Telecommunications (Security) Bill Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Kevan Jones
Main Page: Kevan Jones (Labour - North Durham)Department Debates - View all Kevan Jones's debates with the Department for Digital, Culture, Media & Sport
Telecommunications (Security) Bill
Kevan Jones ExcerptsMonday 30th November 2020
(3 years, 4 months ago)
Commons ChamberRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts
Oliver Dowden
The purpose of this Bill is to give us flexibility so that we do not get bound by the particular circumstances of today, and we have designed it to give us that. The four big threats we consistently face in cyber in this country are, as my right hon. Friend knows, in relation to Russia, China, North Korea and Iran, and we are seeing an evolution in some of those threats, particularly in relation to China.
This new security framework is just one half of the Bill; the second half gives the Government unprecedented new national security powers to identify and tackle high-risk vendors. Under the Bill the Government will be able to designate specific vendors that pose risks to our national security and issue directions to telecoms providers to control their use of goods, services or facilities provided by those vendors.
Mr Kevan Jones (North Durham) (Lab)
In principle, I welcome the Bill. Its focus, however, is on kit, hardware and vendors, and that will go some way towards protecting our telecoms systems, but we are also still facing threats from hacking, so making sure we have basic good cyber-hygiene will be just as important as some of these measures we are discussing today.
Oliver Dowden
In short, yes, the right hon. Gentleman is absolutely correct. What this Bill does is bite in three respects. First, it sets out the overarching duties on mobile network operators and other telecoms providers in statute. It then empowers the Government through secondary legislation to provide further requirements on them. On top of that, for the tier 1 providers, which will basically be all the big telecoms providers, it also introduces a code of practice whereby they have to comply with that to ensure that they are secure. Across the board, the Bill tightens the requirements on them.
Oliver Dowden
My hon. Friend makes a very important point, and I will be coming on to that in a minute. It is actually happening now because telecoms providers and mobile network operators know three things. They have to remove Huawei equipment in respect of 5G by 2027 entirely. They cannot purchase any equipment from the end of this year, and—I will come on to this shortly—we have double locked that, as it were, by having the installation requirement. Mobile network operators are already working on that assumption.
Mr Kevan Jones
I find that very strange because the Bill is about security. The Secretary of State is now saying that he is introducing proposals which mean that if, for example, Vodafone or any other operator has got some stock in, it cannot put it in from the end of this year. What is the security risk there? The only reason we changed the projections earlier last year—which I supported—was the US sanctions on future kit. There is not a security risk to the kit that is going in now so how can he use this Bill, on security, for doing that? Is this not just a political decision that he is making?
Oliver Dowden
To clarify the position for the right hon. Gentleman, mobile network operators cannot purchase from December this year—so they can purchase it now— and the installation limit will then apply from September 2021. The point of these measures is to address the concerns that Members rightly raised that companies could be incentivised to purchase large amounts of stock, stockpile it and then roll it out right the way through to 2027. I told the House in July that I would set us on a clear and unambiguous path to 2027, and these measures do exactly that.
Oliver Dowden
My Department is in close contact with mobile network operators. I do not think that the sort of risk my right hon. Friend describes of companies going bust is remotely the case. Furthermore, we have given clear advance notice of this. For example, we made the first statements in January this year. We updated the guidance in July, and we also consulted extensively with the mobile network operators on the requirements in relation to installation that I am announcing today.
Oliver Dowden
I will make some progress. I may come back to the right hon. Gentleman later, but I have already given way to him twice.
I know that some Members are concerned that we have not named Huawei on the face of the Bill and that our approach could be reversed in years to come. I want to reassure those Members on a number of fronts. We have not chosen to name Huawei for two compelling practical reasons. First, as we discussed, this Bill is designed to tackle not only the Huaweis of today but the Huaweis of tomorrow, wherever they come from. It needs to be flexible enough to cover future threats and not tie our hands by limiting our response to one company and one company alone. Secondly—this is the most crucial point—making reference to any one company would create a hybrid Bill, dramatically slowing the passage of the Bill and therefore our ability to combat all high-risk vendors, including Huawei.
However, as a concrete sign of our commitment to tackling the national security risks posed by Huawei, I can confirm today that we are going further in two significant ways. First—I hope Members will have had a chance to see this—we have published an illustrative designation notice and an illustrative designated vendor direction to demonstrate how the Bill’s powers in relation to a high-risk vendor could be exercised. Given the level of concern in this House and in the other place about Huawei’s role in 5G infrastructure, these illustrative drafts name Huawei explicitly, clarifying our position beyond doubt, and set out a clear pathway to the reduction and removal of its equipment.
Oliver Dowden
My hon. Friend raises an important point. We are clear-eyed about putting national security first. If national security and economic interests are in conflict with each other, national security comes first. But within the context of that, we have properly weighed up the risks as between different dates. I believe that 2027 strikes the appropriate balance in that it can be delivered with impact, in the way that I described in my statement to the House in July—it will have an impact in terms of cost and roll-out for mobile network operators—but it does not run the risk that we go too far and too fast, whereby we risk some sort of blackout and loss of provision.
In addition to the draft directions, we are going a step further by using the illustrative directions to set out a new hard deadline for the installation of Huawei equipment. That direction makes it clear that all operators must not install Huawei equipment in their networks from the end of September 2021.
That clarification has clear practical implications. It will prevent any operator from stockpiling Huawei kit in the hope that the ban might be reversed. The new installation deadline will create cold hard facts on the ground, effectively turning the plan for Huawei’s removal into an irreversible reality.
The powers in the Bill also allow us to keep an eagle eye on the progress of Huawei’s removal. They enable us to require Ofcom to obtain information from companies to see whether a provider has complied, or is complying, and they allow us to require providers to prepare a plan setting out exactly how they intend to get to zero Huawei by 2027.
Using those powers, we will not just publish an annual report of compliance on the removal of Huawei equipment, but keep a close watch on the future progress of all telecoms companies where Huawei is concerned. Under this rigorous monitoring and reporting system, no provider will be able to drag their feet. They will need to provide proof that they are working to meet the 2027 deadline. But, critically, we can do this only if we secure these important powers—the powers that will enable us to take action in relation to Huawei to protect our networks, but also to take action against any other potential high-risk vendors now and in the future.
Mr Kevan Jones
The right hon. Gentleman is wrong. This Bill is actually about security. The reason he is going to get the powers is to take out vendors who are a clear high risk. Huawei has been there for a while. The kit that he is talking about banning after 2021—even if it is stockpiled or part of a contract—has not got a security implication at all because it has already gone through our Huawei centre. So I am not sure that he has the powers in the Bill to do that. I am sorry, but if I were a telecoms provider and I had a contract or a stockpile of kit that I could not use, I would be looking at taking legal action against the Government, because he cannot use the Bill if that equipment is not a threat to national security, which it is not.
Oliver Dowden
I say to the hon. Gentleman—[Interruption.] I beg his pardon. It is the right hon. Gentleman. I stand corrected. I say to the right hon. Gentleman that, first, this Bill and the measures in it implement what we announced as a Government in January and July, which, in turn, was based on the advice of the National Cyber Security Centre and GCHQ. In relation to whether I, or any Secretary of State, has sufficient powers in the Bill, I refer him to clause 16(2), which inserts new section 105Z8(4)(a) to (l) into the Communications Act 2003, which sets out a very wide range of bases on which I can designate a provider as high risk and take measures, so I am confident that I have those sufficient powers.
We must never find ourselves in this position again. Over the last few decades, countless countries across the world have become over-reliant on too few vendors, thanks to a lack of competition in the global telecoms supply chain. While this is a global problem, today this Government are officially leading the way in solving it. Alongside the Bill, we have published an ambitious diversification strategy—the first such strategy to be published anywhere in the world. It sets out our vision of what an open, competitive, diverse supply market for telecoms will look like, and the measures we will bring forward to develop an innovative and dynamic market.
We want to make progress as quickly as possible, so today I can also confirm that we are committing £250 million to kick-start this work. That includes funding and building a state-of-the-art national telecoms lab, which will bring together suppliers from across the world to test the performance and security of their equipment. We are also running a 5G open radio access network trial with the Japanese supplier NEC in Wales to help the entire UK benefit from this exciting new industry. That, of course, comes on top of NEC establishing a global open RAN centre of excellence in the UK just last month. We also know that Vodafone has recently announced that it intends to deploy open RAN technology across more than 2,600 of its sites—the largest commitment of its kind across any European network.
Jo Stevens
The hon. Gentleman seems to have forgotten about the former Prime Minister David Cameron and the former Chancellor of the Exchequer George Osborne, who also gave such a welcome.
It is worth outlining for the record the meandering journey that we have been on towards the publication of the Bill. The House will recall that in May 2019 the current Secretary of State for Education, the right hon. Member for South Staffordshire (Gavin Williamson) was sacked as Secretary of State for Defence following an inquiry into a leak from a National Security Council meeting at which it was reported that the Government had been advised in May 2019 to remove Huawei from the network. It was not until January this year—eight months later—that the Government decided that Huawei equipment should be excluded from the sensitive core parts of the 5G and gigabit-capable networks and from sensitive and safety-critical locations such as critical national infrastructure, and that its access to the non-sensitive parts of the network described as the “edge” would be capped at 35%.
In May, the United States imposed sanctions on Huawei through changes to their foreign direct product rules that restricted Huawei’s ability to produce important products using US technology or software. The NCSC advised that the UK could no longer be confident that it would be able to guarantee the security of future Huawei 5G equipment affected by the change in those US rules so, as the Secretary of State outlined, the Government changed their position again in July, announcing a ban on the buying of new 5G Huawei equipment after December this year and the removal of all equipment from our 5G networks by the end of 2027.
The UK has been slower to take action than our Five Eyes allies. In August 2018, the Australian Government blacklisted Huawei from the country’s 5G network in response to security advice, and New Zealand took the same decision in that same year. Our Intelligence and Security Committee made it clear 18 months ago that the debate on high-risk vendors had been “unnecessarily protracted” and damaging.
Mr Kevan Jones
It is worse than that. I know we had the panda-hugging days of Osborne and Cameron, but an ISC report in 2013 raised the issue of critical national infrastructure, with particular reference to Huawei, and nothing was done.
Jo Stevens
My right hon. Friend is absolutely right. For the benefit of anyone who has not read that report, it is pretty damning. We now find ourselves in a situation in which drastic action is necessary to safeguard national security and our critical national infrastructure, while at the very same time the economic imperative of the roll-out of 5G for the country has never been more urgent—and that has obviously been added to by the impact of the covid pandemic.
It is worth putting on the record that there are reasons other than national security in respect of Huawei that concern many Members from all parties in this House. The telecoms company has provided surveillance technology to the Xinjiang public security bureau, facilitating the construction of the world’s most invasive surveillance state. Last November, an Australian Strategic Policy Institute report detailed how Huawei has developed the Xinjiang public security cloud, which makes possible the total control and repression of Uyghur Muslims. As my hon. Friend the Member for Leeds North West (Alex Sobel) set out in a Westminster Hall debate on 4 March this year, the company has a shameful record on workers’ rights, operating
“a ‘wolf’ work culture of long hours and brutal workplace norms.”—[Official Report, 4 March 2020; Vol. 672, c. 282WH.]
Mr Kevan Jones (North Durham) (Lab)
I join the right hon. Member for New Forest East (Dr Lewis) in welcoming this Bill in principle but giving it a qualified welcome. It amends the Communications Act 2003, and in terms of technology 2003 is light years away.
When I was at school computers were not as common as today and even having a telephone at home was a rarity, so great changes have taken place in these types of technologies—as I have seen even in my short lifetime—and the pace of change is only going to increase. That is why this Bill is welcome in updating our laws, and it will not be the last Bill we require, because as technology advances, further updating will be needed. However, as the right hon. Gentleman said, the Intelligence and Security Committee warned about all this in 2013. It was the same with the National Security and Investment Bill last week; the warnings have been there. Yes, there has been a change of direction in the Conservative party from panda hugging to panda bashing now as the flavour of the day, but the question of security should always be central to all this.
To be fair to the Government, they have not stood still. We have been ahead of other nations in terms of Huawei and security and having the Huawei cyber security evaluation centre, which has helped us protect our networks. But a balance must be struck between open competition and being able to interact with other nations, and also protecting our security.
I want to touch briefly on the issue of security, as that is what the Bill is about. I think some people are getting carried away in thinking that the Bill will be used in a protectionist way to protect our own suppliers or as a way of cutting off altogether any trade with regimes that we might have huge reservations about, such as China. We are never going to be able to do that. The powers in the Bill are clearly around security, and my only problem is with the definition of the word. I would argue that the way in which the Government approached the matter of the Huawei security centre had security its centre in order to protect our networks. As the Minister knows, I was one of those who agreed with the Government’s decision in July to allow Huawei to have 35% of the market as long as the security was there. The National Cyber Security Centre was clear in its evidence that that could be maintained. It was the American sanctions that changed that.
When a Secretary of State makes his or her decision on whether to take a vendor out, the important thing is that it is made on the ground of security. It is not clear from the Bill how that will be looked at. I would not want to see lobbying for a certain company, for example, or a situation such as we are currently seeing on the Conservative Back Benches where anything with “China” on it has to be resisted. I should point out that many people in the Chamber tonight will have mobile phones in their pockets that contain Chinese components. Even Ericsson and Nokia, which we are going to allow into our system, use components that are made in China. We cannot just close our minds to China altogether, so these decisions must have security at their centre.
Any decisions made by the Secretary of State have to be around security, and I have some concerns about DCMS having control over this. I raised a similar point on the National Security and Investment Bill. I am not sure that the Department has the necessary expertise. Personally, I would sooner see the Secretary of State taking such decisions alongside the National Security Council, or a sub-committee of the NSC, for example, to ensure that security could be at the heart of those decisions. Likewise, I have reservations about Ofcom. As a regulator, it has been around for quite a while now, but I wonder whether it has the expertise to look at the security sector.
A specific practical point about DCMS and Ofcom is that if a decision were taken by the Secretary of State on security grounds, a lot of the relevant information would be highly classified and would not be available to people without the necessary security clearance. I presume that the Secretary of State has the highest security clearance, but I doubt whether anyone in Ofcom would do so. I would like to hear more about how that will work in practice when they are dealing with highly classified information, because the Bill makes it clear that that is the only way in which a vendor can be struck from the marketplace.
Another issue, which has already been raised, is whether Ofcom will have the necessary budget and focus to undertake this work. The right hon. Member for New Forest East made the point about a revolving door, and that is an issue that concerns many people. There is a revolving door between industry, the various regulatory bodies and the Government.
There is also an issue around oversight. I do not see anything in the Bill that will allow parliamentary oversight of these decisions. Clause 17 refers to the Secretary of State being required to lay a copy of their decisions before Parliament, but there is also a get-out clause in that the requirement
“does not apply if the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would be contrary to the interests of national security.”
Anyone who has been in the House for any length of time and who has worked in this field will know that that is the usual way for civil servants to get out of any kind of question whatsoever. There is a need for oversight in this regard. I am not trying to make work for the Intelligence and Security Committee, which I am a member of, but it is the only Committee of Parliament that has a high enough security clearance to be able to see the information that will inform these decisions. Without that, there is an issue in the Bill in terms of how Parliament will scrutinise the Secretary of State’s decisions effectively.
Anthony Mangnall (Totnes) (Con)
I am sorry to interrupt the right hon. Gentleman while he is making such good progress. If a decision were not to be laid before Parliament, would he accept the idea of it going before the Intelligence and Security Committee?
Mr Jones
Yes. If we were able to see it, at least we would be able to get access to the intelligence that informed it. The DCMS has its own Select Committee, but that Committee does not have the clearance, so I would suggest taking the approach the hon. Gentleman describes. There is a way of doing that. Under the Justice and Security Act 2013, the DCMS does not come under the Intelligence and Security Committee’s remit, but we could change the memorandum of understanding to include this issue. I think that is needed, and I said the same thing on the National Security and Investment Bill.
On diversity, we would love to have a large number of vendors, but there is a clear issue we have to recognise. People talk about market failure. There has been a market failure because, in terms of Huawei and the Chinese state, there has been a deliberate decision to buy in to a sector. There has also been a tendency among us all, as consumers of telecoms services, to make sure that the rates go down as low as possible. That has led the prices down, so there is no money in the infrastructure at all, which is why companies have got out of the sector.
There is an area where diversity can come in, and that is open RAN. If the investment goes into that, we could be a world leader, but let us not make the mistakes we have in the past, where we have been a world leader—for example, in fibre technology in the early 1990s—and then gave that lead away.
On the removal of Huawei from the 5G network, the 2027 deadline needs to be maintained. I am sorry, but I think the Secretary of State is wrong in what he is suggesting. If he does what he suggests, that will add further costs and slow our progress. The equipment that is there now has been through the cyber security centre. We are satisfied that there is no security risk from that equipment, so why rip it out before we have to do so? All that that will do is slow our system down and slow the economic advantages that can come from 5G.
We have concentrated a lot in the debate on the hardware. Will the Bill somehow make us completely immune from cyber-attack? No, it will not. The other side to this, which is just as important, is to ensure that we educate companies to ensure that they use their systems safely and that upgrades are done on security networks and other things. That is about the basic education of the people who use a mobile phone or any type of computer network.
With those concerns, I welcome the Bill as a step forward. Let us see it not just as a way for us to somehow solve all our cyber-problems, because we will not. We still have to be vigilant, and we still have to make sure that our security services have the finance, ability and expertise to respond to the enemies who are attacking us.
Sir Iain Duncan Smith (Chingford and Woodford Green) (Con)
I welcome the Government bringing forward this Bill now, and I congratulate them on having listened, which is not always something that Governments can be accused of. The Secretary of State and his Minister, whom I welcome—the Under-Secretary of State for Digital, Culture, Media and Sport, my hon. Friend the Member for Boston and Skegness (Matt Warman) —have listened to many concerns, and measures to address them are now embedded in the Bill.
China recently said that if there was any further interference, it would poke the eyes out of the Five Eyes. This Bill puts the missing fifth eye back into the Five Eyes, because we have been laggard, lazy and late on this, and I think this would probably be the case across the board, so perhaps that is a positive. The right hon. Member for North Durham (Mr Jones) made a very good speech. He was right to say that this is not about China. There are plenty of security risks, as my right hon. Friend the Member for New Forest East (Dr Lewis), the Chair of the Intelligence and Security Committee, said. Russia is a massive security risk to us and has probably carried out more cyber-attacks on us than anybody else. That is debatable, but it has a very big criminal network that attacks us the whole time.
I accept that. However, the difference is that China is now the driving force for our introducing this Bill, because it poses a very different kind of threat. The fact is that China has juxtaposed the ability to dominate in a market sense, which sucks us in—I will come to project kowtow and the mistakes that were made—while at the same time forcing us to often turn a blind eye to some of the work it did, which we do not do with Russia and some of the more immediate threats. It is a peculiar and different challenge, which is now embedded in the Bill.
My right hon. Friend the Member for New Forest East made the important point that the nature of our exposure has been known about for some considerable time, and we should not have ignored it. I thank my colleagues who joined the Huawei interest group early on, in winter last year, and who have campaigned to try to tighten up these security measures. Following that, the Inter-Parliamentary Alliance on China was set up, which is now made up of politicians on the left and right from 38 countries, and they are asking us to tighten up our security co-operation and ensure that we get this right.
This Bill is long overdue, and it is welcome, but I want to highlight three issues in it. First, although it is not in the text of the Bill, the Government have now announced that they accept 2027 as the end point for Huawei as a provider that may be high-risk and that no new Huawei equipment may be installed from September 2021. That is very welcome. In fact, the September 2021 date is better than I would have expected at this point, so I congratulate the Government on being very clear about that. That is a more important date than 2027, in effect, because it opens the market and allows others to recognise now that they have a possibility of re-entering a market that was closed to them by one company in particular—there are other companies in China—that has manipulated the normal rules of market adherence and subsidy. It has been a disaster for us not to recognise that on that basis alone, forgetting the security risks as well.
I am, however, concerned by another point about the process, which leaves the Secretary of State to make these decisions going forward, against criteria that are laid out, and I will come back to that. I think my right hon. Friend the Member for New Forest East said, “Who will be the advisers? Who will advise?” That is absolutely right, and the Secretary of State should listen to the Chair of the Committee on that point. It is important to structure who will advise the Secretary of State and how that will happen. Perhaps the Committee can have a very strong look at that and advise the Government on how to structure that.
There should be a more formal structure embedded in the Bill, otherwise it will be too easy for a Secretary of State, under pressure from the Business Secretary or a Chancellor, such as one we once had, who was very keen on a golden era, to be leant on and told, “Do you really need to go down this road?” That will happen. I sat as a Secretary of State, and I can tell the House that all that stuff happens, and anyone else will say that, too. A more structured approach would not allow the Secretary of State to miss the right people on advice. That will be very important.
The descriptions in the proposed new sections of the Communications Act 2003 under clause 16 of the Bill are important, and I will come back to those, because the list gives the Secretary of State plenty of scope. Tightening up the advice means that that scope will not therefore be wasted.
We are here because of the mistakes of the golden era—the great kowtow, as I would rather call it—where we too often ignored the realities of what was going on in security terms for the sake of this great drive that we would benefit massively from the opening up of trade with China. There was also a mistaken belief: too often, liberal democracies and all of us who believe in freedom of speech and the general freedoms believe, rather arrogantly, that all we have to do is open up markets and everyone else will realise that their system must be wrong and therefore they will change it.
That was the great belief. I was told it endlessly in government, “Don’t worry about this sort of stuff. China will change once they realise exactly how wonderful it is to trade with the west.” Well, they did not. They do not want to change, because they think that their form of government is a better form of government. They will say, “We are opened up to the markets. We are getting the benefits of the marketplace.” China was invited to join the World Trade Organisation back in 2001. There have been real problems since then with market forces, but I want to come back to the security elements.
The worry is that others of the Five Eyes spotted what was going on long before us, and we ignored a lot of the evidence that we should have been tightening up much, much earlier. We should have been concerned. I cannot remember which Member said that security should be the No. 1 consideration, over everything else. We lost that—I hate to say that—and considered it just one of the things we might look at.
Mr Kevan Jones
I am not one for doing the Government’s job or supporting them, but I do not think we did that actually, in terms of the Huawei cyber-security evaluation centre. We were ahead of other countries that did not do that, including the United States, and let Huawei into their country networks without any checks whatever. But the issue has to be security. I know that the right hon. Gentleman has strong views about China trade, but security has to be at the heart of things, which I think is where we have been up to now.
Sir Iain Duncan Smith
I have to say that I do not agree with the right hon. Gentleman on this. Although the Huawei cyber-security evaluation centre was installed, when I sat and listened to people from it making a presentation to us earlier in the year, it was almost as though we were watching people who were kind of squeezing their own genuine, real opinion, which would have been coming via GCHQ, about how the real threat was formed. Their arguments did not stand up, even in the face of people who were not every day working on security.
The truth is we need to be careful, and it should have been a tighter position from the word go. The very fact that the Government are bringing this measure forward now suggests that that was not the case. [Interruption.] Listen, I am critical of my own Government. I resigned from the damn thing at one point. I have to say that I therefore do believe it is possible for great Governments, like mine, to get things wrong.
Chi Onwurah
I thank the right hon. Member for that intervention, and indeed for his contribution to the debate. I agree with him, although I think that is something we need to work out and probe in Committee, because currently there is no reference to that, or no plan to do that. I think we should certainly be taking into account and using our existing resources, and we all know that these kinds of resources and skills are both expensive and hard to find at the moment. The right hon. Member makes an important point.
On 14 July, the Secretary of State, who is not in his place, said in this House that he had
“set out a clear and ambitious diversification strategy.”—[Official Report, 14 July 2020; Vol. 678, c. 1377.]
I asked him repeatedly over the summer when he would publish this clear strategy that he had already set out. Answer came there none, and I could only conclude that he had misspoken. However, I did think that today we would get that strategy, but unfortunately not. Yes, there is actually a diversification strategy, which has been published, but it is neither clear nor ambitious. It is far more concerned with bringing new vendors into the UK than with developing our sovereign technological capability. Indeed, as it diversifies opportunities for Nokia and Ericsson, we could call it an effective Scandinavian industrial strategy. Apart from a vague commitment to link the scale of home-grown suppliers to the Government’s broader growth and productivity agenda, there is no clear plan—no plan at all—to build UK sovereign capabilities, which the right hon. Members for Vale of Glamorgan (Alun Cairns) and for Bournemouth East (Mr Ellwood) emphasised as being important.
Just today, Mobile UK, the mobile operators industrial body, emphasised that the Bill and the 5G diversification strategy are intrinsically linked but not, it would appear, by the Government. The diversification strategy also does not refer to fibre, although the Bill applies to our fibre networks too and may impact the Government’s constantly shifting roll-out targets.
Network operators need to be confident in the maturity, performance, integration and security credentials of new vendors and technologies before they are deployed in their main networks. We agree with the Secretary of State that the Government can help accelerate that process, and in doing so there is potential to create opportunities for the UK to take the lead, as well as much-needed high-skilled jobs. The hon. Members for Totnes (Anthony Mangnall), for Strangford (Jim Shannon) and for Bracknell (James Sunderland) all agreed about the importance of diversification, but all the diversification strategy says about developing UK technology, jobs and capability is that it will be part of the industrial strategy, which we have yet to see. Clearly, we do not have a diversification strategy.
Mr Kevan Jones
Does my hon. Friend agree the Bill will have to dovetail closely with the National Security and Investment Bill? If new developments were taken over by foreign entities, that could be a security risk as well. However, as we were told last week, the responsibility for that lies with the Department for Business, Energy and Industrial Strategy, not DCMS.
Chi Onwurah
My right hon. Friend makes an excellent point. He is absolutely right. The question of how the diversification strategy delivers home-grown capability and protects that as it grows and strengthens has been avoided.
As the shadow Secretary of State said, it is important that everyone can benefit from 5G, both in our technological capability and in using it. There is a digital divide in this country: 11 million adults lack one or more basic digital skills and 10% of households do not have internet access. 5G has the potential to increase digital inclusion, providing greater access to broadband. As the hon. Members for West Dorset (Chris Loder) and for Caithness, Sutherland and Easter Ross (Jamie Stone) highlighted, digital technology can be a great leveller, but we need to ensure that the infrastructure and skills base exist for everyone to take advantage of the opportunities it provides. Digital inclusion requires political will, urgent action and a Government who understand the importance of universal digital suffrage. Government interventions on that have been brief—not quite as brief as the intervention of the hon. Member for Tonbridge and Malling (Tom Tugendhat) in the debate, but far less eloquent.
As a chartered engineer, I want to finish by celebrating the potential of 5G, which can truly transform our businesses, our industries and our daily lives. It will not only vastly improve our connectivity and browsing experience but support new enabling technologies, from the internet of things to artificial intelligence. If the first industrial revolution was powered by engines, the fourth will be powered by data. As hon. Members have observed, 5G is essential for innovations from driverless cars to smart cities, and to addressing the climate emergency through monitoring and improving our energy efficiency. Some estimates predict that 5G could mean productivity savings for the UK of up to £6 billion a year on top of energy and waste reductions that internet of things devices could enable.
We must get this right. As we all agree, our national security is priceless, but until we see a detailed plan, a proper impact assessment and an industrial strategy, the Opposition will remain deeply concerned that the Government are not prepared to make the interventions necessary to ensure that our national security is safeguarded.
Matt Warman
We do not anticipate legislation as a direct result of the diversification strategy, but of course there are other important avenues to explore as part of the broader industrial strategy. A lot of what is in the diversification strategy does not need to be delayed by the legislative programme, and I think my right hon. Friend would welcome that.
A number of Members raised the role of Ofcom. Ofcom will monitor, assess and enforce compliance with the new telecoms security framework that will be established by the Bill. It will report on compliance to the Secretary of State alongside publishing the annual reports that he mentioned on the state of the telecoms security sector. I want to be absolutely clear: we have had productive conversations with Ofcom already. Ofcom will continue to have the resources it needs. We appreciate that those needs will be affected by the changes that we are bringing in today, and we will agree their precise nature with Ofcom. We will make sure that Ofcom has all the security clearance that it needs to do the job, and all the resources, external or otherwise, to do the job, because this is an important new power.
Ofcom may also play a role in gathering and providing information relevant to the Secretary of State’s assessment of a provider’s compliance with a designated vendor direction, and it may also be directed to gather further information to comply with the requirements specified in a direction. The Bill already enables Ofcom to require information from providers and, in some circumstances, to carry out inspection of the provider’s premises or to view relevant documents. Ofcom’s annual budget, as I say, will be adjusted to take account of the increased costs it will incur due to its enhanced security role.
Let me turn to a couple of issues raised by the hon. Member for Newcastle upon Tyne Central. We will of course be working with local authorities and with networks to minimise any disruption, but we do not anticipate that the decisions that we have made over the past few months will have a direct impact on existing commercial decisions. As the Secretary of State said, we do not expect the two to three-year delay to be extended by what we have said today, but we will keep in close contact with the networks and continue to make sure that we do everything we can to remove the barriers to the roll-out of the networks as far as we possibly can. I do, however, expect companies to do as much as they can to minimise the effects. These are commercial decisions that have been made by companies over a number of years. We have already seen, as a result of the Government’s approach over the past few months, significant changes to decisions. I welcome the neutrORAN project that my right hon. Friend the Member for Vale of Glamorgan mentioned, as well as a number of others that have been taken by networks that already see important changes to how they procure their networks.
Mr Kevan Jones
The Minister has introduced the September 2021 date after which no new Huawei or high- risk vendor equipment can go into the networks. What will happen to those companies that perhaps have stock of Huawei equipment or entered into contracts thinking that they could implement them before September 2021 and will now have to be told that they cannot? Would they actually lose a lot of money?
Matt Warman
Those decisions, as I said, were taken in the context of the environment that people were already well aware of, and they are taken at a degree of commercial risk. However, we have worked closely with the networks to ensure that there will be no additional delays as a result of this decision. I think it is the right thing that puts national security at the absolute heart of our programme, but it also does that in the context of not jeopardising the clear economic benefits and the clear practical benefits of improving connectivity across the country that we would all like to see.
On the emergency services network, we anticipate that these announcements concerning Huawei will have a very low impact on the emergency services network. We do not anticipate any impact on the programme schedules. There is some Huawei equipment in the EE part of the emergency services dedicated core network that EE is already working towards removing.
Let me cover one other aspect raised by the Chair of the Intelligence and Security Committee, my right hon. Friend the Member for New Forest East (Dr Lewis). I look forward—maybe that is not quite the right phrase—to appearing before the ISC in the next few days. We will always co-operate with it, and I am very happy to work with it on the best way to balance the obvious requirement between transparency and national security, although we would always seek to be as transparent as we possibly can be within those important bounds.
Telecommunications (Security) Bill (First sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Kevan Jones
Main Page: Kevan Jones (Labour - North Durham)Department Debates - View all Kevan Jones's debates with the Department for Digital, Culture, Media & Sport
Telecommunications (Security) Bill (First sitting)
Kevan Jones ExcerptsThursday 14th January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 14 January 2021 - (14 Jan 2021)
The Chair
Before we begin, I have a few preliminary announcements. Please switch electronic devices to silent. Tea and coffee are not allowed during sittings of this Committee. I would also like to remind Members of the need to observe the rules on physical distancing, both in this room and when entering and leaving via the marked entrance and exit doors. It is important that Members find their seats and leave the room promptly in order to avoid delays for other Members and staff. Date Time Witness Thursday 14 January Until no later than 12.30 pm Three; O2; Vodafone Thursday 14 January Until no later than 1.00 pm British Telecommunications Thursday 14 January Until no later than 2.45 pm Mobile UK; TechUK Thursday 14 January Until no later than 3.30 pm Mavenir; NEC Europe Ltd Thursday 14 January Until no later than 4.15 pm Small Cell Forum; Digital Policy Alliance Thursday 14 January Until no later than 4.45 pm British Standards Institution; Royal United Services Institute Tuesday 19 January Until no later than 10.10 am Webb Search; Oxford Information Labs Tuesday 19 January Until no later than 10.45 am Dr Alexi Drew, the Centre for Science and Security Studies, King’s College London Tuesday 19 January Until no later than 11.25 am The Office of Communications Tuesday 19 January Until no later than 2.45 pm Catapult Compound Semiconductor Applications; Dr Nick Johnson; UtterBerry Tuesday 19 January Until no later than 3.30 pm MWE Media Ltd; Lumenisity; Dr David Cleevely CBE Tuesday 19 January Until no later than 4.00 pm Information Technology and Innovation Foundation
Today we will first consider the programme motion on the amendment paper. We will then consider a motion to enable the reporting of written evidence for publication, and then a motion to allow us to deliberate in private about our questions, before the oral evidence session. In view of the time available, I hope, but cannot insist, that we take those matters without debate. I call the Minister to move the programme motion standing in his name, which was discussed on Tuesday by the Programming Sub-Committee for this Bill.
Motion made, and Question proposed,
That—
(1) the Committee shall (in addition to its first meeting at 11.30am on Thursday 14 January) meet—
(a) at 2.00 pm on Thursday 14 January;
(b) at 9.25 am and 2.00 pm on Tuesday 19 January;
(c) at 11.30 am and 2.00 pm on Thursday 21 January;
(d) at 9.25 am and 2.00 pm on Tuesday 26 January;
(e) at 11.30 am and 2.00 pm on Thursday 28 January;
(2) the Committee shall hear oral evidence in accordance with the following table:
(3) the proceedings shall (so far as not previously concluded) be brought to a conclusion at 5.00 pm on Thursday 28 January.—(Matt Warman.)
Mr Kevan Jones (North Durham) (Lab)
I have no problem with the programme motion, because it is sensible, but I want to put it on record that it is frankly nonsense for us to come in today and sit in a room to take evidence from virtual witnesses, as we will do next week as well. There is no reason why evidence sittings, particularly, could not happen remotely. I have attended two meetings this week, including a meeting on Tuesday of the Defence Committee, which took evidence from witnesses virtually.
I understand that things are being done in this way at the insistence of the Leader of the House. I think he is hiding behind the usual channels having sorted it out. I want to put it on the record that that is not true and that objections have been raised by the official Opposition, certainly about evidence sittings being done in this way. If we are to travel long distances, as many of those present have, to get here today and next week, that flies in the face of the advice of not only the Government but Public Health England about moving between areas.
I do not know whether, at this late stage, we could at least consider whether next week’s evidence could be taken virtually, because it is a bit ironic that we are sitting in a room here—I accept your rulings about social distancing and so on, Mr Hollobone—and that the evidence that we shall listen to from the witnesses today and next week will be given virtually.
The Chair
Mr Jones, I note your remarks and know that many others will share your view. As the Chair of the Committee I can operate only under the rules that I have been given by the House.
Question put and agreed to.
Resolved,
That, subject to the discretion of the Chair, any written evidence received by the Committee shall be reported to the House for publication.—(Matt Warman.)
The Chair
We will come on to Kevan Jones. Now I am getting the hang of this now, I do not think it is fair to always ask Patrick to be the first out of the blocks to answer the questions, so I will try to rotate so that everyone has a chance of going first.
Mr Jones
Q
Having met many of you at a previous Committee and taken evidence from you, it is clear that there is little profit to be made on the hardware side because we all want cheaper phone calls, and you obviously react to customer demand to try to get costs down. What are the realistic prospects of any UK-based company or other vendor coming into the hardware side? On open RAN, I accept that it is for the future, but what timescales are we talking about for that having an impact on how our telecoms networks are organised?
Derek McManus: On timescales for ORAN, I think we are very early in the evolution of that technology. There are trials in the UK, as there are in various markets across the world. In our view, it will be at least a couple of years before you have a viable technical and commercial product, focused initially on rural. To have diversification in a meaningful way, you have to have scale, and scale will take a number of years beyond that—I would say five to eight years to get a real, viable-scale vendor to challenge the two incumbents.
On your previous question about the likelihood of there being UK players in that market, the UK used to have a very healthy telecoms supply industry, which sadly over time has faded away. I think it is more likely that the UK could play in the software part of the future of radio, and particularly ORAN, than in the hardware part. I cannot see today a viable UK hardware provider. Actually, there are not that many UK telecoms suppliers around. But software is a bigger opportunity. Part of the diversification work that is going on with the industry and Government is looking at ways to encourage the inclusion of UK business in that emerging opportunity.
Mr Jones
Q
Derek McManus: Yes, and if you look at the scale of mobile growth, the fact that there are only two remaining viable competitors is an indication of how difficult it is to have competition in today’s marketplace. That is technical and, to meet the economic challenges, that requires scale, too. There are other providers in the marketplace, but only two provide the 2G, 3G, 4G and 5G capability that the current UK markets require.
Andrea Donà: To answer the specific question on timescales, Vodafone UK is pioneering the development of open RAN. We were the first operator to achieve a commercial open RAN solution, in August last year, having delivered the first commercial open RAN unit on the ground radiating and carrying traffic at the Royal Welsh showground. We recently developed and announced plans to deploy open RAN across 2,600 sites. It is a promising innovation, but it is not yet mature enough to match the traditional vendors in terms of functionality and efficiency on an industrial scale.
However, if the UK wants to lead in this field and take advantage of the existing advantage that it has when it comes to design, it should continue putting its weight behind this promising technology and allow partnerships to be formed, where the incumbent vendors are asked to play a role in the architecture of this new technology. That will allow other parts of the technology chain—as Derek said, software, the baseband or the antennas—to attract and welcome new entrants through appropriate policy frameworks and the diversification strategy.
With new entrants, as we open this technology, we fuel innovation. If the UK keeps ahead of that, it will be able to be at the forefront of exciting new innovation. We welcome the steps that were outlined by Government to try to press this technology ahead. You could do that through trials or through incentives for the MNOs to use their technology. We can work together to create local research and development centres to fuel this new technology.
Mr Jones
Q
Andrea Donà: There is an opportunity for British companies to play an active role in the open RAN ecosystem. As we open up the interfaces of the technology, it creates a golden opportunity for British companies, with British support and know-how, to come and contribute to the development of this new technology.
Patrick Binchy: My views are broadly aligned with the previous answers. The reality of the situation that we find ourselves in is that there are only two practical vendors for the next couple of years. As both my colleagues have said, beyond that there is opportunity for ORAN.
I am not sure if it came across in the previous answers, but I would stress strongly that the first thing we need is the R&D. We need to understand how we can move this technology forward. As Derek said, trials are primarily operating in rural capacity, but to be a true competitor to the incumbents we have to be able to use it in deep urban areas, under significant loads, which needs a lot of development.
The Government can support trials and help build the ecosystem around them, but the first thing that we need is to get the research and development that will feed the trials. In terms of the Government’s development of opportunities in ORAN, it is key that they look at working with international partners. This has to be scaleable; otherwise, it is never going to be commercially viable. The UK market will not be big enough to drive that scale and commerciality.
David Johnston (Wantage) (Con)
Q
Andrea Donà: Specifically on the incident you are referring to, which was in April 2019, it was a Telnet protocol, which is used by many vendors in the industry to perform diagnostic functions. It is important to note that it would have not been accessible from the internet. Detailed analysis showed that it was simply a failure to remove a function that is used, as I said, for performing diagnostics after it had been developed.
On the broader question of security and our concerns, we have always maintained the very highest level of security policies, security processes and security procurement mechanisms and frameworks. We use a layered approach to our security needs, whereby we secure by design. All our systems and process put in place guarantee the highest security standards, end to end. The UK networks and standards are the highest in the world. We constantly work hand in glove with the NCSC, and abide by all the latest NCSC guidance and policies to keep those minimum standards high every time. We have worked very closely with the NCSC to set up HCSEC, an ad hoc centre where any new Huawei equipment or software goes through rigorous checks, audits and assurances, in line and in close collaboration with NCSC.
Patrick Binchy: I do not have much to add to that. We are similarly aligned in terms of our processes, from procurement to deployment. We have security checks throughout, and separate functions to make sure that we are adhering to those. We work very closely with the NSCS and HCSEC in terms of the technologies that are in the network. Going forward, we will continue to do so. We will be reviewing the software and hardware versions that we have in place and ensuring that those are fully checked and validated. As I said earlier, we also have a full, independent view of the traffic traversing our network, so if something untoward were to start happening, we would immediately have a view of it, and would be able to shut it down independently.
Derek McManus: As I said earlier, we do not have sufficient numbers in the UK. We have fewer than 10 Huawei base stations, so although we perform all the necessary checks, we are not exposed on the scale of others in the market.
Miriam Cates
Q
Howard Watson: I actually think the structure of the Bill accommodates that quite well. It allows secondary legislation and guidelines to be upgraded. We note the critical role of the National Cyber Security Centre working with Government in doing that. I think, actually, you have taken care of that well with the way the Bill is structured.
Alex Towers: Yes, I would completely agree with that. I suppose our concern, slightly, at the minute, is to see some of the detail that is going to sit underneath the Bill in terms of a code of practice, in particular, and secondary legislation, because that is where it will become clear exactly what the implications are for operators. The sooner we can see some of that detail and get into the teeth of that, that would be great; but the way the Bill is structured, to allow that sort of detail to be updated on a regular basis as the world changes around us, seems totally sensible.
Mr Jones
Q
Howard Watson: Let me work through that. First, from our perspective, given that we do have quite a large amount of BT in our mobile network, which is with the high-risk vendor, we have a large swap-out programme already under way. Effectively, we already use Nokia to extend their reach, but also to introduce Ericsson. That essentially means that I will be replacing a significant amount of my network over the next seven years.
It is quite difficult for me to start introducing new opportunities and new options into that, certainly in the early part of that. For my network, I see the opportunities in the latter part of this decade, not the early part. That does not mean that there will not be opportunities to try open RAN in some of the rural areas or to conduct some trials with the other vendors that we have talked about. It is very much an industry approach that we are taking here. Some of my colleagues may be able to move a bit earlier. It is important that we collaborate and work as a UK set of operators with the Government to make sure that we have the right rich set of solutions.
We would not want to come down to just one vendor. That would certainly be a worry for many reasons, so we need to continue to ensure that, in the short term, we absolutely have the choice of two.
Alex Towers: Given the timeframes that Howard has described, it is a five to seven-year cycle of replacement for the vendor. That is why it makes sense, we think, to go big now on large-scale trials of things like open RAN. The important investment in R&D and the £250 million is a good step towards that, but we will probably need some more, because we need to be ready for the next cycle if it is going to be a workable solution in future.
Chi Onwurah
Q
Secondly, we heard from Sir Richard Dearlove, the previous head of MI5, that when Huawei was first used as a vendor or equipment supplier by BT, it was not considered worth informing Ministers of that fact, despite what he considered to be evident security concerns. Can you say what in the Bill changes that so that the Government of the day will be better aware of ongoing and future security concerns?
Thirdly, on behalf of Catherine West, on international collaboration, what presence do you have on standards bodies? Can you say what your budget is for research and development so that we can see how that compares with the £250 million on offer?
Alex Towers: I will defer to Howard on the questions about standards and technical details. On your point about the relationship with Government, I do not think that any of us were around in 2005, but I know that there is some sort of contested story about exactly who was told what about the introduction of Huawei. You would—[Inaudible.] We have moved a long way on that. We have a very close working relationship with the NCSC and with other parts of Government, and we would be very confident that we are constantly in contact with them about exactly the mix of suppliers that we are using. The introduction through the Bill of TSRs will take that even further, so we would be very confident that we have got a good enough structure there to ensure that any concerns that any part of Government had would be captured and dealt with, and Ofcom is also now in a position to regulate.
The question about relying on just the one supplier is less a concern about security and more one about the commercial resilience of that position. Howard can probably say a little bit more about the standards and the technical questions around that.
Telecommunications (Security) Bill (Second sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Kevan Jones
Main Page: Kevan Jones (Labour - North Durham)Department Debates - View all Kevan Jones's debates with the Department for Digital, Culture, Media & Sport
Telecommunications (Security) Bill (Second sitting)
Kevan Jones ExcerptsThursday 14th January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 14 January 2021 - (14 Jan 2021)
Miriam Cates (Penistone and Stocksbridge) (Con)
Q
Matthew Evans: Thank you for that question. As I said at the start, we welcome the Government’s diversification strategy. It looks to tackle four issues, really, which are supporting incumbent suppliers to the UK market; attracting other global-scale suppliers; accelerating open interfaces and interoperability; and then the fourth area, which we could probably do with more detail on, which is really building on that domestic capability. I know that the taskforce that helped Government to frame the strategy is working on that aspect of it. As I say, I think we could do with some more detail.
However, we welcome the funding that has come alongside that strategy, and I think that we have a real opportunity in the UK in some of the areas where we have traditional strengths, in the software side in particular, to build some world-leading capability. As for the Bill itself, I do not think that it necessarily presents a barrier to that domestic capability; it is more in how we develop the strategy that sits alongside the Bill.
Hamish MacLeod: Just to add to what Matt said, yes, we very much welcome the diversification strategy. It is an absolutely necessary step to mitigate the risks of having to rely on two incumbents. It gives the UK an opportunity to have a leadership role in the development of exciting new technologies, such as open RAN, and, as Matt said, to grow the supplier base in the UK in the mobile sector.
Mr Kevan Jones (North Durham) (Lab)
Q
Hamish MacLeod: Yes. As I just said, the 2027 deadline is very important, because that will give time for realistic competitive alternatives to develop. The open RAN is being deployed in the UK in sort of rural areas and in the less high-performance environments, and that will change over time. The investments that this diversification strategy talks about in research and development will help to develop open RAN, and also in the test bed programmes. All these things will help to build the capability of alternative vendors.
Matthew Evans: Just to add to Hamish’s answer, there is a reason that we have a relatively constricted number of scale providers for telecoms, and it is the level of R&D required—that is the risk associated with each generation of technology if it is not taken up on a global scale by operators. To be realistic, we are likely to be focused around two incumbent vendors in the short term.
I think that what the diversification strategy sets out, though, and in fairness it is a strategy and not a complete plan, is a path to open up the UK market to those scale providers who at the moment do not participate in it. That is through trying to reduce the commercial and regulatory barriers that we face, such as on spectrum defragmentation and on providing a single RAN solution —at the moment in the UK, there are obviously 2G, 3G, 4G and 5G. But it also then opens up the possibility of greater use of technologies such as open RAN, which really breaks away from that proprietary architecture, whereby we have both the hardware and the software from the same provider.
That will be a challenge in the short term, but in the medium to long term there are actions that can be taken both to attract the scale providers not in the UK market and to make the UK market attractive to people who work in the open RAN area as well. So I think a dual-track approach helps to bring diversification to the UK market.
Mr Jones
Q
The Chair
Mr Evans, let us go to you first.
Matthew Evans: Is it going to be easy? No is the short answer. Is it possible to increase that diversification? Yes. We would like to see more commercial incentives for operators, who will have to change and adapt. This will be a change for operators as they diversify their vendor base. Part of the strategy has to be around the scales and the commercial incentives for operators to do so. We have certainly seen, as we heard from the witnesses this morning, UK operators really pushing the boundaries in terms of what open RAN trials can deliver. As I said, I suspect it will not be a short-term solution, but it is promising to see the trials that are already under way in the UK.
Hamish MacLeod: I would also like to highlight the Government’s commitment to taking a greater part in the process of international standard setting and driving scale across the global market. Although we expect the operators to do the technical heavy lifting, the Government can leverage our international relationships, and the actual resource makes the whole standardisation process move along more quickly.
Mr Jones
Q
Matthew Evans: I think the £250 million is clearly initially focused on the R&D ecosystem. That is a big commercial barrier when you look at the testing environment and the time it often takes for operators, understandably, to feel confident in deploying equipment into their networks, because they are ultimately responsible for the integrity of them. If we can supercharge the testing environment in the UK, we should be able to shorten the time to market, but open RAN in particular is going to require a boost in funding to accelerate the maturity of that technology.
The other part of the diversification strategy is the scale vendors that may be operating in other parts of the world but are not present in the UK today. That is why it is also important to tackle some of the regulatory or commercial barriers that exist and prevent them from entering the market today.
Hamish MacLeod: I do not think I really have anything to add to what Matt just said.
David Johnston (Wantage) (Con)
Q
Hamish MacLeod: One of the things about open RAN and more open architecture generally is that you generate competition in the hardware and in the software—it is not one package—so I think it is realistic to expect more competition, particularly in the software side of things.
David Johnston
Q
John Baker: Perhaps I could take that one. This is falling in line with what is going on globally. We see initiatives coming from Spain, the EU and the US. The US is further ahead in terms of passing law on trusted suppliers, and it is now setting timelines and budgets for taking suppliers out of the network. That rip-and-replace programme is now under way. The money for that was approved in December, and operators are looking at open RAN as solutions for that. That is very similar to the activities that you are planning through this Bill in the UK.
Chris Jackson: What we have seen in Japan is strong support for this direction, but I think the UK Government have taken the lead in terms of putting forward an aggressive stance on this to ensure that the security of the country is protected. The UK is doing everything that we would expect it to, and we fully support that.
Stefano Cantarelli: Some of the things said about the diversification of the supply chain are particularly important in terms of the ability to create competition and, as such, innovation. The interoperability of interfaces is fundamental in order to boost data and to be able to create more competition. We strongly believe that competition is based in innovation, and innovation these days can create a very powerful cycle of technology. It is not like how it was in the old days when it took maybe a year, two years or three years to get things into deployment; today, in less than a year a trial can become a commercial deployment.
Pardeep Kohli: I agree with the other gentlemen. In a number of countries, operators have made the decision that, going forward, they will only buy open RAN-based solutions. Governments are supporting that in many parts of the world.
Mr Jones
Q
Pardeep Kohli: Let me start. You are right that until now it was all about hardware, because people were building proprietary hardware to supply radio products. When you do hardware-based solutions, the scale matters, because you need logistics, manufacturing capability and factories, and obviously Huawei, Ericsson and Nokia had a strong base and the logistics set up.
When you do open RAN, it is more software leaning on general-purpose hardware. Companies like us do not need manufacturing plants any more because we are only providing software, and we have the advantage that our software can run on a private cloud that an operator can build on, for example, standard Dell servers—there are plenty of them, and people can build those—or we can run it on a public cloud on Amazon or Google. If you look at the scale that Google, Amazon and Azure have, Huawei is nowhere close to their scale. In that sense, the whole matter of Huawei’s scale does not matter at all the moment you move a hardware problem to a software problem.
The same thing happens with logistics and people. For us, hardware-based solutions need people to carry the hardware around, bolt it and everything. For software, with the click of a button you can distribute it to 2,000 sites; you do not need people and logistics to drive hardware around. This is how with what we are doing—for example, we are working with Dish to build a nationwide network, and we will have 50,000 sites deployed in less than two years—not that many people are required to do all this, because the problem has moved from hardware to software.
We would like the Government and other people to understand that there is no way any company can beat Huawei with the presence it has in China alone if they take on the problem as a hardware problem. It must be converted into a software problem—that is the only way it can be solved.
On your question about how we convince operators, it is always on the point about proof. We are a 20-year-old company working with operators all over the world. We handle 60% of the world’s operators’ messaging. If you look at SMS, for example, we carry that traffic for all the operators in the UK, and voice calling. We already do more critical services: radio is important, of course, because of the connectivity, but operators are relying on us for the day-to-day services. Now we are working with them to prove that our software is as good or better than what they can get on from the incumbents. Of course, we are expecting them to participate in the journey and work with us so that we can prove to them that we are good. We have done that in all other layers of the software, so we feel that if somebody engages with us, within six to nine months we will prove to them that we are good and it works.
That is working; in terms of the whole idea that the technology does not exist, we have crossed that hurdle. Now it is more about, “Okay, does it work for this use case or that use case?”, or, “In my network, I may have some proprietary stuff I have done with existing vendors, and I want you to do that as well.” So it may take six to nine months, or even 12 months, to get there, but I think we are beyond the point where we need to prove that it works. We know it works.
Mr Jones
Q
Pardeep Kohli: If you look at investments, because of Dish, the US is making the most investments; the Government have now surpassed $1.9 billion on rip-and-replace to replace Huawei equipment, so that will create an ecosystem. In Japan, with Rakuten, they are building a whole nationwide network based on open RAN. We have seen Deutsche Telekom, for example, announce in Germany that it is building an ORAN town, so it will have a whole city that will have only ORAN components in a due timeframe. We have systems applied now in Sri Lanka, in India and in Malaysia. A lot of countries are looking at the economics: obviously, volume makes the numbers different, and with higher volume you will improve the economics further, but if you include the opex cost as well to go along with the capex cost, there is no way to compare what you can get with this technology compared with the legacy one.
The Chair
I am just conscious of time; do any of the other witnesses have anything they want to add to what we have heard from Mr Kohli?
John Baker: I would just like to add that Vodafone has been very much in the lead with the development of open RAN solutions. We have been engaging with Vodafone for three and a half years in test labs and specifying the technology, and so on. The UK has been very much part of bringing this technology forward, as well as BT with the Telecom Infra Project labs.
Chris Jackson: Coming back to your question, I would not like to speculate as to how long it would take for open RAN to become standardised and commonplace within the UK. The Government are setting up a national telecoms lab and SONIC. There are a number of companies like ourselves, NEC, who have just set up our 5G global centre of excellence here in the UK, and the operators have all set up laboratories. If we can start to encourage and bring all those parties together, that is the key to accelerating the technology.
Incentives definitely play a part in this; to comment on Japan for a moment, I know the Japanese Government have incentivised companies to embrace open RAN, and that might well explain why companies such as Rakuten and NTT DOCOMO have been very successful in launching the technology. That proves it can be done and shows that where there is a willingness, there is a way, but if we can drive all those different parties coming together, that is how we will get traction.
Stefano Cantarelli: I just want to say quickly that we are part of some of the initiatives Chris has mentioned, such as SONIC with DCMS and so on, and we think they are particularly useful to give visibility on the status of open RAN. My last comment is about the hardware; I heard a few comments this morning, and I want to underline that hardware is still quite a profitable business. If we look at what happened to IT servers in the IT industry, there are companies that are much more than profitable in those spaces. Commoditisation of a hardware does not mean that there is no profitable business behind it.
Telecommunications (Security) Bill (Fifth sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Kevan Jones
Main Page: Kevan Jones (Labour - North Durham)Department Debates - View all Kevan Jones's debates with the Department for Digital, Culture, Media & Sport
Telecommunications (Security) Bill (Fifth sitting)
Kevan Jones ExcerptsThursday 21st January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 21 January 2021 - (21 Jan 2021)
Mr Kevan Jones (North Durham) (Lab)
It is a pleasure to serve under your chairmanship, Mr Hollobone. I apologise for my late arrival, but I was asking a question of the Health Secretary on the vaccine roll-out. When we look back at the time before the pandemic, would we have thought that part of our critical national infrastructure would be vaccine production? As my hon. Friend the Member for Newcastle upon Tyne Central said, that is a good example of the changing nature of these things. Will the threats to telecoms change? Yes, they will. Last night we discussed the National Security and Investment Bill, which addresses some of the same issues.
I tabled the amendment to focus on and consider the supply chain. There has been much concentration, quite rightly, on Huawei—not just the history, but the threats. As the Minister knows, I was a keen supporter of the Government’s initial response to Huawei. From a technical point of view, I think allowing 35% and making sure that Huawei was not in the core network was the right response. That all changed with the US sanctions on semiconductor exports to China, which changed the security advice. Again, I agree with that.
It will be interesting to see whether, if President Biden were to change that, we would change the security advice back. Frankly, I doubt that because of the direction of travel. I do not think there will be great change in the new Administration’s approach to China. It might be more nuanced and less belligerent, but I do not think it will fundamentally change. I know from sitting on the NATO Parliamentary Assembly and meeting fellow members from both sides of the House in the US Congress that there is a pretty unified bipartisan position on China.
The debate around Huawei has concentrated on the hardware. My amendment, which is a probing amendment, tries to see what coverage we will have in the telecoms network supply chain. There has been much talk about compromising the main components, but each of these networks are very complicated. We need only look at any electronic equipment used today, whether that is a telephone or a microwave oven, to see that they are very complex pieces of kit. The components are not all sourced here in this country—it would be impossible to do that—but are supplied from around the world. However, in terms of electronics, the major suppliers of a lot of these components are the Chinese, or Chinese companies that manufacture in different parts of south-east Asia, for example.
This is not just about how we get diversification in this sector, although trying to get some home-grown innovation is going to be important. To be honest, I think the opportunity is going to be in software and open RAN, because that is where we can get an advantage if we get our ducks in a row, not only through investment but through Government initiatives and other things. It is about trying to minimise the risk that will be there now that we are going to have two vendors. Now that Huawei is no longer in the network, we are going to have Ericsson and Nokia, both of which are going to be there for the foreseeable future. What will the regulator do to look at the supply chain around their components, for example? From the evidence we took from Dr Drew, it is quite clear that China is using not just these networks and the components that go into telecoms, but other things, including the belt and road initiative, for geopolitical purposes.
Chi Onwurah
I thank my right hon. Friend for giving way, and for the excellent points he is making. He mentioned the evidence we took in our session with Dr Drew. Is it not true that in those evidence sessions, we heard about the complexity of our networks and the extent to which network operators were not always aware of where their components were or, in this case, the level of components? Is it not the case that my right hon. Friend’s amendment will not only increase the visibility of the different components in the supply chain, but should help the Department and Ofcom understand where these components are, where they are going and the way they are changing through soft upgrades?
Mr Jones
I agree. The issue with both Ericsson and Nokia is that they will have Chinese components in their hardware. This is an incredibly complex situation, as my hon. Friend said: we are talking about not just one piece of kit that most of us have in our pockets, but hundreds of thousands of components, pieces of software and other things. What I am trying to put on the record, and what I want the Minister to respond to, is the question of how we get an understanding of any risks that are involved in that, and how the regulator and the Government are going to look at ways in which national security could be compromised, not by the main company being owned by a Chinese state entity, a Russian state entity or any actor that we feel is a threat to us, but by a key component.
I have not yet really understood how the regulator will look at that issue further down the supply chain, and whether it will ask a supplier of kit to the telecoms network, “What is the level of threshold or security that you need?” That is hard enough with hardware, but with open RAN and software—we are talking about bits of code—it is going to be incredibly difficult. One of the issues is around vulnerabilities, and various things have been said about the vulnerability that Huawei poses to our telecoms network. However, I suggest people read the Huawei assessment centre’s annual reports—I am rather sad, because I read such documents. One thing sticks out every single year, and it is not that the Chinese are doing anything nefarious. The reports are highly critical of Huawei for its shoddy workmanship and engineering, but that type of shoddy engineering and a lack of attention to security will lead to security concerns in our telecoms network.
Amendment 7 is designed to tease out from the Government their thinking about the supply chain. We do not want to be over-burdensome on it, because we want to get innovation in the supply chain. We do not want to suddenly give researchers and other people in the supply chain huge regulatory hurdles to jump over, because that would stifle the development that we are looking for. It is about how individual components and the overview of the supply chain will be regulated. I have tabled a later amendment about Ofcom, but again it comes back to the point I made yesterday about the National Security and Infrastructure Bill. What has to be at the heart of it all, every single time, is not to stifle innovation and prosperity, but what has to come first every time is national security.
As I say, amendment 7 is a probing amendment, and I want to understand where the Government are at in terms of the supply chain, the security they feel they need over the supply chain and, more importantly, the visibility of the supply chain.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
It is a pleasure to serve under your chairmanship, Mr Hollobone. I echo the thanks of the hon. Member for Newcastle upon Tyne Central to you and the House staff for facilitating this Public Bill Committee. I also echo her praise for the temperature of the room and especially her commitment to crack on and not fill it with further hot air. That is to be welcomed.
Like the hon. Lady, I will briefly talk about the broader context of the Bill before I directly address this group of amendments. As we all know, security should be the first priority for any Government, and the Bill demonstrates this Government’s commitment to securing the UK’s telecoms networks.
Clauses 1 to 14 raise the bar for security across the whole telecoms sector, and the subsequent clauses—15 to 23— provide the mechanism for the Secretary of State to manage the role of high-risk vendors. The part that telecoms plays in our security is undeniable and has become even more evident in the midst of this global pandemic. At present, the internet provides absolutely everything for workplaces, schools, families and friends, and the Government are committed to improving that through our gigabit programme. New technologies have the potential to be transformative, but they have the opportunity to reach their full potential only if they are secure, and the Bill will ensure that.
Before I explain the Government’s response to amendments 7 and 8, it is necessary to explain briefly how they would interact with clause 1. New section 105A in clause 1 places a duty on providers to take “appropriate and proportionate” measures. Those measures oblige providers to identify and reduce the risks of security compromises and require them to prepare appropriately for those risks. New section 105A also addresses the interaction between the duty and the national security and law enforcement activity, such that these activities are appropriately excluded from the definition of a security compromise. I will return to new section 105A later—I know that will excite the Committee.
Alongside the overarching security duty in new section 105A, new section 105B gives the Secretary of State the powers to make regulations that impose duties to take specific security measures. Clause 1 creates a duty for providers to take “appropriate and proportionate” measures to protect their networks and services from security compromises. “Security compromise” is then defined in new section 105A.
Mr Jones
I would, and this is really a probing amendment to get an understanding of what the Government think, but may I ask the Minister a direct question about the national security bodies—GCHQ and others? If they came across a component or something that a supplier was producing that raised concerns, how would their concerns be translated into saying that a red warning should be put on a certain component in a supply chain?
Matt Warman
I simply say that, as the right hon. Gentleman knows, the NCSC and others already work very closely with the networks. What he seems to be talking about, in some ways, is a very day-to-day way of talking about security concerns. That happens a lot already, and what the codes of practice and other documents will do is set up the framework by which that is formalised. As he knows, that process of very quick action being taken as soon as something is spotted, both by the networks themselves and by our agencies, is already well established, and the Bill gives considerably greater force to it.
As the right hon. Gentleman knows, the Bill is aimed at ensuring that providers take responsibility for the security of their networks and services in a way that has not happened, in legislative terms, in the past, and it then provides the Government with the powers that we need to enforce that. In so far as any supply chain components give rise to risks to the security of a network or service, new section 105A already requires providers to take appropriate action and proportionate measures to identify those risks. I appreciate that this is a probing amendment, but in a sense what the right hon. Gentleman is seeking to do through it is already there, and it will be enforced in the documents, such as the code of practice, that I have mentioned.
Furthermore, the addition of the presence of a supply chain component as a security compromise would not be consistent with the security framework’s definition of a security compromise, but I do not think that we need to get into too much detail about that in the context of a probing amendment. The concept of a security compromise is used in other provisions in the Bill, and it is important that we are consistent.
More fundamentally, the right hon. Gentleman’s amendment would put the onus on providers, rather than the Government, to determine a national security risk, but, as he implied, it is absolutely down to the NCSC and, ultimately, the Government and agencies to make that definition. Placing the responsibility for determining what does and does not constitute a threat to national security on the shoulders of all individual providers is not the right thing to do, and I think, to be fair, the right hon. Gentleman is not really suggesting that it is, either.
Mr Jones
Clearly NCSC does a tremendous job in terms of education of members of the public and companies —as the Minister outlined, that is a key part of its role. Does he see, therefore, a role for Ofcom as part of that, in terms of ensuring that the supply chain and operators are aware of their responsibility not only under the Bill, but to ask the right questions about supply chains from what might be deemed as high-risk vendors?
Matt Warman
In so far as codes of practice will be published by Ofcom, the answer to the right hon. Gentleman’s question is yes. The more nuanced answer is that it is a co-production between Ofcom, the Government, NCSC and others.
To conclude, the Government are immensely sympathetic to the issues that the right hon. Gentleman and the hon. Lady seek to probe, but we take the view that this amendment would do something that is, ultimately, already covered in the Bill. I hope that, in that spirit, she will withdraw the amendment.
Chi Onwurah
I thank the Minister for his response. I am concerned that there is not greater clarity on the role of the supply chain components and the supply chain more generally. We will come to that in further amendments. Given where we are and how we got here, we must take a forward-looking approach to future risks and vectors for risks. This amendment is important in probing that, but I do not seek to put it to a vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Mr Jones
I beg to move amendment 9, in clause 1, page 3, line 26, at end insert—
“(2A) The Secretary of State must provide the Intelligence and Security Committee of Parliament with a report on the specified measures.”
This amendment would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to specified security measures which the Secretary of State requires the provider of a public electronic communications network or a public electronic communications service to take.
We are now going to have a debate reiterating a speech I gave yesterday on the National Security and Investment Bill, because it covers the same issues. I will go into the details in a minute, but the amendment attempts to ensure parliamentary oversight of the way in which this Bill will operate. Such scrutiny traditionally comes from the Select Committee that mirrors the Department —the Select Committee on Digital, Culture, Media and Sport—but the decisions taken by the Government and the Secretary of State will be based on evidence that cannot be put into the public domain, because much of it is highly classified. In Parliament, only the Intelligence and Security Committee has the required STRAP clearance to see that evidence. It is important to ensure that the Executive is held to account for taking such decisions and for the public and Parliament to know that decisions have had parliamentary oversight from the ISC.
I do not want to give the impression that the ISC is looking for work, because I have been a member for a number of years and we are busy with a lot of inquiries—I have three to four hours’ reading every week looking through reports from the agencies. However, it is important that the ISC can at least look at the intelligence that lies behind decisions. The amendment does not propose that the ISC should have a veto or be a regulator, because that would not be correct. Decisions about high-risk vendors are for Ofcom and the Secretary of State.
We had the same debate yesterday on the National Security and Investment Bill, because the same issues come up there: decisions will be taken on national infrastructure, and the justification for them will be based on highly classified secret intelligence to which the Business, Energy and Industrial Strategy Committee will not have access. People might say, “Isn’t this the ISC getting involved in the day-to-day work of the BEIS Committee?” No, it is not. The ISC already has such a responsibility for Defence Intelligence and the National Cyber Force—military cyber-security—and we stick just to that; we do not go into wider Defence policy issues. Likewise, we scrutinise MI6, whose home Department is the Foreign, Commonwealth and Development Office. Again, we do not get into general foreign policy issues, which are rightly for the Foreign Affairs Committee. I do not think there is an easy way for the Government to provide for parliamentary scrutiny at the moment, but I want to go through and explain one.
I have some sympathy with the Minister, just like I had some sympathy with the Secretary of State for Business, Energy and Industrial Strategy yesterday on the National Security and Investment Bill. I know exactly where the problem is, and it is not in the Minister’s Department or in BEIS: it is in the Cabinet Office, which seems to have an issue with the ISC and jealously guards anything that we ask for, ensuring we get only some information even though we are legally entitled to it under the Justice and Security Act 2013. There is usually a tug of war, and on every occasion I have seen it the ISC has won—it is legally allowed the information—but that does not stop the civil servants. I must say that this is not Ministers’ fault; it is the culture in the civil service.
James Sunderland (Bracknell) (Con)
Given that most MPs do not fully understand what the ISC does, does the right hon. Gentleman not agree that the Government are probably best placed to make the decision on this particular matter?
Mr Jones
No, I do not. I know the hon. Gentleman is a new Member, and I actually quite like him, but what is he arguing for? A dictatorship? That the Executive should decide everything? Knowing you, Mr Hollobone, you would take a very dim view of that. You have form on holding the Executive to account—all Governments.
The ISC is there to look at information and provide parliamentary scrutiny. As for the nature of the information we receive, we have all the clearances from top secret going up to STRAP, including STRAP 3, which is intelligence that has a limited circulation and people have to be added to the list. We have access to that as well, which allows us to consider that information.
Our annual reports, which we supply to Parliament, can be debated by Parliament. We can produce reports. For example, most recently, there was the Russia report, which highlighted what the Government had not done rather than what it should have been doing. The contention from the Cabinet Office is that if information goes to the ISC, it is in the public domain. That is a little bit insulting. We do public reports, which have information that can be put into the public domain, but there are always secret annexes that go to the Prime Minister and are not made public, which allow us to question decisions and highlight issues that we think the Prime Minister should take notice of. It is a valuable mechanism for scrutiny.
The argument that will come from the Cabinet Office is that DCMS is not covered. It is. The memorandum of understanding says:
“The ISC is the only committee of Parliament that has regular access to protectively marked information that is sensitive for national security reasons: this means that only the ISC is in a position to scrutinise effectively the work of the Agencies and of those parts of”
the Government
“whose work is directly concerned with intelligence and security matters.”
I accept that DCMS’s day-to-day work is not covered in the description of national security, whether or not this is an issue of concern to individuals. I think it is. There could be an argument as to why the Department for Digital, Culture, Media and Sport got this legislation and whether it should perhaps be put in another Department. I do not agree with that, because I think the general issue of telecoms fits well into the Department’s wider briefs.
Increasingly, a number of Departments are getting involved in, or taking responsibility for, areas that involve national security. BEIS and the National Security and Investment Bill is a good example.
Chi Onwurah
My right hon. Friend is far too modest to set out his vast experience with and long-standing membership of the Intelligence and Security Committee. Does he agree that the geopolitical and technological shifts in the last decade in particular—perhaps the last two decades—have meant that the threats to our security come from a broader range and, more specifically in a more technologically-based range, and we have seen our defence requirements move to cyber-security? Therefore, as he said, the increased need of Departments to consider security issues means that the Intelligence and Security Committee’s ability to review items that require security clearance is important. Does he understand why the Government will not allow the Committee to do that?
Mr Jones
My hon. Friend knows that modesty is one of my trademarks, but no, I do not—I do not understand it, nor do I understand where the Government are coming from. I do not think that the problem is with the Minister or his Secretary of State; I think it is the culture of the Cabinet Office, trying somehow to test the Justice and Security Act to destruction. Its argument, basically, is that DCMS is not on the list of organisations, but the Act and the memorandum of understanding are clear: we have jurisdiction over matters that relate to national security, which this clearly does.
Christian Matheson
I am grateful to my right hon. Friend for providing inspiration for a speech that I will make later, when I will make similar points on similar provisions. Listening to him and to the hon. and gallant Member for Bracknell—whom I also like, incidentally—talk about the alternatives, it strikes me that there are only three: to provide classified information to be laid before the whole House or the DCMS Committee; to do the right thing and to provide that classified information to the Intelligence and Security Committee, which was surely established for exactly that purpose; or to have no scrutiny at all. It is one of those three alternatives. Surely the Government are not pushing for no scrutiny at all.
Mr Jones
I must say that this is the first time I have heard that one of my contributions to a Bill Committee is inspirational. I shall mark that as something to be remembered. However, my hon. Friend summarises the position very clearly: the DCMS Committee cannot deal with this, because the nature of the information garnered could not be shown to them, given its classification. We would not want to do that because this is highly sensitive information—meaning no disrespect to the members of that Select Committee. Some of it is not our intelligence; some of it will come from our Five Eyes partners, so it is about guarding not just our secrets, but theirs. Any leaking or compromise of that type of intelligence affects not only our ability with this type of work, but our relations with our Five Eyes partners. The next option, the ISC, is the obvious one. The third option means that the Government must put through a Bill that does not allow Parliament to scrutinise these matters at all. I do not think that that is what the Minister, or his counterparts in BEIS, believe. I think we will have a to and fro on this, and will get there eventually, but it will be hard work.
As my hon. Friend the Member for City of Chester says, scrutiny is important in helping to ensure that there is not only public but parliamentary confidence that the decisions are at least being looked at. Some of the decisions will be very controversial and the Government need covering. Will that be onerous for the Department? No, because all it will entail is that the report should include the decisions taken and the reasons why. We can ask, and be supplied with that, and that, I think, is important.
Yesterday, speaking on the National Security and Investment Bill, the Under-Secretary of State for Business, Energy and Industrial Strategy, the hon. Member for Stratford-on-Avon (Nadhim Zahawi) said that the ISC can ask for the information and demand that the Secretary of State comes before it. There are two important points about that. First, yes, we could do that. However, and as I said yesterday I do not for one minute suggest that the Secretary of State or the Department would want to refuse, but there is no legal justification behind it. If a future Secretary of State said “No, I am not appearing or giving you the information,” there would be nothing at all that the ISC could do.
I remind the Committee as I reminded the two Ministers in yesterday’s debate that we are all, as the great Robin Day once said, “here today, gone tomorrow” politicians, so any legislation we pass here must be future-proofed. Not only must we be satisfied with it; it must go on. The other important aspect of what the Under-Secretary said was the recognition of the ISC’s role in asking for information in relation to the National Security and Investment Bill. However, if it is possible to ask for information a mechanism is needed to guarantee it. I think that is also the case for the Bill that we are considering.
It will be interesting to see how the Minister responds, and whether he really believes what he will tell me, but there is a mechanism available and it would be easy and not burdensome. I stress that not for one minute is it suggested that the ISC would veto decisions or have any involvement in them. As with much of our work, apart from certain issues, it would be retrospective, looking back at decisions that had been taken. If mistakes, issues and concerns are raised, we can raise those directly with the Prime Minister and Departments. That is another check and balance in the system, of which I think you, Mr Hollobone, would approve, in view of your vociferous wish, whatever the Government, to hold the Executive to account. The mechanism is pretty straightforward. Either we put it on the face of the Bill or we get it into the memorandum of understanding.
There is an increasing problem with the involvement of more and more Government agencies that are not traditionally involved in national security, such as the new Joint Biosecurity Centre, which falls within Department of Health and Social Care. All the information that they will get is classified, so how, again, will Parliament scrutinise it? That will be important.
Christian Matheson
Perhaps my right hon. Friend will reflect on a third issue. The Committee cannot ask for information if it does not know that it exists. If there is no obligation to report orders to the Committee there is no way for it to know that they have been made, and that it needs to scrutinise them.
Mr Jones
There is, but to give a bit of background, we are quite tenacious on the Committee and if we do not get what we ask for we usually keep on and get it eventually. Some of the agencies are better than others, but overall the working relationship with GCHQ has always been a very good one. The amendment would help the Bill, but I think we will to and fro on this.
Matt Warman
I start by acknowledging the incredibly important work that the ISC does. Its role in overseeing the work of the UK intelligence community is vital to maintaining public trust, as the right hon. Member for North Durham described, and its members make important contributions to public debates on national security matters of all kinds. The right hon. Gentleman has done that for a number of years. Because he is a member of the ISC, he will know that I have proactively engaged with it on the substance of the Bill. I did so enthusiastically—if any Minister can ever regard a Select Committee appearance enthusiastically—and in recognition of the interest that I knew that Committee would have in the Bill. I will be writing again to the ISC on a number of matters raised in the Bill, and I have instructed officials from my Department to continue to engage with the ISC as the Bill proceeds through Parliament, building on the work that it has already done and on the transparency that we have already demonstrated by publishing the draft of the security framework regulations on 13 January, copies of which have been provided to the members of the ISC and a number of other interested Committees. I hope that all that demonstrates the Department’s commitment to working constructively with the ISC, despite the fact that, as the right hon. Gentleman said, DDCMS does not normally fall within the ISC’s formal remit.
It is none the less important to acknowledge that the ISC is not the only legitimate avenue to scrutinise this framework. We fully intend to make use of all the appropriate parliamentary procedures.
The regulations and the explanatory memorandum accompanying them will all be there for the ISC to scrutinise. There is also further guidance to providers in connection with the measures specified in the regulations that can be provided in the code of practice, which must be published, with a copy laid before Parliament. Also, beyond the usual arrangements for secondary legislation, new section 105Z of the Communications Act 2003 provides for Ofcom to produce security reports. Clause 11 of the Bill enables those reports to be published by the Secretary of State, and clause 13 provides for a review of the effectiveness of the framework, including any regulations, after five years.
It is in that context that I point to the enthusiasm with which we have engaged with the ISC. We will continue to do so and ultimately—this is perhaps the reason why the right hon. Gentleman described this process as an ongoing campaign, rather than something that we should address piecemeal—the ISC is clearly defined in the Justice and Security Act 2013. I do not think it would be right to address the memorandum of understanding that he referred during our consideration of the Bill. We should not go at it in piecemeal fashion. The role of the ISC as set out in that MOU is to oversee the work of the security agencies, to provide oversight of certain intelligence or security matters within Government. Ultimately, if the right hon. Gentleman wants to change the MOU, that is a broader issue for him to take up. I note that he is not the only Member of this House to have made that point, but it is not my place to take a view on the role of the ISC; that should be for the ISC itself.
I am confident that we will continue to engage with the ISC; I personally will certainly do so. I know that the DCMS Committee will continue to take an interest, and I will simply say that we will co-operate as fully as possible. I will set out more in the letter I mentioned, and I look forward to the future salvos in the right hon. Gentleman’s campaign.
Mr Jones
I make no criticism of the Minister, because he has been very proactive, as has his Secretary of State. The problem is this: we have two pieces of legislation going through Parliament. We do not have security Bills very often in this place, and now we have two in a very short period of time. Both make eminent sense and I support them, but this is not something that comes up regularly.
In terms of the Minister’s co-operation, I have no complaints about the way he has operated, but he is not going to be there forever and neither is his Secretary of State, so we need to put in place something that will weather the passage of time, and create an arrangement whereby it will be seen that Parliament is scrutinising these measures. I do not know why the Government—I am sure it is not the Minister, or even his Secretary of State—are resisting this. Frankly, I am not really bothered whether it goes on the face of the Bill or in the MOU, but the Justice and Security Act 2013 is very clear that as a Committee, the ISC has the ability to look at this.
I accept that it would be wrong to get into issues around this Bill that are quite rightly, as the Minister said, for the relevant Select Committee—the Committee on Digital, Culture, Media and Sport—to deal with. We would never do that, so I will withdraw this probing amendment, but we will come back to this issue. I am not usually a betting man, but I suspect that by the time this Bill and the other Bill go through, we will have got to where both I and the Minister—I think, privately—think we should be. I therefore ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Chi Onwurah
I beg to move amendment 21, in clause 1, page 3, line 26, at end insert—
“(2A) The Secretary of State must make regulations under subsection (1) requiring providers of public electronic communications networks and public electronic communications services to carry out an audit of the goods, services and facilities supplied, provided or made available for the purposes of the provision of their network or service to ascertain whether they present a risk to the security of that network or service.”
This amendment is a probing amendment designed to learn how the Government plans to ensure network operators have a comprehensive audit of hardware of interest because, for example, it is manufactured by a designated or high-risk vendor.
The amendment goes to the heart of two of our key themes: the scrutiny of the powers in the Bill and the effectiveness of the accompanying diversification strategy. It is a probing amendment, designed to enable us to understand—or to have the Minister clarify—plans to ensure that network operators carry out a comprehensive audit of hardware that is relevant to the Bill because, for example, it is manufactured by a designated or high-risk vendor.
We tabled the amendment for a number of reasons. The first is the Government’s decision, which we welcome, to strip Huawei out of our telecommunications networks. There are questions about where that equipment is located, the level of software provision, and in particular the exact nature of the revision of the equipment within the network. In addition, the Government have not provided a plan for locating and removing Huawei from our networks; instead, they have opted to leave it entirely to private sector providers.
That might seem appropriate, but as someone with 20 years’ experience in the telecoms sector, I have to say that it is generally not the case—I am not insulting any individual provider—that providers know exactly where every bit of equipment is located and what level of software or build is associated with the equipment.
Chi Onwurah
As always, my hon. Friend makes an excellent point. Indeed, the audit, which I agree is burdensome if the information is not already in the management systems, which it should be, would, I hope, be less burdensome than the potential fines for not meeting the basic requirements of knowing what is in the network and where it is. Also, that challenge has been made more complex by the subcontracting of different parts of the telecoms networks.
For example, network providers such as Vodafone or Three have primary vendors—currently Ericsson or Nokia—but there might be subcontractors who provide particular elements of the network and particular management elements. We hope that that will be increasingly the case as we seek to open up the supply chains and make them more diverse. A basic and critical requirement for the Bill to be effective is to have a more diversified supply chain. More suppliers go hand in hand with a diversified supply chain, and therefore different types of equipment, of which we will need to keep track.
Mr Jones
The hon. Member for Bracknell has argued that regulations are somehow burdensome on business and unnecessary. It is only when things go wrong that we look back and think, “Wait a minute. That regulation or audit, which was suggested in an amendment, was vitally important.” We must get the context right. These amendments are being tabled not for their own sake but to ensure that security is improved.
Chi Onwurah
My right hon. Friend makes an excellent point. As someone who worked for a regulator for six years, I might be expected to agree with my right hon. Friend on the point of regulation; in this context, regulation should not be seen as a burden. As my hon. Friend the Member for City of Chester set out, it should be seen as a carrot—an incentive—to get things right. Imagine we had known and been able to see how Huawei’s presence in BT’s network, over the last 15 years or so, would rise from small beginnings to becoming the principal vendor. That might have rung more alarm bells and been an incentive to have transparency.
Regulation is also about levelling the playing field and enabling more effective competition. The better providers will do that, but some providers may not. We want a level playing field, particularly because the 2019 UK Telecoms Supply Chain Review said that there was not an incentive for security in mobile networks. It concluded specifically that there was no incentive for security in mobile networks. Given that conclusion and some of the points provided in the evidence sessions, the Bill does not address incentives to ensure security by design in our mobile networks. It has burdens and fines for not doing that, but it does not have positive incentives.
Chi Onwurah
Again, my hon. Friend makes an excellent point with regard to the way in which Huawei grew in the telecoms sector. I do not want to detain the Committee on that history, but Huawei grew by under-cutting existing vendors, building up scale and making its profits by locking in network providers, despite issues with the quality of the equipment, which, as we have discussed, our security services identified.
Having visibility of network equipment, as well as the level of concentration of any one provider, will enable us, in part, not to get into such a situation of dependency in future. Again, I would emphasise that this is about incentivising what should happen but is unfortunately not always the case. That is not simply my view or that of the Labour party; it is the view of witnesses who participated in our evidence sessions. For example, Andrea Donà said:
“It is vital that the secondary legislation that accompanies the Bill clarifies assets in the telecoms network architecture that will be in scope of the security requirement, so that we can work knowing what we have audited, and knowing that the auditors always shared with NCSC. We need a clear understanding between Ofcom and us as providers before the legislation is enforced, so that we understand exactly the boundaries and the scope, and we all work together, having done the audits, to close any vulnerabilities that we might have.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 13-14, Q10.]
Dr Bennett said:
“I would hope that those at the top level are clear about it, but I would be surprised if there were not occasions when they had used subcontractors to do maintenance and the imperative had been to sort out the fault ASAP. Knowing precisely what components had gone in could be wrong, and that might come up in an audit. I think it becomes more important as you flow down the levels.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 49, Q62.]
Dr Bennett later said:
“I have said that audit is needed of the assets in the network. The costs of being audited and of dealing with audits are very high, and they are costs that small companies may not have the resources to meet.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 52, Q67.]
Ofcom said that it was more or less impossible to meet the requirements set out in the codes of practice for the operators, unless it had a detailed asset register of everything in its system. We will expect to see evidence of that, and we expect that it will be regularly checked, audited and so on. We recognise the potential costs of an audit, particularly for smaller providers, although most of them have newer networks and equipment and should have a lot of this information already available. Ofcom is anticipating that this is something it would need to have access to, yet there is no requirement in the Bill or, as far as I can see, in the delegated legislation that has been published to make that requirement.
I have mentioned that this is a probing amendment. I am not sure that it is necessary to have it on the face of the Bill, and it might be that it will be provided for in delegated legislation, but we need a clear and strong strategy for the detection and removal of high-risk components, vendor hardware and software. Otherwise, the Bill will not protect our national security effectively. I hope the Minister will give clarification on that.
The Chair
Order. Mr Jones wants to speak, but he will have to wait until this afternoon.
Ordered, That the debate be now adjourned.— (Maria Caulfield.)
Telecommunications (Security) Bill (Sixth sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Kevan Jones
Main Page: Kevan Jones (Labour - North Durham)Department Debates - View all Kevan Jones's debates with the Department for Digital, Culture, Media & Sport
Telecommunications (Security) Bill (Sixth sitting)
Kevan Jones ExcerptsThursday 21st January 2021
(3 years, 3 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 21 January 2021 - (21 Jan 2021)
The Chair
Before we resume, I have been asked by Mr Speaker to remind people that, when they are not speaking, they should wear a mask. I know this is extremely inconvenient for lots of people, not least me—my glasses steam up. I do not want to be taking names or issuing yellow cards, but may I ask you to try to be mindful of Mr Speaker’s concerns and do the best you can? Hopefully we will all be okay.
Clause 1
Duty to take security measures
Amendment proposed (this day): 21, in clause 1, page 3, line 26, at end insert—
‘(2A) The Secretary of State must make regulations under subsection (1) requiring providers of public electronic communications networks and public electronic communications services to carry out an audit of the goods, services and facilities supplied, provided or made available for the purposes of the provision of their network or service to ascertain whether they present a risk to the security of that network or service.’.—(Chi Onwurah.)
This amendment is a probing amendment designed to learn how the Government plans to ensure network operators have a comprehensive audit of hardware of interest because, for example, it is manufactured by a designated or high-risk vendor.
Question again proposed, That the amendment be made.
Mr Kevan Jones (North Durham) (Lab)
I am demasked. Welcome to the Chair, Mr McCabe. It is a pleasure to serve under your chairmanship. The amendment’s intention is similar to that of new clause 7, which we spoke about earlier. My hon. Friend the Member for Newcastle upon Tyne Central is trying to probe, like I was, how we get operators to ensure that there is a full audit of their telecoms networks. This is not an easy situation. I accept what the Minister said about trying to strike a balance between prosperity—not wanting to put undue burdens on operators—and ensuring security. As my hon. Friend said, with her huge expertise in the field, these networks are not static entities; they develop over time. The example that she cited was that some of the kit in networks is many years old, which may now create security issues that were not evident when the equipment was introduced.
We are not talking about too onerous a burden on the network operators, because they are large companies. I accept that they will be resistant to anything that adds cost because, at our insistence of wanting cheaper phone calls and mobile technology, prices are competitive between the various operators. My hon. Friend therefore makes a good point that there must be a clear level playing field between the operators.
The Bill will ensure that existing Huawei kit is taken out by 2027, even though the networks did nothing wrong by putting in that kit in the first place. Without wanting to carry on my campaign against the Cabinet Office, the Intelligence and Security Committee’s 2013 report “Foreign involvement in the Critical National Infrastructure” shows that the Cabinet Office was made aware of BT’s contract with the Chinese company Huawei in 2003. That the Cabinet Office felt it was not important enough to tell Ministers so until 2006 reinforces my point about its role. That brings me to Ofcom and its capacity, which I will come to later. If we want the most robust system, we will need a system by which we know what is in the network.
There are two issues. I think it is possibly easier for future deployments, because we know what we are putting in. In the debate around Huawei and the security risks, I think it has been very clear. Let us be honest: an operator would be very silly to put in a piece of equipment that was deemed to be high risk for any future roll-out. However, as my hon. Friend says, it is what is already in the network. We accept that some of that will be taken out as a result of the Huawei issue, but a huge amount of equipment will still be in there.
That is before we look at software. What saddens me about the entire debate around Huawei and the telecoms sector is that it has been very hardware-centric. We know that the risks to our network from software are greater in some respects; we have seen examples of where network compromise is easier, too. Again, how do we get a robust framework in terms of the audit around software—not just what has already been used, but what will be used in the future?
Chi Onwurah (Newcastle upon Tyne Central) (Lab)
My right hon. Friend is making some excellent comments. He has raised another issue, which I perhaps did not highlight in my speech, which is that there might be existing equipment that is not necessarily seen as having a security implication but that, as the network evolves, will pose a security threat in the future. I gave an example in the evidence sessions. Say Amazon Web Services was to be bought by a Chinese company. As our networks move the functionality into the software, that will be running in the cloud over the Amazon Web Services infrastructure, which would have a huge potential security impact. An effective audit of where that equipment is now would be critical to knowing the level of that threat.
Mr Jones
I do not disagree with my hon. Friend. That is why we need to get into the idea of the audit. As I said earlier, we basically need a level playing field for operators; we do not want one to have an advantage over another. We also need a clear picture of what we are asking in terms of the audit. On the point she makes regarding web services and the cloud, there is an issue there that I think is worth referring to. It links today’s Bill with the National Security and Investment Bill, which we were discussing yesterday. There was a lot of discussion around what we define as critical—a point she has already raised.
For yesterday’s Bill, the question was what is critical to national infrastructure—for example, a company that is developing software that is then acquired by a state that we deem is a security risk to us. If that equipment or software is being used in our telecommunications network, does that mean that the network is compromised, and how do we guard against that? There are provisions in the National Security and Investment Bill that enable the Government to stop the acquisition of companies that we consider vital to our national security, but unless we know that in advance, how will we make that decision?
If we have a situation where a small company is providing software for part of our critical national infrastructure for telecoms, how will that be joined up? How will we be able to use the provisions in the National Security and Investment Bill, so that the Business Secretary can block the sale? Likewise, how do we get that connection? We can do that only by the Minister and Ofcom having a very clear indication from day one—I do not think it will be possible from day one, but from some time into it—what is in our network, not just now, but into the future. That will be important.
That brings us to the role of Ofcom. We have seen a development of regulators in this country. I am not a great fan of regulators, because I think it is a way for Ministers to palm off their responsibilities to third parties and then stand back and saying, “If it all goes wrong, it is nothing to do with me, guv—it is these independent organisations.” A long time ago—perhaps it is a bit old-fashioned—the General Post Office used to be responsible for this type of thing, and I am currently reading the excellent new history of GCHQ that has come out, which I recommend to everyone. It is fascinating to read about some of the challenges—things that apply to this Bill—such as, in the first world war, what was conceived as national security and who was responsible for it. Was it the GPO, the military or someone else?
How will Ofcom be able to look at a network and say, “Yes, we are satisfied that there is nothing in there that is a matter of national security”? They do not know. I do not think for one minute that we are going to have a situation whereby this Government or any future Government will suddenly throw so much money at Ofcom that a huge army of inspectors will be climbing up poles and going into operators’ offices to check source codes and so on. That is not going to happen.
From a practical point of view, the operators will have to be responsible for providing that information to Ofcom. Whether it is in the Bill or in the guidance, it must be clear what is expected of operators. It is no good looking back in hindsight and saying, “We should have done that,” when something happens. The operators will just say, “You did not tell us we had to do that,” or, “We didn’t know about that.” It has to be very clear, to prevent a competitive advantage between different companies, that there is one standard. They also have to know what we are asking for. Then, taking the telecoms hat off and putting the national security hat on, from the Government’s point of view, that needs to be very clear as well, because we need to be reassured that the components and software in those networks, now and in the future, are not a national security risk.
That brings us to an issue that I have already raised. I am not someone who thinks that every time we go to bed at night, we should look under the bed to see whether the Chinese are there, unlike some members of the China Research Group, but there is an issue about the way in which China will look at supply chains as a way of getting access, for two reasons. The first is national security. The second is commercial reasons—dominating the market, which is what China has done with Huawei. How will we identify that, without having some type of audit process? I do not think that everything to do with China is bad, but a huge number of the components in all our mobile phones in our pockets today will have come from China, including Ericsson and Nokia hardware.
James Sunderland (Bracknell) (Con)
I am enjoying the right hon. Gentleman’s logic. He talks a lot of sense, which is great. I am really intrigued by his insistence that the Government place these obligations on the National Cyber Security Centre and Ofcom. In my humble view, and knowing how those organisations work, it is likely to be the case that the Joint Forces Intelligence Group, GCHQ or the National Cyber Security Centre inform Government where there have been transgressions of security and breaches. I am intrigued by the counter-logic with where I think we need to be.
Mr Jones
This is a remarkable day. This morning I was told that my contribution to the debate was inspiring, and now I am being told that I am talking sense—I thank the hon. Gentleman for making my day.
The hon. Gentleman is right, but he is also wrong. He is right in the sense that there are threats that will come through GCHQ and others—they will say to operators, “You’ve got to be careful of these things.” Where he is wrong, though, is with the idea that somehow GCHQ can take a guess at what is in the network. It does not have that capability. Going forward—the emphasis in this country, in the Bill, in terms of looking at telecoms security—yes, the bar has been raised substantially.
There will be occasions when GCHQ—it does it already —contacts operators and others to say, “Beware of this software or this thing.” I accept that as a proactive approach, but handling backwards will also be important. How do we have a gold-plated system, whereby we have GCHQ doing what the hon. Member for Bracknell suggested they are already doing, but one that also matches up with operators taking responsibility to say, “We have spotted something and are doing something about it”? It is pulling the two things together.
Chi Onwurah
Part of the challenge is that the operators do not know themselves and, as we have discussed, there are no incentives for them to find out. To give an example, Virgin Media took over from NTL, which I think took over from the 13 different cable providers in the franchises of the ’80s, and the BT mobile network was bought partially from EE—so there are takeovers and acquisitions, and partners may not know, and do not necessarily have an incentive to find out unless we put in a requirement.
Mr Jones
My hon. Friend makes the point precisely: the way in which telecoms have developed in this country has been piecemeal, only developing now into the four main operators. I hope we will try to get others into the market.
We are to blame for that, as consumers, because we have demanded ever lower prices for our mobile services. Does that suggest that the operators have taken shortcuts? No, I am not suggesting that, but consumer preferences have driven down price, and therefore the costs of what those operators provide in delivering the services that we all take for granted. Let us be honest: the Chinese saw the opening door for Huawei—that is why they bought into and flooded the market, putting Government loans behind it. Can we blame the operators for saying, “Well, actually, this is a good deal—we can get good deals”? But they cannot.
I am interested to know from the Minister how, looking forward, we are going to do that. I accept that something will be done under the regulations that the Government will put out, but how will we look backwards as well? As my hon. Friend the Member for Newcastle upon Tyne Central said, there is a lot of legacy equipment there, and it is important for Ofcom to have a clear understanding of what is in the networks.
The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
It is a pleasure to serve under your chairmanship, Mr McCabe.
We are redefining UK telecoms security, but I worry that we are also redefining the aspiration of the hon. Member for Newcastle upon Tyne Central to crack on, so I will try to be brief. The good news that I can deliver, briefly, is how the aspirations of both the hon. Lady and the right hon. Member for North Durham are met in the legislation, and how we envisage those aspirations’ being implemented.As the Committee is aware, the Government have published an early draft of the security regulations. Certain draft requirements are relevant to the aims that we have talked about today. If hon. Members look at regulation 3(3)(a), with which they will be familiar if they are insomniacs, they will see a duty for network providers
“to identify, record and reduce the risks of security compromises to which the entire network and each particular function… of the network may be exposed”.
That is already there and key to the issues that hon. Members have been talking about.
The Chair
This must be down to that productivity seminar they sent me on. Still, nothing lasts forever.
Clause 3
Codes of practice about security measures etc
Mr Kevan Jones
I beg to move amendment 6, in clause 3, page 5, line 4, at end insert—
“(ia) the National Cyber Security Centre;”
This amendment would require the Secretary of State to consult the National Cyber Security Centre on any draft code of practice about security measures under new section 105E.
The Chair
With this it will be convenient to discuss the following:
Amendment 10, in clause 3, page 5, line 8, at end insert—
“(iiia) the National Cyber Security Centre;”
This amendment requires the Secretary of State to consult the National Cyber Security Centre before issuing a code of practice about security measures.
Amendment 5, in clause 4, page 7, line 41, after “OFCOM”, insert—
“and the National Cyber Security Centre”.
This amendment would require providers to inform the National Cyber Security Centre, as well as OFCOM, of any security compromise.
Mr Jones
We are romping through the Bill, aren’t we? Two clauses in less than 15 minutes.
Again, these amendments are probing. I might sound like a broken record, but my aim with them is to ensure that national security and those who deal with national security decision making are at the centre of the decisions that are taken. Amendment 6 would require the Secretary of State to
“consult the National Cyber Security Centre on any draft code of practice about security measures under new section 105E.”
The Minister will say, “Well, it is self-evident that they will do that,” but going back to my Robin Day analogy from this morning, legislation needs to survive him, me and everyone else. The guidance will change over time, and we have to ensure that whoever is sitting in the Minister’s seat in 10 years’ time—hopefully, it will not be the current Minister, not for any unfair reason, but because he has gone on to higher and better things—the onus is on the Secretary of State to consult. Having that on the face of the Bill, or at least some discussion about it, would reinforce that, because the Secretary of State will move on, and there will be new civil servants, who might not have as clear an indication as the Minister will give today, or perhaps a Minister who thinks that this is the key part.
It might be a bit anorak-ish, but the problem with the national security world, which I inhabit occasionally, is that people can see everything through the national security prism—although I am not sure that that is the case for everyone. It will be important to ensure that the individuals at the National Cyber Security Centre have a real input, and not just to say that they will be consulted. The NCSC, which was introduced at the tail end of the coalition Government, is the only positive thing I can think of that that Government did. We now have a world-beating centre that protects our national security and also does a very strange thing: it looks to the secret world, but also looks outwards, engaging with the industry and individual citizens, too.
That is now being replicated around the world. I chair the science and technology committee of the NATO Parliamentary Assembly. On our visit to the UK the year before last, we visited the centre, and most of my parliamentary colleagues from across the world, including the US, were quite impressed with how it balanced complete secrecy about things that need to be kept secret and having that outward-looking approach. I am really just trying to see how we can ensure that going forward.
Amendment 5 seeks to ensure that the NCSC, as well as Ofcom, is informed of compromises and breaches. I am sure the Minister will tell me that Ofcom and the NCSC have such a symbiotic relationship that that information will automatically be transferred, but again we are assuming a lot about what will be done. It is important that this Committee at least discusses how we ensure that that continues. I will come to Ofcom personnel, but various comments have been made. I asked the head of Ofcom about Ofcom’s expertise in dealing with these issues, and this comes back to the point I made to that witness. This is about mindset. Whether we like it or not, people in the security world think differently from the rest of us in how they approach things. Ofcom will have a learning curve, not only in recruiting the individuals with the capability to do this work, but in ensuring the culture to react to these issues. My two amendments seek to ensure not only that national security is at the heart of the Bill, but that practitioners have a clear focus on national security risk.
Matt Warman
I understand the hon. Lady’s point, and I will come to something that I think will address it in a moment. Before I do, I will speak to amendments 6 and 10, as they would be functionally identical amendments to new section 105F in clause 3.
New section 105F sets out the process for issuing a code of practice. It requires a statutory consultation on a draft code of practice with the providers to whom the code would apply, Ofcom and other persons such as the Secretary of State considers appropriate. The amendments would apply an additional requirement to formally consult the NCSC when publishing a draft code of practice. I can reassure the Committee that we will continue to work closely with technical experts at the NCSC, as we have done over a number of years.
The telecoms supply chain review demonstrated the Department’s capability to work with our intelligence and security experts to produce sound recommendations, backed by the extensive and detailed security analysis that I know Members of all parties would like to see. That initiated the next phase of the collaborative work that culminated in the introduction of the Bill, and the codes of practice continue that theme. The purpose of such codes is to provide technical security guidance on the detailed measures that certain public telecoms providers should take to meet their legal obligations.
We have already been clear that NCSC guidance will form the basis of an initial DCMS-issued code of practice. The NCSC has already developed a set of technical measures that is in the process of being tested with the industry, and those technical measures have been refined and improved over the last two years. The NCSC will continue to update the measures to reflect any changes in the landscape of threats, as the right hon. Member for North Durham described, and the relationship between the work of the DCMS and that of the NCSC means that such changes would be reflected in the code of practice. Alongside the DCMS and Ofcom, the NCSC will play a key role in advising public telecoms providers on how to implement detailed codes of practice.
Mr Jones
I agree with the Minister, in the sense that I think he and the Secretary of State at the DCMS are committed to there being very close working, but as I said, he ain’t gonna last forever. An issue will come up —in fact, it came up last night on the National Security and Investment Bill—when operators and others say, “Actually, from a commercial point of view, this is more paramount,” or, “This is what we should be doing.” The Secretary of State will come under a lot of pressure to perhaps look at prosperity issues rather than security issues. I just wonder whether, without the relevant provision in this Bill, a future Secretary of State could say, “Well, I’m going to ignore that issue, because I want to pander to”—well, not pander to—“accept the commercial and prosperity arguments.”
Matt Warman
The right hon. Gentleman keeps going on about ministerial impermanence, but I will not take it personally.
Matt Warman
Too kind! The key part to this is that, obviously, Ofcom remains an independent regulator and will be working closely with others. The right hon. Gentleman makes a fair point about the inevitable balance between national security and a whole host of other issues, but ultimately that independence is absolutely essential. In the light of our long-standing and established working relationships across the DCMS, NCSC and Ofcom, it seems reasonable to say that there is a track record demonstrating what he has asked for. But given the Committee’s interest in the role of the NCSC in this regime, I will just make one last point. Its role is not explicitly described in the Bill, as the NCSC already has a statutory remit, as part of GCHQ, to provide technical security advice and to receive information on telecoms security for the purpose of exercising that function.
The NCSC and Ofcom will very soon publish a statement setting out how they will work together. I think that addresses some of what the hon. Member for Newcastle upon Tyne Central mentioned; I believe she has some familiarity with Ofcom. I think it is right, because they are independent, that that statement comes from them, as well as the Government expressing a view on this. The statement will include information on their respective roles and their approach to sharing information on telecoms security, and it should provide greater clarity, which hon. Members are entirely legitimately asking for, about the NCSC’s role, including how it will support Ofcom’s monitoring, assessment and enforcement of the new security framework.
I hope that the sorts of matters that I have talked about provide the kind of reassurance that Members have asked for.
Mr Jones
A statement is a welcome step forward, but—the Minister can write to me on this; he need not respond to me today—what is its legal weight? Again, I am not wanting to consider the Minister’s demise, but I would like to know that future Secretaries of State and Ministers will use it as the template and will not be able to say, “Well, we are going to ignore that statement.” That would be very welcome, because it would bind the two organisations together, which is important, and ensure that the security aspects were taken into consideration, but will the Minister just write to me, saying what weight the statement would have? I have to say that I sympathise; I do not like Christmas tree Bills that start having things added on. If it could be done in a complete way, I would be quite happy with that. The only thing that I want to know is, basically, what its status will be in future. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
Matt Warman
The Committee has already heard me talk about some of this, but I think it important to provide a little more detail. The code of practice, which we have discussed, is a fundamental building block of the regime and will contain more specific information on how telecoms providers can meet their legal duties. It will provide guidance on how, and to what timescale, certain public telecoms providers should comply with their legal obligations, and will be based on technical analysis by the NCSC. Individual measures will therefore reflect the best protections against the most pressing threats to network security. The code will, for example, set out the detailed technical measures that should be taken to segregate and control access to the areas of networks that process and manage customers’ data.
We recognise of course that different companies have different ways of setting up and running their networks, and because our telecoms market is dynamic and competitive, providers range in scale from multinational giants such as Vodafone down to innovative local start-ups. We want therefore to ensure that the code of practice is proportionate, and that public telecoms providers take appropriate security measures.
I will touch as briefly as I can on how we intend to achieve that proportionality through a tiered system. Tier 1 will contain the largest national-scale public telecoms providers. Should any of those providers have a significant security incident, it could bring down services to people and business across the UK. Those operators will have the greatest level of oversight and monitoring from Ofcom. Tier 2 will contain medium-sized public telecoms providers. Those providers may not be as large, but in many cases they are critical to regions and to business connectivity. They are expected to have more time to implement the security measures set out in the code of practice.
Tier 3 will contain the smallest public telecoms providers, including small businesses and micro-enterprises, which, of course, must also comply with the law. They are not anticipated to be subject to the measures in the code of practice, but will need to comply with their legal duties as set out in new sections 105A and 105C, and in any regulations. Our expectation is that Ofcom would regulate those providers more reactively.
New section 105F describes the process for issuing a code of practice. When the Government publish a draft code of practice, we will consult with industry, Ofcom and any other appropriate persons. Specifically, publishing the first code of practice will include consulting on the thresholds of each of the tiers that I have described and on the timings for their implementation. Following the consultation period, and once the code is finalised, it will be published and a copy will be laid before Parliament.
New section 105G gives the Secretary of State the power to withdraw a code of practice. Again, that will follow consultation with industry and Ofcom. A notice of withdrawal will be laid before Parliament. The legal effects of the code of practice are described in new section 105H. To be clear, the code of practice is guidance only; it is an important tool that operators should use to comply with their legal duties.
Matt Warman
The legislation places a duty on providers. Meeting the strictures of the code of practice would be the way of demonstrating that they were meeting that duty as an initial step, but of course, we see individual companies making decisions, for a host of reasons, to exceed codes of practice in every area of regulated life,
and I would expect that to continue in the area in question as well.
Where relevant, provisions in a code could be taken into account in legal proceedings before courts or tribunals, which I think gives some sense of their status. That would include any appeals against Ofcom’s regulatory decisions heard by the Competition Appeal Tribunal. Ofcom will take account of the code of practice when carrying out its functions as required in new section 105H(3) in relation to telecoms security, as I have just described.
Under new section 105I, if Ofcom has reasonable grounds for suspecting that a telecoms provider is failing, or has failed, to act in accordance with a code, it can ask public telecoms providers to explain either how they meet the code of practice or, if they do not meet it, why. For example, if the network set-up of a particular telecoms provider meant that it could achieve a level of security equivalent to that in the code by other means, it could explain that in its statement responding to Ofcom. In such a case Ofcom might be satisfied that the provider was complying with its security details, but hon. Members will see that we are again trying to ensure a proportionate approach to the relevant part of the framework.
We believe that the code of practice will provide an appropriately flexible framework, which will be able to change as new security threats evolve, providing clarity for telecoms operators on what is required of them by this new telecoms security framework.
Matt Warman
Obviously, there could be an overlap in those notification requirements, but our expectation would not be that anyone would receive multiple notifications. That is why there is an emphasis on the nature of communications being clear and obvious to laypeople.
Mr Jones
Speaking gives me an opportunity to take my face mask off. I will make a few points about clause 4, which is broadly welcome because it clarifies for operators what their responsibilities are, not just from a national security point of view but from a consumer point of view. I think there is an issue, though, which my hon. Friend the Member for Newcastle upon Tyne Central raised.
Again, I do not want the Minister to respond now, but I think the crossover with the Information Commissioner might be one area that we need some clarity on. Is there an example of this? Yes—the TalkTalk case. People might look at this Bill and think national security is about the Russians or the Chinese hacking, but that was a criminal act that led to a lot of people’s data being compromised. From a constituency point of view, as any Member of the House at that time will know, trying to get TalkTalk to do anything about that, in terms of the losses that people incurred, was virtually impossible. That is why these clauses are so important.
Mr Jones
My hon. Friend is correct. A lot of the debate has been about hardware, but the biggest threat to our national security, in terms of telecoms, is from hacking and cyber-attacks. The changing nature of the threat is interesting. There are state actors and there is organised crime, acting on of behalf of states, but there is also, as referred to by my hon. Friend, some poor teenager who thought it was a good idea. The TalkTalk case showed the emphasis they put on the security of their network. Not just clause 4, but the whole Bill, puts the onus on the operators, which is why it is so welcome. Never again could they be accused of not knowing their responsibilities.
New section 105J requires providers to take “reasonable” steps to inform users about the risk, the nature of the security compromise, the steps the user could take in response, and the name and details of the person to contact. That is fine, but how to respond might be a matter for Ofcom. That is important, because people might then quickly take steps to stop compromises to their security.
The Bill lays out penalties for telecoms operators, but what about the consumer and people who have lost money because of data breaches? Do I assume that the Bill does not change that? It beefs it up, but I assume that any mitigation or compensation that should be paid to individuals who have been compromised would be an issue for Ofcom. When we had the TalkTalk compromise, getting TalkTalk to do anything was like trying to get blood out of a stone. That is important from the point of view of consumers.
It is important that the Secretary of State is informed, but how will that be done? I presume GCHQ and others would do that. Would that lead to lessons learned or to a notice being given to other operators that that has happened? Would that be done by Ofcom, the National Cyber Security Centre or GCHQ, or would it be a combination of all of them? It comes back to the point made by my hon. Friend the Member for Newcastle upon Tyne Central: this is a risk and this clause puts the onus initially with the operators, where it should be.
Chi Onwurah
We are cracking on at such a pace that I lost my place somewhat. I had forgotten that we are now discussing clause 4. My apologies, Mr McCabe.
My right hon. Friend the Member for North Durham has already addressed some of the points that I wanted to make, but let me say that we welcome the duty being placed on providers to report security incidents. I have long campaigned, in relation to cases such as the TalkTalk incident, to make that duty clearer and more comprehensive regarding the information that needs to be shared with users and those who are affected, and for them to have some kind of right of redress, which is effectively part of the Bill.
I welcome the requirement in clause 4 to inform others of security compromises, but will the Minister provide more clarity? There is some indication of the range of actors that the providers and Ofcom must inform, but I do not feel that there is an understanding of the level of information that will be shared with different actors. For example, if the public are to be informed of a security breach, compared with the requirement from the Information Commissioner’s Office, which, as I said, actually goes far enough, what level of information might be shared with other actors, such as other networks? My right hon. Friend talked about who else might be informed. It is also clear that the sharing of information will probably need to evolve over time, as the nature of compromises and their potential reach changes. I wonder how these requirements might be adapted to reflect that.
I will just say a little about the sharing of information with overseas regulators. If that is clearly set out in the Bill, I am unable to find it. Presumably, such data sharing will still have to conform with the requirements of our data protection legislation. Will it also reflect international data-sharing gateways for criminal prosecution purposes?
Those are just some general comments. We welcome the clause.
Matt Warman
I will reply briefly. On the point about compensation, essentially new section 105W of the Communications Act 2003, which is inserted by clause 8, covers the civil liability point, which I think opens the door that the right hon. Member for North Durham seeks to open. Then there are the notifications to industry of what is essentially best practice and recent threats. Of course, as he implied, there is a balance to be struck with the existing work of all those involved, but ultimately it would feed into the codes of practice, so there is both an informal and a formal mechanism, if I can put it like that.
On the hon. Lady’s final point about the international sharing of information, it would depend on the nature of the information, as she implied. Some of it would pertain to national security, and some of it would pertain to the kind of criminality that she has spoken about about, where there are existing provisions as well. In that sense, of course, it is all covered by our own data protection regime, which has the sorts of carve-outs I have just described but operates in that holistic framework.
Matt Warman
I am not sure I fully understand the right hon. Gentleman’s point.
Mr Jones
I raised the point, as did my hon. Friend the Member for Newcastle upon Tyne Central, that we are asking operators to inform individuals about data compromises. That is welcome, but as my hon. Friend said, there might also be a breach of the Information Commissioner’s regulations, and we just wanted to get some idea of how the two would mesh together. I do not expect the Minister to know now, but could he write to us to say how the two would interact?
Matt Warman
As I said in response to the hon. Lady, there is obviously a potential overlap. The focus of this Bill is on clarity of communication to the consumer, but I am very happy to write to the right hon. Gentleman or the Committee with further details of that potential overlap.
Christian Matheson
I am really grateful for that intervention—not just for the context that my hon. Friend gave, but for prompting me to think that having such a tight-knit sector, and the character of the sector, works both ways. Ofcom might appoint as an inspector to undertake one of the audits somebody who is on very good terms with the business or the provider. They will perhaps take their foot off the pedal and not do quite as thorough an investigation, because they know the business and trust them. As a result, the inspection would not be as thorough.
Mr Jones
My concern is also that the Government do not have a good track record on applying the standards that have been developed over many years to ensure proprieties in public appointments. No doubt somebody who would fit the bill for the role would be Dido Harding, who was responsible for TalkTalk and is now having huge success, as we have been told by the Prime Minister, with Test and Trace. She seems to have a common thread, but success does not seem to be part of that.
Christian Matheson
Who am I to disagree with my right hon. Friend and his years of experience? So far, we have been fairly consensual in this Committee, because we want the Bill to pass. My right hon. Friend is absolutely right: we have seen a certain level of—
Christian Matheson
I was going to say cronyism, but chumocracy is a far nicer way to put it, and we have seen it in the way consultancy contracts have been dished out during the current crisis. My right hon. Friend is absolutely right to say that there can be as little scope as possible for people who are perhaps not quite as qualified as they should be to be given such jobs.
Christian Matheson
My hon. Friend says that it is not in the scope of the Bill, but so wide is the definition of “another person” that, quite frankly, anything or anyone could be in the scope of the Bill. Again, the possibility is there, and it would not be down to the Minister. I know him—he is a friend and a man of integrity. As my right hon. Friend the Member for North Durham said, however, the next Minister to come along, in this Government, at least, might not be. Who knows? In four years’ time, we might not have that problem.
This is an important aspect of national security, so I ask the Minister for clarity. It goes to the heart of the question of accountability—where responsibilities for inspections should lie. Similarly, in the second part of the amendment, we are seeking clarity on a limit on the amount that can be spent on inspection. We certainly do not want Ofcom to be swayed into decisions about whether inspections can go ahead based solely on fears that it might wrack up big costs. Nor can those costs be allowed to spiral if the first part of the amendment is not adopted and private contractors are brought in but abuse the system. I refer the Committee to the comments made by my right hon. Friend the Member for North Durham a while ago—such abuse does happen.
It is often not helpful to put a financial cost limit on the face of the Bill, if only because it can become outdated over time. To be honest with you, Mr McCabe, the truth is that the £50,000 limit specified in the amendment is arbitrary. We plucked it out of thin air to illustrate a point.
Christian Matheson
Fortunately, we will not push the amendment to a vote, so we will not have to put that point to the test. It is an arbitrary figure and I hope the Minister will not fixate on it. It simply illustrates the point that there is a question of open-ended costs. We will not push the amendment to a vote, but we think there is a vagueness and a lack of clarity that needs addressing. I urge the Minister to consider these issues and whether Ofcom would be assisted by the greater clarity that these probing amendments would bring.
Telecommunications (Security) Bill (Seventh sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Kevan Jones
Main Page: Kevan Jones (Labour - North Durham)Department Debates - View all Kevan Jones's debates with the Department for Digital, Culture, Media & Sport
Telecommunications (Security) Bill (Seventh sitting)
Kevan Jones ExcerptsTuesday 26th January 2021
(3 years, 2 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 26 January 2021 - (26 Jan 2021)
Mr Kevan Jones (North Durham) (Lab)
I beg to move amendment 16, in clause 15, page 22, line 12, at end insert—
“(2A) When considering whether a designated vendor direction is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
This amendment would require the Secretary of State to give due priority to advice provided by the Intelligence Services (including the National Cyber Security Centre as part of GCHQ) when considering when to issue a designated vendor direction.
The Chair
With this it will be convenient to discuss the following:
Amendment 17, in clause 16, page 27, line 8, at end insert—
“(3A) When considering whether a designation notice is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
This amendment would require the Secretary of State to give due priority to advice provided by the Intelligence Services (including the National Cyber Security Centre as part of GCHQ) when considering whether to issue a designation notice.
Amendment 18, in clause 16, page 28, line 3, at end insert—
“(m) the person’s control of data flows.”
This amendment requires the Secretary of State to consider a person’s potential control of data flows when issuing a designation notice.
Clause 16 stand part.
Amendment 19, in clause 17, page 29, line 19, at end insert
“, together with an assessment of the impact the designation notice will have on supply chain diversity;”.
This amendment requires the Secretary of State to lay before Parliament a report on the impact a designation notice will have on telecoms market supply chain diversity, enabling parliamentary scrutiny.
Mr Jones
I thought I would bring some light relief to the Committee’s proceedings. Amendments 16 and 17 are both probing amendments. I might sound like a broken record, but they are really just to ensure that we get a situation where the necessary advice is taken. Amendment 16 states:
“When considering whether a designated vendor direction is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
I accept that the entire purpose of the Bill is to have national security at its heart, but I still have a nagging doubt about whether Ofcom will be able to put national security at the heart of its considerations.
Amendment 17 states:
“When considering whether a designation notice is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”
This is an attempt to future-proof the Bill. As I mentioned the other day, when we pass legislation in this place it is important that it outlives present Ministers, and us all. Unfortunately, there is form on this—look at the Intelligence and Security Committee’s 2013 report on critical national infrastructure. I accept it was then the Cabinet Office, not Ofcom, that dealt with this, but when BT negotiated its contract with Huawei, the Cabinet Office was told about it but did not feel it necessary to tell Ministers for another three years, until 2006. I am concerned that national security will not be at the forefront when people look at such matters. The amendment is really just to ensure that that takes place, and codifies it into law.
I do not wish to criticise civil servants in any way, but having been a Minister myself, I know they sometimes have a tendency not to put forward things that might have a political dimension that they do not recognise. That is why it is important for national security that the Secretary of State has first-hand knowledge and information directly from the security services. We have very effective security services in this country—I pay tribute to them—but we also have the Cabinet Office. I know the Minister might think I am a bit obsessive, but I am sure he has come up against the buffer of the Cabinet Office, which seems to want to intervene in everything and anything that does not really concern it.
Matt Warman
I thank the right hon. Gentleman for his contribution to the debate. He has talked so much about my impermanence that I felt lucky to come back today, never mind any time in the future. He makes a reasonable point, with which I broadly sympathise. As this is a broad grouping that covers clauses 15 and 16 and the amendments to clauses 15, 16 and 17, I will discuss the policy intention behind the clauses in sequence, and address the amendments.
As the right hon. Gentleman said, it is obviously an opportune moment to pay tribute to the heroic work of our national security services. The Bill emphasises the importance of their advice, and it empowers the Government to manage the presence of high-risk vendors in our networks. The report to which he refers is important, but it is also important to say that it was published, as he said, in 2013. It related almost entirely to events that took place under Labour, and it predates the existence of the National Cyber Security Centre, so we are dealing to some extent with a different world. I will go into a bit of detail on that.
As the right hon. Gentleman knows, the Government announced in January last year that new restrictions should be placed on the use of high-risk vendors in the UK’s 5G and full-fibre networks. In July 2020, the Government worked with the NCSC to update the guidance following action taken by the US Government in relation to Huawei. Clauses 15 to 17 provide the principal powers that the Government need to manage the risks posed by high-risk vendors. Without such powers, the guidance issued to industry will remain unenforceable and therefore present a risk to national security.
Mr Jones
I accept what the Minister says about the report, but its key point was that civil servants basically decided not to tell Ministers. On his explanation and the way forward, or what has changed since, how can we avoid a situation whereby Cabinet Office civil servants take the decision not to tell Ministers? How can we ensure that that will not happen again?
Matt Warman
In short, the right hon. Gentleman is challenging the fundamental effectiveness of Government and the judgments that were made by officials at the time. I simply say that it is the duty of Government to ensure that such errors are not made in future. That cannot be done solely by legislative means; it must be done by custom and practice. The right hon. Gentleman understands, through his work on the ISC, that the role of those close working relationships is in some ways far more important in the day-to-day security issues that we are dealing with. Perhaps we can return to that point later.
The Bill will allow the Secretary of State to issue designated vendor directions, imposing controls on the use of goods, services or facilities that are supplied, provided or made available by designated vendors. The Secretary of State may issue such directions only where it is necessary to do so in the interests of national security and proportionate to the aims sought to be achieved.
Amendment 16, which would amend clause 15, seeks to place a statutory requirement on the Secretary of State to take into account advice from our intelligence services when considering whether to issue a designated vendor direction. Amendment 17, which would amend clause 16, seeks to place a similar requirement when considering a designation notice.
I should reassure hon. Members that the Secretary of State, as the right hon. Member for North Durham knows, has every intention of seeking the advice of our security and intelligence services, as would any Secretary of State, in particular the NCSC, when considering whether to issue a designated vendor direction or designation notice.
It is also worth saying, from a scrutiny point of view, that the Department for Digital, Culture, Media and Sport maintains an excellent relationship with the NCSC. We are scrutinised by the Select Committee on Digital, Culture, Media and Sport and I have appeared before the Intelligence and Security Committee, as the right hon. Gentleman knows. There are many examples in the Bill where the NCSC’s expert advice has been taken into account.
The UK telecoms supply chain review, on which the Bill is based, was the product of the close working relationship between the Department for Digital, Culture, Media and Sport and the NCSC. In a sense, that close working relationship demonstrates that matters have moved on substantively since 2013.
I draw hon. Members’ attention to the illustrative notices that we published in November last year. The NCSC was closely involved in the drafting of those illustrative notices. It will also be involved in the drafting of direction and designation notices once the Bill has been enacted . Given the demonstrable success of our collaboration with the NCSC thus far, I hope that the right hon. Gentleman will be satisfied with that explanation, although I appreciate that he introduced a probing amendment.
Clause 15 would create the new power for the Secretary of State to issue designated vendor directions to public communications providers, in the interests of national security. Although clauses 15 and 16 are distinct, they are complementary. Directions cannot be issued without identification of a designated vendor and designations have no effect unless directions are given to public communications providers. Clause 15 inserts new sections 105Z1 to 105Z7 into the Communications Act 2003 and amends section 151 for that purpose.
The clause will enable the Government’s announcements in 2020 on the use of high-risk vendors to be given legal effect. Those announcements include advice that require a public telecoms provider to exclude Huawei from their 5G networks by 2027, and stop installing new Huawei goods, services or facilities in 5G networks from September 2021. It will also enable the Government to address risks that might be posed by future high-risk vendors, helping to ensure our telecoms networks are safe and secure.
Proposed new section 105Z1 sets out the direction power. It would allow the Secretary of State to give a designated vendor direction to a provider, imposing requirements on their use of goods, services or facilities supplied by a specified designated vendor. Proposed new section 105Z2 provides further details on the types of requirements that may be imposed in a designated vendor direction. Proposed new section 105Z3 sets out the consultation requirements and expectations for public communications providers. Proposed new section 105Z4 sets out a requirement for the Secretary of State to provide a copy of a direction to the designated vendor or vendors, specified in a direction and, hence, affected by it. Proposed new sections 105Z5 and 105Z6 set out when and how the Secretary of State may vary or revoke a direction. Lastly, 105Z7 enables the Secretary of State to require a public communications provider to provide a plan setting out the steps that it intends to take to comply with any requirements set out in a direction and the timings of those steps.
Although the Government have made specific announcements on Huawei, the high-risk vendor policy has not been designed around one company, country or threat. The designated vendor direction power, as set out in these provisions, is intended to be an enduring and flexible power, enabling the Government to manage the risks posed to telecoms networks both now and in the future.
Clause 16 includes a non-exhaustive list of matters to which the Secretary of State may have regard when considering whether to issue a designation notice. Amendment 18 seeks to amend that clause by adding a person’s control of data flows to the list of matters to which the Secretary of State may have regard. However, nothing in the clause prevents the Secretary of State from considering control of data flows before issuing a designation notice already, if the matter were deemed relevant to the assessment of national security. It is already covered and so is not required as a stand-alone measure.
The clause creates a power for the Secretary of State to issue a designation notice, which designates a vendor for the purposes of issuing a designated vendor direction. Proposed new section 105Z8 is the principal measure of the clause, and sets out the power for the Secretary of State to designate specific vendors where necessary in the interests of national security. A designation notice must specify the reasons for designation unless the Secretary of State considers that doing so would be contrary to the interests of national security. The proposed new section also lists the primary factors that may be taken into account by the Secretary of State when considering whether to designate a vendor on national security grounds.
Finally in this group, amendment 19 would require the Secretary of State, when laying a designation noticed before Parliament, also to lay before Parliament a report detailing the impact that the designation notice might have on the diversity of the UK’s telecoms supply chain. The effect of the amendment would be to require the Secretary of State to lay a report purely on the impact of the designation notice, but a designation notice simply notifies vendors that the Government consider them a risk to national security.
Only when the designation notice is issued alongside a designated vendor direction are controls placed on the use of a designated vendor’s goods, services and facilities by public communication providers, so it is those controls that might have an impact on the diversity of the supply chain. I can reassure the Committee that the Government will consider the diversity of the supply chain before issuing designation notices and designated vendor directions. A lack of diversity is in itself a risk to the security of a network. I hope that answers the question that the hon. Member for Newcastle upon Tyne Central asked in regard to an earlier amendment. It is right that the Government consider that risk before deciding whether to issue designation notices and designated vendor directions.
To conclude, clauses 15 and 16 provide us with the ability to improve the security of our telecommunications networks and to manage the risks relating to high-risk vendors, both now and in the future.
Chi Onwurah
I will speak to amendments 18 and 19, standing in my name and those of my hon. Friends, and to clauses 15 to 17. As the Minister set out, the clauses are about key powers in the Bill that seek to secure our networks and to regularise requirements already in place, albeit informally or not legally, to remove Huawei as a specific high-risk vendor from our networks. The clauses give Government the powers to do what they have said they will do.
On the clauses, I will not repeat what the Minister said, and I congratulate him on clearly setting out their powers, which the Opposition believe are necessary. I also join the Minister and my right hon. Friend the Member for North Durham in paying tribute to our security services, which do such great work to keep us secure across a wide range of threats and challenges—both present and evolving—and on whose continued work and effectiveness the Bill is highly dependent. As my right hon. Friend set out, we want to ensure that national security is absolutely at the heart of the Bill.
Matt Warman
The hon. Lady is not wrong, obviously, in the sense that there is a potential conversation to be had about when a cloud provider is a telecoms provider and vice versa, if I can put it like that, although it is not the most elegant way of doing so. However, the point is that the reason we have comprehensive coverage of the landscape is because we have both the National Security and Investment Bill, which she debated recently, and this Bill. The broad powers that she described are intended to provide precisely that sort of coverage.
Similarly, the hon. Lady referred to the length of the list in clause 16 of matters that can be taken into consideration. That relates to the point I made previously, namely that the sorts of issues that she is talking about, such as data flows, are already covered in the long list. The list is as long as it is because it is intended to look to the future. Therefore, being prescriptive in the way that she describes is fundamentally unnecessary. We are not excluding what she wants to be on the list. A matter is already very much there if it is pertinent to national security. For that reason, I do not think there is a compelling case to add that single topic to the list, both because it is already there and because if we start going down that route, we could make the case for adding a host of other things that are already covered but that people might want to be mentioned specifically.
As I said earlier on the convergence of the two sectors, the point is that we have comprehensive coverage through both Bills. It will be for the NCSC, Ofcom and the Government to make a judgment as to whether any consolidation in a sector poses a national security risk.
The Chair
We now come to amendment 20 to clause 17. This is Christian Matheson’s big moment. I call him to move the amendment.
Mr Jones
My hon. Friend the Member for City of Chester said that we were going over old ground, and to a certain extent we are because some of the amendments reflect those that I moved last week.
May I say at the outset, Mr Hollobone, that the Minister has been an exemplar in engaging with and briefing the ISC? He has set something of a precedent; usually we have only Cabinet Ministers or Prime Ministers before us to give evidence. He is one of the few junior Ministers to have appeared before us, so I congratulate him. He did it because he wanted to engage with the issues. He must therefore be commended on his commitment to ensure that there is scrutiny. However—this is not to wish his demise, but to argue for his promotion—he will not be there forever. I think he does not quite understand why the Government are not at least moving on this.
The ISC’s remit is defined in the Justice and Security Act 2013. It sets out which Departments we cover, and the Department for Digital, Culture, Media and Sport is not one of them. However, as I said last week, security is increasingly being covered by other Departments, and this Bill is a good example. The National Security and Investment Bill is another one, where security decisions will be taken by the Secretary of State for Business, Energy and Industrial Strategy. Parliament must be able to scrutinise that.
If a high-risk vendor is designated as banned from the network by the Secretary of State for Digital, Culture, Media and Sport, there are perfectly good reasons why the intelligence behind that cannot be put into the public domain. The methods by which such information is acquired are of a highly sensitive nature, so it would not only expose our security services’ techniques, but in some cases would make vulnerable the individuals who have been the source of that information. I think most people would accept that that is a very good reason.
This sort of thing is happening increasingly. We have the two Bills that I have referred to, but we also have the Covert Human Intelligence Sources (Criminal Conduct) Bill, which will come back to the House tomorrow. Covert human intelligence and the ability to collect intelligence on behalf of our security services is very important. Most of that is covered by the Home Office, and covert human intelligence sources are covered by the ISC’s remit and can be scrutinised. However, there is a long list of other organisations that will be covered by tomorrow’s Bill, including—we never quite got to the bottom of this—the Food Standards Agency, for example. Again, how do we ensure that there is scrutiny of the decisions?
We also have—this has come out of the pandemic—the new biosecurity unit in the Department of Health. Again, there is no parliamentary scrutiny, because the Health and Social Care Committee will not be able to look at the intelligence that supports so much of that. An easy way out of this is in the Justice and Security Act 2013: the memorandum of understanding, which just means that, were our remit extended to look at this and other matters, the ISC could oversee and ask for the intelligence.
Having spoken to the Business Secretary and the Minister, who sympathises with us, I am not sure where the logjam is in Government. The point is that an amendment will be tabled in the Lords. Whether the provision is in the Bill or just in the memorandum of understanding between the Prime Minister and the ISC, it is easily done and would give confidence that the process at least had parliamentary oversight.
On many of these decisions, frankly, the oversight would not be onerous; we are asking only that we are informed of them. On some occasions, we might not even want to look at the intelligence. It might be so straightforward that, frankly, it is not necessary, so I do not think that it is an administrative burden. I cannot understand what the problem is. To reiterate what I said last week in Committee, it is not about the ISC wanting to have a veto or block over such things. It is, rightly, for the Government and the Secretary of State to make and defend those decisions.
It is also not about the ISC embarrassing the Government, because we cannot talk in public about a lot of the information that we receive. It is not as though we would publish a publicly available report, because of the highly classified nature of the information. However, the ISC can scrutinise decisions and, if it has concerns, write to the Prime Minister or produce a report for the Prime Minister raising them. That gives parliamentary scrutiny of the Executive’s decisions.
As I say, the report might not be made public. People might ask, “Would that be a new thing?” No—it happens all the time. For example, on the well-publicised Russia report this year, there was a public report with redactions in it and quite an extensive annex, which raised some issues that we were concerned about. That annex was seen only by individuals in Government, including the Prime Minister.
There is already a mechanism, so I fail to understand why the Government want to oppose this. From talking to Ministers privately, I think that there is a lot of sympathy with the position and I think that we will get there eventually. How we get there and in what format, I am not sure—whether the method is to put it in the Bill or to do it through the mechanism in the 2013 Act. That might be a way forward.
Chi Onwurah
I rise to support the excellent comments made by my hon. Friend the Member for City of Chester and my right hon. Friend the Member for North Durham. I did well to delay my remarks till after my right hon. Friend had spoken, because he has set out very effectively, based on his considerable experience as a long-standing member of the Intelligence and Security Committee, both why it is important that that Committee should be consulted and receive the reports, and why it is hard to understand the Minister’s reluctance both in this Bill and in the National Security and Investment Bill to involve a source of such credible security expertise and, importantly, security clearance in key issues of national security.
I want to add two points to those made by my right hon. and hon. Friends. The first is to reiterate a point made previously: our security threats are changing, evolving and, unfortunately, diversifying. We see that in changes to our defence spending, in changes in the national review of our defence capabilities, and in changes in the evolution of the geopolitical landscape—the potential source of threats. However, the Minister does not seem able to support reflecting that by ensuring that, rather than keeping to our existing modes of parliamentary scrutiny, we enable parliamentary scrutiny of issues of national security by those who are best placed to carry out such scrutiny—undoubtedly members of the Intelligence and Security Committee.
I want to point briefly to a discussion in the evidence sessions. Ofcom made it clear that it does not consider itself in a position to make national security decisions, which is understandable, and that some of the decisions and considerations about national security with regards to telecommunications networks would require people who have STRAP clearance. Ofcom’s group director for networks and communications pointed to the fact that she had had STRAP clearance previously, and she said that if the NCSC
“feels that that is needed for the type of information that we may need to handle, we would make sure that happened.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 90, Q115.]
To my knowledge, Digital, Culture, Media and Sport Committee members do not have STRAP clearance. I would like the Minister to comment specifically on the level of security clearance required for members of the Committee that he has identified as being the location for scrutiny of important issues of national security. What level of security clearance do its members have? Would that enable the scrutiny that we all agree is in the best interests of the Bill?
I would like the Minister to respond to a specific example. Amendments 20, 22, 23, 24 and 25 are designed to require that the Intelligence and Security Committee has access to the appropriate information. There is a requirement for the Secretary of State to lay before Parliament a copy of a designated vendor direction, as set out in clause 15, which inserts new section 105Z11 into the Communications Act 2003. The new section states:
“The Secretary of State must lay before Parliament a copy of—
(a) a designated vendor direction;
(b) a designation notice;
(c) a notice of a variation or revocation of a designated vendor direction; and
(d) a notice of a variation or revocation of a designation notice.”
So far, so good—we have that scrutiny. However, the new section also says:
“The requirement in subsection (1) does not apply if the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would be contrary to the interests of national security.”
Matt Warman
I welcome the second salvo in the campaign to address this matter by the right hon. Member for North Durham. He said it would be an ongoing campaign.
This group of amendments would require the Secretary of State to provide information relating to a designated vendor direction or designation notice to the ISC. The amendments would require the Secretary of State to do this only where directions and designation notices had not been laid before Parliament, whether in full or in part, as a result of the national security exemptions in clause 17. It will not surprise the right hon. Member for North Durham or other Opposition Members that some of these short remarks will overlap with the conversation that we had earlier on a similar matter.
Amendment 20 would require designated vendor directions or designation notices to be provided to the ISC. Amendments 22 to 25 would require the Secretary of State also to provide the ISC with copies of any notifications of contraventions, confirmation decisions and so on. Although I recognise some Members’ desire for the ISC to play a greater role in the oversight of national security decision making across government, including in relation to this Bill, the amendments would, as the right hon. Member for North Durham knows, extend the ISC’s role in an unprecedented way. None the less, I thank his welcome for my unprecedented appearance.
As I said in the debate on amendment 9, the ISC’s primary focus is to oversee the work of the security and intelligence agencies. Its remit is clearly defined in the Justice and Security Act 2013, and the accompanying statutory memorandum of understanding, to which the right hon. Gentleman referred. I do not think he thinks it is my place to take a view on that role, and I do not think this Bill is the place to have that debate.
Mr Jones
Yes, but I would ask the Minister’s civil servants to read the Act before they write this stuff for him. The Act refers to “intelligence”. Our remit is not fixed by a Department. I know the Minister sympathises with this and that we will get there eventually, but I say to his civil servants, please read the Act.
Matt Warman
I will come on to that. Accepting any of these unilateral amendments to this Bill is not the appropriate place to achieve an overall enhanced role for the ISC—
Mr Jones
I am sorry to say to the Minister that it is not looking for an enhanced role at all. It is actually doing what it says in the Justice and Security Act 2013. It is about scrutinising intelligence. A lot of the information, which will be used by him and others in these orders, will be derived from the same decisions that we oversee .
Matt Warman
Absolutely. Members of the Committee should note that in exercising the powers created by this Bill, the Secretary of State will be advised by the NCSC on relevant technical and national security matters. The NCSC’s work already falls within the Intelligence and Security Committee’s remit, so the right hon. Gentleman has found his own salvation.
In that context, the amendment seems to duplicate that existing power, while also seeking to do something that is better done in reform of a different Act, if that is what the right hon. Gentleman seeks. I am sorry to disappoint him again. I think he knew already that I would do that, but I look forward to his third, fourth and fifth salvos in his ongoing campaign.
Telecommunications (Security) Bill (Eighth sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Kevan Jones
Main Page: Kevan Jones (Labour - North Durham)Department Debates - View all Kevan Jones's debates with the Department for Digital, Culture, Media & Sport
Telecommunications (Security) Bill (Eighth sitting)
Kevan Jones ExcerptsTuesday 26th January 2021
(3 years, 2 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 26 January 2021 - (26 Jan 2021)
Christian Matheson
I do not want to detain the Committee all that long. The basis of the new clause is to ensure that Ofcom has the staffing and financial resources, as well as the capacity and technical capability, to undertake its new responsibilities under the Bill.
I remind the Committee that we heard in the evidence sessions that this is only one of several new areas of responsibility that Ofcom has received in recent years. For example, it now has responsibilities for regulating aspects of the work of the BBC. Parliament will be presenting Ofcom with responsibilities in relation to online harms, all of which is to be welcomed, but we have to recognise that there will be an overstretch for Ofcom.
In the area that the Committee is considering, there are technical complications that require specific sets of talents and capabilities which, we have heard previously, are not always in ready supply in the sector. We heard evidence that Ofcom, in common with other public sector bodies, does not pay as highly as some high-end consultancies, suppliers, developers or software houses, and therefore there will be churn. I do not want to stand in the way of anyone’s career development, but understandably there will be churn, in terms of Ofcom’s ability to maintain its responsibilities in what we know will be a continually evolving sector that throws up new technical challenges.
New clause 3 provides a duty on Ofcom to report on its resources, including the
“the adequacy of Ofcom’s budget and funding…the adequacy of staffing levels….and any skills shortages faced”.
In doing so, it will concentrate the minds of senior management at Ofcom, although I have no doubt that those minds will be focused on these matters already. Perhaps they will give this priority, particularly in terms of forward planning, and they will think, “We’re okay at the moment, but are we going to require extra and additional capability in area x, y or z in the next couple of years.” It will also focus and concentrate the minds of Ministers and Parliament, ensuring that Ofcom has the resources and capability to achieve the tasks that we have given it.
We heard many lines of evidence from the expert witnesses. My hon. Friend the Member for Newcastle upon Tyne Central may refer to some of them in her contribution, and I do not want to undermine that. Professor Webb said:
“I doubt Ofcom has that capability at the moment. In principle, it could acquire it and hire people who have that expertise, but the need for secrecy in many of these areas is always going to mean that we are better off with one centre of excellence”.
Emily Taylor of Oxford Information Labs said:
“Ofcom is going to need to upskill. In reality, as Professor Webb has said, they are going to be reliant on expert advice from NCSC, at least in the medium term,”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 79, Q95.]
The new clause is about assisting Ofcom to make an audit of what is available and ensuring that it is up to standard in terms of technological changes. It will also ensure that it is looking forward, in the midst of all the other responsibilities that Parliament is asking it to undertake, in order to maintain a level of skills and expertise that will enable it to undertake the snapshot reviews of current networks, as well as reviews of future provision and threats to the network. I hope that the new clause is self-explanatory and I am pleased to present it to the Committee.
Mr Kevan Jones (North Durham) (Lab)
I would like to speak to new clause 7, which stands in my name. It is related to new clause 3, in the name of my hon. Friend the Member for City of Chester. As he has just said, Ofcom has had an expansion of its duties in the last few years and become a little bit like a Christmas tree with added responsibilities, but none of them will be as important for the nation’s future as this. That is not to decry any of the expertise or other duties that Ofcom has, but national security and the security of our national telecoms infrastructure, is a vital new task. I have said before that my concern about Ofcom centres on national security. That is why I have tabled amendments to the Bill. My fear is that Ofcom will not have the necessary expertise, although I am not suggesting that it cannot develop into a good regulatory body looking at security and our national telecoms infrastructure.
I tabled parliamentary questions on Ofcom’s budgets and headcounts, and I am glad to see that its budget and personnel have increased as its tasks have grown. That was not the case in 2010, when its budgets were subject to some quite savage cuts. My concern—I will call this my Robin Day approach—is that we have to future-proof Ofcom to ensure that the organisation not only has the budget but also has the personnel it needs. I do not want to suggest that the Minister would want to cut Ofcom’s budget at present, as it does important work. However, it is a regulator and perhaps does not have the clout of a Government Department, so any future Chancellor or Treasury looking for cuts disguised as efficiencies could see it as easy, low-hanging fruit.
Ensuring that the Secretary of State undertakes duties highlighting Ofcom’s efficiency puts a spotlight on the basis of considerations by future Administrations of any political persuasion. That will be important, not just in the early stages but as we continue. It may take a while for Ofcom to get up to speed, but I want to ensure that that continues. The obligation for the Secretary of State to report on Ofcom would at least give me comfort that first, it is being looked at and, secondly, that civil servants cannot in future just assume that an easy cut can be made but which might then impact on our national security.
I raised another subject with the head of Ofcom when she appeared before the Committee. I do not really want to rehearse the discussions again, but as the Bill progresses the Minister will have to give assurances on security, and try to demonstrate the close working relationship between Ofcom and the security services. That will be important, as it will give credibility to the expectation that Ofcom can actually do the job that we have set out. If the Minister does that, it will reassure people who may not be convinced that Ofcom has the necessary expertise, and ensure that that close working relationship continues, not just now but in future, so that national security is at the centre of this.
There will always be a balance—as I said, we saw it in the National Security and Investment Bill—between wanting, quite rightly, to promote telecoms as a sector, and national security. I fall very much on the side of national security being the important consideration, and we need to ensure that that is always the case. It is important that national security and intelligence agencies are able to influence these decisions, not just in respect of Ofcom but also in respect of Ministers in future.
Chi Onwurah
I support and second the comments and contributions of my hon. Friend the Member for the City of Chester (Christian Matheson) and of my right hon. Friend the Member for North Durham (Mr Kevan Jones), who tabled new clauses 3 and 7. I would also like to congratulate the Committee on having made it through, as it were, the thickets of the Bill as it stands to the sunlit uplands of our new clauses, which are designed to improve it in a constructive and supportive way.
New clauses 3 and 7 both address the challenge of Ofcom’s resources. As Members of the Committee know, I joined Ofcom in 2004. I know that we are not allowed to use props in debates in the Chamber, but the Communications Act 2003, which I am holding in my hand, is the Act with which the Bill is concerned. The changes that the Bill makes are mainly adding to that Act.
Mr Jones
This is about resources for Ofcom as a whole, but there will also be debate within Ofcom about how its resources are spent. Without any ring-fenced moneys for security, is my hon. Friend concerned, like me, that not only the external control of the budget but that debate internally might compromise security?
Chi Onwurah
My right hon. Friend makes an excellent point. This debate is important for the Bill and important for our new clauses. It is also important that the Minister clarifies what the duties and priorities of Ofcom should be. Having worked for Ofcom at a different point in its history, I can tell hon. Members that when there is, say, a complaint about the behaviour of somebody in the “Big Brother” household that is hitting all the headlines in all the newspapers, that attracts the sudden concentration of resource—unnecessarily, one might argue. There needs to be a counterweight, if you like, to those headline-driven resourcing bottlenecks, which would be either ring-fencing or reporting on how resource is being used to support national security.
All Opposition Members are clear that national security must be the first priority of Government, and therefore the first priority of Ofcom. This is all the more relevant as I pick up the Communications Act 2003, in all its weightiness, where we find the general duties of Ofcom in section 3:
“It shall be the principal duty of OFCOM, in carrying out their functions—(a) to further the interests of citizens in relation to communications matters; and (b) to further the interests of consumers in relevant markets, where appropriate by promoting competition.”
Security is not mentioned—national security or telecommunications security. During the evidence sessions, the argument was made, although I forget by whom, that security was a necessary part of furthering the interests of citizens in relation to communication matters. That is possibly true, but I still think this important issue would be improved by clarity.
As we know, there is a significant pressure on Ofcom’s resources, which changes week by week and month by month depending on what the issues are in the many and increasing domains in which it operates. If these principal duties of Ofcom do not reflect our national security, the concern is that having no direct reporting mechanism to Parliament could mean these resources being used opaquely, with no direct requirement to prioritise national security. I hope the Minister will agree that new clauses 3 and 7 solve a problem the Bill will have in practice. I hope that if he will not agree to the clauses as they stand, he will agree to consider how Ofcom’s prioritisation of national security interests can be made clearer.
Mr Jones
As I have said before, I am not a great fan of arm’s length regulators, because it is a way of Government Departments and Ministers off-loading their responsibilities. Given how my hon. Friend has described the Bill, the way this is going means that Ofcom will be larger than DCMS in the future. Does she share my concern about accountability if things go wrong? It is a good get-out for the Government to be able to hide behind Ofcom, rather than Ministers taking direct responsibility.
Chi Onwurah
As always, my right hon. Friend raises a good point. Having worked for a quango, I had clear insight into the line between independence and dependence, and into the importance of the political will of the Government, regardless of supposed independence. Equally, I saw how any regulator or supposedly independent organisation can be used as a shield for Ministers who do not want to take responsibility.
My right hon. Friend also raises a good point about the hollowing out of capacity in Government Departments. A consequence of 10 years of austerity and cuts is that DCMS and other Departments do not have the capability, capacity or resources that they previously might have enjoyed. I will point out to the Minister the example of the Government’s misinformation unit. It has no full-time employees and is supposed to exist using resources already in the Department—for something as critical now, with the vaccine roll-out, as disinformation.
My right hon. Friend is right to emphasise that given the relationship between the Government and Ofcom, which is an independent regulator, and given the increase in responsibilities that the Bill represents at a time when other responsibilities are also being added to Ofcom, the Minister cannot have it both ways. He cannot have no visibility when it comes to Ofcom’s resources and capacity while giving it yet more responsibility. In fact, this seems to be responsibility without accountability. I hope the Minister will take on board the suggestions in new clauses 3 and 7.
Matt Warman
Ultimately, a mechanism already exists by which Parliament is able to scrutinise Ofcom’s resourcing. Ofcom is required under the Office of Communications Act 2002 to publish an annual report on its financial position and other relevant matters. That report, which is published every March—I am sure the hon. Gentleman is waiting with bated breath for the next one—includes detail on Ofcom’s strategic priorities as well as its finances, and details about issues such as its hiring policies.
Matt Warman
The right hon. Gentleman asks me a question that I may be able to answer in a moment, depending on a number of factors. As for the thrust of his question, Ofcom is ultimately a serious regulator that has the resourcing to do a serious job. The right hon. Gentleman would be criticising us if it had fewer people, so he cannot have his cake and eat it by criticising the fact it has enough to do the job—but I think he is going to have a go.
Mr Jones
Quite the opposite. This just reinforces my point about quangos. If we reach a situation where quangos are bigger than the sponsoring Department it is perhaps best to keep things in-house rather than having arm’s length quangos and the nonsense behind which we hide in this country about so-called independence.
Matt Warman
The reality is that the relationship between Government Departments and regulators is very often incredibly close, but independence is an important part of regulation. Although the right hon. Gentleman makes a reasonable point about the optimal size for in-house expertise versus external expertise, it is getting the balance right between Ofcom, the National Cyber Security Centre and DCMS that this Government and the reporting measures we already have are fundamentally committed to providing.
The right hon. Gentleman talked about Ofcom’s resourcing. Ofcom will not be making decisions on national security matters, as we have said repeatedly, but it will to be responsible for the regulation around these issues. As the right hon. Gentleman said, the Intelligence and Security Committee has shown great interest in how Ofcom is preparing for its new role.
As for the point about disclosure and resources, I would be happy to write to the ISC to provide further details in the appropriate forum about Ofcom resourcing and security arrangements. This could include information that cannot be provided publicly, including information about staffing, IT arrangements and security clearances of the sort that we have discussed. I hope that Opposition Members understand that that is the appropriate forum to provide reassurance and to satisfy the legitimate requirements of public scrutiny on this issue.
Matt Warman
I thank the hon. Gentleman for that intervention. I hope that now that I have given those various reassurances, hon. Members are appropriately comforted.
Everyone is waiting for the headcount of DCMS; I am assured that it is 1,304 people, some 300 more than that of Ofcom. I do not know whether that makes the right hon. Member for North Durham happier or more sad.
Matt Warman
We can discuss the optimal sizes of quangos and Departments outside this room. However, the right hon. Gentleman is obviously right that Government Departments and regulators need the resources they require to do their job properly. I hope that by describing the various mechanisms I have provided hon. Members with the reassurances they need to withdraw the new clause.
Matt Warman
I think an organisation of 937 people can cope with 13 priorities. On one level, however the hon. Lady makes a reasonable point, and it is not one that we disagree with. Security has to be absolutely central to the work that Ofcom will do.
I will not restate the points I have made about how seriously we take the Intelligence and Security Committee and how seriously we will continue to take it. We will continue to write to the Committee on topics of interest as they arise and we are happy to continue to co-operate in the way that I have done; however, as I said in the debate on amendment 9, the primary focus of the ISC is to oversee the work of the security and intelligence agencies, and its remit is defined in the Justice and Security Act 2013. Amending the Bill to require regular reporting to the ISC, as proposed by the new clause, would risk the statutory basis of the ISC being set out across a range of different pieces of legislation.
Matt Warman
Earlier, the right hon. Gentleman was suggesting that it was the memorandum of understanding that he would like to see amended. Now he seems to be suggesting that we should insert the new clause, which will not change the memorandum of understanding.
Mr Jones
No, I said in an earlier contribution that if it were done by the memorandum of understanding, I would be quite happy. I know the Minister is limited in the number of civil servants he has beneath him compared with Ofcom, but will he go away and read the Justice and Security Act 2013? It talks about Departments, but it also talks about intelligence more broadly, which is covered by the memorandum of understanding. I do not know why he is pushing back on this issue; it may be because of the Cabinet Office, which has more civil servants than he has. I suggest that we will win this one eventually.
Matt Warman
That may well be the case, but the right hon. Gentleman is not going to win it here—that is the important point to make. It is right not to try to address this issue in the new clause, but the Government will continue to take very seriously the work of the ISC, as he would expect.
Additionally, the new clause is designed to require Ofcom to provide annual reports to the ISC, which would, as the right hon. Gentleman knows, be particularly unusual in the context of the work of the Committee, as Ofcom will not be making judgments about the interests of national security under the Bill, or as part of its wider function. Ofcom’s role as regulator seems not to be something that comes under the purview of the ISC, even if I understand the broader point. As I said earlier, however, the NCSC is very much under the purview of the ISC, and there are plenty of opportunities for the Committee to interrogate the work of that excellent agency. I am sure the Committee will continue to take up such opportunities with vigour, but as I have said before, it would not be right to seek to reframe the remit of the ISC through the new clause. I ask the Opposition to withdraw it.
The Chair
Mr Jones, new clause 7 has already been debated. Do you want to put it to a Division?
The Chair
I realise that this will come as a devastating blow to all of you, but the final question I must put is that—
Telecommunications (Security) Bill Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Kevan Jones
Main Page: Kevan Jones (Labour - North Durham)Department Debates - View all Kevan Jones's debates with the Department for Digital, Culture, Media & Sport
Telecommunications (Security) Bill
Kevan Jones ExcerptsMonday 8th November 2021
(2 years, 5 months ago)
Commons ChamberRead Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Commons Consideration of Lords Amendments as at 8 November 2021 - (8 Nov 2021)
Julia Lopez
I am pleased that the Bill has returned to the House from the other place and for the chance to speak to it. I thank my hon. Friend the Member for Boston and Skegness (Matt Warman) for his tremendous work in bringing it through the House earlier in this Session and in the last.
The Bill will create one of the toughest telecoms security regimes in the world. It will protect networks, even as technologies grow and evolve, shielding our telecoms critical national infrastructure both now and for the future. As the House will be aware, the Bill introduces a stronger telecoms security framework, which places new security duties on public telecoms providers and introduces new national security powers to address the risks posed by high-risk vendors.
I will briefly summarise the changes that have been made to the Bill. Lords amendments 1 to 3 were tabled by my colleague in the other place, Lord Parkinson. Lords amendment 4 relates to reporting on supply chain diversification and Lords amendment 5 relates to reviewing actions taken by Five Eyes nations regarding high-risk vendors. I will speak first to Lords amendments 1 to 3.
The important role of parliamentary scrutiny has been raised in debate throughout the passage of the Bill. In the other place, particular attention has been paid to scrutiny of our strengthened telecoms security framework. In its report on the Bill, the Delegated Powers and Regulatory Reform Committee noted that the new codes of practice were central to this framework, as they will contain specific technical information for telecoms providers. The Committee recommended that the negative procedure should be applied to the issuing of codes of practice. We carefully considered the Committee’s recommendation over the summer, and tabled amendments 1 to 3 in the other place to accept them.
The amendments will require the Government to lay a draft of any code of practice before Parliament for 40 days. Both this House and the other place will then have a period of time to scrutinise the code of practice before it is issued. These amendments demonstrate that we have listened and that we are committed to every aspect of the framework receiving appropriate parliamentary scrutiny. I commend these amendments to the House.
I will now speak to Lords amendment 4, regarding diversification. This amendment would place an annual requirement on the Government to report on the impacts of their 5G telecoms diversification strategy on the security of public telecommunications networks and services. It would also require a debate in the House on that report. The Government cannot support the amendment for two reasons. The first objection relates to the flexibility necessary for diversification. A reporting requirement of this nature is restrictive and premature. This is an evolving market that is rapidly changing, and we need the flexibility to focus our attention where it will have the greatest impact. While our focus is currently on diversifying radio access networks, once that part of the mobile network has been diversified we will move on to focus on other areas. Committing to reporting on specific criteria would limit us to reporting against the risks as we find them today and would not afford us the flexibility that diversification requires.
Mr Kevan Jones (North Durham) (Lab)
I am very interested in what the Minister says, because one of the major themes, and one of the big failures of the 5G debacle over Huawei, is the fact that we do not have diversification in the network. How will the Government be able to do a stocktake every year so that we as parliamentarians, and others, will be able to judge that what is being said about a commitment to diversification, which is in a lot of policy papers, is actually happening in practice?
Julia Lopez
I thank the right hon. Gentleman for his comment. Hon. Members will be able to raise in the normal way, through parliamentary questions, scrutiny at oral questions and Committee work, what we are doing in this area. We are reporting regularly on some of our diversification efforts and some of the money that we are spending from the spending review.
Mr Jones
I accept that, although the current Government’s response to parliamentary questions these days is sometimes lacking. What benchmark, then, will the Government use for ensuring diversification? I accept that the Minister is the Minister today, but there will possibly be a future Minister—she will not be there for ever—so how are we to judge that we are actually going to get that diversification? Without that, we will end up as we have done now, with a network that is market-led and diversification is not in the market.
Julia Lopez
I appreciate the right hon. Gentleman’s concerns. We are committed to reporting to the House on a regular basis, but we do not want to limit ourselves on specifically what we will be reporting on in technological terms, because this is a rapidly evolving marketplace and we need to make sure that we have the flexibility to deal with particular infrastructure challenges as and when they come along.
My sense is that this amendment is intended to hold the Government’s feet to the fire on delivering their diversification strategy. If that is the case, a reporting requirement of this nature is unnecessary. This House and the other place already have mechanisms to hold the Government to account through parliamentary questions, as I said, and through the various Select Committees that can ably scrutinise this work. That is the appropriate way for scrutiny to take place.
Our second objection relates to focus. This is, first and foremost, a national security Bill. It is intended to strengthen the security and resilience of all our public telecoms networks, be they fixed line or mobile—2G, 3G, 4G, 5G and beyond. While the Government’s 5G telecoms diversification strategy has been developed to support that objective, it is not the sole objective of the strategy. This is market-making work. It is not a panacea to raise the security of our public networks. Moreover, the current scope of the strategy is not to address the entire telecoms market but to diversify a specific subset of it. The amendment extends the Bill beyond its intended national security focus and creates an inflexible reporting requirement on a strategy that will need to continue to evolve. We have been insistent on this position, and that is why I ask that this House disagrees with Lords amendment 4.
Lords amendment 5 would require the Secretary of State to review decisions taken by Five Eyes partners to ban telecommunications vendors on security grounds. In particular, it would require the Secretary of State to review the UK’s security arrangements with the vendor and consider whether to issue a designated vendor direction, or take a similar action, in the UK. I welcome the intention behind the amendment, which demonstrates that those in all parts of this House and the other place take the security of this country and its people incredibly seriously.
However, while we support the spirit of the amendment, we cannot accept it for four reasons. First, the House will recall that the Bill will provide the Secretary of State with the power to designate specific vendors in the interests of national security for the purpose of issuing a designated vendor direction. In clause 16 there is a non-exhaustive list of factors that the Secretary of State may take into consideration when issuing these designation notices. That list illustrates the kinds of factors we proactively consider on an ongoing basis as part of our national security work. A decision by a Five Eyes partner, or any other international partner, to ban a vendor on security grounds could be considered as part of that process, so this amendment would require us to do something that has been part of the Bill from the outset.
Chi Onwurah
Not to break the rules, but to work with other nations whose values we share, and in the long term to develop and support companies in this area.
Mr Kevan Jones
Does my hon. Friend also agree that this did not come as a great shock to the Government? It was all laid out in the 2013 Intelligence and Security Committee report on critical national infrastructure, but nothing has been done since then.
Chi Onwurah
My right hon. Friend, as always, makes a really good point. That is where an industrial strategy would have come in. It was predicted and we had time to build up alternatives. To go from having Huawei as one vendor among others that had small parts of our network, to our network being so dependent on it, took time. We could have used that time better to secure our networks and our own capability. The Government are bodging this. They are leaving it to the market when national security is not a market function. Labour has consistently welcomed the Bill, but it is only a small step towards achieving a truly secure and robust telecommunications network. In 2010 the Tories inherited a secure, competitive and world-leading network. It is now insecure, uncompetitive and bumping along the bottom. The Government have wasted 11 years, with huge delays in the second and third-generation fixed broadband roll-out, pushing us down the bottom of the OECD tables. Telecommunications are essential to our national security and economy, and we hope the Government will take this opportunity to recognise that.
Mr Kevan Jones
I begin by thanking the hon. Member for Boston and Skegness (Matt Warman), who took the Bill through Committee very ably. Sadly, he was a victim of the cull of competence in the last reshuffle, but his approach to the Bill was refreshing.
The Bill is important and, as a member of the ISC, I fully support it, but aspects of it need improving. Lords amendment 4 on the diversification strategy is vital. I was not reassured by the Minister telling us that this would be kept on track. When people try to give the impression that the issue of telecoms security suddenly hit us like a bolt out of the blue because of Huawei, I suggest that they read the 2013 ISC report on critical national infrastructure. What was going to happen was all laid out there, and nothing did. I think that without this annual stocktake, as the right hon. Member for New Forest East (Dr Lewis) said, there will be a tendency for future Governments to take their eye off the ball in terms of pushing forward the agenda that ensures that we are never again in a situation where we are beholden to, in this case, Huawei or any other vendor.
I have no problems with Lords amendments 1 to 3, but I think the Minister rather oversold this in saying that it is a demonstration of the Government’s commitment to parliamentary scrutiny. I accept that to a limited degree as it pertains to the codes of practice, but as the right hon. Member for New Forest East outlined, there is an issue that should concern Members on both sides of the House with this Bill and the National Security and Investment Act, in that there are elements of security now in two Departments that will not be able to be scrutinised by any Committee other than the ISC. As he outlined, although we have tabled probing amendments here and in the other place, we have given the benefit of the doubt to the Government, because of reassurances that scrutiny will be forthcoming. However, I say to the Minister that I would like a commitment tonight that she will feed that point back, because without this, no other Committee will be able to deal with the secret aspects involved. I have spoken to members of the Business, Energy and Industrial Strategy Committee, who are still trying to wheedle out of the Government their memorandum of understanding about what they can and cannot see, and that does not bode well. This is one thing that we will come back to, if it is not done now.
The ISC has so far been constructive and responsible in the way in which it has approached this issue. It is now in the hands of the Prime Minister to ensure that the memorandum of understanding is amended and is, as the Chair of the ISC said, in line with the Justice and Security Act 2013, which envisaged that we would have oversight if security went into other areas. Without that, these matters will lack the scrutiny that they rightly need.
Bob Stewart
I, too, speak as a member of the Intelligence and Security Committee. My comments will be short, because my time is limited, but many of the views that I will express have already been stated by other hon. Members.
As the House has heard, the ISC broadly supports the Bill, although it remains concerned about the Bill’s lack of a role for it in providing parliamentary oversight of parts of the legislation that Select Committees are unable to supervise. The ISC has made that point to the Government, but they do not accept it.
As a Committee, we want this legislation and will not push the issue, but we retain reservations about the matter not being part of the Bill. However, as the Chairman of the ISC—my right hon. Friend the Member for New Forest East (Dr Lewis)—and other hon. Members have said, we have written to the National Security Adviser to suggest that the matter be addressed in a revised edition of the Committee’s MOU, which comes from the Prime Minister. Otherwise, we consider that there will be gaps in the supervision available to Parliament—that is our main point.
The Committee fully supports the changes to clause 3 in Lords amendments 1 to 3 about codes of practice and the new wording after clause 23 in Lords amendment 4. With regard to Lords amendment 5 on Five Eyes review, we believe that the intelligence community will naturally consider the views of Five Eyes partners as part of its reporting, so the new clause, although worthy, is not really necessary.