Telecommunications (Security) Bill (Third sitting) Debate
Christian Matheson (Independent - City of Chester)
Public Bill Committees (3 years, 11 months ago)
You will both get a chance. We will go to Professor Webb.
Professor Webb: I am certainly all in favour of placing the requirements on those best placed to deliver them. For diversification, that is certainly the operators. I talked a bit about how you could, for example, offer them some financial incentive to have a more diversified supplier base. That would make some kind of sense, given that this would add costs to their management of the network.
In terms of security, I think it is a bit more difficult to see how that one might follow. I can imagine that there might be certain security issues where, for example, the decision might be made that a replacement is needed for a certain component in the network, or that they need to purchase some additional elements, and then you might imagine that it might help to have some sort of financial incentive to do that. But I think that would be on more of a case-by-case basis—I cannot see a clear, catch-all type of approach that would enable that.
Emily Taylor: I very much agree with what Professor Webb has said. Indeed, one of my reflections on the draft Bill is that it is very much at the stick end rather than the carrot end. Maybe we will start to see a bit more of the incentives coming through as the detail is filled out. But I think that thinking about incentives would very much reflect the close working relationship that there has historically been between the industry and Government. That is not the case in every country; it is actually a benefit in this case.
Security is expensive, and it is also long term. The telecoms supply chain review last year put it very accurately: the market does not reward investment in security—quite the opposite—so I would hope that there would be some recognition from Government about what is needed. I do not think that the investment in the diversification strategy is nearly going to match the investment that is required by the mobile providers who—yes, they are very successful large companies—have not had the great decade that, say, the Googles of the world have had in terms of their margins. So you are asking an already squeezed sector to make substantial investments, and I think that is the place where you could be looking at incentives.
Q
There is one way of looking at this legislation, which is that it can provide a market-led opening for suppliers, in a market that is no longer, in the long term, going to be distorted by, for example, Huawei, with its state backing. Is there any evidence, therefore, that other suppliers—first tier and lower suppliers—are looking at this and thinking, “There is a chance here to get back into the game”?
Ms Taylor, you talked about security being quite a difficult and expensive barrier to overcome, but are there any discussions in the wider sector about there being an opportunity to be had here, or about whether, actually, a stronger diversification strategy is necessary?
Emily Taylor: The initiative is welcome—the diversification strategy is welcome—but, as Professor Webb has described, there are many barriers to entry for new suppliers. To build out an entire country’s network requires substantial scale, and, very understandably, the operators are risk-averse. You cannot just turn up and build out a network; open RAN is exciting, but, as you have heard from witnesses—and this morning, from Professor Webb—it is not ready, yet, to build out an entire country.
Also, the market distortions can still happen despite a diversification strategy. You can well imagine that the companies that decide it is attractive to enter this market are not, perhaps, the cheeky start-ups that you would want to encourage; they would be already dominant in other sectors. Imagine if we were sitting here, in five or 10 years’ time, lamenting the fact that the equipment market is now dominated by Microsoft and Google. I am just making that up as a hypothetical example—I have no knowledge to back that up—but those are the companies that have the sufficient scale and skills, and as Chi Onwurah said in her question we are moving to a more hybrid network, where skills in cloud computing and software are going to define the success of the player.
Professor Webb: If you want to encourage a new entrant—be that a company that has some skills in this space but is upping its game to develop a complete system, or a brand-new company—they have got to develop the equipment, and that involves developing a lot of software and hardware, and an awful lot of effort and investment. If you add yet more requirements on them—for example, security requirements—that makes their effort even harder; it makes it even harder for new entrants to compete with existing players, who have already made much of that investment, to have the scale and capability to add on that extra. Adding security is the right thing to do—I am not criticising that—but the implication is that it will make it harder to diversify the supply chain. What you want to do is make it as easy as possible for new entrants, with the minimum requirements on equipment, if you want to bring a larger number in.
Q
Professor Webb: I am not sure it would quite work like that. I think the operators would always want to procure to a certain security standard, whether there is legislation or not, so everyone would have to get to that standard. Raising the standards bar would essentially require everyone to move up higher above that bar.
Emily Taylor: If I may, just to support Professor Webb’s point, the security standards do not level the playing field, although they are the right thing to do. In just the same way as we have seen some of the perverse consequences of, say, GDPR, the companies that have the scale and capacity to absorb the cost of compliance fare better than the smaller companies, who really do not have the scale and capability. The disincentive to enter the market, or perhaps the incentive to exit the market, as a result of these requirements, hits precisely the type of companies that you want to encourage, although it is welcome to see some recognition of that in the factsheets, with the tiering system. The third tier would probably let the smaller independent ISPs and providers off the hook. It is not quite correct to view it as the security requirements levelling the playing field. They are definitely required, and the market is not delivering that, but it will require close monitoring, I think, to ensure that there is still a competitive market.
Q
Finally, could you sum up the chat around the sector at the moment? I get the impression that you are suggesting there is still a way to go to bring confidence that we can diversify across the broad range of the sector, as a result of this proposed legislation, and that there is still more reassurance and consultation required.
Professor Webb: Certainly, as I look at the information that I get back on ORAN, there is a lot more scepticism than optimism throughout the sector about its ability to do anything in the short term. We have talked a bit about why that is the case.
There is potentially more promise from the vendors that are somewhat established—the Samsungs and the NECs—and there is generally better comment about their ability to do something. If I had to look at what I am seeing around the industry and bring some advice, it would be focused on those vendors, rather than ORAN, as the most likely source of diversification over the next few years.
Emily Taylor: I can talk about the feedback that I have been getting. I come from a segment of the internet environment that has not historically been highly regulated at all. I would reflect that, if this Bill were brought forward to cover that sector, you would hear the screams. One thing that has really surprised me, and reassured me to a certain extent—it came through in the evidence you have heard—is that there is a degree of comfort with the direction of travel, and I think that speaks to the strong relationship that the industry has with Government on that.
Q
Lindsey Fussell: I think that is really a question for Government rather than the regulator. We will be ready to provide whatever accountability the legislation requires of us, as well as providing direct accountability by talking to Parliament and Select Committees.
Q
Lindsey Fussell: I think the structural framework helps us a great deal here, as I have already indicated. Clearly, the NCSC carried out a really detailed supply chain review, which identified the threats that could occur in different elements of the network, and it has now turned that into telecoms security requirements and, ultimately, into the code of practice. We will be giving—indeed, the legislation requires us to—considerable weight to that code of practice and the judgments that the NCSC has reached on what is required to combat threats. That will then enable us to judge and monitor whether operators are doing what is said in the code of practice.
If, for example, an operator were to say to us that it was not going to meet something set out in the code of practice because it considered that an alternative way would meet that threat, we will have arrangements in place with the NCSC to enable us to seek its advice and guidance at that point on whether that satisfies the requirements of national security.
Q
Lindsey Fussell: Clearly, we would start that conversation within the team and escalate it if necessary, but I do not think that it will actually be an issue in practice. We already have very good working relationships in place with the NCSC, and regular collaboration and discussion. The legislation enables us to share information with the NCSC to enable either it or us to perform its duties. I do not think that there will be any issue in practice, or any surprise in terms of our regular interactions with it.
Q
Lindsey Fussell: Yes, we do. Of course, like any organisation, you would expect that. Ofcom has a range of people with different skills in it, as you would expect. It is actually far broader than, for example, some of the Government Departments that I have worked in before. We have people who are specialist technologists. Simon has talked about his experience. We have economists, lawyers, colleagues who specialise in enforcement, colleagues who specialise in policy, and many other professions. Although people absolutely do move and develop their career, and certainly in relation to these kinds of new responsibilities we will look to upskill existing colleagues where that is possible and where it makes sense to do so, we also employ an awful lot of specialists who will tend to stay more in that specialism and apply that to our work.
Q
Lindsey Fussell: I am certainly not going to deny that there is quite a lot going on, and the organisation is expanding, as you say, albeit with different deadlines and different timescales for the new responsibilities. I have already talked about our recruitment plans to ensure that we have the specialist skills in place to focus particularly on network security, as well as the enforcement and legal support that we will need to deliver this regime, which is a very important part of it.
It is also worth reflecting, though, that there are some really interesting overlaps between different areas of our new responsibilities. If I think of the responsibilities that we have just taken on in relation to video sharing platforms, we are having to understand, as part of those responsibilities, network infrastructure, data analytics and so on. All that actually calls on similar skills and experience that we will need for the regime that we are talking about today, so there is some crossover that we can draw on. Simon, did you want to add anything on that?
Simon Saunders: Absolutely. We have different teams that we are building for the different responsibilities, but there are definitely overlaps between them, and in particular we have built a team of technologists particularly to inform our work on online issues, including, but not limited to, online harm. That comes with a need for us to have technologists who have worked in, and understand, a range of cloud-based computing platforms and the online social media platforms in general. The underlying [Inaudible.] technologies are the ones that increasingly telecoms networks are being built with as well—the so-called cloudification, or virtualisation. So, helpfully, when we recruit specialists in the one area there is the opportunity for them to contribute to the other areas of our responsibilities and to ensure that our approach to these things is [Inaudible.] I think we actually get benefits from having multiple of those duties, rather than separating them.
Q
I want, with permission, to ask a question about three areas: security, assets and costs, and duties. I share some of the scepticism of my right hon. Friend the Member for North Durham about the statement that Ofcom will not be making decisions on national security. You will clearly have duties with regard to national security and one of the key duties is to ensure compliance of our entire network—all our networks—with national security requirements. So how are you going to ensure that compliance without taking decisions on security? You seem to suggest that it is just going to be a set of protocols, if you like, from the National Cyber Security Centre, and you are just going to look at ticking the boxes to see that they are met; but in practice that cannot be the case. It is far more complex than that, particularly with regard to emerging technologies.
Another issue is that the Bill puts all the requirement to ensure compliance on Ofcom, in terms of Ofcom seeking information, Ofcom requiring information, Ofcom setting out notices to inspect, and so on. For example, let us say that one of our network operators—I shall not name one—decides to buy all its cloud or virtualisation equipment from a Chinese manufacturer that is not designated a high-risk manufacturer. Would Ofcom be informed of that change in its network? How would that pass to the National Cyber Security Centre—or would it not? Without that kind of duty in place, is there a risk of what you do becoming a meaningless tick-box exercise and, particularly, of its not addressing future and emerging security threats? That is my first question.
Lindsey Fussell: The point that you raise about this needing not to be a tick-box exercise is absolutely vital. I think actually what we are talking about in this legislation is changing culture—crucially among operators but also in terms of giving the regulator new responsibilities and changing the culture that we have, and the responsibilities and the range of the role we take on in relation to this. So this is absolutely—the legislation in fact specifically says so—about future technology as well as about existing networks. It is critical, I think, that we and the operators go on this journey together in terms of promoting that security by design, in everything that is done.
Picking up your question specifically in relation to assets, I think it is more or less impossible to meet the requirements set out in the code of practice for the operators unless they have a detailed asset register of everything that is in their system. We would expect to see evidence of that, and that it is regularly checked, audited and so on. That would be an expectation for us.
On the relationship with the NCSC, as I say, we have specific provisions in place that enable us to share information with the NCSC. As we collect that information with operators, we will discuss with them in advance what type of information they want to see on a routine basis, sharing that and clearly taking guidance from them as necessary if they think there are national security issues that we need to be aware of.
I mentioned earlier about having security clearance in place. To expand on that answer, we have a small number of STRAP-cleared staff in Ofcom, and we will expand that if need be. Those relationships with the NCSC are already in place and will be productive. I should say also that if the NCSC identifies new threats, or if we identify new threats, I think the legislation is flexible and it is right to be so, in that the code of practice can be updated to reflect that.
Simon Saunders: Could I also add that, in respect of our role in emerging technologies, we are not only awaiting others to tell us which emerging technologies to pay attention to? We have our own independent programme of monitoring and horizon scanning for technologies that could appear and have an impact on the networks and the sectors that we regulate. Clearly, the implications are not only about security. They cover a wider range of issues of performance and costs and flexibility and so on. We actively monitor across these sectors for those technologies.
I mentioned earlier that we recently published something about technologies heading for the future generations of mobile. That also covers fixed networks, the advent of quantum technologies and distributed software technologies in networks, and so on. That programme yields an advance look for colleagues about threats and opportunities that are coming towards us into the markets, so that we can build the skills and consider the implications well in advance of their actually impacting on those networks.