Telecommunications (Security) Bill (Third sitting) Debate
Full Debate: Read Full DebateLord Beamish
Main Page: Lord Beamish (Labour - Life peer)Department Debates - View all Lord Beamish's debates with the Department for Digital, Culture, Media & Sport
(3 years, 11 months ago)
Public Bill CommitteesThank you very much indeed. I am now in Members’ hands. Who would like to be first out of the blocks? Kevan Jones.
Q
Emily Taylor: Thank you very much for those questions. The first aspect is why standards are important. Standards development can be very long, drawn-out and not the most interesting thing to participate in, but they are vital both for our security going forward and as part of the diversification strategy. Dominance or over-reliance on a small number of players is bad for innovation, security and procurement. It is great to see the importance of standards coming through in the diversification strategy that has been published. Although standards can take many years to be created, they also hang around for many years, so if we miss the boat with a particular standard when it is critical to a new industry or technology, that can have a lasting effect on our domestic and international industries.
Many scholars, such as Laura DeNardis, have pointed out that technology is not neutral, and this really applies in standards. By accident or design, standards embed the attitudes, values and world view of the engineers who create them. That has not really been a problem for western countries to date, because the US and European participants have tended to dominate, but going forward we need to find a new way of coping and co-existing with a technological superpower that does not share our values and that has invested heavily, with a strategic approach to standards, for several years.
You asked who the leading players are in standards, and in particular you alluded to the role of China. It is quite telling to reflect on the number of leadership positions across the standards organisations environment currently held by Chinese nationals. Of course there are many standards organisations, including the Internet Engineering Task Force, the International Telecommun-ication Union, which sits within the UN, and bodies such as 3GPP—the 3rd Generation Partnership Project—and the European Telecommunication Standards Institute. The Chinese players we see, not just from the Government but industry, include Huawei, Futurewei, ZTE, China Mobile, China Academy of Telecommunications Technology, and Tencent. All of them are active in standards.
The ITU is headed by a Chinese national, and of 11 working groups within the ITU’s Telecommunication Standardisation Sector, or ITU-T, China has a chair or vice-chair in 10, and a total of 25 positions at chair or vice-chair; 135 so-called “questions”, which are sort of agenda items across those working groups; and 87 rapporteurs. I could go on, but I think the point is made.
On where we are with a D10, as you know, the Defence Committee has quite majored on the idea of a D10—indeed, the idea has been going around for several years. The key element as I understand it is a recognition that this country needs to act with others to have a chance of having the coverage and investment that China has had, and that there are like-minded countries that we can partner with across standards, and also to reinvest in domestic or shared capability for manufacturing. Manufacturing has been leaving western countries for more than 30 years and we are now seeing the effect of that. It is all very well to worry about the rise of China, but if at the same time you are asking China to make absolutely everything, it is inevitable that there will be some technology transfer.
Of course, the D10 does not exist. The idea of a Five Eyes type of thing that would also morph into an economic and legal type of partnership also does not exist. Five Eyes is an intelligence-sharing network, not an economic bloc or a trading bloc. So there are challenges, but there are also opportunities for partnerships.
Q
Emily Taylor: It is a bit like waking up halfway through a chess game and realising that you are about three moves away from checkmate. I think we have taken the eye off the ball, although the UK has been strong on standards and has invested in them, but we cannot match China, where we see the fruits of a patient long-term strategy. It is all laid out in the “China Standards 2035” document, but some people in working groups say that they get more than 100 papers to deal with just before a meeting.
There is a sense that we are losing a grip. Part of that is that we did not realise how far standards embed our values until we started to see the alternatives. New IP is something that we have been writing about and studying over the last year. That is China’s efforts to standardise effectively an alternative architecture for the internet, which would not be compatible with what we have today. That is at quite an advanced state across numerous working groups within the ITU.
Professor Webb, would you like to respond?
Professor Webb: I certainly agree with all that. I have written standards myself and even run a standards body, so I know how they work. The important point is that it is not possible for a Government just to say, “We are going to influence that standard.” Standards are influenced by the working papers written by the companies that attend the standards body. The UK Government themselves could not really have an influence, and nor could a university or any other organisation like that, not unless they spent inordinate amounts of money and hired a lot of people to write a lot of papers. There needs to be a concerted global or western European effort, or some kind of larger scale activity that can help the larger companies with the resources and expertise and the standards bodies to step up their efforts.
We have five minutes left; I am afraid there is a hard stop at 10 minutes past 10 o’clock. Two Members are seeking to ask questions, so would our witnesses treat this as a quickfire round, with punchy, pithy responses?
Q
Professor Webb: I think that has already been mooted. I doubt Ofcom has that capability at the moment. In principle, it could acquire it and hire people who have that expertise, but the need for secrecy in many of these areas is always going to mean that we are better off with one centre of excellence, where the threats are analysed, assessed and understood. We have that, of course, in NCSC.
NCSC would advise Ofcom, perhaps at a high level. Perhaps they would not need to detail exactly what the issue was, but they could talk to Ofcom about the mitigation, and Ofcom could be the entity that performs the proportionality of understanding whether a threat needs to be addressed and to what extent, in the midst of all the other things. That is how I would arrange these organisations.
Emily Taylor: Thank you for this question, which goes to both the capabilities and the culture. With the capabilities, as I have said in earlier remarks, Ofcom is going to need to upskill. In reality, as Professor Webb has said, they are going to be reliant on expert advice from NCSC, at least in the medium term, until there is a significant transfer of skills and technology, and in terms of the need for secrecy and a broader view.
Ofcom’s historical role has been much less interventionist than is foreseen in this piece of legislation. Those cultural changes go deep into the organisation and into the character of the people who work there. Cultural change is always difficult and takes time, so I would not underestimate the challenge.
Q
Thank you very much indeed. I am in the hands of Members. Who would like to ask the first question?
Q
Dr Drew: I think the bigger picture is bigger than purely telecoms when it comes to China. China treats all its emerging technologies and its advancement of technologies—including telecoms, artificial intelligence and quantum research—as part of a broader means of advancing its influence, its economic strength and its geopolitical power on a global, regional and domestic stage.
Telecoms is a large component of that predominantly because, as I am sure you are all aware, the future of telecoms is essentially the provision of what will be the backbone of most of those other technologies; you require a good, advanced telecoms network to gain the full benefits of applications of artificial intelligence or quantum networking, for example. I think China and the CCP have essentially seen that telecoms is a key component of that and have thus done as much as they can both to strengthen the sector within China, and to export that to gain further routes for the future stages of implementing more technological growth and economic and political growth through the next stages of their emerging technology portfolio.
Q
Dr Drew: I would say that is definitely the case. It is market domination primarily for domestic, good use: it is a mistake to think of all that China generally does as primarily internationally orientated. The primary interest is domestic strength, security and stability. The fact that that can be achieved through gaining dominance in markets outside China is an added benefit.
Q
Dr Drew: It is very similar. That is a great point to make. Pretty much wherever you see belt and road initiatives in, say, a port or supply chain of a physical good, you will see simultaneous investment and market input in a telecoms sense. There is a digital silk road as much as there is a belt and road initiative in the physical goods and supply chain sense.
They are becoming increasingly entwined fields; 10, maybe 15 years ago you could easily have seen a distinct separation between the physical supply chain and the digital supply chain. That differentiation is fading as we progress through time, and I think the Chinese have worked that out perhaps faster than we have and they are rapidly making inroads in order to amplify that effect and gain the benefits of it.
Q
Also, you have great experience in evolving security threats. In your view, does the Bill address major telecommunications threats to national security—future and evolving threats? For example, do you think this Bill would have helped to mitigate the impact of the recent SolarWinds Orion network monitoring hack, which was also mentioned by a previous witness?
Dr Drew: I will start with the question of values. I am a great believer that technology and values and norms of behaviour are implicitly connected: you cannot separate them. It should be explicitly understood that it is an implicit truth. I believe—and I have stated this before to some of your colleagues and civil servants in various Departments—that the CCP has realised that the great firewall of China, which tries to police content within China, has holes in it and is not going to last, or was not going to last, given the direction that the internet, freedom of communication and transfer of information is going.
The next logical step, and what I believe is happening, is that if you cannot control the internet within the great firewall, it is better to be able to shape the internet everywhere, both outside and inside it. I would argue that a lot of the technological standard-setting that you see take place in the ITU and elsewhere is essentially that taking place, as is the use of social media platforms to harvest data, which is then used to aid in the censorship of domestic content within China.
With regard to evolving threats and the Bill specifically, I think that the Bill goes a very long way towards pre-emptively meeting threats that are likely to come in the future. My biggest issue echoes what I caught of the previous witness statements: the fact that it is a matter of capacity for the institutions that are given this responsibility—that is, Ofcom—and the ability to change their culture to actively engage within that framework and take action to ensure these standards are met and kept to. Those are my biggest queries about the ability of this Bill to be as forward-looking as we would like it to be.
Finally, with regard to SolarWinds, I think this Bill is aptly timed in a way, given the context of this particular threat. SolarWinds was a perfect example of a supply chain security risk, and a vector of attack that went through a diverse supply chain to meet what should have been some of the most secure systems that the United States had.
Telecoms will, as I have already said, be the backbone of all the UK’s future advancements of technology in all the things we are seeking to develop within our borders. The hardest thing to do as an attacker is to gain access. We should be making it as hard as possible to gain access; we should be making sure that there is as much oversight and understanding as is possible of where our supply chains go, the standards that they should meet, and whether those standards are being met, and I think this Bill goes some way towards that. I would argue that it needs to be continually updated, checked and maintained. This is not a one-off: times change, and the internet changes faster. Those would pretty much be my recommendations.
I am, of course, talking about co-operation between NCSC and Ofcom.
Q
I think the Minister is relying on good co-operation between the two organisations, but it is clear from the 2013 ISC report on critical national infrastructure and Huawei that civil servants with a bent for looking at economic development did not have their eye on the ball in terms of security, and they did not even tell Ministers about security concerns that were clear then.
Dr Drew: That is a fantastic question. The best way for me to phrase this is that I believe there is an imbalance that is natural to those who have a particular role within Government or the civil service. Those with responsibility for economic advancement will have a different take on the same issue from those of their colleagues with a security bent to their work.
I find this is a complex topic that needs to be balanced across those different interests. That is why I would generally lean towards co-operation between these groups as opposed to others. I also suspect—although, due to the nature of their work, I cannot be certain—that GCHQ and the NCSC have significant work already, which is only likely to increase. Although they might have the technical capability that Ofcom lacks, I am not sure they have the capacity to take on the sheer volume of work that this is likely to create. I would argue that, actually, more resourcing in general is required for whatever co-operative body is created to carry out the actions of this Bill and other Bills attached to it. That is needed.
Q
Dr Drew: I would agree with you. I believe that the decision needs to be taken on a security level first, because insecurity and the risk of a poorly made decision would have negative impacts on the economic outputs as well. I am not certain that where it is currently vested in this Bill is the best place for it, but I also believe that transparency is the other balancing component here. I have had some conversations with one of the companies mentioned quite predominantly in this literature, and their biggest press is that they feel that decisions are being made with a lack of transparency and a lack of technical justification, and that it is all politics. The best way to solve that is through transparency.
Q
Dr Drew: It potentially could, depending on the type of company that you are attempting to incentivise. It would have a different effect on those potentially two or more categories. If you take one category to be pre-existing companies that previously have not operated within the UK, such as NEC from Japan, they are likely not to be put off to such a great extent—they have already had to deal with some level of security commitment within their normal markets. However, I suggest that it could be more of a barrier to entry for the smaller companies that we are attempting to encourage to get into this market. Emerging companies would find a culture of components and cultural risk to how they view their work, as well as the technical and financial cost of meeting the new standards. Yes, I believe there would be an impact, but it would be different between types of vendors that you are seeking to encourage.
Yes.
Lindsey Fussell: Yes, I think so. It is important to say that, across the scope of the whole Bill, it is not Ofcom’s role to make national security judgments. That is really important. Clearly, that is the Government’s and the Secretary of State’s role, taking advice from the NCSC and the intelligence agencies. In relation to telecoms security, that has enabled us to take the very detailed work and the threat assessment that the NCSC has done, which have been translated into a set of requirements in the code of practice, and to apply those and work with operators to monitor and enforce that compliance without having to make those national security judgments ourselves. On high-risk vendors, I think it inevitable that there will be more national security judgments to be made, so it is quite proper that that role sits with Government rather than the regulator.
Q
Lindsey Fussell: As I say, we have existing networks security responsibilities, so the issue of security clearance is one that we already need to deal with. I think the point that I have just made is important: we will not be making national security judgments, and that means that we will need access to less national security information than you might imagine. I do not think that we will be routinely handling national security information, but where the NSCS feels that it is required, there are clearly provisions in place for that.
Having said that, as now and in future, there are occasions when we have to handle sensitive information, and we do have the necessary security clearances in place at different levels for our staff to do that. As we recruit, we will obviously ensure that people have those necessary security clearances so that we can handle any sensitive information that we are given.
Q
Lindsey Fussell: We would clearly take guidance from the NSCS and others on whether they think STRAP clearance is required, because of course, it is for the agencies to have STRAP clearance and to classify information. I have had STRAP clearance in the past, in my previous roles in Government, for example, so I am well aware of the different security classifications that are required and the nature of the information that is to be handled. At the moment, the NCSC has not signalled to us that it thinks we require staff with STRAP clearance, but clearly, if it feels that that is needed for the type of information that we may need to handle, we would make sure that happened.
Q
Lindsey Fussell: Our role in relation to the requirements is pretty clear. The Government, through the legislation that is being considered by this Committee, are setting out a series of duties on providers and then giving us a code of practice, which has been developed through the work that the NCSC did. That sets out in some detail what operators, in particular the larger operators, will be required to do to meet those requirements. What we will be doing is monitoring, discussing with and talking to those operators as they go on that journey, and ultimately—of course—enforcing compliance, if we think that is needed. Of course, our trade-off is always to be proportionate in the application of our powers, but it is quite clear that the expectation is that we will enable, encourage and require operators to comply with the requirements.
Stepping back from that, there is clearly a balance of judgment that the Government have taken in bringing forward these measures. We all want, for example, to see people across the UK getting the best connectivity possible as fast as possible. This Bill may well have an implication for some of those plans, albeit that operators are well aware of what is coming. But of course the balance of judgment is the importance that security plays for consumers, in making sure that they have access to secure networks, and bearing in mind the significant costs that can be incurred by companies and ultimately by consumers if there are cyber-attacks.
Q
Can I ask you about an issue regarding oversight? Frankly, I am not a great fan of quangos, because I think their accountability is limited and they allow Ministers to offload difficult responsibilities on to people who have very little parliamentary oversight. Regarding the oversight of your organisation from Parliament’s point of view, some of these decisions will clearly be highly classified. The Digital, Culture, Media and Sport Committee will not be able to look at them, because of the security classification. So how will we ensure that you and Ministers will consider the importance of security around these issues?
Lindsey Fussell: That is a really important question. Clearly, we are accountable to Parliament—
Sort of.
Lindsey Fussell: And we are ready to come and give evidence about our work to any Select Committee that would like to hear that evidence.
As I say, we ourselves will not make national security judgments, but I hear your point that the relationship and the role that we play in monitoring telecoms security, and enforcing those obligations on operators, is a very important one. Under the legislation, we are required to provide an annual report to the Secretary of State about what we find on the state of play regarding how operators are moving towards compliance, and indeed on any security compromises or incidents that we have uncovered and the action that has been taken in relation to those, and on any new threats or other issues that we have identified.
It will then be for the Secretary of State to consider whether they publish that report, and how much of it they publish. We will publish a summary of our work in our annual Connected Nations reports; we do that now. And as I have said, of course we will be ready to talk to any Select Committee that wishes to hear evidence of our role and how it is playing out.
Q
Lindsey Fussell: I think that is really a question for Government rather than the regulator. We will be ready to provide whatever accountability the legislation requires of us, as well as providing direct accountability by talking to Parliament and Select Committees.
Q
Lindsey Fussell: I think the structural framework helps us a great deal here, as I have already indicated. Clearly, the NCSC carried out a really detailed supply chain review, which identified the threats that could occur in different elements of the network, and it has now turned that into telecoms security requirements and, ultimately, into the code of practice. We will be giving—indeed, the legislation requires us to—considerable weight to that code of practice and the judgments that the NCSC has reached on what is required to combat threats. That will then enable us to judge and monitor whether operators are doing what is said in the code of practice.
If, for example, an operator were to say to us that it was not going to meet something set out in the code of practice because it considered that an alternative way would meet that threat, we will have arrangements in place with the NCSC to enable us to seek its advice and guidance at that point on whether that satisfies the requirements of national security.
This will have to be a very quick answer, because we have to stop at 11.25 am.
Q
Lindsey Fussell: I think that the National Cyber Security Centre takes the decision on national security. Of course, the Government ultimately have the power for that but on the advice of the NCSC. Decisions on enforcement and compliance are for Ofcom, following the code of practice that the NCSC has created for the Government.
Yes.
Lindsey Fussell: I think in that case we would take the guidance of the NCSC. In practice, I really don’t think that is likely to occur. Ultimately, the final decision on whether an operator has complied and whether we enforce is with us. The NCSC would not be able to overrule that decision, but we would be taking that decision in the light of the information we would have been given from NCSC about what is required to meet national security.
Q
Lindsey Fussell: I have read that report, thank you.
Thank you very much indeed to our two witnesses. We are very grateful to both of you for your time this morning and for the expertise you have shared with us.