Read Bill Ministerial Extracts
Telecommunications (Security) Bill Debate
Full Debate: Read Full DebateJames Sunderland
Main Page: James Sunderland (Conservative - Bracknell)Department Debates - View all James Sunderland's debates with the Department for Digital, Culture, Media & Sport
(3 years, 11 months ago)
Commons ChamberIt is a great pleasure to follow my hon. Friend the Member for Totnes (Anthony Mangnall). I am delighted to speak in the debate, for two key reasons. First, it shows that the Government do listen to Back Benchers. We have provided feedback all the way through this process, and some of us have some background on this topic. I am therefore greatly reassured that the Minister is here and is listening to what we are saying.
I also commend the Bill for what it is. I am very reassured that the conclusions of the telecoms supply chain review in 2019 are being met. As the world recovers and recalibrates after covid, the UK has a great opportunity to take the initiative and to become a world leader on another piece of vital technology, and I will be firmly supporting the Government on the Bill.
As our defence and national security move ever more online, it has never been more important to secure our lines of communication. With £16.5 billion extra in the Ministry of Defence budget alone, it is really important that the defence sector takes advantage of that, not least in the cyber-sphere. We have heard today of the strategic independence imperative, and I firmly welcome that.
The Bill will do three things. It will allow for better security, which is absolutely important. It will placate our allies, notably in the Five Eyes community, and why not Japan as well? There is a neat link there with the NEC trial that is coming up in Wales. It will also open the door for other 5G providers. I therefore support the UK’s diversification strategy.
As we have heard, clauses 1 to 14 introduce a more robust telecoms security framework. The Bill enables more specific security prerequisites to be set out in secondary legislation. It also gives the telecoms operators’ regulator Ofcom more power to monitor and enforce industry compliance. Clauses 15 to 23 give new national security powers for the Government to manage the risks posed by high-risk vendors, and we have heard much about that today. The Bill therefore gives the Government new powers, and rightly so.
On 14 July, the Secretary of State announced that, from the end of this year, telecoms operators must not buy any 5G equipment from Huawei, with a timetable for removing all Huawei equipment from our 5G network by 2027. September 2021 has also been announced as the new cut-off date for new Huawei equipment in the UK.
What about the wider requirements of the Bill? This is really important, so I urge the Minister to take note. Industry must be given sufficient time to comply with telecoms security requirements, and deadlines must be realistic. The Government, as we have heard, have settled on 2027 as the date by which high-risk vendor equipment is to be removed and this timeframe must be left as it is. It reflects the complexity of the task and slippage will not be welcomed.
I also support the Government’s initial commitment to promote diversification and resilience in the supply chain backed by the initial £250 million from the spending review. That is probably just the start and it may need more funding. I welcome, as I mentioned, the forthcoming trial in Wales with NEC and our Japanese friends.
I will mention Vodafone very quickly. Vodafone has called for greater investment in Open RAN and, of course, Vodafone has been a key contributor to Open RAN. This would reduce UK reliance on mobile network vendors and allow the UK to develop domestic vendors at scale and benefit consumers through greater price competition. That is to be welcomed. Again, it is clear that the more 5G providers there are, the better it is for everyone. As we have heard, the most sensitive core parts of our 5G network must be free of Huawei equipment and must remain so.
Lastly, upgrading the UK’s mobile infrastructure to 5G could be worth as much as £158 billion over the next 10 years. It will also keep us safe. Surely this is worth investing in, so the telecoms bill is absolutely a step in the right direction and I support it.
Telecommunications (Security) Bill (First sitting) Debate
Full Debate: Read Full DebateJames Sunderland
Main Page: James Sunderland (Conservative - Bracknell)Department Debates - View all James Sunderland's debates with the Department for Digital, Culture, Media & Sport
(3 years, 10 months ago)
Public Bill CommitteesThree Members have indicated that they would like to ask questions. We will take them in the following order: James Sunderland, Miriam Cates and Kevan Jones.
Q
Patrick Binchy: I think, initially, it is not for the industry to comment on and define national security and risk. That is for the Government. However, we absolutely support whatever is put in place beyond that. I think that this Bill, in the way that it is structured, very much helps with that, because not giving a definition, and the way that it will be able to include additional vendors and additional technologies, gives it the flexibility to move forward and to adapt to threats, whether they are technical or through suppliers in the future. In that way, it is well constructed.
Irrespective of the Bill itself, we work with the security bodies on a regular basis—on a day-to-day basis—and we continue to do that, to protect the British public from any and all security threats. And I would add that the UK is actually very well advanced in terms of protecting itself and its security posture.
Derek McManus: Similarly, I am the COO of a commercial organisation; I am really not best placed to answer that point specifically. But what I will say is that we run our business by security by design—it is a key part of the evolution of our network and all of our services. I believe that as an industry we are actively engaged with the security forces to deliver a good track record in terms of national security from telecoms. It is important that we continue to do that. Everyone who is connected closely to security knows that it constantly evolves as technology evolves, and the continued collaboration between the industry, the Government and the security forces is essential beyond the completion of the Bill.
Andrea Donà: Similarly to my colleagues, I am not in a position to comment on national security. What I would say is that Vodafone worked very closely with Government on how the Bill best enables us to secure our networks in practice. I think it is very important that we maintain a very close collaboration as we work in implementing the Bill.
We believe the Bill is sufficiently flexible for the Secretary of State and Ofcom to interpret the security threats and issue notices to providers to deal with them. Reviewing the legislation at regular intervals to assess its efficacy in the face of new technological challenges, and also in the light of new strategic aims by Government and that constant review involving the industry, will be very welcome for us. Our continual engagement will enable us to ensure that the new regulations can be enforced in practice effectively to achieve the scope of the Bill.
Thank you. We will come to Miriam Cates next. Then, after Miriam, the order will be Kevan Jones, David Johnston, Christian Matheson, Dean Russell and James Wild.
Telecommunications (Security) Bill (Second sitting) Debate
Full Debate: Read Full DebateJames Sunderland
Main Page: James Sunderland (Conservative - Bracknell)Department Debates - View all James Sunderland's debates with the Department for Digital, Culture, Media & Sport
(3 years, 10 months ago)
Public Bill CommitteesQ
Matthew Evans: I am happy to take that question. From the principle point of view, the principles of cyber-security are the same regardless of the network: having security built in by design, but also having a zero-trust principle and good assurance that your defences are looking inwards as well as outwards. On a principle basis, they are very similar.
Hamish MacLeod: I have nothing to add to what Matt said.
Thank you. I am going to Mr Sunderland. I will come back to you if you want to come back later.
Q
Mr Baker is the obvious candidate.
John Baker: I think the legislation, as you have it written, is good and supportive. The underlying thread of this is all about open interfaces. Having open interfaces fully specified makes the ability for testing of elements in the network simpler and easier, because you open up the testing community, the vendors, to produce interoperable equipment, so you can compare equipment side by side. This has been the basis of the whole open RAN discussion. Open RAN is about open and interoperable interfaces. If you follow that philosophy through into this Bill, you should be able to test each of the elements and the network end to end, from a security perspective, so we are fully supportive of the activities that you have in place.
Anyone else?
Stefano Cantarelli: I will just add that of course, when we say “open interfaces” and “open and interoperable”, “open” means standardised and well known, not open in the sense of open sources or whatever else people can think of. As far as the Bill is concerned, I believe that it is quite appropriate for the specific actions and conditions that will be triggered. I would just suggest that you make sure that it is followed up by secondary legislation to make sure that in some cases there are very tangible and specific examples that will be able to make it a bit more specific and will give directions within the framework that the Bill itself provides.
Thank you. Mr Robson, do you want to add anything to that?
Julius Robson: I think it is very important. One of our angles on this security Bill is that we see diversity as important not just for building resilience, but for delivering on the promise of 5G, which is to take mobile—which currently is about voice and data for people—and deliver it into organisations, to have e-health, smart industry and connected communities. To do that, you need a diversity in service providers. It is fair to say that mobile operators have done a great job of the outdoor national network, but perhaps not so much delivering into enterprise.
We want to ensure that when we implement new policies, like the telecoms security Bill, we are not introducing large barriers to entry to those smaller players that will come in and diversify our network. This talk of making everyone auditable is a workload that will drive us back towards a monolithic industry, where you have a small number of service providers, and only the largest vendors are able to service that. We need to ensure that whatever policy we implement looks forward and is workable for this diverse ecosystem that we aim for in 2025 and beyond, not the monolithic one we have today.
Q
Who wants to go first? Dr Bennett, I think that was mostly directed at you.
Dr Bennett: I appreciate that it is a framework, but it is a framework that does not say that powers in certain areas are going to happen and how you might do it. I think the Secretary of State and the whole industry actually needs a lot of help to do this. The whole tenor of wanting to have things like the telecoms diversification taskforce and the 5G diversification strategy is absolutely right, but as you do that you are bringing in people to do these things who have less resources than the people currently in there. As Mr Robson said, they can afford the expense of the barriers to entry, whereas smaller players require assistance from the Government to enter this world without going out of business because of the impacts of the cost of compliance.
Q
I have questions for both of you, but let me start with Dr Bennett. I was impressed by your structured list of things that are missing from the Bill, because we are here to scrutinise the Bill and see how we can improve it. I think you talked about the breadth of the security challenge and how this Bill, as it stands, might not meet the full breadth of it. You had four areas, and I think you have run through two of them in more detail. Could I ask you to summarise again the areas that you think are missing? In particular, could you talk a little bit more about the need for improved scrutiny? Could you just summarise that and then go into more detail on the ones where you have not yet?
Dr Bennett: I said that the areas that needed to be covered were network architecture, which is the Bill’s focus, the security of the asset databases that make up the network, how to ensure security of the data passing over the network, the maintenance of security over time, and the operational costs and other impacts of compliance. I have touched on all of them, but perhaps not very much on the operational costs and impacts of compliance.
The more diversified your network, and the more small vendors there are, the harder it will be for them to maintain the level of scrutiny, record-keeping and general security that is required as their bits of the network develop and the interfaces they have with other bits of the network change over time. That is an area where the Government should consider giving help to people to cover those costs. I have said that audit is needed of the assets in the network. The costs of being audited and of dealing with audits are very high, and they are costs that small companies may not have the resources to meet.
If the Government suddenly say, “All components from supplier X must now be removed from the network because of x, y and z,” it is incumbent on the Government to have some funding to help people to do that and to ensure that that really does happen, because it could be a step too far if you have a lot of very small suppliers that do not have the resources of skills, time or money to do it. You need to think about that and about how you can ensure that they are not squeezed out of the network—this diverse network that we want—by those costs.
I think I might interrupt you there, because we have only until 4.45 pm. I would really like to bring in Mr Sunderland, the Minister and the shadow Minister, so we need very tight questions and very succinct answers.
Q
The important question from me is: what will be the reaction to the Bill within the Five Eyes community?
Dr Steedman: I will lead on that. I think the Five Eyes community will welcome the Bill, and it may well begin to set a model for the way that the UK and like-minded nations can create a pro-innovation market framework which has sufficient regulatory powers, backed up by industry standards, to deliver the environment that we want and that will, particularly in the UK’s case, stimulate new entrants, SMEs and innovation. That is a really critical part of future diversification, because we have no incumbent major players based out of the UK, so we need to stimulate our own industry as well.
Charles Parton: I do not have a great deal to add to that, other than, as a side note, that I do not think we should underestimate American bipartisan attitudes to the whole question of China and technology. I think we are going to have to take that into account in the broader context, because they are long-standing allies and sharers of the same values as us.
Telecommunications (Security) Bill (Fifth sitting) Debate
Full Debate: Read Full DebateJames Sunderland
Main Page: James Sunderland (Conservative - Bracknell)Department Debates - View all James Sunderland's debates with the Department for Digital, Culture, Media & Sport
(3 years, 10 months ago)
Public Bill CommitteesGiven that most MPs do not fully understand what the ISC does, does the right hon. Gentleman not agree that the Government are probably best placed to make the decision on this particular matter?
No, I do not. I know the hon. Gentleman is a new Member, and I actually quite like him, but what is he arguing for? A dictatorship? That the Executive should decide everything? Knowing you, Mr Hollobone, you would take a very dim view of that. You have form on holding the Executive to account—all Governments.
The ISC is there to look at information and provide parliamentary scrutiny. As for the nature of the information we receive, we have all the clearances from top secret going up to STRAP, including STRAP 3, which is intelligence that has a limited circulation and people have to be added to the list. We have access to that as well, which allows us to consider that information.
Our annual reports, which we supply to Parliament, can be debated by Parliament. We can produce reports. For example, most recently, there was the Russia report, which highlighted what the Government had not done rather than what it should have been doing. The contention from the Cabinet Office is that if information goes to the ISC, it is in the public domain. That is a little bit insulting. We do public reports, which have information that can be put into the public domain, but there are always secret annexes that go to the Prime Minister and are not made public, which allow us to question decisions and highlight issues that we think the Prime Minister should take notice of. It is a valuable mechanism for scrutiny.
The argument that will come from the Cabinet Office is that DCMS is not covered. It is. The memorandum of understanding says:
“The ISC is the only committee of Parliament that has regular access to protectively marked information that is sensitive for national security reasons: this means that only the ISC is in a position to scrutinise effectively the work of the Agencies and of those parts of”
the Government
“whose work is directly concerned with intelligence and security matters.”
I accept that DCMS’s day-to-day work is not covered in the description of national security, whether or not this is an issue of concern to individuals. I think it is. There could be an argument as to why the Department for Digital, Culture, Media and Sport got this legislation and whether it should perhaps be put in another Department. I do not agree with that, because I think the general issue of telecoms fits well into the Department’s wider briefs.
Increasingly, a number of Departments are getting involved in, or taking responsibility for, areas that involve national security. BEIS and the National Security and Investment Bill is a good example.
Given that the Bill mandates that vendors could be fined up to 10% of annual turnover or £100,000 a day for violating the terms of their obligations, does the hon. Lady agree that a full audit of all goods and services supplied could be quite draconian and onerous?
Telecommunications (Security) Bill (Sixth sitting) Debate
Full Debate: Read Full DebateJames Sunderland
Main Page: James Sunderland (Conservative - Bracknell)Department Debates - View all James Sunderland's debates with the Department for Digital, Culture, Media & Sport
(3 years, 10 months ago)
Public Bill CommitteesI do not disagree with my hon. Friend. That is why we need to get into the idea of the audit. As I said earlier, we basically need a level playing field for operators; we do not want one to have an advantage over another. We also need a clear picture of what we are asking in terms of the audit. On the point she makes regarding web services and the cloud, there is an issue there that I think is worth referring to. It links today’s Bill with the National Security and Investment Bill, which we were discussing yesterday. There was a lot of discussion around what we define as critical—a point she has already raised.
For yesterday’s Bill, the question was what is critical to national infrastructure—for example, a company that is developing software that is then acquired by a state that we deem is a security risk to us. If that equipment or software is being used in our telecommunications network, does that mean that the network is compromised, and how do we guard against that? There are provisions in the National Security and Investment Bill that enable the Government to stop the acquisition of companies that we consider vital to our national security, but unless we know that in advance, how will we make that decision?
If we have a situation where a small company is providing software for part of our critical national infrastructure for telecoms, how will that be joined up? How will we be able to use the provisions in the National Security and Investment Bill, so that the Business Secretary can block the sale? Likewise, how do we get that connection? We can do that only by the Minister and Ofcom having a very clear indication from day one—I do not think it will be possible from day one, but from some time into it—what is in our network, not just now, but into the future. That will be important.
That brings us to the role of Ofcom. We have seen a development of regulators in this country. I am not a great fan of regulators, because I think it is a way for Ministers to palm off their responsibilities to third parties and then stand back and saying, “If it all goes wrong, it is nothing to do with me, guv—it is these independent organisations.” A long time ago—perhaps it is a bit old-fashioned—the General Post Office used to be responsible for this type of thing, and I am currently reading the excellent new history of GCHQ that has come out, which I recommend to everyone. It is fascinating to read about some of the challenges—things that apply to this Bill—such as, in the first world war, what was conceived as national security and who was responsible for it. Was it the GPO, the military or someone else?
How will Ofcom be able to look at a network and say, “Yes, we are satisfied that there is nothing in there that is a matter of national security”? They do not know. I do not think for one minute that we are going to have a situation whereby this Government or any future Government will suddenly throw so much money at Ofcom that a huge army of inspectors will be climbing up poles and going into operators’ offices to check source codes and so on. That is not going to happen.
From a practical point of view, the operators will have to be responsible for providing that information to Ofcom. Whether it is in the Bill or in the guidance, it must be clear what is expected of operators. It is no good looking back in hindsight and saying, “We should have done that,” when something happens. The operators will just say, “You did not tell us we had to do that,” or, “We didn’t know about that.” It has to be very clear, to prevent a competitive advantage between different companies, that there is one standard. They also have to know what we are asking for. Then, taking the telecoms hat off and putting the national security hat on, from the Government’s point of view, that needs to be very clear as well, because we need to be reassured that the components and software in those networks, now and in the future, are not a national security risk.
That brings us to an issue that I have already raised. I am not someone who thinks that every time we go to bed at night, we should look under the bed to see whether the Chinese are there, unlike some members of the China Research Group, but there is an issue about the way in which China will look at supply chains as a way of getting access, for two reasons. The first is national security. The second is commercial reasons—dominating the market, which is what China has done with Huawei. How will we identify that, without having some type of audit process? I do not think that everything to do with China is bad, but a huge number of the components in all our mobile phones in our pockets today will have come from China, including Ericsson and Nokia hardware.
I am enjoying the right hon. Gentleman’s logic. He talks a lot of sense, which is great. I am really intrigued by his insistence that the Government place these obligations on the National Cyber Security Centre and Ofcom. In my humble view, and knowing how those organisations work, it is likely to be the case that the Joint Forces Intelligence Group, GCHQ or the National Cyber Security Centre inform Government where there have been transgressions of security and breaches. I am intrigued by the counter-logic with where I think we need to be.
The amendment would add to the general duty in clause 5 that places on Ofcom the duty to ensure that providers comply with their security duties. The duty as written in the Bill makes clear Ofcom’s increasing role. The duties imposed on public telecoms providers in the Bill are legally binding, so as the Bill is written providers should not be taking decisions that would prevent them from complying with those duties in the future. If they were not to comply, they would be in breach of their legal duties and liable for enforcement action, including the imposition of the significant penalties set out in the Bill.
The underlying purpose of the amendment—that Ofcom should take a proactive role in regulating the regime—is already core to what is in the Bill and the Government absolutely agree with the principle that the hon. Member for City of Chester set out. We need to ensure that Ofcom has the tools to be forward-looking so that, in a world of fast-changing technologies and threats, it can understand where operators are taking their networks and how that will affect their security. That is an absolutely essential part of the Bill.
Does the Minister agree that the Bill in its current form is prescriptive enough already?
I think the Bill is perfectly drafted down to every comma and punctuation mark. To be slightly more serious, what we have sought to do in the drafting is to strike the balance between proportionate regulations and the overarching requirements for national security. That is the balance that we have struck and it is exactly for that reason that we already do in the Bill what the hon. Member for City of Chester and the shadow Minister seek with the amendment.
In section 135 of the Communications Act 2003, as amended by clause 12, Ofcom is already allowed to require information from providers about the future development of networks and services that could have an impact on the security of the network or service they are providing. That would enable Ofcom, for instance, to assess the security risks arising from the deployment of a new technology or from the proposed deployment of a new technology. For those reasons, I hope that the hon. Members are reassured not just that the Bill does what they seek, but that previous drafts of the Communications Act already did so.
Telecommunications (Security) Bill Debate
Full Debate: Read Full DebateJames Sunderland
Main Page: James Sunderland (Conservative - Bracknell)Department Debates - View all James Sunderland's debates with the Department for Digital, Culture, Media & Sport
(3 years, 6 months ago)
Commons ChamberWe heard you loud and clear, Colonel Bob.
It is a great pleasure to follow my eminent right hon. Friend the Member for Beckenham (Bob Stewart)—if only I were as good.
As the final Back-Bench speaker this afternoon, it is incumbent on me to be supportive of the Government, which of course I am, and this excellent Bill. We are where we are today for two reasons. First, it shows that the Government do listen to Back Benchers. Secondly, the Bill is a pretty good bit of work and it ticks the box, as indeed it should. As defence and national security become ever more virtual and online, it has never been more important to secure our lines of communication, both domestically and internationally, with our allies. I urge all Members to consider the notion of strategic independence, which we have spoken a lot about during the covid crisis. As we go forward, it is really important that we aspire to be able to operate autonomously as a global nation alongside our allies.
I believe that the Bill is important for three reasons. First, it will allow for better security both domestically and internationally. It kicks out the high-risk vendors from our network—what’s not to like? Secondly, it placates our allies. New Zealand, Australia, the USA, Canada and others were quite noisy when Huawei was originally admitted to our network, so let us hope that this will placate them, cement that relationship and, perhaps in time, even enable us to admit Japan and other close allies. Thirdly, it opens the door for other 5G providers to come in, which is a good thing, and I support the UK’s diversification strategy.
Having sat on the Committee for this excellent Bill, it is a pleasure to see it back here on Report. The Bill takes forward the Government’s commitment to the UK telecoms supply chain review, introduces a new security framework, amends the Communications Act 2003, introduces new security duties, brings new powers to the Secretary of State and strengthens Ofcom’s regulatory powers, allowing it to enforce the new framework. That is all very positive. It also introduces new national security powers for the Government to impose, monitor and enforce controls. Again, that is a positive step.
I am pretty happy with the Bill as it stands, but in the interests of objectivity, I will talk to a number of the new clauses and amendments. On new clause 1, the Government are aware that the Bill gives Ofcom significant new responsibilities, and it will need to increase its resources and skills to meet those new demands. Ofcom’s budget is approved by its independent board, and the Minister has today confirmed that the budget limit set by the Government will be adjusted to allow Ofcom to carry out new functions effectively. Ofcom is already engaged in this space—we are already proactively looking over the horizon and scanning for future threats—so I am happy that the Government have got this about right.
New clause 2 would ensure that the Intelligence and Security Committee of Parliament is provided with information relating to a designated vendor direction. I am sympathetic to this, but the Government know what they are doing. As the Minister said, the ISC’s primary focus is to oversee the work of the security and intelligence agencies. Its remit is clearly defined in the Justice and Security Act 2013, so the Bill is not the appropriate place to achieve an overall enhanced role for the ISC.
I am sorry to have to reiterate this point. There are other ways in which our concerns could be addressed, such as by adjusting our memorandum of understanding, rather than putting it on the face of the Bill, so I am with my hon. Friend as far as that is concerned. However, it is very clearly within our remit to oversee not only the agencies but those parts of other Departments where highly classified information is concerned. That is just a matter of fact—it is in the agreement between us and the Prime Minister.
I empathise with my right hon. Friend’s view, and I agree that he has a point. My position is the same as the Government’s: I do not think that this Bill is necessarily the vehicle through which we should look at the future of how the ISC operates. I am a keen follower of the ISC and its output. Its work is eminent, and my right hon. Friend’s point is well made.
Let me cement that point but also perhaps offer an olive branch to the Minister, if I might be so bold. If the Minister, when he sums up, were to make a firm and binding commitment that he, for example, and others will appear before the ISC at our request to be scrutinised on these and other matters, that might go some way—not the whole way, but some way—to assuaging doubts and fears.
I thank my right hon. Friend for his intervention. Again, I empathise with the point. I will happily leave it to the Minister to make his view known in his summing-up later.