(3 years, 11 months ago)
Public Bill CommitteesQ
Doug Brake: I worry that sometimes 5G is conceptualised as a singular technology or a singular thing. It is not a monolith; there are a number of different component technologies and a number of different flavours. Depending on whether you are doing a fully 5G network, a stand-alone network or a non-stand-alone network, it is a very different sort of system. There are also a lot of differences between what spectrum is used to deploy the network—if you are using low-band, mid-band or high-band spectrum or a combination of all three. It is hard to answer that question in generalities.
A number of different component technologies and architectures will be rolled out over time. At a high level, the real advantage of 5G compared with 4G is in its flexibility. It is able to tailor its connectivity to a number of different applications’ needs. It can offer extremely high throughput and much faster speeds. It is very reliable, with very low latency. For example, if you want to stream a football match while travelling on a train, it can do that quite well, or quite a bit better than LTE and 4G today. At the same time, you can also change very obscure technical parameters to make for simple communications that require very little battery on the device side to be able to communicate. If you want to have massive deployments of sensors for smart agriculture, or something like that, that have battery life in the order of decades, it can do that. The hallmark is its flexibility.
Given that flexibility, it is anticipated that 5G is going to be much more deeply integrated within the economy and trade sectors, and will be a key tool to boost productivity. There is an important hope that we see a broad deployment, not just in urban areas but in rural areas. Again, I go back to that note on differences depending on the spectrum that is used to deploy—unless it is of interest, I do not want to get too bogged down in the details, but there are real differences in what we would expect to see deployed in urban versus rural areas. But, again, we would also expect to see very different use cases in those areas. Admittedly, there will likely be a performance difference between urban areas and more rural areas. But at the same time, like I said, the use cases look very different—you are not likely to have massive crowds of people all looking to share video from a stadium or something like that in rural areas. There will be a real difference in the roll-out, but I worry that sometimes the challenges with that have been overstated.
Q
Doug Brake: That is a great question. We talk now about needing diversification and seeking entry of a US-UK equipment supplier, but the question and lessons from history are about why we need this in the first place. In the past, we had quite successful telecommunications supply companies, especially in the US. The president of our organisation, Rob Atkinson, set out to answer that question. You may have seen an article in the American Affairs journal, titled, “Who Lost Lucent?” It is a long and interesting article—I will not go into all the details of history. I would say that it is fair to characterise the failures and decline of Lucent as a complicated story, but it stems from a combination of unique challenges imposed by the Anglo-American economic system, systemic failures of US Government policy—particularly with regards to anti-trust and some of the regulatory policy throughout the 1990s—and very strong and aggressive foreign industrial policies, particularly with regards to China, to acquire market share.
I am happy to go through that in some detail, but feel free to cut me off if I go on too long. You are absolutely right to say that we had Lucent and Nortel. Lucent was absolutely massive—it was three times larger than Nortel—and originally spun off from AT&T’s equipment arm, Western Electric. It had the famous Bell Labs. Throughout the ’90s, it was the largest telecoms equipment company and was still growing dramatically overseas, but due to a number of strategic decisions within the company and decisions within the US Government, it ended up really suffering as a result of the dot.com bubble.
Setting aside all the competitiveness questions, particularly with regards to Chinese companies, a hands-off, free market globalised system reigned in the US and UK throughout the ’90s. It was finance-focused capitalism that saw Lucent and Nortel cut their R&D budgets and staff dramatically, particularly as a result of the 2001 crash—much more so than some of their international competitors. With that financial system, it was harder for those companies, which were designed to be growth companies—much more so than a valued company. They were focused on growing quarter after quarter and meeting their financial targets, which made it very difficult to focus on long-term growth. You can contrast that with Ericsson in Sweden, where the Wallenberg family control a lot of the voting shares. Ericsson was able to focus on much longer-term value creation, and they did not cut staff or R&D by nearly as much as Lucent did.
Before that, I think there are a lot of lessons to be learned from the aggressive anti-trust action that broke up Bell Labs and restructured the entire industry. Up until the restructuring of the US telecom market in 1984, Bell Labs had a fantastic situation in order to generate innovation. It had the commercial drive, focus and flexibility that is often lacking in a Government research lab. It also had a long-term focus and an interest in broad technological change, which many R&D efforts in industry do not see. It had steady revenue from telecom rates. There is a complicated story there. It is hard to tell what concentration is good for innovation and where competition is really the order of the day, but it seems clear that the decline of Bell Labs was a real loss.
(3 years, 11 months ago)
Public Bill CommitteesQ
Dr Drew: It potentially could, depending on the type of company that you are attempting to incentivise. It would have a different effect on those potentially two or more categories. If you take one category to be pre-existing companies that previously have not operated within the UK, such as NEC from Japan, they are likely not to be put off to such a great extent—they have already had to deal with some level of security commitment within their normal markets. However, I suggest that it could be more of a barrier to entry for the smaller companies that we are attempting to encourage to get into this market. Emerging companies would find a culture of components and cultural risk to how they view their work, as well as the technical and financial cost of meeting the new standards. Yes, I believe there would be an impact, but it would be different between types of vendors that you are seeking to encourage.
Q
“to further the interests of citizens in relation to communications matters; and to further the interests of consumers in relevant markets, where appropriate by promoting competition.”
Do you think there is an argument to add a further security duty, if that is going to take such a large portion of Ofcom’s capacity?
Dr Drew: As to the second question first, I believe that security should be a component here. In fact, I believe it fits with what Ofcom is likely to be responsible for, and with the Online Harms White Paper as well. Security is fundamentally and inexorably linked with technology, culture and communications in the modern sense, so I believe that it would be important for that to be included as a key provision for DCMS.
With regard to the differences between fixed networks and 5G and the implications of this Bill, in the efficacy of its methodology towards the other, there are technical differences in how 5G operates right now and how we perceive the next generation of telecommunications to operate, but those differences will change over time, I believe. They will become less distinct. It is likely that fixed networks will move towards the concept of computing on the edge, and this is indeed already happening in some senses.
As for the actual efforts to control security risk, I do not see any major differences between telecommunications suppliers and fixed network suppliers. There is the same potential risk. You mentioned the SolarWinds hack earlier. That was a fixed network supplier in a way—it was not telecommunications—but there was the same risk involved and the same means of access, through a diversified chain with limited oversight at Government level, because it is a private sector actor with limited responsibilities. That is as true in that case as it would be for a fixed network with Cisco, and as it would be with a telecoms provider by ZTE, Huawei, Ericsson or any other. I do not think there is a significant technical difference to mean that the goals and direction of this Bill could not, and perhaps should not, be applied to others.
Q
Can I come on to duties? I have the Communications Act here, which has got a lot thicker since I left Ofcom. The two duties are the “interests of citizens” and the “interests of consumers” with regard to competition, but there is not a duty on security. Does that not suggest that if there is a conflict between competition or communication matters, that will be prioritised over security if there is not an explicit duty to maintain the security of our networks?
Lindsey Fussell: I think this legislation quite clearly does place explicit duties on us to monitor and enforce the compliance of operators on network security requirements. I do not see that there is any risk that we would downplay the importance of that duty in comparison with others. Clearly, it is for the Government to put forward any changes to legislation to change the balance of our duties or to add new ones, but I think the Government—and, indeed, Parliament—are asking us very clearly to take on those responsibilities through this new legislation.
To pick up on a point I made earlier, in terms of the interests of citizens and consumers, it is important to say that of course it is in the interest of citizens and consumers to have excellent networks functioning that provide them with great connectivity. If we have learned anything from this most recent period, it is how important connectivity is to everybody’s daily life. Of course, that comes across in pricing and support for more vulnerable consumers, and all those other things that we have responsibility for in telecoms.
Actually, promoting secure networks is absolutely in the interests of consumers and citizens as well, not just because of the really damaging consequences of cyber-attacks, but because, ultimately, if we are able to have better networks, that should enable greater economic innovation through 5G use cases and things like that, for example. I think in promoting the interests of citizens and consumers, telecoms security is clearly part of that.
Q
Lindsey Fussell: It is probably worth saying that, from an international perspective, although there are some other countries—notably Germany and Australia—that have started to explore strengthening their telecoms security framework, I am not aware of another country that is quite as forward leaning in terms of the framework that is being put forward in this legislation.
In terms of the fines, this is an important point—those fines match the level that we are currently able to levy in relation to our other telecoms requirements, such as breaches of our general conditions. Previously, under our past responsibilities, our fines were limited to £2 million, so really quite a small amount compared with the wealth of the largest operators. I think it is appropriate that the telecoms security fines match what we are able to do elsewhere.
The final point I would make is that fining is an incredibly useful power to have because it acts as a significant deterrent and a strong incentive for companies to comply. It is actually not the first lever that we reach for, certainly not maximum fines; it is there and we are ready to use it if we need to, but our starting point would be to work with operators on this journey as they move towards compliance as they respond to new and emerging threats.
(3 years, 11 months ago)
Public Bill CommitteesQ
I have questions for both of you, but let me start with Dr Bennett. I was impressed by your structured list of things that are missing from the Bill, because we are here to scrutinise the Bill and see how we can improve it. I think you talked about the breadth of the security challenge and how this Bill, as it stands, might not meet the full breadth of it. You had four areas, and I think you have run through two of them in more detail. Could I ask you to summarise again the areas that you think are missing? In particular, could you talk a little bit more about the need for improved scrutiny? Could you just summarise that and then go into more detail on the ones where you have not yet?
Dr Bennett: I said that the areas that needed to be covered were network architecture, which is the Bill’s focus, the security of the asset databases that make up the network, how to ensure security of the data passing over the network, the maintenance of security over time, and the operational costs and other impacts of compliance. I have touched on all of them, but perhaps not very much on the operational costs and impacts of compliance.
The more diversified your network, and the more small vendors there are, the harder it will be for them to maintain the level of scrutiny, record-keeping and general security that is required as their bits of the network develop and the interfaces they have with other bits of the network change over time. That is an area where the Government should consider giving help to people to cover those costs. I have said that audit is needed of the assets in the network. The costs of being audited and of dealing with audits are very high, and they are costs that small companies may not have the resources to meet.
If the Government suddenly say, “All components from supplier X must now be removed from the network because of x, y and z,” it is incumbent on the Government to have some funding to help people to do that and to ensure that that really does happen, because it could be a step too far if you have a lot of very small suppliers that do not have the resources of skills, time or money to do it. You need to think about that and about how you can ensure that they are not squeezed out of the network—this diverse network that we want—by those costs.