Telecommunications (Security) Bill Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Earl of Erroll
Main Page: Earl of Erroll (Crossbench - Excepted Hereditary)Department Debates - View all Earl of Erroll's debates with the Department for Digital, Culture, Media & Sport
Telecommunications (Security) Bill
Earl of Erroll ExcerptsTuesday 29th June 2021
(2 years, 9 months ago)
Lords ChamberRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Consideration of Amendments as at 25 May 2021 - large print - (25 May 2021)
The Earl of Erroll (CB)
My Lords, this Bill is generally welcomed and very well intentioned, but it really lacks any effective parliamentary or judicial oversight, as has been quite forcefully pointed out. I agree with everything the noble Lord, Lord West, said on this issue. We should use the ISC for this. As regards the excuse that designating a vendor or something might leak too early, it will leak anyway—something as big as that will be all over the place in five minutes.
This is not without cost and pain, and we are already seeing it. The Government have already revised their target for rolling out full fibre from 100% coverage to only 85% by 2025. The disruption caused by a rule to, say, extract Huawei or anything from the network has far-reaching consequences. After all, way back at the end of the 1990s, I think, we gave the contract for redoing the BT 21st Century Network to Huawei and not Marconi. We bankrupted a British company and gave it to China. That decision was taken a long time ago, so it is embedded in all our ordinary telecoms at the moment—not 5G, but the ordinary stuff that our telecoms are running over. We must be careful about this revising down of our targets, because it will affect our global competitiveness. We must be careful not to cut off our nose to spite our face. It is very easy to take a high moral stand, but at the end of the day we also have to survive on the global stage.
What this Bill does may be very effective for blocking foreign access, in trying to ring-fence the UK, but we could also create a single point of failure if we are not careful. There are not many suppliers of equipment of the type that will run the backbone of the internet. We are basically talking about Cisco and Huawei; Samsung also has a whole load of stuff out there; there are a whole lot of others—such as Nokia, Juniper and Hewlett Packard Enterprise—but nothing is quite as big as Cisco and Huawei. One of our problems is knowing whether Cisco is okay; some of its components, such as motherboards and other things, are manufactured in China. With the global supply chain, it is not as simple as it seems.
The second thing that worries me is this assumption that, just because we do not have Chinese equipment in the UK network, we are safe. First, China is not necessarily the only one interested in what we get up to; when you get into trade wars, many people who may appear to be our allies are maybe not on our side entirely when we are negotiating international contracts, so we should be careful of that. The other thing is that, if we create a monolith with one supplier—it does not matter who it does not include—it is vulnerable. The way the internet works at the moment is that, if you have multiple suppliers sitting in Britain, it does not matter whether they are hostile or not. Routing over the internet is inherently vulnerable because of the way it is constructed. However, it splits your message up into lots of packets that go over different routes. If they are going through lots of different people’s equipment, it is impossible for any of them to get the whole message; if it is all with one supplier, there might be technical ways they could do it. Funnily enough, one of the better security solutions is to mix them all together and keep it that way.
Next, there is a lot about trying to have the right rules and regulations and all that, but ensuring best practice cannot guarantee network security. Our current communications network has grown like Topsy; it is a mixture and mishmash of digital infrastructures all sitting on top of a whole lot of analogue stuff. It is very complex, with lots of ill-defined interfaces sitting in there. If you are going to start ripping some of it out and say that we have to do it by a deadline, you need to know what is there before you do it. This means we will have to maintain very accurate and secure databases—otherwise that is a vulnerability—probably down to component level, but certainly batch level, of what is in there, so that if you suddenly discover a vulnerability somewhere, you can get the other stuff out as well. We must do this categorisation of our assets in the network. That in itself is a security risk because it is very interesting to a foreign supplier, so that part of it is very difficult.
As for Ofcom—I am interested in this—we need some further clarity on how it will interpret the legislation, impose penalties and all the bits and pieces like that. The manner in which it develops its role as regulator will be vital for it to be a success, and how it decides what the significant risks are will be very important. On my noble friend Lord Vaux’s point, I have been told by someone that Ofcom’s reach could be extended because the legislation is very generally written to cover services—for instance, they were talking about banking fraud—and public electronic systems. In fact, it could drag in non-telcos, because they are services. It is not just about the hardware and equipment behind it, though it all started off with Huawei. There is a lack of clarity.
Someone had a very good idea, which has been adopted for some fintech stuff, that we could maybe have sandpits, where new entrants to the market could develop new stuff—new equipment, et cetera—and try out their ideas in a realistic environment to make sure that they are okay and will work before they put them into the network, if it is a secure network. I think that is a very good idea. Another very good idea put to me is that we should have the assistance of an independent commissioner and a technical panel overseen by Parliament and the judiciary. It is needed here. This model is used by the ICO and would probably be very helpful, so I would like it considered.
Telecommunications (Security) Bill Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Earl of Erroll
Main Page: Earl of Erroll (Crossbench - Excepted Hereditary)Department Debates - View all Earl of Erroll's debates with the Department for Digital, Culture, Media & Sport
Telecommunications (Security) Bill
Earl of Erroll ExcerptsTuesday 13th July 2021
(2 years, 9 months ago)
Grand CommitteeRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 15-II(Rev) Second marshalled list for Grand Committee - (13 Jul 2021)
Lord Naseby (Con)
My Lords, I apologise to my colleagues that I was not able to speak at Second Reading. I am quite clear, as I suspect we all are, that the security of the UK’s telecoms infrastructure is vital. Sadly, we come pretty late to the scene. The expansion of 5G and full-fibre broadband should have happened years ago, so this is not before time.
I read economics at Cambridge and looked at a number of aspects of economic expansion there, particularly in relation to business sectors. It is all very well saying that we will try to prevent the supply chain to the UK network being dependent on a limited number of suppliers. That may be a good idea in theory, but I just reflect that we have a national grid which is every bit as important as 5G; we have one or two aircraft manufacturers, and we have a couple of shipyards, so I just wonder whether there are a whole lot of suppliers out there for the telecoms world—there will be others who are better qualified than me to judge that. However, it is clear that we need to identify areas of risk, and Huawei is clearly one of them.
I would just ask a couple of simple questions. The noble Baroness, Lady Northover, mentioned Five Eyes. Is there a co-ordinating structure for Five Eyes in relation to this particular structure? If so, where is it based, what is our contribution to it and who exactly is doing it?
Some of our colleagues may have read the recent trading standards report that has just come out—I read it only last evening. A massive number of scams is happening at this point in time and we are dealing with the trouble they cause.
Amendment 20 refers to
“a specified country or … sources connected with a specified country, including by ownership or investment”.
I have worked overseas, including in a fair number of countries in south Asia such as Pakistan, India and Sri Lanka, so I ask: who on the ground will actually be doing the work? Quite frankly, I know of nobody in any of our high commissions capable of doing that sort of analysis. Do we have a floating investigatory system? How are we going to judge the evidence properly?
On Amendment 27, we need to take care, clearly, but we must recognise that there may be a valid opportunity in a company that has upset the host Government. You and I would not know the situation, but we should be aware of that fact.
I am a bit sceptical about the security check. I made a freedom of information inquiry—it was nothing to do with telecoms—and, at the end of the day, the reason given for not producing all the evidence following my FoI request was the security of the country. It was never explained in words of one syllable—or indeed in any syllables at all—what aspect of my inquiry would affect the security of the UK. I would like to know this from the Minister: are we relying on Five Eyes or are we relying on Ofcom? Who is it specifically that will be doing this analysis?
The Earl of Erroll (CB)
My Lords, I want to say a few words on this. It is highly relevant that we keep a close eye, but on all vendors, including the ones that may seem okay at any given moment—the world keeps changing. I am not an apologist for, and nor do I wish to promote, China in any way whatever, but it happens to be there and it happens to have ripped off a lot of Cisco stuff a few years back and improved it. The Japanese did this to our cars, many years ago—nothing changes.
The real problem is that we do not manufacture this sort of stuff here; some of it is manufactured in Europe, and of course we are no longer part of that, but does that matter anyway? We are reliant for the supply of all this electronic equipment, and the components—such as chips, which I mention specifically —on China and many other places. The Americans also rely on China to manufacture components which they then put in their equipment. We had a security compromise a few years ago, when compromised components were put into some Cisco equipment. It is more complex than trying to ban one company or one country. But there are not many alternatives for us here, and that is the real problem. We need to get some home-grown stuff going and we need to get it done very quickly if we want to be really secure.
What are we going to do about it? The thing that worries me is that you cannot assume that your allies are always your friends in everything. We have to be particularly careful of being dragged into a trade war under the cover of security or defence—and this does happen. The cost of this whole thing is not so much that Huawei will try to cause us problems in some way unknown if we remove it from our system completely; there is the other side of it. If its technology is working and is better, and we can make sure in various ways that we are secure against what Huawei might do, its technology might get us to where we need to be in an internet world a lot quicker. I notice that we have already delayed quite substantially the rollout of broadband everywhere and 5G—everything seems to be stalling because of these rows, which to me are trade rows.
I fully understand the points of the noble Lord, Lord Alton, about supporting regimes that are doing appalling things around the world. The trouble is that there are an awful lot of them. Take the situation he mentioned, to do with cameras. It is actually the software that does the facial recognition, not the camera; it is purely a bit of hardware that takes a very good, high-quality photograph, and there are many alternatives to it. Who is supplying that facial recognition software? That is where I would really target, and I would bet it is China. If there are bits that are useful to us, we need to use them. We need to stay in the world and we need to get ahead. We are not ahead and we are going to drop behind more and more.
The other difficult thing about picking a fight with China is that, if we are really going to go net zero and start going all electric in the next few years, lithium supplies and processing are from China. There is already a shortage of chips and other things in the automotive industry; I am sorry, but we are reliant on an intertwined global supply chain which stretches all over the place. We must be very careful about singling out one country, but we are—and that is why the amendment is useful. We must have something that says that we are keeping a proper eye on the whole lot of them.
The Earl of Erroll (CB)
My Lords, I rather agree with the noble Lord, Lord Clement-Jones, on this matter. The Bill is meant to be about security, not about “anything”. I have seen this happen with other legislation—that it suddenly becomes convenient to take something never intended for another purpose and, because it is very broadly worded, use it to beat some company or someone over the head over something completely unrelated. I am afraid that I agree that the Bill needs to be tightened up and brought down to security issues, not just “anything”.
For starters, a powerful, predominant supplier of routing equipment in the IP network would be a security risk. If anyone relies too much on one supplier—and they may unfortunately be pushed in that direction—it becomes a security risk, and we may have to close down some providers: “Oh dear, that’s our network finished”. That would be stupid. We are going to be anti certain companies. Companies get based or controlled elsewhere as takeovers happen internationally, so I see a certain amount of difficulty with this if it is very wide.
I come to what the noble Lord, Lord Fox, said. The reason we lost our manufacturing, of course, was that BT selected Huawei as the preferred supplier of the 21st-century network rewrite in 2005. That is the point at which we closed down our capability, effectively being blackmailed by America to get rid of Huawei while potentially blackmailed by Huawei, which could get too much control. We need to look at these strategic decisions where private companies that used to be government suddenly make companies that affect UK security. I have never been happy about that.
Lord Fox (LD)
My Lords, in response to the noble Earl, Lord Erroll, I say that it is also a huge issue when you have, essentially, a near-monopolistic private sector supplier, which makes any decision completely catastrophic for the under-bidder. I am speaking not to that but to Amendments 2, 3, 4, 5 and 6, which, as my noble friend Lord Clement-Jones pointed out, bear my name. He set out a very clear rationale for these amendments, which back up the concerns of the Constitution Committee and, indeed, some suppliers. Rather than reiterate those, I beg noble Lords’ indulgence to illustrate the point, inviting them to join me in a thought experiment. They need not worry—it is not going to hurt and I will not be pushing them into a Petri dish or anything like that. I simply ask your Lordships to imagine things the other way around: imagine that the Telecommunications (Security) Bill did indeed include the words currently proposed by my noble friend Lord Clement-Jones and myself, words that clearly identify that the focus of the Bill should be on the security of telecoms.
I ask noble Lords to continue to use their imagination that it was my noble friend and I who were proposing changes to include the words that are currently there; in other words, imagine that we were proposing to take the word “security” from this imaginary Bill and turn it into “anything”. Broadening the cover, as we have heard, would broaden the problem around any interruption very widely. I do not know but I dare say that, if we tried to do that, the Public Bill Office would have something to say, pointing to the Long Title of the Bill, which is:
“To make provision about the security of public electronic communications networks and public electronic communications services”
—in other words, security. Were we to try to take that word out and put in “anything”, I dare say the PBO would not allow us to do so.
If we did however slip it past the PBO, I guarantee that the Minister of the day would tell us that this would subvert the Bill’s intention and would take away the Bill’s focus from security to some of the imaginary things that the noble Lord opposite suggested—or, indeed, a digger backing into a green box somewhere in Kent. This is not the “Telecoms (Mishaps) Bill” but the Telecommunications (Security) Bill. These simple and modest amendments focus the Bill on its stated objective.
Lord Naseby (Con)
My Lords, I am sorry that the noble Lord, Lord Clement-Jones, does not like my analogy of flying. I just remind him of a recent series of Boeing airliners that crashed with a huge loss of life when the security of flying was overridden by a piece of machinery. I stick by my analogy but I will not progress that any further in relation to these amendments.
The Bill says clearly:
“publish the code; and … lay a copy of the code before Parliament.”
However, it does not allow Parliament by right to debate that code and any amendments that come. This is a fast-moving market, as we all know. New opportunities have come up that will have a security dimension to them. There will be new developments, I hope, from our own technical universities so there must be some provision for the expertise that both the House of Commons and the House of Lords have within them to debate. Those of us who have been in Parliament for a few decades know that quite often there are unusual people who have a particular niche that they know something about. That is the benefit of the experience of Parliament.
I agree with the noble Lord that it ought to be done on the affirmative procedure. I sat in the chair for five years during the passage of all the Maastricht and other Bills and there are certain areas where it is absolutely crucial that it should be done by affirmative resolution. Therefore I certainly support that dimension.
The Earl of Erroll (CB)
My Lords, I can see that it might be useful to avoid scrutiny sometimes when we have to finesse difficult issues—say, balancing effectiveness and public perception of certain other issues, or whatever. We can also end up with an awful lot of SIs in front of both Houses and everyone feeling rather swamped and bored by them and no one really doing anything about them. The trouble is that we get more and more wide-ranging powers in Bills, and this is a particular example of it. The more we do that, the more careful we have to be about the secondary legislation, because that is where the devil resides and that is where the real control is. We have just passed something that enables a takeover by the Executive. In some cases that may be a good thing; in others it could be very dangerous. To be honest, because of the huge, general issues in these Bills, I now come down in favour of the affirmative procedure. We are going to have to scrutinise it.
Lord Fox (LD)
My Lords, harmony is breaking out across the Room, with the possible exception of the Minister. I will not reiterate my noble friend’s well-put argument but I refer the Minister—I am sure she has already read it—to the impact assessment. I am increasingly of the opinion that the single most useful document that comes with the publishing of a Bill is not the Explanatory Notes but the impact assessment. The department is to be congratulated on the quality of the one produced in this case.
Page 30 of the impact assessment covers the monetised and non-monetised costs of this. At the front of the assessment there is a number. However, point 6.1 says:
“This impact assessment makes an estimation of the costs and benefits of the options”.
It says it brings together “a number of sources” and notes that there are “limitations to the analysis”. The first is the
“lack of robust and specific data”—
that is a fairly serious limitation—
“for example on UK telecoms market size and the size of specific sub-markets”.
Therefore, the number on the front is based simply on—obviously, well-intentioned—estimates of the telecoms market. Furthermore, the costs are quantified based on equipment costs. They are not based on the friction of running a network under the constraints of this Bill, which is itself a glaring error in how one looks at the cost of this Bill in terms of impact.
It is not just about the cost and replacement of equipment—it is about the draft regulations to which my noble friend Lord Clement-Jones referred. They cover all aspects of the operation of the networks in this country. We are looking at a situation in which, if the Minister so chose, the regulations could be made and implemented such that the Minister ran the networks by remote control from the department. That is why these safeguards, parliamentary scrutiny and the affirmative process are an important safeguard to prevent attention—not, I am sure, from this Minister or this Secretary of State, who I am sure can be trusted with these regulations, but we do not know who will follow or what their intentions will be.
As the noble Earl, Lord Erroll, wisely said, to hand over these powers without simultaneously taking significant powers of scrutiny of the statutory instruments that will inevitably follow is the wrong way in which to pass a Bill in your Lordships’ House. For these reasons, along with the huge uncertainty of the cost of what we are doing here, I commend my noble friend’s amendments.
Lord Clement-Jones (LD)
My Lords, I hope I am demonstrating the agility of which the Minister is so fond. As I said earlier in respect of the judicial commissioner, these amendments provide a ready-made mechanism for oversight concerning the proportionality and appropriateness of any measures in the regulations and codes. Taken together, Amendments 9 and 19, would require the Secretary of State to take into account the advice of the technical advisory board—and insert a new clause after Clause 14—and that of a judicial commissioner appointed under the 2016 Act. We have gone a little further in specifying the make-up of the technical advisory board, but we are clearly on the same page as the noble Baroness, Lady Merron, with her Amendment 8.
The Earl of Erroll (CB)
My Lords, I want to speak on this issue as I remember mentioning it at Second Reading. There is a person for whom I have huge respect, Dr Louise Bennett, whose extensive knowledge and sagacity I first ran into when we were talking about ID cards years ago and the whole problem of digital identity and privacy over the internet. If you really want to know about such things, read her work: she has produced a lot of work on this. I think a technical advisory board is essential: these are complex issues. The Minister said that the matters subject to regulation will be technical. I do not see how we can do this without a good technical advisory board, and it is good if we have some view of who goes on it, because it is too easy for these things to disappear off and no one thinks about them. We will keep needing cutting-edge advice and not have groupthink, and these matters are very tricky.
Between Amendments 8 and 9, I could not decide between taking “the utmost” and “full” account; there is a neat little difference in the wording. Otherwise, the point about laying it out properly is important. The other thing, which slightly goes back to our previous debate, is that we get into the whole problem of what are regulations, what is guidance, what are guidelines and what is a code of practice and the different legal stance of those different things. We have to be careful about using them as if they were interchangeable. Regulations will often give rise to a code of practice, breach of which is not necessarily an offence, but they can be linked back to a primary Act offence. We should not bandy those words around interchangeably; they are different. We need a technical advisory board and, between these amendments, we should do something about it.
Lord Clement-Jones (LD)
My Lords, in its evidence to the Bill in the Commons, BT said:
“we believe greater clarity is needed on OFCOM’s planned approach, with safeguards introduced in the Bill to ensure operator burdens are proportionate.”
Amendment 10 seeks to ensure that codes of practice are necessary and proportionate.
As regards Ofcom’s new powers to ensure compliance with security duties as set out in new Section 105M, how will these relate to Ofcom’s existing powers and duties under Sections 3 and 6 of the Communications Act 2003? Will this duty and the new powers Ofcom is being given still be subject to good regulatory practice so that, for example, it still must have regard to the principles of transparency, accountability, proportionality and consistency and not impose unnecessary burdens? How will this fit in with the statement to be made by Ofcom under new Section 105Y?
Amendments 16, 17 and 21 to Clauses 5, 6 and 19, in my name and that of my nobble friend Lord Fox, seek to ensure that the new powers for Ofcom introduced in the Bill are subject to requirements in the 2003 Act regarding carrying out and reviewing its functions. I was pleased that in her letter to noble Lords after Second Reading, the Minister explicitly said:
“When carrying out its security functions, Ofcom will remain bound by its general duties under Section 3 of the Communications Act 2003 as it is now. Section 3(3) provides a duty on Ofcom to have regard to the need for transparency, accountability and proportionality when carrying out its functions. Ofcom will also be bound by its duty under Section 6 of the Communications Act 2003 to review the burden of its regulation on public telecoms providers. If Ofcom fails to carry out its security functions in line with these duties, then it is likely to be subject to legal challenge.”
I very much appreciate those words, which are a very clear interpretation of the existing Act and the duties of Ofcom and the responsibilities it has in the way that it carries them out. Will the Minister repeat that assurance today?
The Earl of Erroll (CB)
My Lords, I want to say a few words on this because the key words “undue burden” stand out. It is very important that we do not put too many burdens, particularly unnecessary ones, on companies. In particular—and this is something that I have often looked at because I have done a lot of work with innovative and growing companies—you must not let large corporations stifle innovation. There is an attitude among them that regulations are for your enemies; they are a very good way of stopping up-and-coming competition. I have also noticed that departments tend to consult the companies which have significant market presence already and see them as being the people who know all about it. However, that does not take account of what is up and coming. The other thing is that they often have people on secondment from them or people who have retired from the companies and gone into the departments, so there can be some interesting biases within. With those few warnings, I think the whole undue burden issue is more important than people might think.
Lord Fox (LD)
The undue burden point touched on by the noble Earl, Lord Erroll, is really important. On a previous group I spoke about regulatory friction and the fact that this has not been costed into the impact assessment. Clearly, regulatory friction is harder for smaller companies to deal with than larger companies. I think that is the point that the noble Earl was making. It is one that I would also join up.
We should also not confuse lots of regulations with security. The whole point about people who wish to subvert security is that they understand the regulations and go round them. Indeed, sometimes regulations are a guidebook for security, in a sense, because they show the map around which you seek to find the chinks.
The point in the impact assessment about making the networks value security is right. On that, I completely agree with the Government. I am not sure that some of the measures in the Bill actually do that; what they do is create a regulatory load without necessarily adding value. Some of the measures that we spoke of in the last group of amendments, as well as in this, are about stripping this down to where value is added rather than simply more regulation being loaded up.
One of the great pleasures of speaking after my noble friend Lord Clement-Jones is that he normally says everything better than I would. He simply asked the Minister to repeat what was in the letter and to endorse the 2003 Act. I hope that he is able to grant his wish.
Lord Clement-Jones (LD)
My Lords, I shall speak to Amendments 14 and 15. I wanted to say on the last group of amendments that I entirely agree with the noble Earl, Lord Erroll, about regulation. It is entirely possible for regulation to provide certainty, to stimulate innovation and, in the context of this Bill, to ensure that we have the right framework for our providers to ensure that our security is not compromised. So there is certainly no negativity in that respect towards regulation; the question is whether it is appropriate in the circumstances and not unduly burdensome for those subject to it. That is why the question of parliamentary oversight, which has been mentioned throughout this afternoon, continues to be important, and I think that it will come up again in the next group.
This amendment is on rather a different area. I have quite a lot of sympathy with Amendment 13 in the name of the noble Baroness, Lady Merron, but this is more nuanced than the Bill provides for. I want to quote again from the evidence of BT to the Bill Committee in the Commons. It said:
“We agree with the requirements on operators to support the users of their networks in preventing or mitigating the impact of a potential security compromise … In certain cases”—
and this is a sort of “however”—
“the security of the network may be put at greater risk if potential risks are communicated to stakeholders, providing malicious actors with additional information on potential vulnerabilities in the network that they may seek to exploit. We therefore believe that the Bill should explicitly consider such scenarios and not place obligations on communications providers to inform users of risks whereby doing so it will increase the likelihood of that risk crystallising.”
That is where our first amendment is going. BT further stated that
“the Bill also confers powers on OFCOM to inform others of a security compromise or risk of a compromise, such as the Secretary of State or network users. We understand the intention of the Bill in this regard and support the principle. We believe that this would be most effective when done in conjunction with the operator in question to ensure there is clarity and agreement, where possible, on the timing, audience and messaging of such information provision. This would also ensure that this does not cut across any other obligations that an operator may have, such as market disclosures. The Bill currently does not require OFCOM to consult with the operator prior to informing third parties of a security compromise (or risk of one).”
I think these are fair points. The Government must have an answer before Ofcom is faced with that set of issues. In this light, Amendments 13 and 15 make further provision about the duty to inform users of a risk of security compromise and specify that duties to inform others of “significant risks” of security compromises must be proportionate and not in themselves increase security risks.
The Earl of Erroll (CB)
My Lords, I put my name down to speak to this because the problem with putting a fixed time period on having to report security breaches is that it very much depends on what the breach is. We mentioned patches earlier. If it is a vulnerability in the software—or it may be the hardware—which requires a patch to be released, you must have the time to produce it and test it as fully as possible. You do not want the hackers out there to know what the vulnerability is until you can roll out the answer to it. That is what zero-day attacks are based on. Equally—the noble Baroness is absolutely correct here—you do not want this stuff swept under a carpet to sit there unused for years. Could our technical advisory board give advice at an incident level, or something like that?
Lord Fox (LD)
My Lords, this is an interesting and nuanced—to coin a word we used earlier—debate. I am probably the only person here who has had to deal with a national security issue that impacted a consumer brand in real time on television. I must say that 30 days was not an option—30 minutes was not an option. Picking up on the point of the noble Earl, Lord Erroll, the time is entirely dependent on the nature of the crisis or security breach. My fear is that 30 days becomes a target rather than an injunction.
I think the point here is “no burial”. I assure colleagues and others in this Room that our amendments do not intend to bury the issue either, but to introduce some equivocation in the event that not announcing something makes things more secure than announcing them. The point of this is not to protect the reputation or otherwise of the network, but to protect consumers and the integrity and security of the network. That is the decision Ofcom would need to make. That would be its call. Its default position would be that it needs to be communicated to consumers as quickly as is sensible, unless there is a reason not to communicate it, and it would be up to the network providers to put their position forward. However, there are definitely times when it should not be communicated. At the moment the Bill seems rather unequivocal in its approach.
Lord Clement-Jones (LD)
My Lords, we know how it is when you are on a roll. This reminds me that it is very unusual for somebody to have the opportunity to get in before the noble Lord, Lord Fox, draws breath, as the Chair did. “Very impressive footwork,” I thought to myself.
There has been a common theme this afternoon of a lack of oversight over aspects of this Bill in many respects—in particular, the regulations and codes. This lack of oversight is compounded by the fact that, under Clause 13, any appeal to the Competition Appeal Tribunal cannot take account of the merits of a case against the Secretary of State. The rationale for this, as the Constitution Committee says,
“is unclear and is not justified in the Explanatory Notes.”
I will quote the Explanatory Notes in full. Clause 13 provides that, in appeals against relevant “security-related” Ofcom decisions, the Competition Appeal Tribunal is to apply ordinary “judicial review principles”, notwithstanding any retained case law or retained general principle of “EU law”—by that they of course mean retained EU law. This means that the tribunal should not “adopt a modified approach” to proceedings, as required under retained EU law, which provides that the “merits of the case” must be “duly taken in account”.
Therefore, this provision disapplies aspects of the ongoing effect and supremacy of retained EU law, as permitted by Section 7 of the European Union (Withdrawal) Act 2018. The rationale for reducing the powers of the tribunal in respect of security matters is unclear and not justified in the Explanatory Notes. The House may wish to ask the Government to justify reducing the powers of the Competition Appeal Tribunal in respect of appeals under Clause 13. That is the motive behind this clause stand part debate.
The most authoritative judgment to date about the current standard of review is the Competition Appeal Tribunal’s TalkTalk Telecom Group plc and Vodafone Ltd v Office of Communications case. This addresses, inter alia, the standard of review on an appeal to the Competition Appeal Tribunal under Section 192 of the Communications Act. The judgment of Peter Freeman QC provides a good analysis of the context and history of the changes to the standard of review. I make no apology for quoting it at some length:
“Of particular relevance to how the Tribunal should approach this appeal are Article 4(1) of the Framework Directive and section 194A of the 2003 Act, as amended by the DEA17 … Article 4(1) provides: ‘Member States shall ensure that effective mechanisms exist at national level under which any user or undertaking providing electronic communications networks and/or services who is affected by a decision of a national regulatory authority has the right of appeal against the decision to an appeal body that is independent of the parties involved. This body, which may be a court, shall have the appropriate expertise available to it to enable it to carry out its functions. Member States”—
this is the key bit—
“shall ensure that the merits of the case are duly taken into account and that there is an effective appeal mechanism…’ … Section 194A provides: ‘The Tribunal must decide the appeal, by reference to the grounds of appeal set out in the notice of appeal, by applying the same principles as would be applied by a court on an application for judicial review.’ … The combined effect of these provisions is to require the Tribunal to apply the same principles as would apply in a judicial review case but also to ensure that the merits of the case are duly taken into account so that there is an effective appeal.”
At paragraph 139, the judgment concludes:
“Given that Article 4(1) continues to apply, it would appear that, in accordance with the Court of Appeal’s view in BT v Ofcom and the High Court’s view in Hutchison 3G, as set out helpfully by the Tribunal in the recent Virgin Media judgment, we should continue, as before, to scrutinise the Decision for procedural unfairness, illegality and unreasonableness but, in addition, we should form our own assessment of whether the Decision was ‘wrong’ after considering the merits of the case.”
“Article 4(1)” refers to the now-repealed framework directive. It should now be read as referring to Article 31(1) of the European Electronic Communications Code—the EECC. The transposition deadline of the EECC was just before the end of the transition period and iseb;normal;j therefore currently binding as part of retained EU law. The wording of the EECC is almost exactly the same as the framework directive in respect of appeals.
That is what will continue to apply across the remainder of the Communications Act for other appeals under Section 192 but is being changed by Clause 13 of the Bill, which amends Section 194A of the Communications Act in respect of security provisions. This is a very significant change to the appeals procedure in security cases. There is a single bald paragraph in the Explanatory Notes, no justification is given—as the Constitution Committee says—and neither is there any evidence of why it is necessary. What evidence does the Minister in fact have of the need to make this major change in respect of security decisions made by Ofcom? I beg to move.
The Earl of Erroll (CB)
My Lords, I saw this and thought that I really did not understand why the Government were doing it. I saw what the Constitution Committee had said and realised that it did not understand why it was needed. I cannot believe that you can have a proper appeal if you ignore the merits of the case. I probably have an overdeveloped sense of justice and I think that to have an appeal where you are not allowed to present half the case or whatever is not a proper appeal. In fact, what you find is that the system can use procedural things to run rings around people who have a very justifiable complaint about something. I did not like the look of it and I entirely agree with everything that the noble Lord, Lord Clement-Jones, said.
Lord Fox (LD)
My Lords, I am not going to attempt to outlawyer my noble friend Lord Clement-Jones. I may not be a lawyer, but I am suspicious or, indeed, perhaps ultra-suspicious. What is the department seeking to avoid by removing what would seem to be natural justice from this process? What are the Government seeking to protect themselves from in advance? Who are they frightened of?
I do not think I know the answers to these questions, but I know that there is someone or something there that the department is seeking to avoid in advance. For those reasons, we should be extraordinarily suspicious, just as suspicious as I am. I ask the Minister: what is the justification? What are the Government scared of?
Telecommunications (Security) Bill Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Earl of Erroll
Main Page: Earl of Erroll (Crossbench - Excepted Hereditary)Department Debates - View all Earl of Erroll's debates with the Department for Digital, Culture, Media & Sport
Telecommunications (Security) Bill
Earl of Erroll ExcerptsThursday 15th July 2021
(2 years, 9 months ago)
Grand CommitteeRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 15-III Provisional third marshalled list for Grand Committee - (14 Jul 2021)
The Earl of Erroll (CB)
My Lords, I do not want to bang on for a long time because, in a way, this falls in with things such as the technical advisory committee. It is all part and parcel of the same thing, and we have to keep our eyes open and start forward scanning and see what else is out there.
Ofcom is not in fact a department; I seem to remember that it was set up by Europe through regulations and that originally, it reported via Parliament to the European regulators. I am not entirely sure what Ofcom’s chain of command is; I must do some research into it. Having this buried inside such a body without proper parliamentary scrutiny is unwise, so it is only sensible to embed the principle of having proper advisory committees. This is an obvious no-brainer: we need people with these abilities and skills to be advising on this stuff, and I cannot understand why there would be any objection to it.
Amendment 25 covers the very good point about long-term strategy. As was pointed out on Tuesday, our relationship with the Five Eyes could easily change. There have been efforts from time to time to drive a wedge between us, and we need to start looking at that. One cannot assume that the status quo regarding who is an ally or friend will continue for ever. The fact that we are in different parts of the globe and therefore perhaps in different trading blocs could cause undue pressure, so we must have this horizon-scanning, long-term attitude.
The speech of the noble Lord, Lord Coaker, reminded me of the Tallinn Manual and the question of when cyberwarfare escalates to actual warfare because your entire infrastructure and systems have been taken down. It is a very interesting document. I skimmed through it a long time ago, but it was very eye-opening and before we just leap in, people should take a look at it.
That is really all I have to say. This is so obvious, and I just hope that the Government are going to do something about it.
Lord Stirrup (CB)
My Lords, in speaking to Amendments 18 and 25, to which I have added my name, I have in mind the very purpose of the Bill itself, which is, I take it, to ensure the security and resilience of our telecommunications capability here in the UK. The Bill as drafted places certain duties on the providers of those capabilities and gives powers to the Secretary of State to make regulations and issue codes of practice. This is all well and good, but these somewhat mechanistic, albeit welcome, measures will not by themselves result in the necessary degree of security and resilience.
As I said at Second Reading, things move quickly in the world of technology, and they will move even faster during a determined attack on our telecommunications infrastructure. If we are to respond successfully, we will need to be both agile and adaptable. The measures in the Bill will, by themselves, not ensure this.
One of the reasons why we are even considering this Bill is concerns over the position of Huawei in our telecommunications architecture, the clear channel that runs through that company to the Chinese Communist Party, and the ensuing vulnerability of our system. None of this comes as a great surprise, but we have allowed ourselves to get into a position where we are now having to play catch-up. This is largely because we spent the first half of the last decade thinking almost exclusively of the economic opportunities offered by China and very little about the associated security risks; in other words, our decision-making process was unbalanced and distorted. Without proper safeguards, we could easily find ourselves in a similar situation with regard to some future threat.
What sorts of safeguards might help prevent such an occurrence? There is no single answer to this question but at the very least we need a process that provides an appropriate degree of horizon scanning and that, importantly, draws in expertise from across technology, business and security organisations and, indeed, from across different government departments, to give us the best chance of coming to a balanced view.
That is what Amendment 18 seeks to do. It will not cure all ills but it will provide us with a mechanism to drive adaptability, not just in our architecture but in our thinking, something that is traditionally hard to achieve. Of course, the Minister may say that the Bill is not the place for setting out this kind of thing. My response to that would be: if not here, then where? The responsibilities outlined in the amendment must be met if we are to achieve the Bill’s laudable purpose.
Amendment 25 is in many ways a follow-on from Amendment 18. It calls for the deliberations of a horizon-scanning body and the ensuing policies and actions to be presented to Parliament in the form of a comprehensive strategy. Most importantly, it seeks to ensure that such a strategy is coherent with other elements of government policy, as set out in various documents, such as the integrated review, and in other legislation, such as the National Security and Investment Act. It also seeks to encourage international co-operation in this regard. I believe this is essential, since we rely so heavily on collective security for our national safety. The noble Lord, Lord Coaker, has already highlighted the importance that NATO now attaches to the whole area of communications and cyberspace.
Taken together, these two amendments put in place measures that would improve our agility and adaptability and thus strengthen the Bill in terms of its ultimate purpose. If the Government are going to set their face against such measures in this legislation, I ask the Minister to explain how the essential functions they prescribe are to be carried out and how Parliament can be confident of their success.
Lord Coaker (Lab)
I apologise to the Committee for having to hear so much of me in the first 48 minutes. This is a really important amendment and I will make a couple of general remarks before making some more specific comments.
Concern has been expressed throughout consideration of this Bill about the extent to which the Bill provides for parliamentary scrutiny. Parliamentary scrutiny is the important area that Amendment 22 seeks to address, and I am grateful for the support of my noble friend Lady Merron and the noble Baroness, Lady Northover.
Amendment 22 seeks to improve and prioritise national security. We have all said that we support the intention behind this Bill and the need for national security, but the sweeping powers that the Bill gives the Secretary of State must be used in the interests of securing our critical national infrastructure. Removing Huawei does not in itself do that, so there is a question of accountability here. Amendment 22 is designed to ensure greater scrutiny, focus and transparency and address the deepening hole in accountability presented by the Government. At its heart, it would
“ensure that the Intelligence and Security Committee … is provided with any information relating to a designated vendor direction, notification of contravention, urgent enforcement action or modifications to an enforcement direction made on grounds of national security”
by the Secretary of State, as soon as reasonably possible.
The Minister knows that, during the passage of the National Security and Investment Bill, noble Peers from all sides of this House repeatedly tried to ensure that the Intelligence and Security Committee had oversight of national security issues. To be frank with the Minister, it was difficult to understand why the Government were so determined not to give the committee a role. This amendment says to the Government that the ISC is the appropriate place to discuss matters of national security and that it has a unique role in assessing security implications, as even Ministers accept.
The key point is to ask the Minister how this would work. This is the nub of the amendment and goes to the heart of what many noble Lords have said. The DCMS Select Committee and many of the people who will be looking at these documents do not have the required clearance to scrutinise highly classified evidence, so should the ISC, which does have the necessary security clearance, not have a role? It is the only committee of Parliament that has regular access to documents marked “information sensitive for national security reasons”.
I am sure that many of us simply do not understand that when you look at the state security threats to the telecommunications infrastructure that have been identified by the Government, the level of clearance will not be official-sensitive, STRAP 1 or STRAP 2, it will be STRAP 3. No one in this Committee will see that. Some Members of the Committee may have seen it in the past. So how can Parliament be reassured without knowing that the Intelligence and Security Committee has looked at it? Who has oversight of it? Even the Minister will not have the level of clearance to see all of it, yet she will tell the Committee that Parliament has oversight of these matters, when none of us—or very few of us—have the security clearance to actually look at and scrutinise those threats. So how will Parliament scrutinise it if we do not have the security clearance to do that? It is logically inconsistent. Yet time and again, the Government refuse to allow the committee set up with that express purpose—namely, the Intelligence and Security Committee—the function that it was set up to do on behalf of Parliament. With respect, I simply do not understand why the Government are so resistant to that. On many of the other things that we mention, there is a debate and opinions are exchanged. But this is completely and utterly illogical.
I ask the Committee to consider this. Given that the level of security clearance needed to protect our country, its telecommunications structure and that of our allies from the threats posed by other states is above that of the vast majority of Ministers of the Crown, Members of the House of Lords and civil servants, who is to scrutinise these matters if not the Intelligence and Security Committee? I fail to understand what the answer to that is. Parliament deserves to scrutinise these matters and it should be done by the committee set up to do that because it is the only committee of Parliament that has the necessary security clearance. I beg to move.
The Earl of Erroll (CB)
My Lords, the noble Lord, Lord Coaker, has summed up an important recurring theme that was raised at Second Reading. The Government should take this very seriously indeed.
Oversight by a body with top-level security clearance is essential. I certainly would sleep safer if I knew this was happening. Part of this comes from the Minister’s reply when I started to query the status of Ofcom and its relationship to the Civil Service department. I gather that the relationship of Ofcom is similar to that of an agency—if it is not actually set up as an agency; it is set up as a regulatory body, I think. I remember the huge problem—debacle would be a better word—when Defra failed to bring in the new mapping system back when we were changing the way of paying farmers. Everyone knew that it was about to be disastrous. Everyone could see the train crash coming. The Minister could not do anything about it except stand at the Dispatch Box and say, “I’m not allowed to interfere. It is a separate company. We can only call it to account at the end of the year.” As a result, when it all went pear-shaped and farmers suffered disastrous and severe financial problems, the Minister was retired—and it was not any fault of his. He knew perfectly well what was going on but had no power under the structure.
This is my problem with the agency structure that was set up, I think under Mrs Thatcher, when she was trying to cut back the Civil Service so she took things off the Civil Service books to make the figures look better. We have to be very careful when we are handing huge powers or these momentous decisions to an agency. Therefore, it is important that we get into the Bill mechanisms by which we can know what is going on at the time and make sure that it is not going wrong. This oversight, certainly by the Intelligence and Security Committee, is essential—a no-brainer.
I will just mention that the same principle applies in Amendment 29 in the names of the noble Lords, Lord Clement-Jones and Lord Fox, which I did not put my name to because I thought that was unnecessary. Exactly the same thing applies to the Investigatory Powers Commissioner. Rather than me wasting time speaking again, I will say it now: please will the Government start looking at this more seriously?
Baroness Merron (Lab)
My Lords, I move the amendment in my name and thank the noble Lords, Lord Fox and Lord Alton—he could not join us today —for their support.
The amendment is about ensuring that the intent of the Bill can be delivered, and the measures that we are all in favour of will actually happen. There is therefore a link to the earlier debates. Throughout these debates it has become clear that diversity of suppliers is needed at different points of the chain, with sufficient support for the UK’s own start-ups. That will be the only way in which we can secure proper telecoms security.
Even the Government’s 5G diversification strategy demonstrates how diversification and security are inherently linked. It states that if the status quo remains with market consolidation, it will lead to
“an intolerable security and resilience risk”.
However, as was said clearly in earlier debates, the Bill does not even mention supply-chain diversification or the diversification strategy, even though we would all agree that we cannot have a robust and secure network with only two service providers—Ericsson and Nokia—which is the number that will be left once Huawei is removed from our networks. I hope that the noble Baroness the Minister will have the opportunity to address that concern.
It is of course right to remove high-risk vendors from the UK’s networks and enable the Government to designate vendors and require telecoms operators to comply with security requirements. However, as seems obvious, our networks will not be secure if the supply chain is not diversified. All that will happen is that there will be a shift of dependency to another point of failure.
Therefore, the amendment requires that network diversification is reported on annually. That can include an assessment of likely changes of ownership of existing market players, new areas of market consolidation and available public funding. The report could also provide proper accountability for the strategy’s progress, which will lead to real action. That is what we need. We know that that was called for by the Science and Technology Committee, which criticised the current diversification strategy for not having an action plan with clear targets and timeframes for how that funding will be spent.
The Minister will expect a question on how the announced £250 million funding will be spent. We all know that there are small start-up suppliers in this sphere which are desperate for this kind of support. I should also refer to the new advisory council, which, as she knows, I will come to in a later group. There are many unanswered questions about the adequacy and independence of its advice.
We cannot have a secure network with only two service providers, which is what we will effectively be left with after the removal of Huawei. So we need a diversified supply chain, which means diversity of supply at different points in the supply chain and networks not sharing the same vulnerability of a particular supplier. That is incredibly important for network resilience. That is why the amendment has been tabled. We are concerned to ensure that national security is not put at risk due to a lack of diversification. I beg to move.
The Earl of Erroll (CB)
My Lords, this point is very important and has been put across very well by the noble Baroness, Lady Merron. Network diversification will increase resilience and security for various very obvious reasons. The main thing is not just the supply chain. How the internet works is that messages are split over a whole lot of different routers going all over the place. Two things happen. First, because it is split up, if they are all going across different vendors, it is impossible to intercept the entirety of the messages. If it is all over one vendor and there is a clever way of monitoring that, it might be possible to put it together. Funnily enough, if you have lots of vendors, it does not matter whether Huawei is in there or not, and you will end up with flaws.
Also, the resilience of the internet is such that if you knock out a good chunk of the routers, it will still work and automatically route around the ones that have not been knocked out. If they are all from one vendor and all have the same flaw in them at some point, whether they are friendly vendors or not, you can take the whole lot out at once. The very fact that you have a good mixture gives you greater resilience and security. Everyone seems to think that it still runs over a copper wire from one end to the other, but it does not. The IP world is very different from that. That is the main thing.
Amendment 20 is also about long-term strategy. My noble and gallant friend Lord Stirrup is right about all these things. Although the amendments are not in this group, I might as well say now, rather than waste the Committee’s time later, that this lies with the principle of Amendments 18 and 25, that we need the right advisers, who can then advise on the issues that we are now discussing in Amendment 24. It all hangs together. We should not be chopping this up and structuring the Bill in a way that makes us vulnerable.
We may think that we have got the right people in, but we have clearly failed to do all this so far. This is the place to rectify our blindness. From the Minister’s comment, I think that the major change is the diversification and proliferation of civil service departments that are involved in security. That really does reduce our security. The lack of coherence will cause confusion like nobody’s business and will be very expensive.
Baroness Stroud (Con)
My Lords, I support Amendment 24, tabled by the noble Baroness, Lady Merron, which adds a new clause to the Bill that would tackle the pressing issue of network diversification.
As we have heard, the amendment places a duty on the Secretary of State to produce an annual report to Parliament on the progress that has been made in diversifying suppliers for our critical infrastructure in our telecommunications networks and services. The report would then be debated in the other place, ensuring that there is sufficient parliamentary oversight of the successes, challenges and opportunities of our diversification strategy. As I think about it, I am not sure why the Government would not want to commit to such an undertaking. As we have already heard this afternoon, the diversification of our telecoms networks needs to be a priority for this Government and an integral part of Ofcom’s reporting on the progress of these networks.
However, it is important to note that we have a Government who understand the seriousness of this issue. Indeed, the Secretary of State told the other place on 30 November 2020:
“We must never find ourselves in this position again. Over the last few decades, countless countries across the world have become over-reliant on too few vendors”.—[Official Report, Commons, 30/11/20; col. 75.]
This should never have been allowed to happen, and as I have mentioned, I fear that without the adequate parliamentary oversight that this amendment could give us, it is at risk of happening again.
Despite the reassuring statements from the Foreign Secretary, as highlighted in Tuesday’s Committee by the noble Lord, Lord Alton, we have seen new vendors come to market that are also high risk. The noble Lord said:
“Last week, we learned that, in a deal estimated to be worth £63 million … the UK’s largest producer of semiconductors … has been acquired by the Chinese-owned manufacturer Nexperia. Nexperia is a Dutch firm but is owned by China’s Wingtech.”—[Official Report, Lords, 13/7/21; col. GC 461.]
On Wednesday, this led to the Prime Minister expressing concern after the Business Secretary had said that the Government were monitoring the situation closely but did not consider it appropriate to intervene at the current time.
This new challenge is set against the backdrop of the noble Lord, Lord Grimstone, who is at the Department for International Trade, telling the House that he wants to deepen trading relations and trade deals with China, and of China having just overtaken Germany to become the UK’s biggest single import market for the first time since records began. Goods imported from China rose 66% from the start of 2018 to nearly £17 billion in the first quarter of this year.