, certainly in the early part of that. For my network, I see the opportunities in the latter part of this decade, not the early part. That does not mean that there will not be opportunities to try open RAN in some of the rural areas or to conduct some trials with the other vendors that we have talked about. It is very much an industry approach that we are taking here. Some of my colleagues may be able to move a bit earlier. It is important that we collaborate and work as a UK set of operators with the Government to make sure that we have the right rich set of solutions.
We would not want to come down to just one vendor. That would certainly be a worry for many reasons, so we need to continue to ensure that, in the short term, we absolutely have the choice of two.
Alex Towers: Given the timeframes that Howard has described, it is a five to seven-year cycle of replacement for the vendor. That is why it makes sense, we think, to go big now on large-scale trials of things like open RAN. The important investment in R&D and the £250 million is a good step towards that, but we will probably need some more, because we need to be ready for the next cycle if it is going to be a workable solution in future.
Chi Onwurah
Q
Secondly, we heard from Sir Richard Dearlove, the previous head of MI5, that when Huawei was first used as a vendor or equipment supplier by BT, it was not considered worth informing Ministers of that fact, despite what he considered to be evident security concerns. Can you say what in the Bill changes that so that the Government of the day will be better aware of ongoing and future security concerns?
Thirdly, on behalf of Catherine West, on international collaboration, what presence do you have on standards bodies? Can you say what your budget is for research and development so that we can see how that compares with the £250 million on offer?
Alex Towers: I will defer to Howard on the questions about standards and technical details. On your point about the relationship with Government, I do not think that any of us were around in 2005, but I know that there is some sort of contested story about exactly who was told what about the introduction of Huawei. You would—[Inaudible.] We have moved a long way on that. We have a very close working relationship with the NCSC and with other parts of Government, and we would be very confident that we are constantly in contact with them about exactly the mix of suppliers that we are using. The introduction through the Bill of TSRs will take that even further, so we would be very confident that we have got a good enough structure there to ensure that any concerns that any part of Government had would be captured and dealt with, and Ofcom is also now in a position to regulate.
The question about relying on just the one supplier is less a concern about security and more one about the commercial resilience of that position. Howard can probably say a little bit more about the standards and the technical questions around that.
Chi Onwurah
Q
Alex Towers: I think they overlap and that is one of our questions about the drafting of the Bill. There is clearly a relationship between those two things, and the concern about the timeframes for the removal of Huawei, for example, has been partly about ensuring that we have operational resilience during what is going to be a very complicated engineering programme to take out all its kit without losing resilience, in the sense of outages and blackouts for customers. Some of the Bill’s provisions talk about outages, but there is a difference between outages for operational maintenance and updating of kit and outages because of a security issue or attack. It is going to be quite important to pull those threads apart a little bit.
Howard Watson: On the vendor point, to summarise the approach that we are taking, we stopped purchase at the end of December, we will stop deployment in September of this year, we get down to 35% by two years hence from the end of next week, and then we have it removed from the mobile network by December 2027. I think that timeframe works well for us with introducing effectively a third supplier into our mobile network in terms of that 2027 point. It certainly helps mitigate any future steps in terms of a two-to-one.
I would not bank on it taking a full eight years to have an open RAN opportunity. As we heard from Andrea, colleagues at Vodafone have already started deployment . The real challenge there is about being able to use open RAN in dense urban areas where the technology works at its hardest, shall we say.
On your final question about research, we are in the top five investors in R&D in the UK—we invest in excess of £500 million a year across both research and development. In fact, the only companies that research more than us in the UK are the pharmaceuticals. I have 280 researchers based in the BT labs at Adastral Park near Ipswich and they, plus a standards organisation —we also draw in from engineers across my organisation—remain really actively involved in the standards bodies. I welcome what colleagues from the other operators say and think it is really important that we maintain that as a UK presence and as a European presence to ensure that we are not lost in the middle of any risk of divergence between the US and eastern and Asian countries and China. I would implore us all to work hard to ensure that that does not happen.
Matt Warman
Q
Howard Watson: Let me take the final part of that question first, Minister. We are very much aware that that is a deadline, not a target, but we welcome the fact that the deadline is 2027. I have given evidence previously and have talked with Government significantly about the real risks to the availability of service if we pull that date forward.
We have a lot of infrastructure. That deadline allows us to plan carefully how we can switch off a site, if we have to, to replace it and swap it out, so that the spike has overlapping coverage from adjacent sites. Were we to be required to bring those timescales forward, we would be talking about mobile blackouts in the UK, which clearly we all want to avoid, given the increasing dependence of UK citizens on networks. We have a plan that gets us to that. The 35% by 28 January 2023, just two years away, is a little bit more challenging, but we have a plan to get us there. The pandemic is making that challenging, but right now we are on track for that too. I think that answers the second question.
In answer to your first question, the ambition that we have, and what will become requirements across the TSRs, will put the UK ahead of the pack, in being a safe place for people to work and run businesses, secure in the knowledge that we have a high level of protection against cyber-threats. We welcome that, particularly in the environment in which we are now operating.
We have remaining questions—we raised some of those in our written evidence—about the sequence by which the requirements will be applied. We think it is critically important that there is a strong baseline level of compliance that applies to everybody who operates a network in the UK. We do not want to have entry points through weak links across our environment.
Alex Towers: A large majority of what is in the TSRs reflects current best practice and we are already complying with it. There are some places where there is a stretch for us to do more, which is good. The key point, I suppose, concerns Howard’s point about making sure that the baseline for all operators is higher and strong enough, given that these are inter-connected network, as you have already heard this morning. The whole edifice is only as strong as its weakest point. We are concerned about the idea that the code of practice might not apply to some operators, for example. That is the sort of detail that we will begin to see debated further as the Bill goes through.
Chi Onwurah
Q
Howard Watson: We do believe that fixed networks, whether full-fibre or fibre-to-the-cabinet, have a different risk profile—a lower risk profile—from mobile networks. Please remember that it is only in the access part of the network, so the fibre—the device in the exchange that connects to that. In the core of the fixed network, we have no presence of high-risk vendors. So we do believe that is manageable. We worked really closely with DCMS and NCSC to arrive at the 35% threshold that was published a year ago, and we think maintaining that in the fixed network is proportionate and sufficient to ensure security there, combined with the oversight that, again, we continue to support from the HCSEC and NCSC to ensure that we are inspecting everything that goes into the network.
I will also say that it is essential that we do take that approach because, as you know, we have large ambitions to increase full-fibre coverage in the UK. Ofcom reported in December that that was now at 18%. We at BT have now built for 3.5 million homes. We have a plan, which we have talked about—this is with the right conditions—to get to 20 million. We do need that 35% to be part of that plan because, again, introducing alternative vendors is challenging.
Chi Onwurah
Q
Howard Watson: Fundamentally, you are dealing with a customer that is a fixed end point, so you are not having to provide handover between different sites as you do in mobile. Essentially, we are taking an electrical signal, modulating it into optical and converting it back to electrical at the other end, in very standard ethernet-based protocols. It is therefore really easy to see if there is a problem, so if something was infiltrating the network, we would spot it very quickly. Also, it is a very segmented network. The FTTC network has a granularity of over 85,000 cabinets in the UK, and the FTTP network has splitters for every 32 homes. Any issues are very easy to spot and so it is much easier to keep secure.
Chi Onwurah
Q
The Chair
I am afraid you have only about a minute to respond. Which of you gentlemen would like to answer?
Howard Watson: I will take that. You are right. We want two vendors to be consistently in the market, so that we can continue to deploy. If one of them were to fail—well, we insist on commercial and physical measures being in place such that we could step in and run the equipment that was already in the network, so it would not be switched off in the short term or anything like that; there would be no immediate threat to the existing network. It is the ability to build forward that is important.
As I think Alex mentioned earlier, the primary reason, which relates to the second part of your question, is that we want competition on pricing. As we have looked to have the two remaining vendors compete with each other for replacement of our Huawei estate, that has actually worked quite well as we have put in place contracts for that replacement.
Online Anonymity
Chi Onwurah Excerpts(3 years, 3 months ago)
Westminster HallRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
It is a pleasure to serve under your chairship for the first time, Ms McVey. I look forward to doing so on many further occasions. I thank the right hon. Member for East Hampshire (Damian Hinds) for securing this exceptionally important debate. I also thank the hon. Member for Stroud (Siobhan Baillie) for her opening remarks, which were more than those of a stand-in. They set out the concerns and the personal experience really well and illustrated why this is such an exceptionally important topic to debate. I am sure that many more Members would be here had it not been for the confusion about whether this debate would be taking place. I know that this is an issue of personal, professional and constituency concern to many Members on both sides of the House; it is not a party-political issue.
I want to start by citing the right hon. Member for East Hampshire, who is aware of the challenge of online anonymity for bullying and negative self-perception among young people. He has spoken often about that, and he noted that in 2018 the OECD found that English schools have the highest reported rates of cyber-bullying out of 48 countries. As we debate online anonymity today, we have to keep in mind the deeply troubling human impact that anonymous presence online can have, not least on our young people.
The Government ought to know about the challenge of online anonymity, because their own Commission for Countering Extremism published academic work in 2019 that noted:
“Increased anonymity is associated with increased extremist …language”
on Twitter and YouTube. Tackling abuse and extremism online must mean tackling the worst parts of anonymity online.
We do not have to rely on academic work or the OECD to know the pain and harm that online anonymity can cause. The hon. Member for Stroud set out some of her experiences, and I would just like to say how sorry I was to hear of them. My hon. Friend the Member for Ellesmere Port and Neston (Justin Madders) set out some of his experiences with Twitter, and it is highly regrettable—it is not the first time I have heard it—that Twitter does not take complaints from Members of Parliament or members of the public seriously enough.
Just last month, we heard the strong testimony of my right hon. Friend the Member for Barking (Dame Margaret Hodge), who highlighted over 90,000 posts aimed at her. Many were antisemitic, misogynistic and ageist, and many were posted by people hidden behind anonymous screens. We know from several colleagues, from the valuable testimony of groups such as the Antisemitism Policy Trust, and from painful personal experience that online anonymity too often accompanies online abuse. Like almost all Members of Parliament, I have experienced abuse online, particularly when I dare to say something that some people might consider to be controversial. I have never been able to find out who was behind the most violent instances of such abuse.
As the Government note, there can be trade-offs in regulating online anonymity. Anonymity can be a shield for brave whistleblowers, for victims finding online refuge, or for children and minorities finding courageous self-expression. We must not forget that the internet and social media applications have many positive consequences for people who can use them. They are free and widely available, and they allow communication across generations, geography, countries and all kinds of barriers. Simply banning online anonymity is unlikely to be workable or desirable. We have to be sensitive to the trade-offs here. Protecting privacy is as much a priority in those cases as protecting against harm is in abuse cases.
However, I would say to the Minister that inaction is the worst trade-off of them all. The Secretary of State said:
“It is a challenging area, this point about anonymity,”
and that the Government will do nothing on it in the proposed online safety Bill,
“But of course we will continue to keep it under review.”—[Official Report, 15 December 2020; Vol. 686, c. 157.]
The Government are evading tough trade-offs altogether. That inaction means turning a blind eye to misinformation online. It means a failure to look at victims of abuse online—young people, minority communities and our fellow Members of Parliament—and a failure to assure them that we will do better by them. It is a failure to stand by the victims in these horrendous examples.
It does not have to be this way. Protecting whistleblowers does not need to come at the cost of protecting people who perpetrate abuse. We could do things differently. Indeed, there are already legal provisions that seek to balance anonymity and online responsibility. Norwich Pharmacal orders, or NPOs, can help obtain the identity of a party in court cases where there is alleged wrongdoing. The regulations in the Investigatory Powers Act 2016 give public authorities the ability to access communications data for potential criminal investigations. As we know, however, the sheer scale of online abuse and extremism means that there is more that we could and should do.
This is not a new issue. As I may have said in the past, my background before coming into Parliament was working in technology, particularly on the networks that now form the internet, for 20 years. The rights and wrongs of anonymity on the internet is a question that is as old as the internet itself, which we should remember is now decades old—it is no longer a rebellious teenager.
Three years ago, I attended a conference held by Ditchley on our rights and responsibilities on the internet, and the right to identity was a particular issue. One of the things that I want to emphasise to the Minister is that, as well as considering the right to anonymity on the internet, we must also consider the right to identity. For example, people should be able to prove who they are when they need to. Companies, services and Governments have a right to ask for identity in certain circumstances, as we do in the physical world. Anonymity should not be treated as a zero-sum concept, but should be qualified by the question, “Anonymous to whom and for how long?”
In real life, we can walk through a crowd without the people around us knowing who we are, but we accept that we are not permanently anonymous. If, for example, a police officer has a reason to review CCTV footage of the area, or we go into a bar and look young enough that we are asked about our age, we may be asked to prove our identity. We would not expect to be able to take out a loan or mortgage without proving our identity. Different degrees of anonymity apply to different situations in the real world. Why should we not reveal on the internet as much of our identity as is appropriate to the situation?
In some ways, as well as a question of principle, this is a question of design, on the way in which permissions and information are required and set out for applications on the internet. It is up to the Government to support a debate about how a spectrum of identity and anonymity should be implemented. A key aim should be to increase the friction that cyber-criminals face when pursuing crime. I do not think anyone is arguing that putting in place identity requirements and appropriate measures to support identification will end cyber-crime or cyber-abuse, but it would increase the friction associated with the crime, and that would help to reduce it.
We should consider a number of areas to address that, some of which have already been raised by the hon. Member for Stroud and my hon. Friend the Member for Ellesmere Port and Neston. We should consider a requirement for companies to know their customers’ identities. Contrary to the Government’s position, requiring users to selectively share their identities with online platforms does not mean that users share their identities with the world at large. Platforms can still protect users’ anonymity on the public platform while having direct access to their identities in the event of harmful behaviour.
Justin Madders
We know that the business model of a lot of online tech giants is based on sharing and utilising user information commercially. Does that not show that there must be a way of getting enough information on individuals? The information does not need to be circulated, but that shows that it can be found.
Chi Onwurah
My hon. Friend makes an excellent point, and one that I was just about to make by citing the “know your customer” verification requirements in financial institutions, which are part of efforts to prevent money laundering, for example.
Financial institutions, although they have improved immensely in technology over the past few years, are nowhere near as knowledgeable as the great tech giants such as Facebook, Twitter and Google in scooping up and managing data, although they tell us that they manage the data in privacy-conscious ways. As my hon. Friend the Member for Ellesmere Port and Neston said, their business models are driven by access to data. There are real concerns about the consolidation and monopoly control of data, which are not within the remit of this debate, but, as he suggests, the idea that these organisations cannot obtain and protect effectively the identity of their users is clearly ridiculous.
Such checks would not even require platform companies to hold user identity data themselves. Instead, as in financial services, secure, expert identity verification services could allow users to share only aspects of their identity—the minimum required to access online platforms. Again, anonymity would be guaranteed relative to other users. The fact that my bank did a “know your customer” check would not mean that my bank data was suddenly accessible to other customers. I think we accept that principle. At the same time, identity would be available to relevant law enforcement authorities in the event of suspected wrongdoing. The very act of requiring a “know your customer” check would also deter malicious agents from using the cloak of anonymity and would therefore increase the friction in the system.
As a complement to those ideas, we could require platform companies to put up deterrents against abuse and harm, ensuring that customers know that their identity could be shared with law enforcement agencies in the event of wrongdoing. I know that the Minister’s online safety legislation, which is in development, will put a duty of care on the large platforms. Perhaps she will tell us why she does not feel a more proactive duty to prevent and deter harm and abuse would not be appropriate, as it would require platforms to know their customers.
It is important to recognise that people are always customers. Even if those who use Twitter and Facebook are not paying for the service, they are still customers and are effectively paying in an exchange of data, so I feel that the model of “know your customer” is particularly appropriate. We could also consider imposing appropriate forms of liability on companies in the event that they are unable to provide identity information where courts and law enforcement require it.
None of those policies would obstruct the privacy of whistleblowers, children expressing themselves or victims finding solace and solidarity online. None of them would require companies to identify customers on their platforms to other customers. Some of them would not even require companies to have the identity data themselves, allowing the possibility of secure identity solutions held outside of these companies. Some of them are likely to be practices that already happen, but voluntarily and not systematically.
The point is not to pursue one specific policy. The point is for the Government to have a consultation and a debate that sets out policies that achieve those objectives, with a robust set of sophisticated digital identity options that can be statutorily enforced. Inaction, which is the Government’s current default of delaying action in this area, is a choice that evades trade-offs, avoids actions and lets victims down, so I ask the Minister to use this moment to tackle online anonymity head-on. We must grasp this opportunity, and to do so we must answer three questions.
First, what is the right identity verification required to place on online platforms with user-generated content? Can we ensure that those cover what might be needed for effective action against illegal and, in some instances, harmful behaviour? How can those requirements on platform companies have impact, with the right mix of incentives and sanctions for companies?
Secondly, how can we ensure that those online platforms are best co-ordinated with law enforcement authorities, where needed? Should Ofcom’s oversight of platforms’ duty-of-care performance cover how effectively companies work with law enforcement authorities? I understand, for example, that Twitter charges law enforcement officials to provide information on the identity of its users. Will the Minister verify that?
Thirdly, what confidence do we have in the jurisdictional coverage of existing and potential identity verification requirements? Do those apply to the range of internationally headquartered and popular platforms, or are Facebook, YouTube, Instagram and Twitter able to evade coverage as a result of country-of-origin principles?
I hope that the Minister will answer those questions, as the right answers could materially improve our public sphere and address the examples of online harm and abuse that have been raised in this debate. Platforms would be able to verify users easily, law enforcement authorities could pursue justice appropriately, those hiding online abuse behind anonymity would be deterred and, most of all, users would navigate online platforms with far greater assurance of no abuse or extremism.
With that final point, I will close, because the pandemic has demonstrated that our lives are lived online to an extent never before seen. Even when we return to social contact—we all hope soon—as opposed to social distance, the internet, the web and social media platforms will continue to play a greater part in our lives. The hon. Member for Stroud set out the enormous increase in online activity that we have seen as a consequence of the pandemic. I want my constituents to be able to have trust and confidence online, and in those they meet and engage with online. I want them to feel secure in their online and digital lives, because without that they will be handicapped and prevented from engaging as full citizens in what is increasingly a digital world. I ask the Minister to ensure that that digital world is as safe for everyone as the real world is.
Caroline Dinenage
I will get to the end of my sentence, then I will absolutely give way. We want all parliamentarians to feed into this significant and important piece of work, so this is a starting point. We will continue to work with Members of both Houses to listen to their concerns as we move forward, and as hon. Members will be aware, the Secretary of State is minded to undertake legislative scrutiny on this. We want that to start quite shortly.
Chi Onwurah
I did not mean to interrupt the Minister in full flow; indeed, I am grateful for the way in which she is responding to the many issues that have been raised. There was an exchange today about whether or not exceptions to the online harms legislation would be enabled through trade deals with the US, for example, and there seemed to be some confusion over that. I wondered whether the Minister would like to take the opportunity to clarify that point.
Caroline Dinenage
I am grateful to the hon. Lady for giving me the opportunity to do so. We absolutely stand by our commitment on online harms, and are completely dedicated to it, so nothing in any trade deal—particularly the US trade deal, given that so many of these big social media companies originate there—will impact that. We will continue to promote appropriate protections for consumers online and ensure that internet users, particularly children, are safeguarded from harms. We are keen to maintain very high standards of protection for personal data, including when it is transferred across borders, and those data protection standards would never be lowered as a result of any deal with the US. I hope that that reassures the hon. Lady about our position, and I am grateful that she has given me the opportunity to put that on record.
The other thing I want to put on record is that we are very passionate about our belief, and our willingness to put out there, that companies should not wait for legislation to be in place before they start taking action to tackle online harms. I have said many times that this legislation is coming down the track, and we are not the only country in the world that is bringing forward such legislation. A vast range of measures are already available for platforms to use that could keep their users much safer online, if they want to. To help them with that, alongside the full Government response, we have published interim codes of practice on things such as preventing terrorists’ use of the internet and child sexual exploitation and abuse. Those codes of practice are voluntary, but are designed to bridge the gap until the regulator is operational, fully up and running, and able to produce its own statutory codes. My strong message to online providers is that they should start getting their house in order now, rather than wait for the legislation to bring that about.
Of course, being anonymous online does not give anybody the right to abuse others. The police have a range of legal powers to identify individuals who attempt to use anonymity to escape sanctions for online abuse where the activity is illegal; I have not heard before that Twitter charges for supporting that work, but I will certainly look into it. The Investigatory Powers Act allows police to acquire communications data such as an email address and the location of the device from which the illegal anonymous abuse was sent, and they can use that data as evidence in court. In fact, in 2017-18, the majority of communications data requests from public authorities were for subscriber information. Subscriber information requests seek to identify the user of a telephone, an email address or a social media account, for example. In 96% of cases, the applicant identified the subject of the request as the suspect in the investigation.
The Government are undertaking a review with law enforcement to ensure that the current powers that it has are sufficient to tackle illegal anonymous abuse online. Because the online world is so fast-moving, we want to ensure that our law enforcement agencies are fully equipped to be able to do that. The outcome of that work will inform the Government’s position in relation to illegal anonymous abuse online and, of course, the online harms regulatory framework.
In addition, to ensure that the criminal law is fit for purpose to deal with online abuse, we have instructed the Law Commission to review existing legislation on abusive and harmful communications. The commission has highlighted in its consultation the fact that it acknowledges that anonymity online often facilitates and encourages abusive behaviours. It combines with—the hon. Member for Ellesmere Port and Neston pointed this out—the lack of restraint that an individual feels when they are communicating online, compared with communicating in person.
I have had experience of that myself. People have posted on Facebook, “I’m going to go and see that Ms Dinenage and give her a piece of my mind. I’m turning up here, at this time, on this date. I’m going to be there.” That has never materialised in real life, for which I am very thankful, but you can imagine how frightening it is. People have a lot of bravado when hidden behind a screen or keyboard, and it is very difficult to know whether that bravado could tip over into real life. There is a lack of restraint online, compared with in person, and abusive behaviours such as pile-on harassment and cyber-flashing are much easier to engage in, at a practical level, via the anonymity of these platforms.
As part of the review, the Government have asked the Law Commission to examine how the criminal law will address the encouragement or assistance of self-harm as well. That is something that is incredibly distressing. As the Minister who took over this role, I have found that one of the hardest conversations that I have had to have is with young people who have been incited to self-harm or, indeed, to take their own life online.
The Law Commission has consulted on its proposed reforms, and a final report is expected early this year. We are going to consider very carefully using the online harms legislation to bring its final recommendations into law where it is appropriate to do so. We are really committed to tackling all harms online, including anonymous abuse. The hon. Member for Newcastle upon Tyne Central talked about sanctions. We want to ensure that Ofcom has the ability to use sanctions. They are tough—up to 10% of global turnover. We will not shy away from that—it is more than is being proposed by the equivalent European legislation, for example—because we know that anonymous abuse can have such a significant impact on victims. We have all seen a little bit of it ourselves, but we know that there are people outside the House who are much more broadly affected than we are. Whether someone is a member of the public, a high-profile public figure or a child subject to the most awful abuse outside the school gates, where they just cannot escape it, it is really important that we have a regulatory framework that adequately addresses this issue, while also protecting the value of freedom of expression. We have always to keep that in our minds as well. It is vital that we tread that line very carefully. It is vital that we get the legislation right.
We want all parliamentarians to be able to feed into this really significant and important piece of work. As the hon. Member for Newcastle upon Tyne Central said, there would have been a lot more people here today in normal circumstances. My door is always open, because I want to continue to work with Members of both Houses to listen to their concerns as we move forward.
Chi Onwurah
I thank the Minister for giving way again, and thank her again for the tone in which she is responding to issues. May I summarise the position—without putting words in the Minister’s mouth—by saying that online anonymity is not currently directly addressed in the proposed legislation, but it could be if there was thought to be sufficient reason to do so? Is that a fair summary?
Caroline Dinenage
That will be addressed in a number of the broader protections. I was very taken with what the hon. Member said—I wrote down the words she used—about the importance of the right to identity, as well as the right to anonymity.
We really want to get this piece of legislation right. The other day, somebody raised with me the analogy of the invention of the motorcar. The internet is such a big invention that it is almost like that. With the advent of the motor car, we did not put in place seatbelts, airbags, the highway code or even the driving test—my grandfather did not take one—from the outset. Some of those innovations had to come down the track, but I really want to put in place as many protections for the internet from the outset as we can. I want to make this piece of legislation as robust, powerful, far-reaching and successful as possible. That is why I am not taking anything off the table. I want genuinely to put this legislation through pre-legislative scrutiny, take the comments of both Houses and ensure that, when we move forward, we do so in the best possible way. That is why we will continue to keep the area of anonymity under review as we progress with the online safety legislation.
Oral Answers to Questions
Chi Onwurah Excerpts(3 years, 5 months ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Caroline Dinenage
My hon. Friend is a great champion for local media and newspapers in his area. We recognise the vital role publications like his own Warrington Guardian play in supporting communities but also in providing reliable information. We strongly welcome the recommendations in the Competition and Markets Authority report and the setting up of a digital markets unit within the CMA to ensure fairness in regulating digital platforms. The Minister for Media and Data meets very regularly with the sector to discuss all its ongoing concerns about this.
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
I do not know who your secret Santa is, Mr Speaker, but I do know the Minister’s: Google and Facebook. Only, they are not buying presents—just using our data, behaviour and social contacts to tell us what to buy through their domination of online advertising, while our local retailers, who pay significant taxes and employ so many people, lose out. Can the Minister confirm that the digital markets unit’s powers have yet to be defined and that powers in the long-delayed online harms Bill are being watered down? Will she promise now to stop tech companies selling on our data, and put us back in control of our digital lives and Santa back in charge of Christmas?
Caroline Dinenage
I sincerely hope they are not my secret Santa. Online advertising is clearly an important driver of the UK economy. The Government are really committed to supporting the continued growth of the industry, but it needs to be fairer and better regulated. So we will launch a public consultation next year on measures to enhance how online advertising is regulated in the UK. That will build on the call for evidence we launched this year, and we will consider options to enhance the regulation of advertising content and placement online. The hon. Member asks about the online harms response. It will be published very shortly and it will not be watered down—there is my secret Santa gift for her, Mr Speaker.
Digital Infrastructure, Connectivity and Accessibility
Chi Onwurah Excerpts(3 years, 5 months ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
I would like to start by thanking the right hon. Member for Tatton (Esther McVey) and my hon. Friend the Member for Sunderland Central (Julie Elliott) for securing this important and excellent debate. When I first entered Parliament 10 years ago after 20 years as a telecoms engineer, I was somewhat disappointed by the lack of discussion on digital connectivity and digital opportunity. That has really changed in the past few months, although not significantly in Government time. Members have shown real knowledge, passion and understanding, and I hope that the Minister has been listening.
As several Members—most eloquently, I thought, my hon. Friend the Member for Mitcham and Morden (Siobhain McDonagh)—pointed out, the covid-19 pandemic has highlighted the significant role that online services play in supporting people’s social lives, education, workplaces and communities. We have seen a huge shift in people’s dependence on digital. The Office for National Statistics estimates that almost 50% of people are currently working from home, and 80% of people told it that they feel digital technology has been a vital support to them in lockdown, if they have access to it.
Several Members—in particular the hon. Members for Beaconsfield (Joy Morrissey) and for West Dorset (Chris Loder) and the right hon. Member for Orkney and Shetland (Mr Carmichael)—emphasised the economic importance of digital connectivity, but for it to play that role, we need it to be reliable and fast. The 2020 National Audit Office report “Improving Broadband” found that, at 14%, the UK has one of the lowest full-fibre coverage rates in Europe, as several Members observed.
The fact is that successive Tory Governments have presided over 10 wasted years for our telecoms infrastructure. The last Labour Government made great strides in building a digital economy. Our Communications Act 2003 set the strategy and vision, and our office of the internet was a world leader. We oversaw the roll-out of first-generation broadband to 50% of households by 2009 and were in the top 15% of global broadband speed tables, with competitive infrastructure positions.
Jane Hunt
I wonder whether the hon. Member agrees with me that, actually, it was the Labour Government who made telecommunications companies spend billions of pounds buying bandwidth that previously had been only a matter of hundreds of pounds. If they did not have that bandwidth, they did not have that network and they were not in the market.
Chi Onwurah
I am afraid that I do not have the time fully to go into the reasons why that intervention is wholly without value. First, we are talking about fixed networks here. Secondly, the huge improvement in the services that could be offered on spectrum meant that that spectrum was valuable, and it is in the public interest that valuable spectrum should have its value recognised.
This Government have flip-flopped and U-turned when it comes to our network infrastructure. As the right hon. Member for Tatton reflected, the Prime Minister initially promised full fibre to all by 2025. In their 2019 manifesto, the Government downgraded that pledge to universal gigabit-capable broadband to every home. Then, only last week, they sneaked out in the spending review plans to water down their broadband promises; instead of keeping to their manifesto promise, the Government are now aiming only to have a minimum of 85% coverage by that date. The budget for that plan remains the same, but now only £1.2 billion of the £5 billion will be made available up until 2024. We were promised roll-out; what we got was roll-back.
BT’s own analysis shows that at the current rate, full-fibre coverage will reach only 70% of UK premises by 2025 without the removal of key barriers, making even the revised target unrealistic. At the current rate, the Government’s 100% target will not be met until 2033, disappointing many Members, including the hon. Member for Stoke-on-Trent North (Jonathan Gullis).
The Local Government Association also has major concerns about the Government’s intention to centrally procure and manage the contracts for the delivery of gigabit-capable broadband infrastructure. I hope that the Minister will take this opportunity to reassure local authorities that they will be involved in the local delivery of both broadband and 5G infrastructure.
For many, access to fibre is but a dream. As the hon. Members for Totnes (Anthony Mangnall), for Devizes (Danny Kruger), for North Devon (Selaine Saxby) and for North Norfolk (Duncan Baker) set out, in the wastelands of Wiltshire and the deserts of Dorset they have no, or very little, broadband access. There are 1.9 million households without access to the internet and 155,000 UK properties are unable to get decent broadband. In rural areas, 50% of rural premises have patchy and unreliable mobile reception. Nearly half a million rural premises cannot get decent broadband. The broadband universal service obligation is no such thing, with rural residents potentially charged tens of thousands of pounds to connect to broadband, as the hon. Member for Loughborough (Jane Hunt) highlighted.
We need to provide network access to protect the most vulnerable in our society. FutureDotNow estimates that between 175,000 and 500,000 of those who received letters instructing them to shield during the pandemic had no internet access, yet because the letters were peppered with references to websites, those individuals would find it incredibly difficult to access the information they need. Yet the Government do not even have a target for digital inclusion. Could the Minister speak to that?
Many Members made the point—I pay tribute to the work of my hon. Friend the Member for Sunderland Central and her all-party group, and the passion of my hon. Friend the Member for Ilford North (Wes Streeting) in this area—that digital infrastructure is not enough. We need digital skills, which are economically key to keeping us safe online and unlocking the potential of digital. A lack of digital skills isolates people. To participate effectively online, individuals need devices on which to access the internet. Without them, individuals are excluded. What is the Minister doing to provide the digital skills and access that are needed?
I am aware that the Minister previously told the Select Committee on Digital, Culture, Media and Sport that although he wanted to do more to help those who are digitally excluded, there were limited resources. I think the Chair of the Select Committee dealt effectively with that point. I urge the Minister to find the political will and set out plans to ensure that nobody in the UK is left behind through a lack of digital literacy in this digital age, and that everyone can be an active participant in our increasingly digital world. Digital should be an enabler, not a divider.
Broadband Rollout: Devon and Somerset
Chi Onwurah Excerpts(3 years, 5 months ago)
Westminster HallRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
It is a great pleasure to serve under your chairship, Ms Fovargue. I want to thank the hon. Member for Tiverton and Honiton (Neil Parish) for calling the debate. It has been a huge pleasure for me to listen to so many excellent and well-informed contributions. As a north-east MP, who is not allowed to travel far at the moment, I feel that I have been on a tour of Somerset and Devon and I very much appreciated it. I feel for the Members who have eloquently expressed concern about the impact of the lack of the digital infrastructure they need and deserve on the people of Devon and Somerset. I do not know whether the Minister has enjoyed the debate quite as much, but I shall briefly summarise some of what was said.
I was amazed to learn that Tiverton and Honiton’s ranking was as low as 627th, but then I found that North Devon is even further down. Obviously there are comparisons to be made, and someone has to come top and bottom. Even so, despite Devon and Somerset having 1.5% of households in the country, 5% of homes there are located in notspots. In Somerset West, one in 20 households are unable to receive the minimum 10 megabits, which is the Government’s definition of decent broadband. That figure increases to nearly 12% of households in east and west Devon. The hon. Members for Somerton and Frome (David Warburton), for East Devon (Simon Jupp), for Totnes (Anthony Mangnall), for North Devon, and for Tiverton and Honiton all emphasised how the pandemic had truly brought home to us the importance of connectivity at this time.
Every Member referenced the Connecting Devon and Somerset broadband scheme, which the hon. Member for Tiverton and Honiton described as too slow. However, the scheme exceeds the UK’s superfast broadband roll-out target set by the coalition Government, which called for 90% coverage by 2015. Unfortunately, mismanagement under the coalition Government meant that, nationally, the target was not reached and was missed by a year. If a local scheme that outperforms the Government’s is too slow and needs to be reviewed, the Government’s own position on broadband has been lacklustre and should also be up for review. [Interruption.] I do have mobile coverage here.
Anthony Mangnall
The hon. Lady started her speech by saying that she felt the experience of our lack of connectivity in the south-west. She is more than welcome to come and experience it at any time.
Chi Onwurah
I really am grateful to the hon. Gentleman for that timely intervention. I meant to say that I felt for the experience, but I am keen to feel the actual experience in the gorgeous surroundings that he has so well described. The products and services sound so very attractive.
We have had 10 wasted years for telecoms infrastructure under this Government. I was a chartered engineer who worked in telecoms for 20 years before coming into Parliament, which I mention from time to time, and the decade that I have been in Parliament has coincided with a rapid relative decline in the quality of our telecommunications infrastructure. Labour made great strides in building a digital economy. Our Communications Act 2003 set out the strategy and vision for a decade. Our office of the internet was a world leader, and we oversaw the roll-out of the first generation of broadband to more than 50% of households by 2009.
Labour’s plans would have seen two-thirds of UK households have access to services of up to 40 megabits by 2015. Unfortunately, that is now not the case, consecutive Tory Governments having squandered that world-leading position. Several Members mentioned the need for effective competition and not the over-building of fibre to one home, and not the absence of any competition or a monopoly provider. Under Labour, we had competitive infrastructure competitions, including the local loop, but since then we have seen U-turns, dither and delay in infrastructure roll-out, including the BDUK scheme, which re-emphasised Openreach—indeed, BT—effectively as a monopoly provider. All phase 1 contracts and funding under the scheme went to British Telecom, and the Public Accounts Committee warned that that restricted the Department’s ability to insist on value for money. Will the Minister set out his strategy for encouraging effective competition, particularly in rural broadband? It is concerning to see that as a country that invented the fibre-optic cable—
Neil Parish
I shared the hon. Lady’s concern that Openreach had too much of a monopoly, but I have to say that since Openreach has stepped back from connecting Devon and Somerset, the situation has actually got worse, not better. Openreach is training 5,000 engineers every year, so there is a real need for it. Now that it has been split away reasonably successfully from BT, we can use Openreach much more.
Chi Onwurah
The hon. Gentleman shows an understanding of network competition that I rarely find in this House. I can only agree with him that it is necessary to have effective separation. If Openreach is effectively separated and open to different over-the-top providers, having a monopoly position does not lead to monopolistic behaviours such as raising rents or offering low customer service, but it is necessary for that separation to occur. As I think has been said, it is also the case that BT responded to many of the Building Digital UK bids and ended up having a monopoly position. That was BT, not simply Openreach.
I want to focus for a couple of minutes on the economic importance of rolling out broadband. In 2018, the Conservative-run Somerset County Council highlighted the worry about regional productivity in its economic development strategy, which said:
“We are not as productive a District as we could be. Evidence shows a relative lack of dynamism in our economy with productivity levels below our potential and lower than those of the South-West and national levels.”
Across the country, only 8% to 10% of premises are connected to full-fibre broadband, compared with 97% in Japan. We are an innovative nation, but our innovation needs the digital platform to allow our small businesses to grow, particularly as our economy shifts online and we face the challenges and opportunities of the fourth industrial revolution, with its implications for everything from manufacturing to smart cities and addressing climate change.
I do not want to reiterate the Prime Minister’s sad history of flip-flopping over promises on delivering full fibre, but I will summarise it. Full fibre was supposed to be delivered by 2025, but that was then downgraded to gigabit-capable broadband to every home by 2019. As we have heard, only last week the Government sneaked out the Chancellor’s spending review plans to water down their broadband promise instead of keeping that manifesto commitment, and a smaller proportion of money has been made available.
The hon. Member for Tiverton and Honiton cited George Bernard Shaw. My recollection is that it was Oscar Wilde who wrote:
“To lose one parent…may be regarded as a misfortune; to lose both looks like carelessness.”
That quote is absolutely appropriate in this case, because although we might understand one change in the Government’s commitment to broadband, a series of changes is either carelessness—which is negligent, given the importance of digital infrastructure to our economy—or, I am afraid, deliberately misleading.
I hope the Minister can set out how we will achieve in Devon and Somerset the digital infrastructure that is so richly deserved. I also hope he will talk a bit about the divide in digital skills, because as well as having the infrastructure, we need to ensure that everyone has access to the digital skills that mean they can use the infrastructure and reap the economic benefits. I am particularly concerned about access to infrastructure at home, which enables Zoom meetings and online education. Some 50% of rural premises have patchy and unreliable mobile reception, so I hope the Minister will say a word about 5G roll-out and the delays in coverage. We cannot allow the digital divide to exacerbate the current rural divides. I hope that the Minister will mention the universal service obligation, which the Government launched in March to great fanfare and which allows rural households to demand connectivity from BT. As I am aware from the north-east, however, an estimated 60,000 households across the country may be charged up to £100,000 for installation under that initiative. Does that count as a universal service obligation? How much does the Minister believe is too much to pay for the internet?
Digital is now at the heart of almost every policy area and online access is integral to people’s lives. I thank the hon. Members for Somerton and Frome, for East Devon, for Totnes and for North Devon—and, of course, the hon. Member for Tiverton and Honiton—for their considered contributions to the debate, which represent their constituents’ interests now and in future. We must ensure that, as we build back better and level up, there is no rural digital divide that holds back parts of our country and a significant number of our constituencies.
Matt Warman
My hon. Friend is absolutely right. A crucial part of the future programme will be much greater communication with Members of Parliament, which is important up to a point, but also with the public. One of the most important things we can do is say to people, as he said, yes, the whole procurement will take several years, but there will be many shovels in the ground and many connections made well before the end of that period. We need to give people as much transparency as we possibly can, so that the entirely legitimate criticism that my hon. Friend made of the previous contract is not the case for the future contract.
It was right that CDS gave Gigaclear the opportunity to make things work, because it could speed things up, but we are where we are. It also important from a national perspective to say that Gigaclear has delivered in large swathes of the country: in Oxfordshire, Berkshire, Essex, Herefordshire and Gloucestershire. There are many problems, given the situation we are in today, but part of this is that we cannot lay them all at the door of any one entity.
On the new procurement, while some may think it easier to award the contracts to a larger supplier, the fair and open process across six lots was intended to promote speed and competition. When my hon. Friend gets his Christmas present, I hope he will be able to greet that, and we will give him some of the transparency that we have talked about.
I thank CDS for working with DCMS as closely as it has. That is why we have got to the position of doing six procurements in ten months or thereabouts, taking the people of Devon and Somerset to a significantly better place. The overall delivery, in stages between 2021 and 2024, and 2024 and 2025, is the right approach but it needs to be as transparent as possible, and should go as fast as possible. It should be communicated as quickly as possible. I have made that point to DCMS and CDS because, once awarded, these new contracts will deliver the balance of the connectivity that should have been delivered by Gigaclear. It is worth remembering the UK Government target of 95% for superfast coverage. The latest figures in my hon. Friend’s constituency show that 84.35% of his constituents have superfast connectivity —slightly up from the figures that he has given. The bad news is that the other two constituencies that he mentioned have gone up slightly faster. Tiverton and Homerton now has the lowest connectivity in Devon and Somerset, and I know that he is not going to let up until that is at a significantly higher level. We will pick up the superfast connections with these remaining procurements, we will be more transparent and we will go as fast as we possibly can.
It is also important to talk about the forthcoming UK gigabit programme that my hon. Friend mentioned and be absolutely clear that this remains a £5 billion programme with a 100% target. The judgment of industry and the Government is that the initial phasing of the spending reflects the maximum that can be delivered in the period up to 2025, but we will continue to work with industry so that if we can go any faster at all, then we will. If we can exceed that 85%, then we will. It is not an 85% maximum—it is a 100% ambition and we will go as far and as fast as we can.
My hon. Friend the Member for North Devon (Selaine Saxby) mentioned vouchers. They will be a key part, but not the only part by any means, of that future procurement, because it is horses for courses, as we know. Some communities are able to work together, but in some areas that is simply not the right approach. A host of different approaches will inform how we spend that £5 billion because that is how we will make it go as fast as possible and how, with an eye on value for money, we will manage to make sure that we spend it as quickly as possible. I know what matters to hon. Members in the Chamber is getting those connections done as quickly as possible. In the period to 2025, we will focus that funding, wherever possible, on premises that do not have access to superfast broadband. That means that the focus will be disproportionally on constituencies such as Somerton and Frome, and Tiverton and Homerton, where an 80-something per cent. of people have it. I obviously cannot make promises about any individual connection, although I am glad that my hon. Friend the Member for Totnes (Anthony Mangnall) has recently been upgraded and I have hopes for my hon. Friend the Member for Somerton and Frome, but it is important that the Government are clear that we will focus the £5 billion gigabit programme on getting as many people connected as possible. We will focus on those who need it most, and we will continue to work with the industry to refine the programme and maximise coverage.
Chi Onwurah
I thank the Minister for the good-natured way in which he is addressing our concerns, but I want to ask him about the commitment to universal gigabit broadband. Does it remain, and if so when will it be achieved?
Matt Warman
As I said, we think we will get to 85% or thereabouts by 2025. We will go as fast as we possibly can and we will get to 100% as quickly as we possibly can. I know the hon. Lady wants me to put a date on that, but the point is that we will go as fast as we possibly can. We will talk more about what the phasing looks like as we talk more about the gigabit programme. We will release some details this side of Christmas and some more in the new year. If the hon. Lady will be slightly patient, we will be able to release some more details. One of the key factors for the gigabit programme has to be providing people with transparency about what happens when.
I thank my hon. Friend the Member for Tiverton and Honiton for securing this debate. It is a hugely important issue for everyone across Devon and Somerset. I understand and share the frustration. I would be very happy to have another one of these debates, but I really hope we will not need one.
Telecommunications (Security) Bill
Chi Onwurah ExcerptsMonday 30th November 2020
(3 years, 5 months ago)
Commons ChamberRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
I start by thanking Members from all parts of the House for a well-informed debate with many impressive contributions. My first job as a hardware engineer was with Nortel, which has been mentioned by a number of Members. Having spent 23 years in the sector before entering the Commons, I am thrilled that the main debating chamber of our parliamentary democracy should spend so many hours dedicated to our telecommunications infrastructure. I regret that Members who wanted to take part in this debate, particularly from the Opposition Benches, and who could have done so remotely, were not able to do so because of an arbitrary decision by the Leader of the House.
However good the debate is, it cannot make up for the wasted decade under this Government. Successive Tory Governments have squandered the world-leading legacy position on broadband infrastructure left by the last Labour Government. Since then, we have seen delays in the roll-out of networks and the development of a dependency on high-risk vendors. The UK’s sovereign telecoms capabilities and our national security have been neglected, resulting in the Huawei debacle and ultimately this Bill.
My hon. Friend the Member for Cardiff Central (Jo Stevens) put it so eloquently: national security is the first duty of any Government, and Labour will always put that first. The point was made strongly by a number of Members, including the right hon. Members for New Forest East (Dr Lewis) and for Chingford and Woodford Green (Sir Iain Duncan Smith).
Given where we are, we support the aims of the Bill. National security should be the priority of any Government, and our telecommunications infrastructure is clearly critical to our defence, our security and our economic prosperity. That point was made by a number of Members, including the hon. Member for The Wrekin (Mark Pritchard).
We must make sure that we do not find ourselves in a similar position again and that our telecoms network and supply chain are resilient and protected in future, even, critically, as the geopolitical environment evolves. Our telecoms infrastructure lacks security and resilience. We have taken no steps to maintain or develop a sovereign communications capability, and the Government’s broadband strategy, if we can call it that, has far more U-turns, dither and delay than meaningful policies. We want to work with the Government to get issues of national security right, but the Bill is far from perfect.
Members have raised many issues, and I will focus on just three: cost, resource and diversification. I have found telecoms operators to be extremely responsive to the need to take action on the issue of, and in the cause of, national security and to replace high-risk vendors, but six months since the decision to strip out Huawei was finally made, we still do not know how the Government plan to achieve this. They seem to have decided that that is for the private sector to sort out.
The impact assessments, of which there are two, admit that the Government cannot figure out what the impact will be. They have chosen not to give operators any legal protection on existing contracts, but have again not quantified that impact. The Government are apparently happy to pass on the costs of their mistakes, indecision and poor planning to the operators, stating that the costs of removing Huawei are
“commercial decisions that are for the mobile operators to make.”
Yet clearly there was a failure Government here, as 5G security was not sufficiently safeguarded, in the ways that the right hon. Member for South Holland and The Deepings (Sir John Hayes) set out so clearly. Will there be a delay in 5G roll-out? Again, we are not clear, and depending on what is factored in, various research projects have found the costs to be anything from £6 billion to £18 billion. If the Government plan to leave this entirely to the mercy of the market, I would say that all the information-gathering skills Ofcom has will not give us an accurate integrated view of progress and effectiveness. There is no mention of working with local authorities to ease this or to make it quicker, cheaper or more effective.
I joined Ofcom in 2004, just a few weeks after it was born, when it was to be a light-touch regulator, small and nimble. Over the years, it has acquired responsibility for critical national infrastructure; the BBC; the Post Office; soon, we understand, the entirety of online harms; and now, it would appear, national security as well. As Members have pointed out, this Bill refers only to the Secretary of State and Ofcom when it comes to making these key decisions. Of the two, I have to say that I would have more confidence in Ofcom, but the Bill says very little about the resources or the skills that will be provided. This is a huge job, an issue that my right hon. Friend the Member for North Durham (Mr Jones) set out so clearly in what was a truly excellent contribution. One still has to ask: is it sufficiently well scoped? It is a huge job, but is it actually scoped? Is it the role of Ofcom to consider the security of our current networks, or should it be forward-looking? Members have set out what kind of a challenge that would be. Members also touched on the importance of human rights with regard to China’s record. How is that to play on national security decisions?
Sir John Hayes
The real point about Ofcom is whether it acquires those skills or what the processes will be for it to access them from the intelligence community and the National Cyber Security Centre, which would seem to be a much more straightforward way of quickly tooling up to do the job the hon. Member describes.
Chi Onwurah
I thank the right hon. Member for that intervention, and indeed for his contribution to the debate. I agree with him, although I think that is something we need to work out and probe in Committee, because currently there is no reference to that, or no plan to do that. I think we should certainly be taking into account and using our existing resources, and we all know that these kinds of resources and skills are both expensive and hard to find at the moment. The right hon. Member makes an important point.
On 14 July, the Secretary of State, who is not in his place, said in this House that he had
“set out a clear and ambitious diversification strategy.”—[Official Report, 14 July 2020; Vol. 678, c. 1377.]
I asked him repeatedly over the summer when he would publish this clear strategy that he had already set out. Answer came there none, and I could only conclude that he had misspoken. However, I did think that today we would get that strategy, but unfortunately not. Yes, there is actually a diversification strategy, which has been published, but it is neither clear nor ambitious. It is far more concerned with bringing new vendors into the UK than with developing our sovereign technological capability. Indeed, as it diversifies opportunities for Nokia and Ericsson, we could call it an effective Scandinavian industrial strategy. Apart from a vague commitment to link the scale of home-grown suppliers to the Government’s broader growth and productivity agenda, there is no clear plan—no plan at all—to build UK sovereign capabilities, which the right hon. Members for Vale of Glamorgan (Alun Cairns) and for Bournemouth East (Mr Ellwood) emphasised as being important.
Just today, Mobile UK, the mobile operators industrial body, emphasised that the Bill and the 5G diversification strategy are intrinsically linked but not, it would appear, by the Government. The diversification strategy also does not refer to fibre, although the Bill applies to our fibre networks too and may impact the Government’s constantly shifting roll-out targets.
Network operators need to be confident in the maturity, performance, integration and security credentials of new vendors and technologies before they are deployed in their main networks. We agree with the Secretary of State that the Government can help accelerate that process, and in doing so there is potential to create opportunities for the UK to take the lead, as well as much-needed high-skilled jobs. The hon. Members for Totnes (Anthony Mangnall), for Strangford (Jim Shannon) and for Bracknell (James Sunderland) all agreed about the importance of diversification, but all the diversification strategy says about developing UK technology, jobs and capability is that it will be part of the industrial strategy, which we have yet to see. Clearly, we do not have a diversification strategy.
Mr Kevan Jones
Does my hon. Friend agree the Bill will have to dovetail closely with the National Security and Investment Bill? If new developments were taken over by foreign entities, that could be a security risk as well. However, as we were told last week, the responsibility for that lies with the Department for Business, Energy and Industrial Strategy, not DCMS.
Chi Onwurah
My right hon. Friend makes an excellent point. He is absolutely right. The question of how the diversification strategy delivers home-grown capability and protects that as it grows and strengthens has been avoided.
As the shadow Secretary of State said, it is important that everyone can benefit from 5G, both in our technological capability and in using it. There is a digital divide in this country: 11 million adults lack one or more basic digital skills and 10% of households do not have internet access. 5G has the potential to increase digital inclusion, providing greater access to broadband. As the hon. Members for West Dorset (Chris Loder) and for Caithness, Sutherland and Easter Ross (Jamie Stone) highlighted, digital technology can be a great leveller, but we need to ensure that the infrastructure and skills base exist for everyone to take advantage of the opportunities it provides. Digital inclusion requires political will, urgent action and a Government who understand the importance of universal digital suffrage. Government interventions on that have been brief—not quite as brief as the intervention of the hon. Member for Tonbridge and Malling (Tom Tugendhat) in the debate, but far less eloquent.
As a chartered engineer, I want to finish by celebrating the potential of 5G, which can truly transform our businesses, our industries and our daily lives. It will not only vastly improve our connectivity and browsing experience but support new enabling technologies, from the internet of things to artificial intelligence. If the first industrial revolution was powered by engines, the fourth will be powered by data. As hon. Members have observed, 5G is essential for innovations from driverless cars to smart cities, and to addressing the climate emergency through monitoring and improving our energy efficiency. Some estimates predict that 5G could mean productivity savings for the UK of up to £6 billion a year on top of energy and waste reductions that internet of things devices could enable.
We must get this right. As we all agree, our national security is priceless, but until we see a detailed plan, a proper impact assessment and an industrial strategy, the Opposition will remain deeply concerned that the Government are not prepared to make the interventions necessary to ensure that our national security is safeguarded.